More on the Dutch Machine compromise

From: Charlie Strauss <cems_at_earthlink_dot_net>
Date: Sun Oct 15 2006 - 00:01:05 CDT

Back when I was learning to program on an Altair 8800 (which you
programed not with a key board but by flipping binary switches for
every bit), we used to put a radio beside the computer to capture the
RF leakage and listen to it. Then by adjusting the wait states in the
choice of instructions we could play patterns on the noise the radio
picked up. This was used among other things to add "phaser" noises
to the star trek games we would write and play on the machine. (this
was way before anyone heard of a "sound card" or even a speaker on a
computer).

Well there's been some recent news about how a dutch e-voting system
that is popular in europe was totally compromised at avery possible
level from software to hardware. As a joke they even added a chess
playing program to the voting machine's software.

One of the interesting things way down in the report is discussion of
the RF emissions from the video circuitry. It turns out that certain
character sets disrupt the refresh rate of the screen. This is
audible on an ordinary FM radio for up to 25 meters. Thus for
example if you have an um-late or accent grave in your name, the
audio signal on the radio is perturbed when your name is on the
screen. One can also gather much more information.

http://www.wijvertrouwenstemcomputersniet.nl.nyud.net:8080/images/
9/91/Es3b-en.pdf

Ironically this is not a new thing. The spy services have been using
this technology since the late 40s and 50s. For example, they could
infer key presses via the differential currents in IBM selectric
trypewriters that introduce spikes on the power line. Peter Wright
at MI5 in britain pioneered this, to listen to the foreign embassies
in london. Likewise IF emmission from radios was used in world war 2
and later to hunt down cladestine transmitters or sudden transmission
burst in response to an event. If you've ever seen the secret
service vehicles driving around the president's convoys you've see
the antenna rigs they use to look for people talking on radios in
response to their motion. You can buy detector from anti-bugging
sites on line for not much money. Recently, the fiction book
Crytonomicon, discussed its use to read out the screens of laptops
through hotel walls.

So it's not like they could not have known this would happen. It's
unclear how one works around this on anything with a screen, while
still using commodity hardware.

"It would appear that if a special character is displayed, the
controller has to do extra work
every time the display is updated. This causes the display refresh
frequency to drop from 72Hz to
58 Hz. The difference between these two frequencies can be determined
by ear. In The Netherlands,
the name of the major political party CDA is written in full on the
display when the voter chooses
any CDA candidate: “Christen Democratisch Appèl”. So using only a
simple scanner or short-wave
receiver, we can tell whether or not a voter is currently voting for
a party or candidate with an
accent in the name. In Germany for instance this would yield a
“Grünen detector”, although the
much more frequent use of non-ASCII characters in German names would
diminish the selectivity
somewhat.
We have observed large signal strength variations between the three
devices we have tested
this on. In all cases we could receive the signal at a few meters. In
one case we could receive the
signal up to 25 meters away. Note that a signal like this can be
filtered from noise long after the
unaided human ear stopped hearing it, so range can be significantly
extended using digital signal
processing. When experimenting with software to detect these two
tones, we noticed that filtering
for 216 Hz and 232 Hz respectively, each with a bandwidth of 10 Hz,
seems to work better than
filtering at the base frequencies of the audible tones. We also
noticed energy present at 3845 Hz
when the vote-button is pressed. "

_______________________________________________
OVC-discuss mailing list
OVC-discuss@listman.sonic.net
http://lists.sonic.net/mailman/listinfo/ovc-discuss

==================================================================
= The content of this message, with the exception of any external
= quotations under fair use, are released to the Public Domain
==================================================================
Received on Tue Oct 31 23:17:04 2006

This archive was generated by hypermail 2.1.8 : Tue Oct 31 2006 - 23:17:10 CST