Scientific research of hardware vulnerabilities often paints captivating espionage scenarios, and a recent study by researchers from universities in the United States and China is no exception. They found a way to steal data from surveillance cameras by analyzing their stray electromagnetic emissions — aptly naming the attack EM Eye.
Reconstructing information from stray emissions
Let’s imagine a scenario: a secret room in a hotel with restricted access is hosting confidential negotiations, with the identities of the folks in attendance in this room also deemed sensitive information. There’s a surveillance camera installed in the room running round the clock, but hacking the recording computer is impossible. However, there’s a room next-door to the secret room accessible to other, regular guests of the hotel. During the meeting, a spy enters this adjacent room with a device which, for the sake of simplicity, we’ll consider to be a slightly modified radio receiver. This receiver gathers data that can be subsequently processed to reconstruct the video from the surveillance camera in the secret room!
How is this even possible? To understand this, let’s talk about TEMPEST attacks. This codename, coined by the U.S. National Security Agency, refers to methods of surveillance using unintentional radio emissions, plus countermeasures against those methods. This type of hardware vulnerability was first studied during… World War II. The U.S. Army used an automatic encryption device from the Bell Telephone Company: plaintext input was mixed with a pre-prepared random sequence of characters to produce an encrypted message. The device used electromagnetic relays — essentially large switches.
Think of a mechanical light switch: each time you use it, a spark jumps between its contacts. This electrical discharge generates radio waves. Someone at a distance could tune a radio receiver to a specific frequency and know when you turn the light on or off. This is called stray electromagnetic radiation — an inevitable byproduct of electrical devices.
In the case of the Bell encryption device, the switching of electromagnetic relays generated such interference that its operation could be detected from a considerable distance. And the nature of the interference permitted reconstruction of the encrypted text. Modern computers aren’t equipped with huge electromechanical switches, but they do still generate stray emissions. Each bit of data transmitted corresponds to a specific voltage applied to the respective electrical circuit, or its absence. Changing the voltage level generates interference that can be analyzed.
Research on TEMPEST has been classified for a long time. The first publicly accessible work was published in 1985. Dutch researcher Wim van Eck showed how stray emissions (also known as side-band electromagnetic emissions) from a computer monitor allow the reconstruction of the image displayed on it from a distance.
Images from radio noise
The authors of the recent study, however, work with much weaker and more complex electromagnetic interference. Compared to the encryption devices of the 1940s and computer monitors of the 1980s, data transmission speeds have increased significantly, and though there’s now more stray radiation, it’s weaker due to the miniaturization of components. However, the researchers benefit from the fact that video cameras have become ubiquitous, and their design — more or less standardized. A camera has a light-sensitive sensor — the raw data from which is usually transmitted to the graphics subsystem for further processing. It is this process of transmitting raw information that the authors of the research studied.
In some other recent experiments, researchers demonstrated that electromagnetic radiation generated by the data transmission from a video camera sensor can be used to determine the presence of a nearby camera — which is valuable information for protecting against unauthorized surveillance. But, as it turned out, much more information can be extracted from the interference.
The researchers had to study thoroughly the methods of data transmission between the video camera sensor and the data processing unit. Manufacturers use different transmission protocols for this. The frequently used MIPI CSI-2 interface transmits data line by line, from left to right — similar to how data is transmitted from a computer to a monitor (which that same Wim van Eck intercepted almost 40 years ago). The illustration above shows the experiments of the authors of the study. A high-contrast target with dark and light stripes running horizontally or vertically is placed in front of the camera. Next, the stray radiation in a certain frequency range (for example, 204 or 255 megahertz) is analyzed. You can see that the intensity of the radio emission correlates with the dark and light areas of the target.
This is essentially the whole attack: capture the stray radio emission from the video camera, analyze it, and reconstruct the unprotected image. However, in practice, it’s not that simple. The researchers were dealing with a very weak and noisy radio signal. To improve the picture, they used a neural network: by analyzing the sequence of stolen frames, it significantly improves the quality of the intercepted video. The result is a transition from “almost nothing is visible” to an excellent image, no worse than the original, except for a few artifacts typical of neural networks (and information about the color of objects is lost in any case).
EM Eye in practice
In numerous experiments with various video cameras, the researchers were able to intercept the video signal at distances of up to five meters. In real conditions, such interception would be complicated by a higher level of noise from neighboring devices. Computer monitors, which operate on a similar principle, “spoil” the signal from the video camera the most. As a recommendation to camera manufacturers, the authors of the study suggest improving the shielding of devices — even providing the results of an experiment in which shielding the vulnerable module with foil seriously degraded the quality of the intercepted image. Of course, a more effective solution would be to encrypt the data transmitted from the video camera sensor for further processing.
Pocket spy
But some of the researchers’ findings seem even more troubling. For example, the exact same interference is generated by the camera in your smartphone. OK, if someone starts following his target around with an antenna and a radio receiver, they’ll be noticed. But what if attackers give the potential victim, say, a slightly modified power bank? By definition, such a device is likely to stay close to the smartphone. When the victim decides to shoot a video or even take a photo, the advanced “bug” could confidently intercept the resulting image. The illustration below shows how serious the damage from such interception can be when, for example, photographing documents using a smartphone. The quality is good enough to read the text.
However, we don’t want to exaggerate the danger of such attacks. This research won’t lead to attackers going around stealing photos tomorrow. But such research is important: ideally, we should apply the same security measures to hardware vulnerabilities as we do to software ones. Otherwise, a situation may arise where all the software protection measures for these smartphone cameras will be useless against a hardware “bug” which, though complex, could be assembled entirely from components available at the nearest electronics store.