On Fri, May 31, 2002 at 10:14:18AM +0200, Ben Nagy wrote:
> 
> Not trying to rain on anyone's parade, but do either of you guys have
> any references for those two scenarios, out of interest?
>

Nothing written down[1]... only verbal advice from our "spook" interface
when I queried him about whether running wireless was acceptable or
not.
 
> I'm interested in the possible TEMPEST [1] style attacks, because they
> really shouldn't be possible except for up extremely close,
>

OK, you are missing something here.  Most equipment is not designed to
emit RF at all, so a TEMPEST attack has to rely on accidental radiation
of signals that the equipment was never meant to radiate.  This makes
TEMPEST difficult because the radiation is very low level and requires
sensitive equipment - even then some devices simply don't radiate
enough.  But....

> and
> certainly shouldn't leak as transmitted data, with any reasonable design
> of the AP. It should absolutely be possible to get some radiant EM
> signals from very nearby (inches), with very sensitive equipment, as
> with any device that receives data, but I see no reason why the AP would
> "shout" RF
>

And this is what you are missing... the AP is DESIGNED to output RF;
it is its purpose in life... without the RF radiation the AP is a
rather inefficient doorstop.  Have a look at a very rough block
diagram for a wireless network card:


        +-----------+     +---------+      +-------------+
        | interface |-----| network |------|     RF      |---> antenna
        |   goop    |     |   goop  |      |  modulator  |
        +-----------+     +---------+      +-------------+


OK, this is really rough, but hopefully you get the idea.  The
interesting thing here is that the link between the RF modulator and the
network goop is an analogue interface; it is not an on-or-off thing.
If there is noise present at the input to the modulator then it will
be merrily modulated and spat out the antenna.  Your tiny TEMPEST
signals have just been put onto the airwaves by a real RF transmitter,
making them much easier to pick up.  Just think what you would get if
the RF input somehow picked up the clocking of the 10BaseT LAN port as
noise...

Also, don't think just of an Access Point, think of a laptop with a
wireless card in it.  There is a hell of a lot more interesting noise
that could be retransmitted from that.

[1] Well... maybe there is.  I may be mistaken, but I do believe that
in "Spycatcher" there was a story about a certain embassy's encryptor
that had an interesting habit of leaking the unencrypted data at a
lower level on to the encrypted data channel; all the spies had to do
was filter off the encrypted data to pick up the unencrypted
information.

-- 
Brett Lymn
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
For Account Management (unsubscribe, get/change password, etc) Please go to:
http://lists.gnac.net/mailman/listinfo/firewalls
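The mechanism Brett describes above (a low-level signal coupled into the modulator's analogue input rides out as a sideband of the real carrier, and the listener recovers it by filtering off the intended data, which is also the trick in the Spycatcher footnote) as an added Python simulation. This is example code written for this page, not anything from the original post or from any wireless vendor. The sample rate, carrier, modulation index, the 1 kHz square-wave "data" and the 40 dB-down 2.2 kHz "leak" tone are all constructed values; the AM modulator is a stand-in for whatever modulation a real card uses, and the example generalizes the 10BaseT clock case to any stray tone that lands between the data's harmonics.

```python
"""Toy model of a low-level leak riding out through a real transmitter.

Added example, not from the original post. A small 'leak' tone (standing
in for something like a LAN clock coupled into the modulator input) is
summed with the intended data before an AM modulator. The receiver mixes
the RF back to baseband and then measures the tone at the leak frequency,
which the intended data does not occupy, i.e. it 'filters off' the data.
All frequencies, amplitudes and the modulation index are assumed values,
chosen so that every tone is an exact multiple of the 10 ms window's
fundamental (100 Hz), which makes the tone measurements exact.
"""
import math

FS = 100_000      # sample rate in Hz (assumed)
N = 1_000         # analysis window: 10 ms, so 100 Hz bin spacing
FC = 20_000       # carrier in Hz (assumed stand-in for the radio carrier)
F_DATA = 1_000    # intended data: +/-1 square wave, harmonics of 1 kHz only
F_LEAK = 2_200    # leak tone in Hz; lands between the data harmonics
A_LEAK = 0.01     # leak is 40 dB below the data signal (assumed)
M = 0.5           # modulation index (assumed)


def data_signal(n):
    """Intended baseband sample: 50 % duty square wave at F_DATA."""
    period = FS // F_DATA
    return 1.0 if (n % period) < period // 2 else -1.0


def leak_signal(n):
    """Unwanted signal coupled into the modulator input (constructed)."""
    return A_LEAK * math.cos(2 * math.pi * F_LEAK * n / FS)


def baseband(with_leak):
    """What actually arrives at the modulator input: data plus whatever
    else is present on the analogue line."""
    return [data_signal(n) + (leak_signal(n) if with_leak else 0.0)
            for n in range(N)]


def modulate(baseband_samples):
    """AM modulator: (1 + M*x) * carrier. The input is analogue, so the
    leak is multiplied onto the carrier exactly like the wanted data."""
    return [(1.0 + M * x) * math.cos(2 * math.pi * FC * n / FS)
            for n, x in enumerate(baseband_samples)]


def demodulate(rf):
    """Coherent AM receiver: mix with the carrier. The image at 2*FC lands
    well away from F_LEAK, so tone_amplitude() at F_LEAK ignores it."""
    return [2.0 * s * math.cos(2 * math.pi * FC * n / FS)
            for n, s in enumerate(rf)]


def tone_amplitude(x, f):
    """Amplitude of the sinusoid at f Hz in x: correlate with a quadrature
    pair over an integer number of periods. This is the narrowband
    'filter' that discards the data and keeps only the leak bin."""
    i = sum(v * math.cos(2 * math.pi * f * n / FS) for n, v in enumerate(x))
    q = sum(v * math.sin(2 * math.pi * f * n / FS) for n, v in enumerate(x))
    return 2.0 * math.hypot(i, q) / len(x)


def rf_sideband(with_leak=True):
    """What a listener sees on the air at FC + F_LEAK: the leak shows up
    as a sideband of the transmitter's own carrier (M*A_LEAK/2)."""
    return tone_amplitude(modulate(baseband(with_leak)), FC + F_LEAK)


def recovered_leak(with_leak=True):
    """Leak amplitude after demodulating and filtering off the data:
    M*A_LEAK with the leak present, ~0 without it."""
    return tone_amplitude(demodulate(modulate(baseband(with_leak))), F_LEAK)


if __name__ == "__main__":
    print(f"on-air sideband at {FC + F_LEAK} Hz: {rf_sideband():.4f}")
    print(f"recovered leak:    {recovered_leak():.4f}")
    print(f"control (no leak): {recovered_leak(False):.2e}")
    data_level = tone_amplitude(demodulate(modulate(baseband(True))), F_DATA)
    print(f"data fundamental:  {data_level:.4f}")
```

The point the numbers make is the one in the post: the leak never had to radiate on its own. Once it is on the modulator input it is carried at full transmitter power as an ordinary sideband, and a receiver that already demodulates the link only has to look in a bin the data leaves empty. The control run without the leak shows that bin at the numerical noise floor, so anything above it is signal that was never meant to be transmitted.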
