Title: Exploiting quasiperiodic electromagnetic radiation using software-defined radio
Author: O'Connell, Christian David
ISNI:       0000 0004 7961 8582
Awarding Body: University of Cambridge
Current Institution: University of Cambridge
Date of Award: 2019
Abstract: Electronic devices emanate unintentional electromagnetic radiation from which an attacker can extract sensitive information. In video display units these are quasiperiodic: nearly periodic in the short term. Video-eavesdropping attacks on these, a main motivation for the use of TEMPEST-shielded equipment in security-critical applications, have evolved little since first publicly demonstrated by van Eck in 1985. I investigate digital signal processing techniques that exploit the quasiperiodic nature of digital video signals, with TMDS-encoded data on HDMI/DVI cables as the main example. After first discussing the practicalities of intercepting compromising emanations from the UHF frequency band, using a software-defined radio platform to perform IQ down-conversion, I outline the process to carry out a video-eavesdropping attack, and methods for rasterising intercepted data. Using a database of video modes, such as the VESA and CEA standards, I identify viable eavesdropping targets by fitting likely harmonics of emanating clock signals to a model. Video signals contain blanking intervals that create characteristic periodicities; cepstral features can be used to eliminate false positives, and provide improved performance over autocorrelation as a method of recovering synchronisation frequencies. The signal-to-noise ratio of intercepted emanations is often very poor. Coherent periodic averaging in the complex domain can suppress noise and uncorrelated background sources. I design a phase-locked loop to perform clock recovery and synchronisation of the video signal, negating the effects of temperature drift in the local oscillators. This permits averaging arbitrary-length recordings, increasing the range at which an attack can be performed. I discuss the implications this may have on existing protection standards. Finally, I present a method to recover bandwidths higher than that of which the SDR front-end hardware is nominally capable. I use the cross-correlation between multiple overlapping lower-bandwidth recordings to correct time and phase offsets, and a zero-phase Linkwitz-Riley filter pair to combine them. The resulting higher-bandwidth recordings improve raster clarity, and enable use of a hidden Markov model to recover colour information.
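The following is an added example, not code from the thesis or its author. It models, in pure Python, two of the steps the abstract describes: recovering the line period of a noisy recording from the cepstrum of its averaged log spectrum, with a prominence check that rejects a recording containing no periodic structure (the false-positive elimination), and coherent periodic averaging of whole frames in the complex domain, compared with averaging magnitudes after detection. The video timing (64 samples per line, 8 lines per frame, a two-sample sync pulse standing in for the blanking structure), the carrier phase, the noise level, the segment length, the seed and the 0.06 prominence threshold are constructed assumptions and correspond to no real VESA or CEA mode; the phase-locked loop, oscillator drift and the bandwidth-stitching step are not modelled.

```python
"""Added illustration (not the thesis's code): cepstral recovery of a video
line period and coherent periodic averaging on a constructed quasiperiodic
'video' signal in complex baseband.  Pure Python, no numpy."""
import cmath
import math
import random

# Constructed timing, not a real video mode: 64 samples per line, of which
# 2 are a sync pulse repeating every line (the blanking structure), 8 lines
# per frame, and the same image content in every frame.
LINE = 64
LINES = 8
FRAME = LINE * LINES
SYNC = 2
SYNC_LEVEL = -5.0
CARRIER_PHASE = 0.7          # assumed constant: no oscillator drift modelled


def fft(x):
    """Recursive radix-2 FFT; len(x) must be a power of two."""
    n = len(x)
    if n == 1:
        return [complex(x[0])]
    even, odd = fft(x[0::2]), fft(x[1::2])
    out = [0j] * n
    for k in range(n // 2):
        t = cmath.exp(-2j * math.pi * k / n) * odd[k]
        out[k], out[k + n // 2] = even[k] + t, even[k] - t
    return out


def ifft(X):
    n = len(X)
    return [v.conjugate() / n for v in fft([v.conjugate() for v in X])]


def make_frame(rng):
    """One frame of real 'video': each line is a sync pulse followed by
    random 1-bit pixel values (the image), identical in every frame."""
    frame = []
    for _ in range(LINES):
        frame += [SYNC_LEVEL] * SYNC
        frame += [float(rng.randint(0, 1)) for _ in range(LINE - SYNC)]
    return frame


def make_recording(frame, n_frames, sigma, rng):
    """Complex-baseband (IQ) recording: the frame repeated n_frames times on
    a fixed-phase carrier plus complex Gaussian noise (sigma per component);
    for sigma=1 the per-sample SNR is roughly -2 dB."""
    carrier = cmath.exp(1j * CARRIER_PHASE)
    return [v * carrier + complex(rng.gauss(0, sigma), rng.gauss(0, sigma))
            for _ in range(n_frames) for v in frame]


def averaged_log_spectrum(x, seg_len):
    """Mean of the log power spectra of consecutive segments: averaging the
    log-periodograms lowers the variance of the noise bins, so the harmonic
    comb produced by the line-rate blanking stands out."""
    nseg = len(x) // seg_len
    acc = [0.0] * seg_len
    for s in range(nseg):
        for k, v in enumerate(fft(x[s * seg_len:(s + 1) * seg_len])):
            acc[k] += math.log(abs(v) ** 2 + 1e-12)
    return [a / nseg for a in acc]


def cepstral_peak(x, seg_len, lo, hi):
    """Real cepstrum of the averaged log spectrum, searched over quefrencies
    lo..hi (a candidate line length from a video-mode model, with tolerance).
    Returns (period, prominence), prominence being the peak above the window
    median; a recording with no periodic structure gives a small value."""
    cep = ifft([complex(v) for v in averaged_log_spectrum(x, seg_len)])
    window = [cep[q].real for q in range(lo, hi + 1)]
    i = max(range(len(window)), key=window.__getitem__)
    median = sorted(window)[len(window) // 2]
    return lo + i, window[i] - median


def periodic_average(x, period):
    """Coherent averaging of all whole periods in the complex domain: the
    repeating video adds in phase, noise power falls with the period count."""
    n = len(x) // period
    return [sum(x[i + j * period] for j in range(n)) / n for i in range(period)]


def magnitude_average(x, period):
    """Incoherent comparison: averaging |x| after detection keeps a bias,
    because the magnitude of the noise has a non-zero mean."""
    n = len(x) // period
    return [sum(abs(x[i + j * period]) for j in range(n)) / n for i in range(period)]


def mse(a, b):
    return sum(abs(u - v) ** 2 for u, v in zip(a, b)) / len(a)


def run_demo(sigma=1.0, n_frames=16, threshold=0.06):
    """Measurements for one constructed recording; threshold is an assumed
    prominence cut-off for accepting a cepstral peak as a video line rate."""
    rng = random.Random(2019)
    frame = make_frame(rng)
    clean = [v * cmath.exp(1j * CARRIER_PHASE) for v in frame]
    rec = make_recording(frame, n_frames, sigma, rng)
    noise_only = make_recording([0.0] * FRAME, n_frames, sigma, rng)
    lo, hi = int(LINE * 0.75), int(LINE * 1.25)   # +/-25% around the model's guess
    period, prom = cepstral_peak(rec, 2 * FRAME, lo, hi)
    _, prom_noise = cepstral_peak(noise_only, 2 * FRAME, lo, hi)
    return {
        "line_period": period,
        "video_detected": prom > threshold,
        "noise_detected": prom_noise > threshold,
        "mse_single_frame": mse(rec[:FRAME], clean),
        "mse_coherent": mse(periodic_average(rec, FRAME), clean),
        "mse_magnitude": mse(magnitude_average(rec, FRAME), [abs(v) for v in clean]),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The search window handed to `cepstral_peak` plays the role the abstract gives to the video-mode model: it supplies a candidate line length, and keeping the window narrow also keeps the rahmonics at two and three times the line period out of the search. The magnitude-averaging result is the reason averaging has to happen on the complex IQ samples before rasterisation: once the phase is discarded, noise no longer averages towards zero.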
Supervisor: Kuhn, Markus
Sponsor: Not available
Qualification Name: Thesis (Ph.D.)
Qualification Level: Doctoral
Keywords: Digital Signal Processing ; TEMPEST ; Side-channel attack