
This section presents various countermeasures that can be used to mitigate the problem of information leakage by electromagnetic emanations, either in conjunction with or instead of implementing red/black zones.

6.5.1 Soft Fonts to Prevent Eavesdropping

A software defence against eavesdropping on the electromagnetic radiation from video display units is provided by Kuhn and Anderson (1998). The method entails using a Fourier transform to filter out (i.e. remove) the top 30% of the horizontal frequency spectrum of the font glyphs before they are rendered. The authors state that this causes the eavesdropping device to fail to display the text that it could prior to the filter being applied.
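The following is an added example, not Kuhn and Anderson's code, of the filtering step described above. Each row of a small bitmap glyph (constructed here as sample input) is transformed with a discrete Fourier transform, the bins in the top 30% of the horizontal frequency range (measured against the Nyquist frequency of the row) are zeroed, and the row is transformed back into grey-scale pixel values. The pure-Python DFT and the 8-pixel glyph width are assumptions made for illustration.

```python
"""Soft Tempest style glyph low-pass filtering (illustrative; not the authors' implementation)."""
import cmath
import math

# Constructed 8x8 bitmap of an "E"-like glyph; 1 = lit pixel, 0 = background.
GLYPH_E = [
    [1, 1, 1, 1, 1, 1, 1, 0],
    [1, 0, 0, 0, 0, 0, 0, 0],
    [1, 0, 0, 0, 0, 0, 0, 0],
    [1, 1, 1, 1, 1, 0, 0, 0],
    [1, 0, 0, 0, 0, 0, 0, 0],
    [1, 0, 0, 0, 0, 0, 0, 0],
    [1, 1, 1, 1, 1, 1, 1, 0],
    [0, 0, 0, 0, 0, 0, 0, 0],
]


def dft(row):
    """Discrete Fourier transform of one horizontal row of pixels."""
    n = len(row)
    return [sum(row[t] * cmath.exp(-2j * math.pi * k * t / n) for t in range(n))
            for k in range(n)]


def idft(spectrum):
    """Inverse DFT; returns the real part, since the filtered spectrum stays conjugate-symmetric."""
    n = len(spectrum)
    return [sum(spectrum[k] * cmath.exp(2j * math.pi * k * t / n) for k in range(n)).real / n
            for t in range(n)]


def high_frequency_bins(n, fraction):
    """Indices of the DFT bins whose absolute frequency lies in the top `fraction` of the spectrum.

    Bin k represents min(k, n - k) cycles per glyph width; the highest frequency is n // 2.
    """
    nyquist = n // 2
    cutoff = (1 - fraction) * nyquist
    return {k for k in range(n) if min(k, n - k) > cutoff}


def lowpass_row(row, fraction=0.3):
    """Remove the top `fraction` of the horizontal frequency spectrum from one row."""
    spectrum = dft(row)
    for k in high_frequency_bins(len(row), fraction):
        spectrum[k] = 0
    return idft(spectrum)


def high_frequency_energy(row, fraction=0.3):
    """Energy remaining in the high-frequency bins; zero after filtering."""
    spectrum = dft(row)
    return sum(abs(spectrum[k]) ** 2 for k in high_frequency_bins(len(row), fraction))


def filter_glyph(glyph, fraction=0.3):
    """Apply the horizontal low-pass filter to every row of a glyph bitmap."""
    return [lowpass_row(row, fraction) for row in glyph]


def to_grey(glyph):
    """Quantise filtered pixel values to 8-bit grey levels, clamping ringing overshoot."""
    return [[int(round(255 * min(1.0, max(0.0, v)))) for v in row] for row in glyph]


if __name__ == "__main__":
    for row in to_grey(filter_glyph(GLYPH_E)):
        print(" ".join(f"{v:3d}" for v in row))
```

The sharp pixel edges of the original bitmap are what carry the high horizontal frequencies; after filtering, the rendered glyph is a slightly blurred grey-scale shape that a display still shows legibly, while the high-frequency components that dominate the radiated signal are gone. The clamping in `to_grey` reintroduces a small amount of high-frequency content, which is why the energy check below is made on the unquantised row.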

6.5.2 Countermeasures for USB Connector Radio Frequency Emissions

Three countermeasures against USB connectors being used as RF transmitters are described by Guri et al. (2016). The first is a procedural countermeasure of using zones to keep sensitive computers physically separate from other electronics. The second is software-based, such as having anti-virus or IDS software monitor the patterns of reads and writes belonging to a process. Lastly, the authors describe a physical method: including shielding and grounding in the design of the USB connector and limiting the emissions it can emit.

6.5.3 Countermeasures for Video Connector Radio Frequency Emissions

After having demonstrated how to recreate a retro-reflector of the kind the NSA calls RageMaster, GBPPR (2014) shows that RF absorbing foam can attenuate the radar carrier signal being used to exfiltrate the information from the bug. Although expensive, this material forces the eavesdropper to be closer in order to monitor the weaker signal. The author also proposes using ferrite-containing absorbent material. Other types of radiation absorbent material may also be employed to achieve the same effect.

6.6 Interception

Interception involves the attacker listening to or reading the communication taking place between the sender and the receiver. Attackers can also place themselves between the sender and receiver, and listen to, possibly modify, and retransmit the messages to the receiver to effect a MITM attack.

6.6.1 Detecting and Preventing Man in the Middle Attacks

One key factor in detecting MITM attacks is being able to verify the identity of the device being communicated with, such as a web server, wireless AP or cellular phone base station. The identity of web servers on the Internet is commonly verified by certificates issued by certificate authorities which are trusted by client web browsers. This approach could potentially be reused for base stations and APs.

Detecting IMSI-catchers is possible and numerous applications, including for smartphones, exist to do this. However, Park et al. (2017) write that the five applications they tested only monitor for certain patterns of IMSI-catcher behaviour and that many of these checks can be circumvented.

If the attacker can control the response to DNS requests, e.g., with Quantum-DNS as described by NSA (n.d.), or is able to issue certificates for the domain that the target is attempting to visit, then TLS/SSL is rendered unable to prevent the attack. However, as stated by Haagsma (2015), it is possible to detect the quantum insert attack by looking for packets that have the same sequence number but different payloads. The author states that Suricata was able to detect such duplicate packets and that patches were made to the Snort IDS which enabled it to do the same. The author cautions, however, that it is possible to evade this detection method by spoofing a FIN packet after the inserted packet to end the session before the authentic packet arrives.
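The duplicate-sequence-number check and the FIN evasion described above, as an added example that is not Suricata or Snort code: the detector keeps, per flow, the payload first seen at each TCP sequence number and alerts when a later segment reuses that sequence number with different bytes. A flag models the evasion: a detector that discards flow state on FIN is blind to the genuine segment arriving after a spoofed FIN, whereas one that keeps the state until the flow is evicted still catches it. The segment records, addresses and HTTP payloads are constructed sample input.

```python
"""Quantum-insert style duplicate-segment detection (illustrative; not an IDS's own code)."""
from collections import namedtuple

# Minimal view of a TCP segment: endpoints, sequence number, payload bytes, FIN flag.
Segment = namedtuple("Segment", "src dst seq payload fin")


def flow_key(seg):
    """Identify a unidirectional flow by its source and destination endpoints."""
    return (seg.src, seg.dst)


def detect_duplicate_seq(segments, forget_on_fin):
    """Return alerts for segments that reuse a sequence number with a different payload.

    forget_on_fin=True mimics a detector that drops flow state when it sees a FIN, so a
    spoofed FIN hides the genuine segment that arrives afterwards.
    forget_on_fin=False keeps the state, so the race is still detected after the FIN.
    Each alert is (flow, seq, first_payload, conflicting_payload).
    """
    seen = {}   # flow -> {seq: first payload observed at that seq}
    alerts = []
    for seg in segments:
        key = flow_key(seg)
        table = seen.setdefault(key, {})
        if seg.payload:  # a pure FIN/ACK carries no data and cannot conflict
            prev = table.get(seg.seq)
            if prev is not None and prev != seg.payload:
                alerts.append((key, seg.seq, prev, seg.payload))
            else:
                table.setdefault(seg.seq, seg.payload)  # retransmissions are identical
        if seg.fin and forget_on_fin:
            seen.pop(key, None)
    return alerts


# Constructed endpoints and payloads; not taken from the text.
SERVER = "192.0.2.10:80"
CLIENT = "10.0.0.5:51234"
GENUINE = b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello"
INJECTED = b"HTTP/1.1 302 Found\r\nLocation: http://attacker.invalid/\r\n\r\n"

# The man-on-the-side attacker wins the race: its segment lands first, the real reply second.
RACE = [
    Segment(CLIENT, SERVER, 1000, b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n", False),
    Segment(SERVER, CLIENT, 5000, INJECTED, False),
    Segment(SERVER, CLIENT, 5000, GENUINE, False),
]

# Same race, but a spoofed FIN follows the injected segment before the genuine reply arrives.
RACE_WITH_FIN = [
    RACE[0],
    RACE[1],
    Segment(SERVER, CLIENT, 5000 + len(INJECTED), b"", True),
    RACE[2],
]


if __name__ == "__main__":
    for name, trace in (("race", RACE), ("race+fin", RACE_WITH_FIN)):
        for forget in (True, False):
            n = len(detect_duplicate_seq(trace, forget_on_fin=forget))
            print(f"{name:9s} forget_on_fin={forget!s:5s} alerts={n}")
```

The alert only says that two different payloads claimed the same sequence number; it does not say which was genuine. Because the attack works only when the injected segment arrives first, the earlier payload in the alert is the suspicious one in practice, and the victim's stack has already accepted it, so this check is a detection, not a prevention.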

6.6.2 Encryption

The increased adoption of encryption technologies such as TLS (SSL) and IPsec hampers the ability of attackers to monitor Internet activity and collect metadata (NSA and GCHQ, 2011). This suggests that increased adoption of encryption will frustrate the efforts of attackers to gain information about their targets during reconnaissance.

One aspect of network communication that leaks information even when encryption is used for requesting and receiving content is the DNS requests that are sent and answered in plain text (Dickinson, 2018a). There are two IETF RFCs which provide privacy for DNS requests and prevent eavesdropping on them. The first is RFC7858, DNS-over-TLS (DoT), which is a published Standards Track specification; the second is RFC8094, DNS-over-DTLS, which was published as an Experimental specification (Dickinson, 2018b).

The use of encryption to safeguard data, and metadata such as DNS, from attackers mitigates MITM and man-on-the-side attacks.

6.7 Location Finding

Location finding entails being able to identify and measure a signal to determine its bearing and distance. Removing opportunities for the attacker to do so increases the difficulty of determining a victim's location.

6.7.1 Fundamental Weakness of Broadcasting

When a cellular phone broadcasts to find a base station, or a WLAN card checks to see whether APs that it knows of are present, these devices are advertising their presence to all and sundry.

One way to avoid the phone having to announce its presence is to reverse the process so that the base station or AP announces its presence to any device in range. At the same time the base station or AP can prove its legitimacy, for example by signed certificates, so that end user devices do not connect to impersonated base stations or APs.

For existing network generations that use symmetric cryptography, van den Broek et al. (2015) propose using temporary random pseudonym IMSIs (PMSIs), issued by the network operator, in place of the IMSI to identify the end user device to the network. For future generations the authors write that asymmetric cryptography would protect the IMSI.
