TEMPEST (Telecommunications Electronics Materials Protected from Emanating Spurious Transmissions) refers to spying on computer systems by gathering information from leaked radio of electrical signals.
Information related to TEMPEST was declassified in 2007 by the US National Security Agency.
In this article, we will be looking at intercepting signals from a computer monitors HDMI lead using the TEMPEST SDR Software.
Equipment Needed
You will need the following:
- A computer with a HDMI monitor attached.
- A Software Defined Radio (SDR) such as the HackRF One.
- A suitable antenna, such as a log periodic with the appropriate frequency range. Other antennas, such as dipole will work, although be less performant.
TEMPEST attacks are typically quite dependent on the amount of bandwidth available, so a more capable SDR such as a USRP B210 (with 56Mhz of bandwidth vs the HackRF’s 20 Mhz) would be preferable, although significantly more expensive.
General tips
- Start with your antenna next to the monitor before attempting greater distances.
- A low noise amplifier may improve performance.
- HDMI leads should be shielded to reduce external interference, how well this works depends on how the lead was manufactured. If you lead you are trying does not work, try another.
- Don’t expect things to work immediately. This requires a lot of tweaking to get working.
Finding Signal Leakage Frequencies
First, we need to identify the frequency of our monitor’s signal. Download the TEMPEST Für Elise song from here.
Play this file on a loop on the target monitor we are aiming to intercept. This should just appear as a series of black bars. Make sure the video is on a loop!
At this point, if you place an AM radio next to the monitor you should be able to hear the song being played.
On the attacker system with the SDR connected, download and install SDR++.
Open SDR++ and start scanning for the monitor between 100Mhz-600Mhz. You should see a series of peaks and troughs, which when tuned into sounds like Beethoven’s Für Elise. The signal likely repeats on multiple different frequencies. Ideally, you want to identify the highest frequency with the lowest noise. The frequency manager in SDR++ will allow you to bookmark these signals as you find them.
Using TEMPEST SDR
A pre-compiled copy of TempestSDR for Windows can be downloaded here.
Run the executable and select File > Load ExitIO Source. Change the settings to reflect the below options then close the dialog box.
In TEMPEST SDR, set the frequency to the one we identified using SDR++. Uncheck the L and A buttons. In the bottom graph (monitor height), we want to select the highest peak value. This can also be done by using the “AUT” button. Once this is set, you should be able to see lines from the monitor signal.
Next, adjust the top graph (FPS) to select the highest peak value. Finally, attempt to adjust the LPASS (low pass filter) slider to sharpen the image.
You should start to see the lines being transmitted.
Once you can detect the lines, start moving onto more complex shapes, such as the black and white diamond below.
With basic shapes working, keep adjusting until text recovery becomes possible.
In Conclusion
TEMPEST SDR provides a quick way to determine if TEMPEST attacks are viable against equipment. As of 2024, there has been some interesting work done on using deep learning with TEMPEST to significantly increase the performance. In addition, some of the HackRF’s bandwidth limitations could be addressed by clustering multiple units as seen here.