How to Spy on Your Neighbors With a USB TV Tuner

The Vantech Terratec Realtek RTL-SDR radio USB kit, as seen on Amazon.com

"Every device that you own is screaming its name into the infinite void," said security researcher Melissa Elliott this past Saturday (Aug. 3) at the DEF CON hacker conference in Las Vegas.

That "scream" is made up of the low-level radio transmissions each electronic device emits in the course of normal operations. The emissions vary according to device, power consumption and operations, with the result that sensitive antennae can "fingerprint" gadgets and activities accordingly.

Around 1970, the National Security Agency created the Tempest program to develop ways to spy on foreign communications using such accidental radio emissions.

A few years ago, French researchers showed that even individual keys being pecked on computer keyboards generated unique radio fingerprints.

Today, dirt-cheap technology and free software make it possible for ordinary citizens to run their own Tempest programs and listen to what their own — and their neighbors' — electronic devices are doing.

Elliott, a researcher at Boston-based security company Veracode, showed that an inexpensive USB dongle TV tuner costing about $10 can pick up a broad range of signals, which can be "tuned" and interpreted by software-defined radio (SDR) applications running on a laptop computer.


"I managed to go most of my life not knowing that my electronics were all leaking all of the signals that detail what they're getting up in their private little electronic lives," Elliott said.

But a visit to the U.S. National Radio Quiet Zone on the Virginia-West Virginia border, site of the world's largest moveable radio-astronomy telescope, taught Elliott otherwise.

"Their biggest challenge to getting the science done is the very electronics that they need to measure and process the signal, because those same electronics blast the signal out at the sky," Elliott said.

"They have a microwave oven, which is a Faraday cage" — a structure enclosed by a wire mesh to prevent electricity from getting in or out — "inside another Faraday cage, inside another room, which is also a Faraday cage," she recalled. "That is how much they had to shield things just so they could reheat their pizza at 2 a.m."

So Elliott found a website that sold USB tuners for $10, and found free software to tune and analyze the signals.

At DEF CON, she demonstrated how much radio noise electronic devices emit by using a netbook she bought for $50 on a trip to China.

"It has no shielding," Elliott said. "I'm pretty sure that this violates FCC from Rule 1 to the last. They'd have a conniption if they knew I imported it."

On another laptop, Elliott used her USB tuner and her software-defined radio application to dial into an FM radio station, and projected her output on the conference-hall screen. After a minute, she powered on her cheap Chinese netbook, which was a few feet away.

"Do you see all those little spikes that weren't there a minute ago?" she asked. "Those are between 32 and 33 kilohertz apart," she said, explaining that the signal came from the netbook's real-time clock running at a standard 32.768 kHz.
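The measurement Elliott describes, evenly spaced spikes whose spacing gives away the clock behind them, can be reproduced offline when auditing your own equipment's emissions. The sketch below is an added example, not code from the talk: the sample rate, FFT size, function names and the synthetic capture are all assumptions, and the "capture" is constructed test data rather than a real recording.

```python
import cmath, math, random, statistics

FS = 2_048_000      # assumed IQ sample rate (Hz)
N = 4096            # FFT size: FS / N = 500 Hz per bin

def fft(x):
    """Recursive radix-2 FFT (len(x) must be a power of two)."""
    n = len(x)
    if n == 1:
        return list(x)
    even, odd = fft(x[0::2]), fft(x[1::2])
    tw = [cmath.exp(-2j * math.pi * k / n) * odd[k] for k in range(n // 2)]
    return [e + t for e, t in zip(even, tw)] + [e - t for e, t in zip(even, tw)]

def synth_capture(clock_hz, seed=1):
    """Constructed test data: tones at multiples of clock_hz buried in noise."""
    rng = random.Random(seed)
    return [sum(cmath.exp(2j * math.pi * k * clock_hz * n / FS) for k in range(-10, 11))
            + complex(rng.gauss(0, 1), rng.gauss(0, 1)) for n in range(N)]

def find_spikes(iq):
    """Return sorted frequencies (Hz, relative to the tuned centre) of narrow peaks."""
    win = [0.5 - 0.5 * math.cos(2 * math.pi * n / N) for n in range(N)]  # Hann window
    mag = [abs(v) for v in fft([s * w for s, w in zip(iq, win)])]
    floor = statistics.median(mag)            # noise-floor estimate
    peaks = []
    for i in range(N):
        # A spike is a local maximum standing well above the noise floor.
        if mag[i] > 10 * floor and mag[i] > mag[i - 1] and mag[i] >= mag[(i + 1) % N]:
            peaks.append((i if i < N // 2 else i - N) * FS / N)
    return sorted(peaks)

def comb_spacing(freqs):
    """Estimate the common spacing of a comb, tolerating a missed tooth."""
    coarse = statistics.median(b - a for a, b in zip(freqs, freqs[1:]))
    teeth = round((freqs[-1] - freqs[0]) / coarse)
    return (freqs[-1] - freqs[0]) / teeth

if __name__ == "__main__":
    spikes = find_spikes(synth_capture(32_768))
    print(f"{len(spikes)} spikes, spacing ~ {comb_spacing(spikes):.0f} Hz")
```

With 500 Hz bins, neighbouring spikes land 32.5 or 33 kHz apart, which is the "between 32 and 33 kilohertz" reading from the demo; averaging across the whole comb narrows the estimate toward 32.768 kHz.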

Further demonstrations showed that keyboard presses emitted different radio signals, as did changing screen colors and patterns, with a black-and-white checkerboard pattern even being somewhat visible on the radio-signal analysis screen.

"Can you recover the screen from this?" Elliott wondered. "I'm pretty sure you can. Unfortunately, my radio sample rate is not very high. But again, I have a $10 radio."

Elliott said an engineer co-worker told her that the cable from the netbook's video processor to its screen was emitting the signals — which explained why the signals stayed active even after the screen went to sleep.


It's not just screens that emit radio signals, Elliott said; keyboards, LED lights, wired and wireless microphones, computer memory and hard drives all put out signals.

"You can pick up everything to some extent," Elliott said as she projected a screen shot of a neat grid generated by RAM memory chips. She could also see that her iPhone was downloading data over Verizon's 3G network.

"Different types of devices can be profiled for their activity, and then after you know exactly what they do, you can detect them," Elliott said. "You can see them through walls. You can triangulate them in 3D space, almost like they're radio transmitters that you're carrying — because they are."

"It's trivial to distinguish when one of these machines is idle and when it's active," she added. "If you carefully study it, you can distinguish between different kinds of active states. An advanced adversary can probably very finely distinguish between active states."

Elliott noted that she was carrying a very specific assortment of gadgets around DEF CON: an iPhone 4S, a Nexus 7, a Nintendo 3DS and a MacBook Air.

"If someone knew exactly what my brand preferences are," she said, "they could pinpoint me in a crowd if they had all the equipment set up ahead of time."

"Even if I turn off WiFi and Bluetooth, this is still possible," Elliott explained. "You're still saying, 'My phone is here, my phone is definitely here.'"

"This is why the paranoid types are like, 'Don't just turn off the phone — take out the battery,'" Elliott said, implying that only then will a phone be completely radio silent. "So I'm gonna take out the battery on my — oh, wait, my iPhone doesn't have a removable battery."

"So what I can do is make like a shoplifter and get some booster bags," said Elliott, referring to plastic bags designed to block radio waves. "You can find them on the Internet labeled as 'cellphone blockers' or 'cellphone etiquette wrappers,' so your cellphone won't ring during dinner."

"If you need to have a completely private talk," Elliott said, "empty everyone's pockets and put everything in your microwave oven — do not run it — and close the door. It's not perfect, but it works pretty well."

Microwave ovens are designed to keep radio waves from getting out, and also keep radio waves from getting in.


Anyone can use these cheap USB tuners to pick up a lot of signals, Elliott said. "In the process, you will learn that there are trillions of devices broadcasting weird things in your neighborhood."

Elliott recommended USB dongles using the DVB-T specification with RTL2832U chipsets and Elonics E4000 tuners. The dongles are made for TV tuning in dozens of countries across Europe, Asia and Africa, and hence have a wide frequency range.

She ordered hers from China for $10 each, but entire user kits, complete with antennae and remote controls, can be found on U.S. retail websites for between $20 and $30.

Elliott recommended two free SDR applications to process and analyze the radio signals: for Windows, SDR# (pronounced "ess-dee-arr-sharp"), and for Mac and Linux, GQRX. Both can easily be downloaded online.

Elliott noted that for anyone feeling paranoid about such revelations, the NSA and its European counterparts have posted guidelines on how to avoid unintentional radio leakage.

"Their key takeaway is, 'correlated emissions are bad,'" Elliott said. "'Correlated emissions' means, 'it changes when something on the machine changes.' That leaks information. You don't want that."

"So ask your landlady about copper plating for your bedroom," she joked. "I'm sure it will go over really well."

Elliott closed with a funny story about how she tested her equipment by sitting under an LED-draped metallic tree in the Veracode offices.

She found that when the LEDs changed colors, the radio interference patterns also changed.

"Someone comes by and asks, 'What are you doing?'" Elliott recalled. She replied, "'I'm listening to the tree — and I can hear the colors.'"

Comment from the forums
  • Paul Beaumont
    It's not new; in the 1950s MI5 were tracking diplomatic and spy transmissions using the same technique - codenamed 'RAFTER.' It's also how TV Licence detection is carried out in Britain.
    What the lady didn't state was that with some software these devices can be made to track aircraft by exploiting their S Mode transmissions on 1090MHz.

    These devices have a range around 25 to 2000MHz but you can build or purchase a converter so you can look at lower frequencies and there's a lot of exploitable signals around 300 to 500kHz as well as 10.7 and 21.4MHz.

    You can even listen into baby alarms on 49MHz - not that I would ever condone that.

    As a Sunday Times journo intimated in 1989, if you turn on an electronic device you just shout out your details; there's a lot of persons wanting to hear them.
  • gccradioscience
    We are just listening to short wave radio broadcast transmissions, AM and FM broadcasts, ham radio, and pirate radio transmissions. I have no interest in what she is doing. I don't have time to listen to noise.