Van Eck Phreaking
By Erik van Kempen | April 7, 2007
During the last two elections citizens of Eindhoven and 34 other cities in the Netherlands had to vote using the good old red pencil or on a German voting machine. The new voting machines were banned because the ballot information might not be kept secret. I wanted to find out what caused the information leakage and found that you could read some data via an eavesdropping method called 'Van Eck phreaking'.
A Dutch guy, Wim van Eck, published a paper on this eavesdropping process as early as 1985. This paper stated that for example CRT displays use high frequency electric signals to drive itself. These signals happen to information about the displayed data. Because of these high frequencies, these signals are also radiated into the air where they can be picked up by antennas and be further analyzed by computers.
According to Van Eck, the signals were similar to those of TV broadcasting signals, but only lacked a synchronization signal. By using an external synchronization signal, the exact image can be duplicated on another screen.
Ringing
The effect, that causes the information to be radiated into the air, is called ringing. Imagine a square wave pattern, which represents a stream of pixel on/off information. This information is constantly moved from the framebuffer to the actual display. In a perfect world, the wave would be perfectly square, but this world is not perfect so the wave pattern will look like damped sine waves at the two logic levels (mostly 0V and 5V). These sine waves occur every time the pixel information stream changes from low level (0V) to high level (5V) and vice versa. So by analyzing these waves, one can recreate the exact pixel information stream.
These signals are often very low, so there's no real danger. But the vote information of the banned voting machines could even be analyzed outside the polling station, using low-budget HF receivers. The only information that could be extracted from the radiated signals was if someone voted for the CDA, which is a Dutch Christian-democratic political party. This was caused by the name of the party, which contains the character 'è', which is not a regular ASCII character. The machine needed to get this exact character from another memory and reading from this memory caused the radiated signals.
If you want to experiment with this effect yourself you can download TEMPEST for Eliza and tune your radio to 100MHz, then you will be able to hear the tune of 'Für Elise" on your radio. Or you can watch this video which demonstrates the same.