I read an interesting article today on how a hacker can Eavesdrop on HDMI from its Unintended Electromagnetic Emanations by scientists Santiago Fernández, Emilio Martínez, Gabriel Varela, Pablo Musé, Federico Larroca from University of the Republic in Montevideo.
The article is all about analyzing the electromagnetic waves that unintentionally emanate from the cables and connectors, particularly HDMI and its possible to train a deep learning model to map the observed electromagnetic signal back to the displayed image.
As a layman I have never thought that a HDMI which is quite innocent in nature and the only use of it is to transfer the audio and video signals. Can this be also used by hackers by utilizing the electromagnetic waves which it emits.
The fancy word is “TEMPEST”. TEMPEST is a term used to describe the unintentional emanation of sensitive or confidential information from electrical equipment.
Now when we talk about such attacks it cannot be done just like that there are technicalities and equipment’s involved. The article has considered a threat model to work on like a laptop, SDR hardware (Software defined ratio), an antenna and a Low Noise Amplifier (LNA).
Two separate operational scenarios has been considered:
- ATTACKER REMAINS UNNOTICED:
Example: Firstly, one where the attacker remains unnoticed, e.g., if the spied system is close to a wall and the attacker operates from the other side. In this case, the setup may include somewhat large directive antennas, and an online operation is viable where, for instance, the attacker adjusts the antenna’s direction until a proper image is obtained and only saves the images that they are interested in.
- ONLY THE ATTACKER’S HARDWARE GOES UNNOTICED
Example: For instance, a small omnidirectional antenna is left near the HDMI cable and connectors of the spied system, and the spying PC is not visible or does not draw attention. In this case, which requires physical proximity to the spied system, the
attacker’s PC may periodically (e.g., every second) record a signal, process it to obtain an image, and save it for offline visualization. If hard drive space is not an issue, the attacker may even record the raw samples of the SDR periodically and apply our method to
these recordings.
The scientists have generated a training set and done the required testing but its important to remember that obtaining real captures is not a simple task. They mentioned that they used a monitor with a resolution of 1600 × 900 @ 60 fps, tuning the SDR to the third harmonic of the pixel frequency (324 MHz) using a modified version of the flowgraph of gr-tempest.
