Screen Gleaning: A Screen Reading TEMPEST Attack on Mobile Devices Exploiting an
Electromagnetic Side Channel
Zhuoran Liu, Niels Samwel, Léo Weissbart, Zhengyu Zhao, Dirk Lauret∗, Lejla Batina and Martha Larson
Institute for Computing and Information Sciences, Radboud University, The Netherlands
{z.liu@cs, n.samwel@cs, l.weissbart@cs, z.zhao@cs, dirk.lauret@student, lejla@cs, m.larson@cs}.ru.nl
Abstract—We introduce screen gleaning, a TEMPEST attack
in which the screen of a mobile device is read without a visual
line of sight, revealing sensitive information displayed on the
phone screen. The screen gleaning attack uses an antenna and
a software-defined radio (SDR) to pick up the electromagnetic
signal that the device sends to the screen to display, e.g., a message
with a security code. This special equipment makes it possible to
recreate the signal as a gray-scale image, which we refer to as
an emage. Here, we show that it can be used to read a security
code. The screen gleaning attack is challenging because it is often
impossible for a human viewer to interpret the emage directly. We
show that this challenge can be addressed with machine learning,
specifically, a deep learning classifier. Screen gleaning will become
increasingly serious as SDRs and deep learning continue to
rapidly advance. In this paper, we demonstrate the security code
attack and we propose a testbed that provides a standard setup
in which screen gleaning could be tested with different attacker
models. Finally, we analyze the dimensions of screen gleaning
attacker models and discuss possible countermeasures with the
potential to address them.
I. INTRODUCTION
Most of our daily business relies on the devices we carry on
us. A great deal of sensitive information is exchanged through
these devices, and the security and privacy of our data is
constantly at stake. Even the task of authenticating ourselves
(or our data) has been shifted to our phones, where two-factor
authentication, a common approach, requires successfully presenting
two or more pieces of evidence to confirm our identity.
To protect our data, mobile devices typically use secret
(cryptographic) keys that are not accessible from the outside.
Getting a hold of the key allows a hacker to steal our data.
The majority of real-world attacks on security implementations
on small devices today use side-channel analysis (SCA), i.e.,
they measure and process physical quantities, like the power
consumption or electromagnetic emanations of a chip, or
reaction time of a process. Moreover, thanks to computing
power becoming ever cheaper nowadays, modern adversaries
have started using state-of-the-art machine and deep learning
algorithms for SCA. Securing (embedded) systems against
SCA remains a great challenge.
In certain cases, the security implementation is not the target
of an attack. Instead, the target is the sensitive information
displayed on the screen. For example, here, we can think of
secret security codes sent from banks or credit card companies,
giving secure access to a user who is the only one able to read
the code. SCA can take advantage of the fact that information
is exposed in this way in order to mount an attack. Since
we can expect adversaries will always target the weakest link,
such attacks are more feasible than cryptographic attacks, i.e.,
cryptanalysis.
In this paper, we investigate the problem of sensitive
information on mobile phone screens. Until now, the study
of side-channel analysis attacks that aim to recover the screen
content of a mobile phone has focused on visible-spectrum
signals. This focus is consistent with people’s general belief
that protecting information on their mobile phone screen means
hiding it from the line of sight of a person or a camera.
However, SCA can go beyond visible-spectrum information
displayed on the screen. In this paper, we present a low-cost
SCA attack that can recover information displayed on a mobile
device’s screen by capturing the electromagnetic signal sent to
the phone screen. Our work introduces an attack, which we call
screen gleaning, that uses an antenna and a basic software-
defined radio (SDR). Our attack demonstrates the security
threat posed by emanations leaking from mobile devices. We
release an implementation of our attacks that allows for further
testing and extension.¹
The side-channel analysis that we consider in this work is
a type of TEMPEST technique. TEMPEST techniques exploit
vulnerabilities of communication and other types of emanations
from electrical equipment that contain sensitive data [55].
From our experiments with a simple TEMPEST setup using
an SDR receiver, we were able to successfully capture the
phone screen content without a visible-spectrum line of sight.
The signal recovered from the screen can be visualized as a
gray-scale image, which we refer to as an emage. A challenge
faced by our attack is that the emage is often not interpretable,
meaning that it cannot be read by way of human eyesight.
We propose a machine learning-based approach capable of
processing an emage that is not interpretable to the human
eye in order to recover secret information, such as a security
code in two-factor authentication.
This simple attack story illustrates the potential danger of
our attack:
Alice keeps her mobile phone on a stack of magazines
on top of her desk. She lays the phone face down because
she receives security codes and she believes that blocking the
visual line of sight to the phone screen will keep the codes
secure. Eve has access to Alice’s desk and has hidden an
¹ Code available at: https://github.com/cescalab/screen_gleaning
∗ This author is affiliated with the Eindhoven University of Technology. This
work was done during an internship at Radboud University.
Network and Distributed Systems Security (NDSS) Symposium 2021
21-25 February 2021, Virtual
ISBN 1-891562-66-5
https://dx.doi.org/10.14722/ndss.2021.23021
www.ndss-symposium.org