Tagged: TempestSDR

WarDragon: Testing EMEye/TempestSDR with Wyze Cam Pan V2 Cameras and a USRP B210

Last week we posted about University researchers who found that it was possible to recover live video images from the EM leakage emanating from various IoT security cameras. The 'EMEye' software to do this was released as open-source on GitHub.

Recently Aaron, who created DragonOS and WarDragon, has uploaded a video showing EMEye working on WarDragon. In the video, Aaron shows how to install and use the EMEye software on WarDragon, and demonstrates it working with a Wyze Cam Pan V2 that he purchased for this test.

In this video, I guide you through a practical demonstration of Tempest-based camera eavesdropping attack research. I'll be focusing on the EM Eye project, a tool derived from TempestSDR with some added features.

I'll show you how to construct the EM Eye project, step by step, and how to use it to tune into the EMI emitted by the Wyze Cam Pan v2 using an Ettus B210. By processing this EMI/RF signal, we're able to reconstruct the video stream using the algorithms provided by EM Eye and TempestSDR.

Additionally, I'll demonstrate how DragonOS FocalX and the WarDragon kit offer a cost-effective alternative by including a prebuilt version of TempestSDR that works with the Airspy R2. This allows for similar functionality at a lower cost.

If you're interested we reviewed WarDragon in a recent post as well.

WarDragon EMEye/TempestSDR Camera Eavesdropping Attack Research (B210, Airspy R2, Wzye Cam Pan v2)

Decoding PAL Video from a Nintendo with an Airspy SDR

Oona (also known as [Windytan] and @windyoona) was recently looking for a way to capture PAL composite video from her old 1980s Nintendo Entertainment System (NES) without spending a bunch of money on what are often poor video capture cards. As she already owned an Airspy SDR she decided to receive the PAL signal with the Airspy and modify some software to act as a PAL decoder.

PAL decoding was handled via some modifications to her private Tempest software. Normally Tempest type programs like TempestSDR that we covered in a [previous article] are used to spy on computer/TV monitors from signals that are unintentionally emitted in the surrounding area.

Oona has made the connection from the composite output directly to the SDR antenna input so it’s not unexpected that you’d have a strong signal. However, I have to admit that’s an incredibly clear image for a video being demodulated via a software radio.

What makes this an even more amazing feat is that the latency is low enough that it’s nearly playable using a computer and SDR in place of a television set.

We note that we’ve also seen SDRs used to decode standard PAL TV broadcasts before with an SDR# plugin called TVSharp.

YouTube Tutorial: Spying on Computer Monitors with TempestSDR

Over on YouTube SignalsEverywhere (aka Corrosive) has uploaded a tutorial video showing how to use TempestSDR with an Airspy SDR. Back in November 2017 we posted about how we were able to get TempestSDR to run with an RTL-SDR, Airspy and SDRplay, and showed some results. Since then several people have managed to repeat our results, but many have also had trouble understanding how to make TempestSDR work and what all the settings are for.

TempestSDR is an open source tool that allows you to use any SDR that has a supporting ExtIO (such as RTL-SDR, Airspy, SDRplay, HackRF) to receive the unintentional signal radiation from a screen, and turn that signal back into a live image. This can let you view what is on a screen without any physical connections.

Corrosive's tutorial video shows us how to tune the signal in the TempestSDR software in order to receive a clear image as well as showing the software in action.

TempestSDR: An SDR tool for Eavesdropping on Computer Screens via Unintentionally Radiated RF

Thanks to RTL-SDR.com reader 'flatflyfish' for submitting information on how to get Martin Marinov's TempestSDR up and running on a Windows system. If you didn't already know, "TEMPEST" refers to techniques used by some spy agencies to eavesdrop on electronic equipment via its unintentional radio emissions (as well as via sounds and vibrations). All electronics emit some sort of unintentional RF signals, and by capturing and processing those signals some data can be recovered. For example, the unintentional signals from a computer screen could be captured and converted back into a live image of what the screen is displaying.

TempestSDR is an open source tool that allows you to use any SDR that has a supporting ExtIO (such as RTL-SDR, Airspy, SDRplay, HackRF) to receive the unintentional signal radiation from a screen, and turn that signal back into a live image. This can let you view what is on a screen without any physical connections. If a high gain directional antenna is used then it may be possible to receive images from several meters away as well.

TempestSDR showing what's on the screen via unintentional RF radiation from the monitor.

Although TempestSDR has been released now for a number of years it hasn't worked properly in Windows with ExtIO interfaces. In his email flatflyfish showed us how to compile a new version that does work.

1. You need to install a 32-bit version of the Java runtime. The 64-bit version won't work with extio's possibly because they are all 32-bit. Also install the JDK.

2. You need to install MingW32 and MSYS and put their bin folders in your Windows PATH.

3. Then when compiling I was seeing a lot of CC command unknown errors. To fix that I just added CC=gcc to the top of all makefiles. I also removed the Mirics compilation line from the JavaGUI makefile to make things easier as we're not using that sdr.

4. Originally my JDK folder was in Program Files. The makefile didn't like the spaces in the folder, so I moved it to a folder without spaces and it fixed the errors.

5. Lastly, to compile it you need to specify the ARCHNAME as x86, e.g. "make all JAVA_HOME=F:/Java/jdk1.7.0_45 ARCHNAME=X86"

After doing all that it compiled and I had a working JAR file. The extio's that are used normally with HDSDR work fine now and I get some images from my test monitor with an rtlsdr.

We tested compilation ourselves and were successful at getting a working program. To help others we've just uploaded a fork of the code with the makefile changes done, as well as a precompiled release ZIP available on the releases page so no compilation should be required to just use it. Note that to use the precompiled JAR you still need to install MingW32, and don't forget to add the MingW /bin and msys /1.0/bin folders to the Windows PATH. You also need to have the 32-bit Java runtime installed, as the 64-bit version doesn't seem to work. On at least one Win 10 machine we also had to manually add a 'Prefs' folder to the Java path in the registry.

We've tested the software with the ExtIO for RTL-SDRs (available on the HDSDR downloads page) and confirmed that it works. Images from one of our older DELL monitors using DVI are received nicely, although they are a bit blurry. We also tried using an Airspy or SDRplay unit and this significantly improved the quality of the images due to the larger bandwidth. The quality was good enough to make out large text on the screens. ExtIOs for the Airspy are available on this page, and for the SDRplay on the official SDRplay website. Note that for the SDRplay we were unable to go above 6 MHz, and on the RTL-SDR 2.8 MHz was the limit - anything higher on these SDRs did not produce an image, possibly due to dropped samples.

To use the software you should ideally know the resolution and refresh rate of your target monitor. If you don't, there are auto-correlation graphs which help to predict the resolution and frame rate: just click on the peaks. You will also need to know the frequency that your monitor unintentionally emits at. If you don't know it, you can browse around in SDR# looking for interference peaks that change depending on what the screen is showing. For example, in the image below we show what the interference might look like. A tip for improving images is to increase the "Lpass" option and to watch that the auto FPS search doesn't deviate too far from your expected frame rate. If it goes too far, reset it by re-selecting your screen resolution.

Unintentionally radiated RF signal from computer screen shown in SDR#
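
The auto-correlation idea mentioned above, shown on constructed data (an added example, not TempestSDR's own code): a signal that repeats every frame correlates most strongly with itself at a lag of one frame, and again at a lag of one line, so the peak lags give the refresh rate and line count. The 30 kS/s sample rate, the 20 x 25 test frame, the search ranges and all function names are assumptions chosen for illustration.

```python
import math
import random

def synth_capture(fs=30_000, frames=4, rows=20, cols=25, noise=0.02, seed=1):
    """Constructed stand-in for demodulated amplitude samples: a bright
    window on a dim desktop, with horizontal and vertical blanking."""
    rng = random.Random(seed)
    frame = []
    for r in range(rows):
        for c in range(cols):
            if r >= rows - 2 or c < 5:            # blanking intervals
                frame.append(0.0)
            elif 4 <= r <= 12 and 8 <= c <= 19:   # bright window
                frame.append(1.0)
            else:                                 # desktop background
                frame.append(0.2)
    samples = [v + rng.gauss(0, noise) for _ in range(frames) for v in frame]
    return fs, samples

def autocorr(x, lag):
    """Normalised autocorrelation of a mean-removed signal at one lag."""
    n = len(x)
    var = sum(v * v for v in x) / n
    acc = sum(x[i] * x[i + lag] for i in range(n - lag))
    return acc / ((n - lag) * var)

def best_lag(x, lo, hi):
    """Lag in [lo, hi] with the highest autocorrelation (the 'peak')."""
    return max(range(lo, hi + 1), key=lambda k: autocorr(x, k))

def estimate_timing(fs, samples, fps_range=(50, 85), line_lag_range=(10, 50)):
    mean = sum(samples) / len(samples)
    x = [v - mean for v in samples]
    # Frame period: strongest peak among lags matching plausible refresh rates.
    frame_lag = best_lag(x, math.ceil(fs / fps_range[1]), fs // fps_range[0])
    # Line period: strongest peak among much shorter lags (assumed range).
    line_lag = best_lag(x, *line_lag_range)
    return {
        "fps": fs / frame_lag,
        "samples_per_line": line_lag,
        "lines_per_frame": round(frame_lag / line_lag),
    }

if __name__ == "__main__":
    print(estimate_timing(*synth_capture()))
```

The frame-lag peak is near 1.0 because successive frames of a static screen are almost identical, while the line-lag peak is lower because neighbouring lines only partly match.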

The best results were had with the Airspy listening to an older 19" DELL monitor connected via DVI. A newer Philips 1080p monitor connected via HDMI had much weaker unintentional signals but images were still able to be recovered. A third AOC 1080p monitor produced no emissions that we could find.

Clear images were obtained with an antenna used in the same room as the monitor. In a neighboring room the images on the DELL monitor could still be received, but they were too blurry to make anything out. Possibly a higher gain directional antenna could improve that.

An example set up with RTL-SDR antenna and monitors

Below we've uploaded a video to YouTube showing our results with TempestSDR.

TempestSDR - Remotely Eavesdropping on Monitors via Unintentionally Radiated RF

If you want to learn more about TEMPEST and TempestSDR, Martin Marinov's dissertation on this software might be a good read (pdf).