Deep-TEMPEST Reveals All
Deep-TEMPEST is an exploit that leverages an SDR receiver and deep learning to wirelessly reveal what is being displayed on an HDMI monitor.
Technology as a whole is a very fast-moving field, and cybersecurity is one of the fastest moving areas within the field. Every day new security threats are uncovered, and following closely on their heels are software updates meant to prevent them from being exploited. Those who keep up with the latest news and research in cybersecurity, immediately patch all of their machines, set long, random passwords that would take decades to crack by brute force, and enable two-factor authentication wherever possible may feel like they are pretty safe. But while these are all great steps to take, lessons from the past tell us that there is always something we are overlooking.
Highly motivated malicious hackers are very crafty individuals, and always seem to find some obscure attack vector that is unprotected. Side-channel attacks are some of the most difficult to protect a system from. Traditional measures, like strong authentication and encryption, can be powerless to combat them. These attacks exploit information that is leaked from a system through factors like power consumption patterns or electromagnetic radiation.
Among the most dangerous of all side-channel attacks are those that can reveal what is being displayed on a monitor. These attacks are by no means new — they have existed at least since the 1980s. As monitor technologies have changed, so have the exploits, but one thing that has remained constant is that the resolution of the reconstructed images has been fairly low. This has made it generally impractical to reconstruct fine details, such as those that would be needed to read text.
That is no longer the case, however, after the release of an exploit called Deep-TEMPEST by a team at the University of the Republic in Montevideo. The researchers built upon an existing side-channel attack, called gr-tempest, which spies on unintended electromagnetic emanations from HDMI displays and uses those signals to reconstruct the content of the display. But while the reconstructed images from gr-tempest are grainy and do a poor job of revealing text, the output of Deep-TEMPEST is quite clear and can reveal most text.
As a first step, Deep-TEMPEST remotely captures the electromagnetic emanations of an HDMI monitor by using a software-defined radio (SDR) receiver and processes them with gr-tempest. The team’s primary innovation involves using a deep convolutional neural network to then translate these grainy results into a high-resolution reconstructed image of the HDMI display’s current state. This neural network was trained to do this job with a large dataset consisting of real and simulated data that demonstrated how to map the rough results to clear images.
Images produced by Deep-TEMPEST are very clear, and it was demonstrated that, when evaluating text, the average character error rate was 60 percent better than what was possible to achieve with previous techniques.
The team suggested a few countermeasures that could prevent a Deep-TEMPEST attack. First, they note that inserting low-level noise into the image displayed on the monitor would significantly degrade the reconstructed images, likely to the point that text could not be read. They also note that adding a color gradient to the background of images can foil the attack; however, this approach is more perceptible to users, so it would generally be less desirable.
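The two countermeasures described above, applied to an in-memory RGB frame, as an added example that is not code from the researchers or from the Deep-TEMPEST repository. The frame layout (rows of `(r, g, b)` tuples), the function names, the noise amplitude and the gradient span are all assumptions chosen for illustration; the article gives no parameters.

```python
import random

def add_low_level_noise(frame, amplitude=4, seed=None):
    """Copy of frame with uniform noise in [-amplitude, +amplitude] added to
    every colour channel, clamped to 0..255 (amplitude is an assumed value)."""
    rng = random.Random(seed)
    return [[tuple(min(255, max(0, c + rng.randint(-amplitude, amplitude)))
                   for c in px) for px in row] for row in frame]

def add_background_gradient(frame, background, span=48):
    """Copy of frame where pixels equal to `background` get a horizontal
    gradient of `span` levels from left to right edge; text is untouched."""
    width = len(frame[0])
    # Darken bright backgrounds and brighten dark ones, so clamping at
    # 0 or 255 never flattens the gradient back into a uniform colour.
    sign = -1 if sum(background) >= 384 else 1
    out = []
    for row in frame:
        new_row = []
        for x, px in enumerate(row):
            if px == background:
                shift = sign * (span * x // max(1, width - 1))
                px = tuple(min(255, max(0, c + shift)) for c in px)
            new_row.append(px)
        out.append(new_row)
    return out

def make_sample_frame(width=64, height=8, fg=(0, 0, 0), bg=(255, 255, 255)):
    """Constructed sample input: uniform background with a 4-pixel 'text' stripe."""
    return [[fg if 20 <= x < 24 else bg for x in range(width)]
            for _ in range(height)]

def max_channel_delta(a, b):
    """Largest per-channel difference between two frames of equal size."""
    return max(abs(ca - cb) for ra, rb in zip(a, b)
               for pa, pb in zip(ra, rb) for ca, cb in zip(pa, pb))

if __name__ == "__main__":
    frame = make_sample_frame()
    noisy = add_low_level_noise(frame, amplitude=4, seed=1)
    graded = add_background_gradient(frame, (255, 255, 255), span=48)
    print("max noise delta:", max_channel_delta(frame, noisy))
    print("gradient left/right:", graded[0][0], graded[0][-1])
    print("text pixel kept:", graded[0][20])
```
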
The source code and training data have been open-sourced and are available for download for anyone who would like to experiment with Deep-TEMPEST, or look for methods to defeat it.