Two bits of this paper seem important to me: first, they demonstrate a MASSIVE improvement over TEMPEST as implemented so far, by training a smallish network (trained on a single 3090). As in the output goes from “kinda works” to “looks completely readable”. That’s amazing, and a significant step forward in SOTA for eavesdropping on HDMI, at least for what’s in the public domain.
Second, the paper was written (and tech implemented) by people with significant signals experience - quite a lot of thought went into the design, and a CNN (the part they trained) is just one component of the stack - for instance, they run the output image through Tesseract at the end to do character recognition. I’m not sure how they manage gradient descent end to end, although they talk about it in the paper.
So, this is a practitioner’s paper, using some modern techniques for ‘the hard bit’ -> taking radio waves and turning them into an image.
I’d be really interested in seeing someone do this again ‘the dumb way’ by just creating a full end to end autodifferentiable stack and running it for longer. I’m sure it would take more training time, but the number of people in the world who could have come up with this idea and done the implementation is small, probably in the single digit thousands.
Using, e.g. Sonnet 3.5 or Lllama 3.1 to be like ‘design and implement an autodifferentiable tempest attacker for me’, and seeing where results are right now is the sort of benchmark that I think matters a lot to track progress on the ‘leverage’ part of AI — basically can tech like this be delivered to, e.g. 1 million people worldwide, rather than thousands, with the help of a large model?
Anyway, very cool.
Finally, I’ll point out the two mitigations they mention don’t seem likely to be successful to me: they suggest adding Gaussian noise to the signal, or adding more gradients in colors for images. The second is not going to happen, except in very high security environments. I don’t believe the first is resistant to extra network training against the mitigation.
Very interesting, will have to read that properly, the results look impressive.
I came across this paper 'Eye of Sauron: Long-Range Hidden Spy Camera Detection and Positioning with Inbuilt Memory EM Radiation' recently, which I thought was extremely clever too.
I am quite impressed by the results. Really, I was originally amazed that they were able to get much at all. I'm more familiar with DisplayPort so I was surprised that a fully differential embedded clock compressed 8b10b signal at 6GHz was recoverable. The answer is that I suspect it is not, even if a 1600:900 60Hz HDMI 1.4 with a 324MHz pixel clock is.
I think there are some fairly big caveats with this (still quite impressive) work. It appears to be on HDMI 1.4 (2009), and although I don't doubt many TVs (though fewer monitors) use such an old standard, it's certainly not modern. It's limited to FHD at 60Hz (or 4k at 30Hz). Even HDMI 2.1 is from 2017.
The differences are fairly significant. HDMI 1.4 is differential, but uses a separate clock rather than embedded clock for 2.1, which makes collecting FM data a LOT easier. The channel clock is "only" 350MHz t0 1.7GHz rather than an embedded clock signal carrying 12Gbps on a 6GHz 2bit symbol rate for modern HDMI. The video data is uncompressed rather than "lossless" compression (~4:1), which also makes things MUCH easier. Higher refresh rate might actually provide more data for eavesdropping, but higher HDR color depths probably confuse things. Modern video transports are often now "whitened" with short length LFSR to minimize radiation peaks for FCC compliance, but I don't really know about HDMI in particular.
The Gate and Source line drivers on a modern LCD might give you more information since they're closer to analog (High voltage single ended) and only run at a few hundred kHz, but they are massively parallel rather than serial.
Thanks for linking this paper, that’s super interesting. Seems like a project tailor made for a tech transfer startup and acquisition. I bet you could add directionality to the detector — essentially just walk around the room and go.
Finding out about differential power analysis had me wondering about mains -> motor -> vibration-damped coupler -> dynamo -> top secret loads, as a way to protect against analysis of said loads by household smart meters.
I heard one of the issues is to prevent leaks through the ground connection. It seems special circuits ("crypto grounds" ?) are needed to filter the ground connection while still allowing it to work normally if an electrical fault occurs...
Wasn't this something that was also revealed by Snowden to be a technique in wide-spread use within the NSA's little community of human-rights abusing miscreants?
TEMPEST attacks have been publicly known about since the late 1990s, and feature as a sort of attack macguffin in Neal Stephenson’s Cryptonomicon (1999). They have generally been thought to be in the domain of persistent threat actors; tech like this makes the attack more accessible — whether you like the idea of that or not probably depends on your politics and tech background, though.
Second, the paper was written (and tech implemented) by people with significant signals experience - quite a lot of thought went into the design, and a CNN (the part they trained) is just one component of the stack - for instance, they run the output image through Tesseract at the end to do character recognition. I’m not sure how they manage gradient descent end to end, although they talk about it in the paper.
So, this is a practitioner’s paper, using some modern techniques for ‘the hard bit’ -> taking radio waves and turning them into an image.
I’d be really interested in seeing someone do this again ‘the dumb way’ by just creating a full end to end autodifferentiable stack and running it for longer. I’m sure it would take more training time, but the number of people in the world who could have come up with this idea and done the implementation is small, probably in the single digit thousands.
Using, e.g. Sonnet 3.5 or Lllama 3.1 to be like ‘design and implement an autodifferentiable tempest attacker for me’, and seeing where results are right now is the sort of benchmark that I think matters a lot to track progress on the ‘leverage’ part of AI — basically can tech like this be delivered to, e.g. 1 million people worldwide, rather than thousands, with the help of a large model?
Anyway, very cool.
Finally, I’ll point out the two mitigations they mention don’t seem likely to be successful to me: they suggest adding Gaussian noise to the signal, or adding more gradients in colors for images. The second is not going to happen, except in very high security environments. I don’t believe the first is resistant to extra network training against the mitigation.