Evaluating the Information Content of the Computer Monitor Radio Frequency

Radiation Using a Simple Technique.

Anatol Wiesner, Member, IEEE
Wiesner Associates, Postfach 301562, Berlin, Germany.
Email: Sig346@netscape.net

Abstract -This paper sets up to discuss meth- and modulated with pixel values Vp (t).
ods and techniques for evaluating the feasibil-
ity of a remote reconstruction of the image on
a target computer monitor by demodulating
its radio frequency (RF) radiation. A simple
technique is proposed, based on an RF narrow-
band demodulation scan and synchronous FFT
analysis of the demodulated baseband signal.
A distinctive FFT signature of the frequency
components around the nominal value of the
horizontal pixel refreshment frequency of the
target monitor may be taken as an indication of
a security risk. The paper summarizes prelim-
inary experimental results obtained with the
proposed method.
Computer screen is the most important human-
Fig.1. RF radiation intercepted from 3 computer moni-
machine interface and the ability to restore its infor-
tors, differential scan:a- Brand1, b- Brand2, c- Brand3.
mational content from its electromagnetic radiation
may compromise every data security effort. Current
Proper visualization and monitor matrix control
regulatory requirements pertain to radiated radio fre-
require the convolution of the pixel stream with two
quency (RF) energy, its spectral density or a normal-
blanking signals, having pulse widths th = tp (xt − xd )
ized field strength, leaving the informational aspect
and tv = tp (yt − yd ), where xt , yt , xd , yd are respec-
beyond the scope of certification. This necessitates
tively width and height of the display pixel field and
the development of appropriate methods and systems
actual display image, th , tv are horizontal and vertical
for evaluating the risk of radiated RF energy being
blanking pulse widths.
received and decoded by unauthorized persons.
Convolution with the horizontal and vertical
Detailed analysis of the monitor radiation sources
blanking signals yields spectrum components:
is beyond the scope of this paper, but apparently,
more than one mechanism of computer monitor RF +∞
sin πtp Δxf 
radiation from modern TFT monitors exist. Most Sh (f ) = tp Δx V (f − ifh ) (2)
”natural” would be a direct radiation of pixel spec- πtp Δxf i=−∞
tral components F (V p(t)) in an analog (VGA) mode
or their equivalents F (V p(t))*F (H(t)) in a digital and
(DVI) mode (V p(t) is pixel envelope signal, H(t) is +∞
sin πtp Δyf 
a function of Hemming Weight of pixel digital stream Sv (f ) = tp Δy V (f − ifv ), (3)
against time, F denotes Fourier transform and * de- πtp Δyf i=−∞
notes convolution). Pixel spectral components Sp (f )
can be written in the form [1,2] where Δx = xt − xd , Δy = yt − yd , fh , fv are respec-
tively horizontal and vertical frequencies.
+∞
sin πtp f  Combined spectrum of the radiated monitor signal
Sp (f ) = tp V (f − ifp ), (1) now can be represented as:
πtp f i=−∞
Sm (f ) = Sp (f ) · Sh (f ) · Sv (f ) · T (f ), (4)
where tp , fp denote respectively pixel pulse width and
pixel clock frequency. where T (f ) is a transfer function, which reflects RF
Spectral components Vp (f ) are repeated through- radiation properties of the monitor.
out RF spectrum around the frequencies equal to It can be seen, that while Sp (f ) generates spec-
monitor pixel frequency fp and its higher harmonics trum lines equal to pixel clock frequency fp and
1
its higher harmonics, Sh (f ) adds components (side-
bands) around fp equal to horizontal pixel frequency
fh and its higher harmonics and Sv (f ) adds further
spectrum lines around fh equal to vertical refreshment
frequency fv and its higher harmonics. Due to their
limited bandwidth two latter components are accessi-
ble using conventional technique employing RF scan
and used here for evaluation of the computer monitor
RF radiation.
Fig.2. A cluster of frequencies around a horizontal re-
freshment frequency of the monitor, a: frequency span
35-85KHz, b: frequency span 4KHz, c: frequency span
200Hz.
Radio frequency scan as it is known in classi-
cal EMI, EMC (Electromagnetic Interference & Com-
pliance Test) and countermeasure techniques [3] can
yield some highly confusing and even misleading re-
sults due to a broadband nature of the signal of in-
terest and to the fact, that not all components of ra-
diated energy contain information about the image
on the monitor. Figs 1a to 1c depict radiation level
plots against frequency obtained by a differential scan
(target computer ON/OFF) made with the Rockwell
Collins 95S1A Digital Receiver and Rohde&Schwarz
ECM Log Periodic Antenna placed 5m from computer
monitors of three different brands. Applying standard
countermeasure criterium (maximal eye pattern open-
ing) brand 2 could be classified as a monitor present-
ing maximal security risk. However, further analysis
presented here shows, that brand 1 presents by far a
greater security risk, since its RF radiation contains
more information about the image on its monitor.
The most straightforward way of the information
content evaluation would be an attempt to remotely
restore some test image on a target computer screen
from demodulated RF energy picked from the moni-
2
tor. This attitude would require following the eaves-
dropping technique with all its highly specialized and
costy equipment and can not be justified by the pur-
pose.
Fig.3. A typical signature of the signal from FFT Monitor
backlight converter.
The information obtained from the RF scan rep-
resents the distribution of the radiated energy against
radio frequency. This energy may contain or may
not contain any information on the image on a target
monitor. In fact, a major part of the radiated RF en-
ergy may come from a system electronics like backlight
voltage converter of the TFT monitor, switched power
supply, data bus and the like, and even from a jam-
mer, purposely integrated into a target system. RF
radiation from these sources contains no information
on the image on a target monitor. Hence, some fur-
ther criterium is required to determine as to whether
intercepted RF energy contains any information about
the image on a target monitor, and if so, around what
frequency and in what demodulation bandwidth this
information content is maximal.
Our survey based on radiation measurement and
rasterization of the demodulated RF signal from more
than 50 different combinations of computers and mon-
itors of major brands represented on the market
showed, that every combination producing RF radi-
ation with restorable information content also pro-
duces some degree of RF radiation, which is mod-
ulated with horizontal pixel refreshment frequency.
This modulation can be detected with a scanning re-
ceiver having demodulation bandwidth from approxi-
mately 200KHz up to 50 MHz and more and analyz-
ing the demodulated baseband signal. But presence
of the horizontal pixel refreshment component in the
baseband signal spectrum alone was not sufficient for
a successful remote information content restoration.
The proposed here criterium for information con-
tent evaluation is the presence in the baseband spec-
trum of the intercepted RF signal of the group of
equidistant frequency components (cluster) around a
frequency equal to a nominal horizontal refreshment
frequency of the monitor, with a step between said
components equal to nominal value of monitor ver-
tical refreshment frequency. Baseband signal can be
obtained either by a direct RF to baseband conversion,
or by means of heterodyning and AM demodulation
on the intermediate frequency.
Fig.4. A synchronized RF scan/FFT waterfall diagram
for 210 - 310MHz.
Since the nominal values of horizontal and vertical
video monitor refreshment frequencies are known, an-
alyzing baseband spectrum of the intercepted RF sig-
nal within 45 to 100KHz frequency band, the presence
of a group of frequency components can be detected
on an FFT spectrum plot (SP) or/and by its typical
signature on a waterfall diagram (WFD), as shown in
Fig. 2, where a typical spectrum plot and associated
WFD of a demodulated signal comming from target
monitor are shown.
Zooming the SP and WFD may reveal the struc-
ture of the cluster in more detail, as shown in Fig.
2 b, c. The cluster of frequencies has a distinctive
signature and differs from other components usually
intercepted from the same system, since it is nor-
mally more stable as compared to components com-
ming from TFT backlight converter or power supply,
and contrary to other components it has a discrete and
equidistant spectrum, easily seen on FFT waterfall di-
agram. Other RF radiations from the same system
or from the same monitor, containing no information
about the image on the monitor have different signa-
tures, mostly of a pseudo-noise or continuous charac-
ter, as shown in Fig. 3 for a typical signal comming
from the same monitor, but generated by its backlight
voltage converter.
The range of radio frequencies where this clus-
tered signal is maximal can be obtained with a RF
scan synchronized with an FFT analyzer and observ-
ing demodulated output on the waterfall diagram as
shown in the Fig. 4. It can be seen from Fig 4, that
for the display under test the cluster centered at hor-
izontal refreshment frequency appears on the WFD
between 260 and 310MHz and the energy of the clus-
3
ter reaches its maximum at approximately 269MHz
and 301MHz.
Fig.5. Typical signature of the demodulated RF signal for
different images on the screen: PDF text, default Win-
dows screen, Word text, JPG image (left to right).
The information content of the monitor radiation
is proportional to the number of discernible spectrum
lines and to the RF span where the cluster is de-
tectable. If the scan is made using a conventional mea-
surement receiver (Rockwell Collins, Rohde&Schwarz
or similar) with a demodulation bandwidth 300KHz,
the following evaluation metric can be used for moni-
tor comparison:
+kΔf 
f1  N
IM = SN Ri , (5)
f1 i=1
where N > 2 is the number of discernible spectrum
lines with signal-to-noise ratio more than 2, SN Ri
is signal-to-noise ratio in i−th spectral line averaged
thru 1MHz scanning frequency band, f1 is starting
frequency of the RF scan and k and Δf are number
of scanning steps and scanning step respectively.
In other words, the proposed information content
metric is based on the product of the number of spec-
trum lines in demodulated RF signal, weighted ac-
cording to the power level of the cluster. The calcula-
tion of the IM can be performed by the FFT analyzer
in a similar way as signal-to-noise ratio and third or-
der distortion are measured in acoustic measurement
software [5,6].
Normally, these spectrum lines can be detected in
more than one RF band, so to obtain a right value of
IM the check must be made in every RF range where
they appear in the demodulated signal and the aggre-
gate bandwidth must be taken for calculation. This
must be done, since the proposed method is based
on an RF scan with demodulation bandwidth much
narrower than is normally required for image recon-
struction (300KHz vs 10 - 100MHz).
 Since the RF radiation level and its content de-
pend on too many factors to be encountered (cabling
layout, type of video interface, system configuration
etc), the measurement must be done on-site, with all
system and network interconnections in place.
Fig.6. Original image on the screen and rasterized in-
tercepted RF signal: a: original image, b: Brand1, DVI
interface, c: Brand2, VGA interface.
Ideally, according to Nyquist criterium, demodu-
lated bandwidth should equal to the pixel frequency
of a target monitor, which is far beyond any practi-
cal limit, bearing in mind typical pixel frequencies of
modern monitors ranging from 50MHz to 200MHz.
However, for reconstruction of static images (e.g.
drawings, text fonts), the repetitive nature of the spec-
trum of a video signal can be exploited, such reducing
4
the necessary demodulation bandwidth to a fraction
of a pixel frequency and thus, enhancing achievable
signal-to-noise ratio. Depending on local environmen-
tal conditions, the demodulation bandwidth of 10MHz
to 100MHz may be considered as sufficient for success-
ful image reconstruction.
The number of discernible spectrum lines and their
intensity distribution also depends on the image on
the target monitor, hence, for reference purposes it
would be reasonable to make comparison tests with
the same image on the screen, say, a text file with No.
15 fonts. Fig. 5 shows spectrum lines distribution ob-
tained from a target monitor for different images on
the screen: PDF text, default Windows screen, Word
text, JPG image (left to right). It is seen from this
example, that albeit the distribution of spectrum lines
is different for any particular file, the number of dis-
cernible lines for a text image remains approximately
the same.
To evaluate the proposed method the intercepted
RF radiation was demodulated and rasterized for dif-
ferent computer/monitor combinations, featuring IM
as measured above from 200 to 10000. A purposely
designed receiver [4] was used in the experiments.
The signal was rasterized with Dynamic Sciences RG-
1000 Raster Generator driven by a purposely designed
FFT-based synchronization extraction system. The
RF signal was intercepted from behind the 27cm brick
load-bearing wall, approximately 5m away from a tar-
get monitor.
For systems with IM below 300 the raw image
quality was not sufficient for any content extraction
even using frame averaging, hence this level of threat
can be considered as the lower boundary of the in-
formation content in RF radiation when checked with
the proposed method, at least in a constellation de-
scribed here. The raw reconstructed image for sys-
tems with IM more than 1000 was good enough to
make a content extraction feasible, and for systems
with IM above 5000 the information about the image
on a target screen was accessible even without frame
averaging.
Fig. 6 shows raw images obtained from two sys-
tems, one having IM = 300 and VGA video interface
(Fig6 c, associated RF scan is shown in Fig. 1b, Brand
2), another with IM = 3000 and DVI video interface
(Fig 6 b, RF scan of Fig 1a, Brand 1), along with an
original file on the screen. The monitor of both com-
puters was connected to the system with a high grade
double shielded cable.
Intercepted image in Fig. 6b was obtained
with demodulated bandwidth 40MHz around the ra-
dio frequency 270MHz, and in Fig. 6c with de-
modulated bandwidth 50MHz around the frequency
320MHz. These center frequency/bandwidth combi-
nations yielded the best reconstructed image quality
in spite of some contamination by terrestrial narrow-
band radio signals.
The images in Fig. 6b and 6c were obtained by
direct rasterization of the intercepted RF signal. Fur-
ther enhancement of the image quality can be per-
formed using frame averaging, yielding a processing
gain of Gp = 10dB · lgM , where M is a number of
frames. Applying frame averaging to image in Fig. 6b
makes it readable with a little guess work at M = 100.
The line drawings in the same file became completely
readable starting from M = 10.
To evaluate the range from which computer screen
image could be intercepted, the proposed evaluation
must be made with an antenna featuring an appro-
priate gain. No extrapolation would be productive
here. It should be pointed out, that the achievable
eavesdropping operating range is highly exaggerated
in open literature. RF signal interception from a com-
puter monitor requires a broadband antenna, operat-
ing in the range of 200 to 1000MHz. Even a moder-
ate bandwidth antenna covering 200 to 500MHz can-
not be made small enough not to catch an attention.
Such an LPDA antenna with measuring 85cm x 100
cm would have a gain approximately 7,5dBi. To get
11dBi gain, two stacked LPDA with stack distance
80cm are needed. And such an antenna would have
the gain of 11dBi provided there are no electrically
conductive items in its reactive zone, that is within
70 cm from every side, so it will not work if hidden
in a minibus. All other antenna configurations do not
have sufficient bandwidth (e.g. Yagis) or mechanically
even bigger than LPDA (e.g. helix). Therefore, a test
with a 12 compact element LPDA would be sufficient
to evaluate the security threat level for a variety of
practical applications.
The proposed method of information content eval-
uation in the computer monitor RF radiation can be
realized using accessible equipment, such as a combi-
nation of a scanning receiver and a software defined
demodulator (e.g. SDR-14, SDR-1000). Although
some aspects of the evaluation are up to the inter-
pretation of the operator, and not always there is a
clear go/nogo decision to be concluded, the method
described above at least provides an indication, as
to whether further system check with a specialized
equipment should be considered.
References
[1] M. Kuhn, R. Anderson. Soft Tempest: Hidden
Data Transmission Using Electromagnetic Ema-
nations. Information Hiding, pp. 124-142. Springer
Verlag, 1998.
[2] R. Anderson, M.Kuhn. Low Cost Counter-
meausure Against Compromising Electromagnetic
Computer Emanations. U.S. Patent 6721423.
[3] R. Wiley. ELINT: Interception and Analysis of
Radar Signals. Artech House, 2006
[4] A. Wiesner, Technique and Device for Reconstruc-
tion of the Information Content of a Remote Video
Monitor. U.S. Pat. Appl. No 61161072.
[5] Sound Technology, Inc. Spectra Series,
http://www.soundtechnology.com
[6] SpectraPlus. Pioneer Hill Software,
http://www.spectraplus.com