On Fri, May 31, 2002 at 10:14:18AM +0200, Ben Nagy wrote:
>
> Not trying to rain on anyone's parade, but do either of you guys have
> any references for those two scenarios, out of interest?
>

Nothing written down[1]... only verbal advice from our "spook" interface when I queried him about whether running wireless was acceptable or not.

> I'm interested in the possible TEMPEST [1] style attacks, because they
> really shouldn't be possible except for up extremely close,
>

OK, you are missing something here. Most equipment is not designed to emit RF at all so a TEMPEST attack has to rely on accidental radiation of signals that the equipment was never meant to radiate. This makes TEMPEST difficult because the radiation is very low level and requires sensitive equipment - even then some devices simply don't radiate enough. but....

> and
> certainly shouldn't leak as transmitted data, with any reasonable design
> of the AP. It should absolutely be possible to get some radiant EM
> signals from very nearby (inches), with very sensitive equipment, as
> with any device that receives data, but I see no reason why the AP would
> "shout" RF
>

And this is what you are missing... the AP is DESIGNED to output RF, it is its purpose in life... without the RF radiation the AP is a rather inefficient doorstop. Have a look at a very rough block diagram for a wireless network card:

+-----------+     +---------+      +-------------+
| interface |-----| network |------|     RF      |---> antenna
|   goop    |     |  goop   |      |  modulator  |
+-----------+     +---------+      +-------------+

OK this is really rough but hopefully you get the idea. The interesting thing here is the link between the RF Modulator and the network goop is an analogue interface, it is not an on or off thing, if there is noise present at the input to the modulator then it will be merrily modulated and spat out the antenna. Your tiny tempest signals have just been put onto the airwaves by a real RF transmitter making them much easier to pick up. Just think what you would get if the RF input somehow picked up the clocking of the 10BaseT lan port as noise...

Also, don't think just of an Access Point, think of a laptop with a wireless card in it. There is a hell of a lot more interesting noise that could be retransmitted from that.

[1] Well... maybe there is. I may be mistaken but I do believe that in "Spycatcher" there was a story about a certain embassy's encryptor that had an interesting habit of leaking the unencrypted data at a lower level on to the encrypted data channel, all the spies had to do was filter off the encrypted data to pick up the unencrypted information.

-- 
Brett Lymn