Elementary Threat · BSI IT-Grundschutz

G 0.13 — Interception of Compromising Emanations

Reviewed by: Cenedril Editorial
A.5.14 · A.7.9 · A.8.1 · A.8.20 · A.8.21 · A.8.24 · BSI IT-Grundschutz · ISO 27001 · ISO 27002

An intelligence operative parks an unmarked van on the side street of a technology company. Inside, a directional antenna captures the electromagnetic emanations from the screens of the development office. On his own monitor, in real time, appears what the engineers are seeing — circuit diagrams, source code, internal communication.

Compromising emanations are among the least considered threats to information security. The BSI lists them as elementary threat G 0.13, and although the attack sounds highly technical, the necessary equipment is now affordable and largely freely available.

What’s behind it?

Every electronic device — computer, screen, printer, network coupling element — emits electromagnetic waves during operation. For devices that process information, this radiation can carry the data currently being processed. These emanations are then called revealing or compromising emanations.

An attacker can capture these signals with a suitable receiver and reconstruct the original data from them. They only need to be close enough to the target device — a neighbouring building, a parked vehicle or an adjacent room suffices depending on signal strength.

Types of emission

  • Passive emanation — the device emits signals on its own that an attacker picks up. Screen cables (VGA, HDMI) and keyboards are particularly susceptible because their signals are comparatively strong and structured.
  • Active illumination — the attacker deliberately bathes a device in electromagnetic waves. The reflected signals carry information about the internal processing state. This method extends the range and works even for devices with weak passive emanations.
  • Acoustic emanation — printers, keyboards and mechanical hard drives produce sounds from which conclusions about processed data can be drawn. Keystroke analysis can reconstruct input with surprising accuracy.

Impact

The damage affects confidentiality only. Attackers gain access to the content the target device is currently processing: screen content, keyboard input, print jobs. This becomes particularly sensitive for trade secrets, classified material or personal data. The attack leaves no traces on the target system — the affected organisation typically never learns that data has leaked.

Practical examples

Screen reconstruction in an office complex. A competitor rents a room in the same office building, separated only by a plasterboard wall. With a receiving antenna and specialised software, they intercept the HDMI emanations from a workstation in the neighbouring office. Over weeks they read along as the competition drafts offers and calculations — without the affected company noticing any sign of data outflow.

Keystroke analysis via structure-borne sound. In a co-working space, an attacker places a highly sensitive contact microphone on the shared desk. The vibrations of keystrokes from a neighbouring user are recorded and translated into plain text by a machine-learning model. Passwords and confidential messages are captured this way.

Targeted illumination of an air-gapped system. A foreign intelligence agency bathes a computer in a secured facility with high-frequency waves. The reflected signals modulate according to the internal data processing. The attacker analyses the reflections and extracts cryptographic keys — even though the system has no network connection at all.

Relevant controls

The following ISO 27001 controls mitigate this threat. (You’ll find the complete list of 6 mapped controls below in the section “ISO 27001 Controls Covering This Threat”.)

Prevention:

Detection:

Response:

BSI IT-Grundschutz

The BSI IT-Grundschutz catalogue links G 0.13 to the following modules:

  • CON.1 (Crypto concept) — requirements for the selection and use of cryptographic methods that devalue intercepted signals.
  • CON.7 (Information security while travelling) — protection measures for mobile devices in uncontrolled environments.
  • SYS.3.2.2 (Mobile device management) — central administration and protection of mobile end-user devices.

Sources

ISO 27001 Controls Covering This Threat

  • A.5.14 Information transfer
  • A.7.9 Security of assets off-premises
  • A.8.1 User endpoint devices
  • A.8.20 Networks security
  • A.8.21 Security of network services
  • A.8.24 Use of cryptography

Frequently asked questions

What are compromising emanations?

Every electronic device emits electromagnetic waves. When these emanations carry the data currently being processed — for example the screen content or keyboard input — they are called compromising or revealing emanations. An attacker can capture these signals with suitable receivers and reconstruct the original data.

Are the statutory EMC limits sufficient for protection?

The limits set by EMC regulations govern electromagnetic compatibility between devices and aim at preventing mutual interference. For protection against targeted interception of emanations they are generally not sufficient. That requires additional measures such as shielded enclosures, shielded rooms or TEMPEST-certified equipment.

How realistic is an emanation attack in practice?

With freely available software-defined radio (SDR) hardware, screen content can be reconstructed from several metres away. The effort is lower than many assume. For organisations that handle classified material or highly sensitive trade secrets, the risk must be taken seriously.