I was intrigued this morning to see on the front page of the Guardian newspaper a new revelation by NSA whistleblower Edward Snowden: a US eavesdropping technique “DROPMIRE implanted on the Cryptofax at the EU embassy [Washington] D.C.”. I was even more intrigued by an image that accompanied the report (click for higher resolution):







Having done many experiments to eavesdrop on office equipment myself, the noisy image at the bottom third of the picture above looked instantly familiar: it is what you might get from listening with a radio receiver on the compromising emanations of a video signal of a page of text.

Unfortunately, the Guardian so far provides no technical details other than a brief mention that some of the eavesdropping techniques used involve “collection of transmissions with specialised antennae”. The Guardian piece also interprets the above slide as a reference to “a bug placed in a commercially available encrypted fax machine used at the mission”, but does not provide any further details.

I know nothing more about this specific case than what was in the Guardian this morning, but the noisy image shown gives a few clues. Look closely at the large-letter text “EC NCN”:



You may spot that only vertical edges of these letters are showing up as bright lines. The corresponding horizontal edges are largely missing (e.g., E, N).

Imagine the device being eavesdropped is a fax machine with a laser-print engine. A laser beam exposes one image pixel after another on a photo-sensitive charged drum. If the laser is on, the spot it hits on the drum is discharged of static electricity, and the toner will not stick, resulting in a white pixel. If the laser is off, the surface of the drum remains charged, the toner sticks, and is transfered onto the paper, resulting in a black pixel. A typical laser printer contains a single laser diode that draws one pixel after another on the printed page, line by line. Now each time the laser diode is switched on or off, an electromagnetic “click” emerges from the cable that powers it, which can be heard with a radio receiver tuned to many otherwise quiet parts of the radio spectrum. At pixel frequencies of a few megahertz (depending on the print resolution and speed), a normal AM radio designed for humans listening will not be able to resolve such a rapid sequence of clicks, but a good laboratory receiver with a bandwidth of many megahertz will. The resulting waveform can be digitized and converted into a raster image (see publications below for details).

Let’s simulate, what eavesdropping a laser printer writing “EC NCN” might look like: the first figure below is the text to be eavesdropped, and the second figure is what the eavesdropper would see as a result:

As the laser beam scans the text image line by line, each time it switches on or off, that is each time it transitions between a white and a dark area, we can visualize the resulting broadband “click” as a bright pixel. Any vertical edge of a letter turns into a bright vertical line, whereas horizontal edges remain invisible. Plus you get background noise, from all the many other things going on in that part of the radio spectrum at the same time.

In the image above, I have merely simulated this process, namely approximated the bandpass filtering and amplitude demodulation of a radio receiver by taking the horizontal derivative of the input image, and then the absolute value, plus adding a bit of noise. The result will certainly differ somewhat from the image in the Guardian, perhaps due to different fonts and resolutions being used and the eavesdropped signal being a scanned image in which lines of text are not perfectly horizontal. The image in the Guardian also shows the text being slanted backwards quite a bit, which is an effect that you get if the eavesdropper has not adjusted the horizontal scan frequency used perfectly. If that is in fact the case here, I would actually be a bit disappointed: I would have expected the NSA to master the signal-processing tricks that could be used to automatically align the eavesdropped image precisely with the pixel-clock of the emitting device.

What remains unclear is what exactly the NSA may have “implanted on the Cryptofax” device. The eavesdropping attack on the power-supply current of a diode laser, as outlined above, can work well on an unmodified device, without any “eavesdropping bugs” implemented, as a purely passive attack. However, the resulting signal may not be very strong, and difficult to receive more than a few (tens of) meters away, without heroic, radio-astronomy-style antenna designs.

On the other hand, if the enemy had physical access to the targeted device, they could install a custom-made transmitter inside it. That could just pick up the processed datastream from one of the internal digital interfaces and send it out using proper digital modulation and error-correcting codes, which should result in an image as clear as that being printed, without any background noise. The image does not look like this is what has happened here, due to the noise and scan-line artefacts mentioned above.

So I can only speculate what the “implant” might refer to instead:

The NSA might have modified the device, but without installing additional electronics, in order to reduce the probability of discovery. They might have made some minor, purely mechanical changes, to strengthen an existing accidentally emitted signal. An easy way to achieve this is to manipulate the ground-return path. Good electronics designers ensure that any current returns to the source along the same path as it came, e.g. via a twisted-pair cable. By disconnecting a ground-return line and sending the current back on a detour via some other metal structure in the device, you can effectively build a transmitter coil, and substantially increase the signal leakage without leaving any obvious traces (such as additional circuit boards with transmitters). They could also remove shielding material, short-circuit or remove low-pass filters designed to suppress radio interference, basically do the opposite of anything an electromagnetic-compatibility textbook advises.

They might have installed nearby (within a few meters, possibly on the same mains power circuit) a device that records any compromising emanations as described above, and then retransmits them over a much larger distance for further analysis.

They might have installed something that “illuminates” the target device with microwave radiation, perhaps through a window, and then look at interesting data in the back-scatter signal. Every bit of wire acts as both a receive and transmit antenna, and reflects electromagnetic waves as a result. It will reflect some frequencies better than others, depending not only on its length, but also on how the ends are terminated (e.g., left open or grounded). If the termination of a wire changes in a data-dependent way, beaming RF energy at a suitable frequency at it and listening to what comes back may allow eavesdropping from a much larger distance than just passive listening.

If a non-linear device (transistor, diode) is connected at the end of the wire, then the state of that (open, closed) will also affect what harmonics are being created. This can be exploited by an eavesdropper listing to backscatter radiation at an integer multiple of the frequency at which the device is being illuminated.

Many of these techniques have been speculated about or demonstrated in a laboratory setting in the open literature. But there is very little hard evidence of how widely they are used in practice to violate someone’s privacy or steal secrets, because the people who perform such eavesdropping attacks in real life (as opposed to academic laboratories) are not in the habit of publishing their work. Therefore, I am thankful for this little glimpse of a contemporary real-world TEMPEST-style attack!

Related literature: