The threat of information theft by reception of electromagnetic radiation from RS-232 cables.
It is a well-known fact that electronic equipment emits unwanted electromagnetic radiation which can disturb radio reception in the vicinity of the equipment. Until recently it was less generally realized that radiation arising from data processing equipment may contain private information which may be interceptable by an interested party.
Research into the possibility of picking up the electromagnetic radiation originating from video display units (VDUs) made clear that this type of information theft can be committed very easily. It is not only this type of equipment which is vulnerable to interception at a distance. Experiments on eavesdropping RS-232 cable signals prove that it is possible in some cases to intercept data signals running along an RS-232 cable by picking up and decoding the electromagnetic radiation produced by the cable.
This report gives the results of these experiments and of research into the underlying mechanisms. The results show that, compared with the VDU case, RS-232 eavesdropping has significantly different consequences for information security.
When an RS-232 interface cable connection forms part of the equipment configuration, there are many factors acting in favor of the eavesdropper, the most important being the following:
* The bit amplitude of an RS-232 data signal is relatively large compared with the levels of the logic signals used in the inner circuits of the equipment.
* The rise and fall times of the data signal are very short. Consequently, they correspond to high-frequency components resulting in considerable radiation.
* The RS-232 interface connection is unbalanced with respect to earth. This inherent unbalance will contribute to a high level of radiation.
* In many cases, the RS-232 cables are not shielded or the shield is not adequately connected to the equipment, so that those cables behave like unshielded cables.
* Inner walls (without metal grids) do not affect radiation levels significantly at frequencies of interest (below 200 MHz).
* The data are serially transported along the RS-232 cable, which makes it easy to recognize the individual bits. Usually, the data are coded in well-known character sets (like ASCII). This makes it very easy to decode the reconstructed bits.
* The data are often structured by the legal user; therefore, they are easily interpreted.
* The data signal is transmitted at bit rates which are low (300, 600, 1,200 bits/s) compared with the Nyquist rate corresponding to the bandwidth of a standard radio receiver (AM about 5 kHz, FM about 75 kHz). Therefore, in principle, the data signal can be detected even with the help of a standard pocket radio receiver. At the same time the data can be recorded on tape with the help of an ordinary cassette recorder.
In addition to these risk factors, there is an important reason for looking into the interception of RS-232 data; it may contain very sensitive information such as passwords, user codes and financial transactions.
A possible mechanism by which information-bearing emanation may occur is an unintended conversion of the transmitted (differential mode) signal V_t into a common mode current I_cm. This current, together with the area it encloses, forms a magnetic dipole which radiates into the uncontrolled environment. This mechanism is shown in Figure 1.
In this figure, a communication system (i.e., a terminal-terminal or a PC-modem connection) is represented by two boxes (transmitter and receiver) and an interconnecting RS-232 cable. The cable conductors associated with the signaling have been omitted. A second simplification is the absence of the coupling between the two resulting signal conductors. For the most commonly used RS-232 cables this omission makes no significant difference to the field strength calculation presented below. Furthermore, we have assumed that the transmitter is grounded and the receiver is not.
When no ground connection exists, there will be a certain amount of parasitic capacitance between the equipment and the ground plane (in the case of table-top equipment typically 100 pF). In practice, the inductance of a conductor is not zero but about 1 µH/m; therefore, the differential mode current I_dm will flow partly through L_w and partly through C_p and the reference plane. We assume that the wavelengths Λ of the frequency components of interest in V_t are large compared with the dimensions of the system configuration. In that case it is permitted to base our calculations of the currents which act as sources of radiation on network theory. In addition, the radiating source can be considered as a magnetic dipole consisting of I_cm enclosing an area A. This radiator will cause an electric field in the free half-space above the conducting earth plane with a spectrum according to: [Mathematical Expression Omitted] where r is the separation distance in the direction of maximum radiated power. The bit information of V_t appears in the radiation via I_cm. The maximum value of I_cm(f) appears at the resonance frequency: [Mathematical Expression Omitted]
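The lumped-circuit picture above can be made concrete with a small model. This is an added example, not code from the paper: it assumes the two return paths for I_dm (the ground conductor with inductance L_w, and the parasitic capacitance C_p plus the reference plane) act as a current divider, uses the typical values quoted in the text (about 1 µH/m and 100 pF), and adds an assumed 10 Ω series loss so the peak at resonance stays finite. The 5 m and 10 m cable lengths are the two cases plotted in Figure 2.

```python
import math

# Typical values quoted in the text; the loss resistance is an assumption of
# this added model, not a value from the paper.
L_PER_METRE = 1e-6      # H/m, conductor inductance (text: about 1 uH/m)
C_PARASITIC = 100e-12   # F, floating unit to ground plane (text: about 100 pF)
R_LOSS = 10.0           # ohm, assumed series loss bounding the resonance peak


def resonance_frequency(cable_len_m, c_p=C_PARASITIC):
    """Frequency at which the ground-conductor inductance L_w resonates with
    C_p: f = 1 / (2*pi*sqrt(L_w*C_p)). This is where I_cm is largest."""
    l_w = L_PER_METRE * cable_len_m
    return 1.0 / (2.0 * math.pi * math.sqrt(l_w * c_p))


def common_mode_ratio(freq_hz, cable_len_m, c_p=C_PARASITIC, r_loss=R_LOSS):
    """|I_cm / I_dm| for the Figure 1 configuration (transmitter grounded,
    receiver floating). I_dm returns either via the ground conductor
    (R_loss + j*w*L_w) or via C_p and the reference plane. The share taking
    the C_p route is the common-mode current that radiates."""
    w = 2.0 * math.pi * freq_hz
    z_wire = complex(r_loss, w * L_PER_METRE * cable_len_m)
    z_plane = complex(0.0, -1.0 / (w * c_p))
    return abs(z_wire / (z_wire + z_plane))


def peak_by_sweep(cable_len_m, f_start=1e6, f_stop=30e6, steps=2900):
    """Brute-force sweep of |I_cm/I_dm| in 10 kHz steps; returns the
    (frequency, ratio) of the maximum as a cross-check of the closed form."""
    best_f, best_r = f_start, 0.0
    for i in range(steps + 1):
        f = f_start + (f_stop - f_start) * i / steps
        r = common_mode_ratio(f, cable_len_m)
        if r > best_r:
            best_f, best_r = f, r
    return best_f, best_r


if __name__ == "__main__":
    for length in (5.0, 10.0):
        f_res = resonance_frequency(length)
        f_pk, ratio_pk = peak_by_sweep(length)
        print(f"{length:4.0f} m cable: f_res = {f_res / 1e6:5.2f} MHz, "
              f"sweep peak {f_pk / 1e6:5.2f} MHz, |I_cm/I_dm| = {ratio_pk:5.1f}, "
              f"ratio at 0.3 MHz = {common_mode_ratio(3e5, length):.4f}")
```

Near resonance the common-mode current exceeds the differential-mode current by roughly the circuit's Q factor, which is why the page treats the resonance frequency as the worst case and why grounding or shielding that removes the resonance matters more than the signal amplitude itself.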
To calculate the bit error rate P_e of the intercepted data we use the following well-known expression for P_e:

P_e = Q(Λ/2)
In Figure 2, the bit error rate of the intercepted data signal is shown for the typical values of the signal and system parameters.
The two curves correspond to 5 m and 10 m lengths of the RS-232 cable. We see that in the case of A = 10 m² the original data stream can be intercepted very well at a separation distance of 7 m. This conclusion also holds for the situation where both transmitter and receiver are "floating" (i.e., they have no galvanic connection to the reference). On the other hand, if both terminals are grounded no significant resonances will appear and the radiation level seems to be safe at all frequencies for typical values of the source impedance of V_t and the load impedance of the receiver (5 kΩ). However, for values that deviate (for instance much lower values of source and load impedance), the radiation may reach an intolerable level.
It has to be emphasized that these conclusions are based on a theoretical model of a typical equipment configuration only. As such they are not suitable for the evaluation of individual configurations as installed in practice: the system parameter values may differ significantly among systems, and P_e is very sensitive to these parameter variations. The main purpose of this analysis is to demonstrate the potential danger of RS-232 eavesdropping in general.
A test configuration consisting of two ASCII terminals communicating via an unshielded, twisted RS-232 cable of 3 m length was considered. Both terminals were placed on a table 3 m apart and connected to the mains via a 2 m mains lead. The transmitting terminal sent a continuous sequence of the ASCII character "d" in "REPEAT-MODE."
The signal was detected 7 m away with a pocket radio receiver tuned to 16 MHz (short-wave band). Although the signs of the transitions were lost in the AM envelope detection process, it was clear that an eavesdropper would be able to reconstruct the original data from the received signal.
In addition to reception in the short-wave band, it was possible to detect the transmitted ASCII characters in the FM band at harmonics of the system clock signal. The presence of these modulations of the data signal in the radiation cannot be explained by the mechanism described above. Because modulation is a nonlinear process, this phenomenon indicates that this kind of information-bearing radiation arises from unintentional modulation of the clock signal by the RS-232 signal. It is not feasible to evaluate the amplitude levels of these undesirable components by calculating every internal coupling. Therefore we must restrict ourselves to a pragmatic, experimental approach.
Further experiments were carried out to find out whether the phenomena described in this paper were merely incidental, or whether other equipment operating in different configurations on different sites would radiate information in the same way. Seven different sites were examined; at each, the maximum separation distance was assessed for a bit error rate of approximately 0.01 with the help of a standard AM/FM radio receiver equipped with a simple whip antenna 1 m long. A hard-limiter circuit was used to reconstruct the detected data. On each site, two situations were examined: in one case an unshielded RS-232 cable was installed, and in the other case a shielded cable. The results are shown in Table 1. [Tabular Data Omitted]
Only at one site was the shielding effectiveness significant. Radio signals could be detected at a distance in all cases, visually correlating with the original data stream. However, at three sites the data could not be reconstructed with just the aid of a simple level detector. At the remaining sites, the data could be reconstructed with level detection at distances varying from 6 to 9 m. A PC-modem connection placed in a living room could be intercepted in the bedroom of an adjacent house!
Data signals transmitted along an RS-232 cable connection may be vulnerable to interception at a distance. The distance at which interception of data is possible is limited to several meters, while in the VDU case separation distances may be much larger. On the other hand, the receiver and recording equipment necessary for intercepting RS-232 data signals are very small, simple and cheap compared with the equipment needed for the interception of video signals. Besides that there is another very significant difference: in the VDU case the intercepted information is limited to the information appearing on the originating VDU screen. As a security measure this video display information seldom contains passwords; passwords are normally entered in "echo-off" mode. Although passwords do not appear on the screen, they are (of course) always transmitted along the RS-232 cable. Because of this fact and the risk factors mentioned in the introduction, we have to take special account of the RS-232 eavesdropping possibilities in vulnerability studies.
Figure 1: Two-box representation of a communication system.
Figure 2: The bit error rate of intercepted data.
Peter Smulders is with the Telecommunications Division of Eindhoven University of Technology.
Title annotation: EW Design Engineers' Handbook & Manufacturers Directory
Publication: Journal of Electronic Defense
Date: Jan 1, 1992