Compromising Reflections

This document describes a new side-channel attack that can be used to spy on data displayed on computer screens from a distance by analyzing reflections of the screen's content on nearby objects. The attack was shown to work using inexpensive equipment from up to 10 meters away by analyzing reflections in eyeglasses, teapots, or the user's eye. More expensive equipment allowed the attack from over 30 meters away. The document discusses optical parameters that influence image quality and resolutions possible based on diffraction limits. It concludes the attack poses a risk to data confidentiality without strong optical shielding of the screen.

Compromising Reflections

or
How to Read LCD Monitors Around the Corner
Michael Backes
Saarland University and
Max Planck Institute for Software Systems
Saarbrücken, Germany
backes@cs.uni-sb.de

Markus Dürmuth
Dominique Unruh
Saarland University
Saarbrücken, Germany
{duermuth,unruh}@cs.uni-sb.de

Abstract

We present a novel eavesdropping technique for spying at a distance on data that is displayed on an arbitrary computer screen, including the currently prevalent LCD monitors. Our technique exploits reflections of the screen's optical emanations in various objects that one commonly finds in close proximity to the screen and uses those reflections to recover the original screen content. Such objects include eyeglasses, tea pots, spoons, plastic bottles, and even the eye of the user. We have demonstrated that this attack can be successfully mounted to spy on even small fonts using inexpensive, off-the-shelf equipment (less than 1500 dollars) from a distance of up to 10 meters. Relying on more expensive equipment allowed us to conduct this attack from over 30 meters away, demonstrating that similar attacks are feasible from the other side of the street or from a close-by building. We additionally establish theoretical limitations of the attack; these limitations may help to estimate the risk that this attack can be successfully mounted in a given environment.

1. Introduction

Side-channel attacks are a particularly salient approach for spying on confidential data. As early as in 1985, electrical emanations of CRT screens were successfully exploited to reconstruct the screen's content from a distance [12]. This attack was further refined in diverse variations of different levels of sophistication, e.g., emanations from the cable connecting an LCD screen to the computer were successfully abused to recover the content of the screen [6]. All these attacks are grounded on the idea that an unexpected emanation of the computer itself (or its display) is exploited. These attacks can often be successfully prevented by shielding the hardware to avoid the occurrence of these unexpected emanations, e.g., by using LCD displays instead of CRT screens, by using specially insulated cables, by using soundless keyboards, and so on.

Our work introduces a side-channel that is not an idiosyncrasy of the computer's behavior, but it exploits the visual emanation of the screen itself and hence its proper functionality in combination with everyday objects that are located in close proximity to the screen such as tea pots, eyeglasses, plastic bottles, spoons, or the eye of the user. Our approach is predicated on the idea that the image of the screen can be reconstructed from reflections on those objects, see Figure 1. We focus on the (common) setting in which the screen is facing away from the window, see Figure 2, and on curved reflection surfaces, since reflections on these surfaces cover a very large area of the environment; this increases the likelihood that a reflection of the screen's content can be eavesdropped on the object.

Figure 1. Image taken with a macro lens from short distance; the distance between the eye and the monitor was reduced for demonstration. Readability is essentially limited by the camera resolution.

We demonstrate in this paper that this idea can be successfully realized in practical scenarios, using inexpensive, off-the-shelf equipment of less than 1500 dollars (a camera and a telescope) from a distance of up to 10 meters for spying on small fonts. Relying on a more expensive telescope allowed us to conduct this attack from over 30 m away. Particularly good results were obtained from reflections in a user's eyeglasses or a tea pot located on the desk next to the screen. Reflections that stem from the eye of the user also provide good results. However, eyes are harder to spy on at a distance because they are fast-moving objects and require high exposure times. Our experiments indicate that this shortcoming can be remedied by using more expensive equipment that offers lower exposure times. Unlike the human eye, glasses constitute an ideal target for our attack due to their less extreme curvature. Additionally, we illustrate that reflections of non-emissive objects, e.g., papers that are located on the desk in close proximity to a tea pot, can be exploited to spy on this object; this might allow for spying on confidential documents for which no direct line of sight is given.

We have established lower bounds on the size of the telescope (and consequently the amount of money) needed to carry out this attack in different scenarios. The lower bounds rely on physical characteristics such as diffraction (Rayleigh's Criterion) as well as bounds on the permitted exposure times.

From our experiments, we conclude that the reflections gathered from curved surfaces on close-by objects indeed pose a substantial threat to the confidentiality of data displayed on the screen. Fully invalidating this threat without at the same time hiding the screen from the legitimate user seems difficult, without using curtains on the windows or similar forms of strong optical shielding. Most users, however, will not be aware of this risk and may not be willing to close the curtains on a nice day.

1.1. Related Work

Military organizations have been rumored to deal with compromising emanations since the 1960s; the results of these works, however, are confidential. The first publicly known attack we are aware of, published in 1985 [12], used electromagnetic radiation of CRT monitors. An early discussion of these results can be found in [4].

Various forms of emanations have since been exploited to spy on confidential data. Electromagnetic emanations have turned out to constitute a security threat to computer equipment such as poorly shielded RS-232 serial lines [11], keyboards [1], as well as the digital cable connecting modern LCD monitors [6]. We refer to [7] for a discussion on the security limits for electromagnetic emanation. Acoustic emanations were shown to reveal text typed on ordinary keyboards [2, 13], as well as information about the CPU state and the instructions that are executed [10]. Acoustic emanations from printers were studied in [3].

The work that comes closest to ours is that diffuse reflections of the light emitted by a CRT monitor can be exploited to recover the original monitor image [5]. This approach exploits the point-wise image construction and the time-characteristics of the light-emitting material used in CRT monitors. This technique hence does not apply to monitors that do not construct images in this fashion; in particular, it does not apply to LCD monitors. Information leakage from status LEDs is studied in [8]. Reflections of images from a human eye were already investigated in [9], but without security questions in mind, in particular only for low resolutions, small distances, and without taking diffraction into account.

1.2. Outline

Section 2 reviews the relevant optical parameters and describes their influence on image quality. Section 3 contains our experimental results in various scenarios for the low-cost equipment. Section 4 shows that the approach scales to larger distances by relying on a more expensive telescope. Section 5 establishes theoretical lower bounds on the size of the telescope (and consequently the amount of money) needed to carry out this attack in different scenarios, while Section 6 discusses the feasibility of our attack in realistic scenarios. Section 7 concludes the paper and outlines future work.

Figure 2. The basic setting: The monitor faces away from the window in an attempt to hide the screen's content.

2. An Optics Primer

We start by reviewing the relevant parameters of the optical system and describe their influence on image quality. This allows us to better understand our experimental results, and it will provide the basis for deriving lower bounds on the resources that are required to mount the attack.

2.1. Size of the Reflected Image

The reflection of an object, in our case a computer display, in a curved mirror creates a virtual image that is located behind the reflecting surface. For a flat mirror this virtual image has the same size and is located behind the mirror at the same distance as the original object. For curved mirrors, however, the situation is more complex. In this section, we calculate the size and the location of the virtual image.

The overall situation is depicted in Figure 3. It is common to approximate a spherical mirror as a lens of focal length $f_0 = \frac{r}{2}$, provided that the width of the mirror is small compared to its radius. The location $b_0$ of the virtual image (the distance between the virtual image and the reflecting surface), given the location $a_0$ of the object, is given by the thin lens equation as

$$b_0 = \frac{1}{\frac{2}{r} - \frac{1}{a_0}}.$$

The size $u_0$ of the virtual image is given by $u_0 = \frac{b_0 x}{a_0}$. Finally, we have to consider that the image appears smaller if seen from an angle ; the apparent size $u_1$ is $u_1 = u_0 \cos()$.

Figure 3. Size and location of the reflected image. The curvature of the sphere in the left part of the figure is exaggerated for illustration.

Let the distance from the monitor to the observer be d, and let n be the desired resolution; the desired resolution could be the actual monitor resolution, but it could also be lower, depending on the scenario. In the following we will mainly use the full resolution, but we will later discuss how these results scale with a lower resolution. The optical resolution (in radians) required to capture the full resolution is given by $\arctan\frac{u_1}{nd} \approx \frac{u_1}{nd}$, where the approximation holds as u1  d and tan for 0. In particular, is linear in the inverse of the distance d.

2.2. Diffraction Bounds

Diffraction is a physical phenomenon that diffuses light, or any other electromagnetic wave, whenever it passes some aperture. It is best known for very small apertures, where it is visible to the human eye. In the case of high magnifications, however, even a large aperture like the one of a telescope produces noticeable diffraction; in fact, the diffraction constitutes one of the limiting parameters in the use of modern telescopes.

The influence of diffraction on the maximum resolution of a telescope is given by Rayleigh's Criterion. Let two point sources P1, P2 be given such that the angle between these two sources (as seen by the observer) is (in radians). Let D be the diameter of the objective lens of the telescope and the wavelength of the light. Then Rayleigh's Criterion states that the two points P1, P2 can be distinguished if and only if 1.22 D . In some of our experiments we were close to the theoretical bound given by Rayleigh's Criterion. Combining the bounds from this section and from the previous one, we obtain bounds on the maximum resolution for a given distance and telescope aperture.

2.3. Exposure Time

Another important factor in our experiments turned out to be the necessary exposure time. Since the exposure time depends on many practical factors in the setup (quality of the lenses, brightness of the screen, color of the reflecting object, sensitivity of the film/chip in the camera, etc.) it does not seem possible to give reasonable theoretical bounds on the exposure time. It is known, however, that the exposure time is inversely proportional to the intensity of the light per square angle reaching the camera. Thus if all other values are fixed, the necessary exposure time is proportional to the square of the magnification and inversely proportional to the square of the aperture diameter. (The distance does not directly influence the exposure time, but a larger distance will usually be compensated by a larger magnification, hence indirectly influences the exposure time.) Given experimental values for a given setup, this allows us to at least estimate the necessary exposure time for settings that vary only in these parameters, e.g., when deciding which telescope size is necessary for a given setup. Furthermore, by comparing our equipment with other available equipment, we at least obtain an estimate when the attacker does not use specifically manufactured (and possibly very expensive) equipment.

In theory, there is no upper bound on the exposure time. However, changing monitor images, moving objects, and air turbulences caused by heating or air conditioning can blur the image. Exposure times of several seconds are possible; we have taken most pictures with exposure times of two seconds. For moving mirrors, in particular for the human eye, much shorter exposure times are required, as the rapid movement of the eye substantially blurs images even after 0.1 seconds.

3. Experimental Results for Low-cost Equipment

We now present experimental results using low-cost equipment that illustrate the feasibility of the attack. The experiments show that many objects that may be found at a usual workplace can be exploited to retrieve information on a computer's display by an outsider.

In the following, we consider the test image depicted in Figure 4 shown on the 15" LCD screen of a ThinkPad T43. We then placed a reflecting object on the table close to the LCD screen (except for the cases where we investigated the reflections in the eye of the user) and photographed the reflection of the screen in the object from various distances through a telescope.

Figure 4. The test image used in most of our experiments. Font sizes are 300pt, 150pt, 72pt, 36pt, and 18pt.

We used the following camera and two telescopes for our tests:

- An SLR digital camera Canon EOS 400D with a resolution of 10.1 mega-pixels and a sensor size of 22.2mm × 14.8mm; it costs approx. 550 Euros (800 dollars). Some pictures were taken using a Sigma macro lens with focal length f = 50mm and an approximate aperture of D = 18mm (F = 2.8). Using this lens with a smaller sensor yields a slightly cropped image, comparable to images taken with an 80mm lens.
- A refractor telescope: a Skywatcher ED 80 PRO with focal length f = 600mm and an aperture of D = 80mm. This telescope has very good imaging qualities, but a quite small aperture. Its price is approximately 380 Euros (550 dollars).
- A Newtonian reflector telescope: a Skywatcher Dobson 200 with focal length f = 1000mm and an aperture of D = 200mm. Its simple design has impacts on image quality, mostly on color fidelity and distortion, which both are of only minor importance for our task. Its larger diameter, however, allows for a higher resolution according to Rayleigh's Criterion and for shorter exposure times. It costs approx. 300 Euros (435 dollars). Unless explicitly stated otherwise, the experiments described below were conducted using this telescope.

Both telescopes were used with the Canon EOS 400D, directly mounted on the telescope with a projection camera adapter using a 25mm eye piece and extension tubes to allow for the short object distances. The camera was triggered by remote control and configured to wait between moving its mirror and taking the actual photo (mirror lockup) to reduce the effect of vibrations.

We have investigated the following reflecting objects: Various tea pots, human eyes, eyeglasses, drinking glasses, bottles, and spoons. In the following we describe the results obtained with these objects.

3.1. Reflections in Tea Pots

We obtained very good reflections in various tea pots. We frequently used the tea pot shown in Figure 5, which is the tea pot that one of the authors uses daily. Figure 6 shows two additional tea pots that we investigated.

The reflections shown in Figure 5 and Figure 6 as well as in most of the following figures were taken indoors. At the time of most of the experiments, the outdoor and indoor temperatures differed by approximately 20 degrees Celsius and poorly insulated windows caused heavy air turbulence. In combination with the quite long exposure time of one second, this caused blurred images, so we photographed the reflections indoors. Our experiments on a warmer day indicate that this does not constitute a serious problem, as it does not occur when temperatures outside are warmer, when better insulated glass is used, or when sensors of higher sensitivity are used, which leads to shorter exposure times. Alternatively, one can resort to a technique used in astronomical photography, where air turbulences cause blurred images: Many images are taken with very short exposure times; each of these images is heavily underexposed, but subject to very little blur. Then approx. 10% of the best images are added to obtain a single, bright and unblurred image.

Figure 7 shows the reflection of a Word document with a font size of 12pt, from a distance of 5 meters.

Figure 5. Reflections in a tea pot, taken from a distance of 10m. The 18pt font is readable from the reflection.

Figure 6. Reflections in two other tea pots, taken from a distance of 5m. The 18pt font is readable from the reflection in the left picture, and almost readable in the right picture.

Figure 7. Reflection of a Word document with small 12pt font size in a tea pot, taken from a distance of 5m. The 12pt font is readable from the reflection.

3.2. Reflections in Human Eyes

Another reflecting object that is prevalent in all offices is the human eye. In fact, the reflecting properties of the cornea, the foremost part of the human eye, are excellent, as it is designed not to distort the light beams passing it (this can be seen in Figure 1). On the downside, the radius of the cornea is very small, and the reflection is quite dark, requiring long exposure times.

The rapid movement of the eye causes the images taken with our equipment to be rather blurred when taken from a distance, see Figure 8. For photographing reflections in the eye a high magnification is used. Since the eye itself does not reflect much light, the exposure time constitutes the limiting factor in these experiments.

Figure 9 shows the reflections from a short distance, taken with a macro lens, where the eye is at a normal distance from the monitor. The readability of the text is essentially limited by the resolution of the captured image. (The bar in the rightmost picture has a height of 18 pixels, consequently the line below was recorded with a resolution of 9 pixels.) Although this does not (yet) constitute a practical attack, it serves as a strong indication that the reflections are of high quality, and that they could be captured using more expensive equipment.

Figure 8. Image taken with the refractor telescope from a distance of 3.5m, produced with an exposure time of one second.

Figure 9. Image taken with a macro lens from very short distance, with realistic distance between the monitor and the eye. Readability is limited by the resolution of the camera.

3.3. Reflections in Eyeglasses

Eyeglasses are another prevalent reflecting object. In fact, glasses substantially facilitate the attack, as they typically have surfaces with a large radius. It turned out that even anti-reflecting coatings do not disturb the attack. The pictures in Figure 10 were taken while the glasses were worn by their respective owner. Both glasses had an anti-reflecting coating.

Figure 10. Reflections in two different pairs of glasses, taken from a distance of 5m. Both the inner side and the outer side of glasses produce reflections. The 18pt font is readable from the reflection.

3.4. Reflections in Other Objects

Surprisingly many objects yield suitable reflections. The following three examples were captured from a distance of 5 meters. The reflections in an empty wine glass are shown in Figure 11. The double reflections are caused by the two faces of one side of the glass. As the radii of both surfaces are essentially equal, both reflections can be seen sharply. The other side of the glass cannot be seen. A glass full of wine would offer even better reflections, because of the darker background.

An ordinary plastic bottle produces reasonable reflections as well, see Figure 12. Depending on the exact position and the exact shape of the bottle, the image can be distorted; in some cases even the last line is readable. Even a spoon has clear reflections, both on its inner and outer side, see Figure 13.

Figure 11. Reflections in an empty wine glass, taken from a distance of 5m. Reflections occur on both sides of the glass. The 18pt font is readable from the reflection.

Figure 12. Reflections in a 0.5l plastic Coca-Cola bottle, taken from a distance of 5m. Because of the irregular surface, only parts of the text are readable.

3.5. Printouts Reflecting in a Tea Pot

Although a tea pot theoretically can reflect all the objects in a room, and our work shows that it reflects the monitor quite well, the monitor is a bright target compared with paperwork lying on the desk. Figure 14 shows that the tea pot also reflects paperwork and could be used to cover cases where the attacker does not have a direct view on the paper. In Figure 14, the paper was placed next to the tea pot and the work space was lit by an ordinary desk lamp. In this case, the paper and the reflecting object (tea pot) were very close and the image quality is excellent. One can easily read the reflection of the 10pt font paper.

Reflecting object (radius r)    Distance d to the camera    Minimal aperture D
Tea pot (70mm)                  5m                          16.6cm
Tea pot (70mm)                  10m                         33.2cm
Human eye (8mm)                 2m                          62cm
Human eye (8mm)                 5m                          155cm
Human eye (8mm)                 10m                         310cm

Table 1. Some concrete values for the minimal aperture D needed to capture the full resolution of 1024 pixels.

3.6. Large Distances

For distances beyond approx. 10 meters between reflector and camera, diffraction substantially limits the resolution we can obtain with our low-cost telescope (cf. Section 5 and Table 1). Of course one could simply use a larger telescope, but even the substantially lower resolution can impose a substantial threat. Figure 15 shows two images captured over a distance of 40 meters in which graphical information is clearly readable, e.g., business charts. At the authors' campus, this is the distance between two computer science buildings, which means that this quality is realistic when spying from one building to the other.

Figure 13. Reflections at the inner side and at the outer side of a spoon, taken from a distance of 5m. The 18pt font is readable from the reflection in the right figure, and almost readable in the left figure.

Figure 14. Reflections of a printed paper in a tea pot, taken from a distance of 5m. The paper was located close to the tea pot, yielding excellent reflections.

Figure 15. Reflections of the monitor in a tea pot, taken from a distance of 40 meters. Readability is good enough to identify relevant information from, say, business charts.

4. Experimental Results for More Expensive Equipment

We now present experimental results using more expensive equipment: a Dobson telescope of excellent quality with mirror diameter D = 60cm and focal length f = 2.6m. A used telescope sells for about 19000 Euros (approx. 27500 dollars). The telescope is shown in Figure 16, along with an image of the reflections in a tea pot from a distance of 30 meters. The quality of the captured image is compliant with the following theoretical observations. The Rayleigh Criterion gives a linear correlation between the telescope diameter and the distance where images of a constant quality can be taken. Furthermore, the brightness of the image decreases quadratically when the distance increases, and the area of the mirror, i.e., its capability to gather light, increases quadratically with increasing mirror diameter. Thus overall, the relation between distance and mirror diameter is also linear.

Figure 16. Reflections in a tea pot, taken from a large distance of 30 meters using a larger telescope. The 18pt font is readable from the reflections.

5. Practical Limits of this Approach

To better understand the implications of this attack and for providing concerned people with suitable defense mechanisms it is important to study the principal limitations of our approach. Our bounds are not absolute, but they depend on the size of the telescope. However, since the price tag of the telescope is directly related to its size, one can at least estimate a lower bound for the costs of an attack in a given setting. Furthermore, in many settings there might be an upper bound on the size of the telescope because the telescope needs to be hidden somewhere.

5.1. Based on the Rayleigh Criterion

The first lower-bound can be derived from the Rayleigh Criterion, cf. Section 2.2. We have

1.22 u1 nd 1.22nd = u1 for

$$u_1 = \cos() \cdot \frac{1}{\frac{2}{r} - \frac{1}{a_0}} \cdot \frac{x}{a_0}.$$

For illustration we give some concrete values in Table 1. These values are for the full resolution n = 1024 pixels; the monitor width x = 30cm, the monitor distance (from the eye) a0 = 50cm, the wavelength = 600nm, and the angle = 0 are kept constant. In most cases a fraction of the full resolution is sufficient to achieve good results, in this case the distance or the diameter can be multiplied/divided by a corresponding factor.

An increasing diameter has two negative effects for the attacker: First, the telescope gets increasingly large. Typically the focal length of telescopes increases linearly with the diameter, making it difficult to hide the telescope. Second, the prices of these telescopes increase rapidly with increasing diameter. For astronomical telescopes, the most expensive part is the mirror (lenses are even more expensive and hardly ever used in large astronomical telescopes). Thus we consider the price of the mirror only; prices of three randomly selected manufacturers are shown in Figure 17. (Note that prices for mirrors of the same size can vary depending on the manufacturer, the quality, and finishing.)

The Rayleigh Criterion was specifically stated for the human eye. The imaging quality of typical telescopes is lower than the Rayleigh Bound, due to inaccuracies of lenses and mirrors. With the assistance of cameras and post-processing one could perhaps improve on the resolution. However, even with expensive equipment, we expect the Rayleigh Bound to be correct up to a small constant factor.

Another possible attack scenario would be to use techniques from astronomy to increase imaging quality, in particular an array of telescopes or mirrors as in the Very Large Telescope Project. This technically challenging undertaking is typically only used for telescopes with a diameter greater than 5 meters. An array of 5 meter telescopes is unrealistic in our attack scenario, and the technical challenges of a portable telescope array are unlikely to be resolved at a reasonable price.
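
The Rayleigh bound of Section 5.1 and the constants behind Table 1 can be used to estimate how exposed a given workplace is. The following Python sketch is an added example, not code from the paper: function and parameter names are illustrative, the minimal aperture is computed as 1.22 · wavelength · n · d / u1 (Rayleigh's Criterion applied to the required angular resolution u1/(n·d)), and the sign in the mirror equation is the one that reproduces the values printed in Table 1.

```python
"""Diffraction-limited exposure estimate for screen reflections (added example)."""
import math

RAYLEIGH_FACTOR = 1.22  # constant in Rayleigh's Criterion (Section 2.2)


def apparent_image_size(r, a0, x, angle=0.0):
    """Apparent width u1 (m) of the monitor's reflection in a curved surface.

    r     -- radius of the reflecting surface (m)
    a0    -- distance between monitor and reflecting surface (m)
    x     -- monitor width (m)
    angle -- viewing angle in radians (0 means head-on)
    """
    if min(r, a0, x) <= 0:
        raise ValueError("r, a0 and x must be positive")
    # Mirror approximated as a lens of focal length r/2 (Section 2.1).
    # Assumption: the minus sign is chosen because it reproduces Table 1.
    inv_b0 = 2.0 / r - 1.0 / a0
    if inv_b0 <= 0:
        raise ValueError("model only covers a0 > r/2")
    b0 = 1.0 / inv_b0              # location of the virtual image
    u0 = b0 * x / a0               # size of the virtual image
    return u0 * math.cos(angle)    # apparent size seen under the given angle


def min_aperture(n, d, u1, wavelength=600e-9):
    """Smallest aperture D (m) that resolves n pixels across u1 from distance d."""
    if n <= 0 or d <= 0 or u1 <= 0 or wavelength <= 0:
        raise ValueError("all arguments must be positive")
    return RAYLEIGH_FACTOR * wavelength * n * d / u1


def max_resolution(D, d, u1, wavelength=600e-9):
    """Largest number of pixels across the screen width resolvable with aperture D."""
    if D <= 0 or d <= 0 or u1 <= 0 or wavelength <= 0:
        raise ValueError("all arguments must be positive")
    return math.floor(D * u1 / (RAYLEIGH_FACTOR * wavelength * d))


def exposure_factor(magnification_ratio, aperture_ratio):
    """Relative exposure time after scaling magnification and aperture (Section 2.3)."""
    return magnification_ratio ** 2 / aperture_ratio ** 2


# Constants the paper keeps fixed for Table 1.
N_FULL = 1024          # full horizontal resolution (pixels)
X_MONITOR = 0.30       # monitor width (m)
A0 = 0.50              # monitor distance from the reflecting object (m)
SURFACES = {"tea pot": 0.070, "human eye": 0.008}   # radius r (m)
TABLE1_ROWS = [("tea pot", 5), ("tea pot", 10),
               ("human eye", 2), ("human eye", 5), ("human eye", 10)]


def table1():
    """Recompute Table 1: (object, distance in m, minimal aperture in m)."""
    rows = []
    for name, d in TABLE1_ROWS:
        u1 = apparent_image_size(SURFACES[name], A0, X_MONITOR)
        rows.append((name, d, min_aperture(N_FULL, d, u1)))
    return rows


def assess(radius, distance, apertures):
    """Resolvable pixels across the screen for each candidate aperture (m)."""
    u1 = apparent_image_size(radius, A0, X_MONITOR)
    return {D: max_resolution(D, distance, u1) for D in apertures}


if __name__ == "__main__":
    for name, d, D in table1():
        print(f"{name:10s} d={d:3d} m  minimal aperture {D * 100:6.1f} cm")
    # Apertures of the three telescopes used in Sections 3 and 4.
    for D, n in assess(SURFACES["tea pot"], 10, [0.08, 0.20, 0.60]).items():
        print(f"aperture {D * 100:4.0f} cm at 10 m: about {n} pixels across the screen")
```

Because the bound is linear in both n and d, a defender can read the output as a stand-off distance: doubling the distance between window and the nearest vantage point halves the resolution any given telescope can recover from the same reflecting object.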

is to use more expensive hardware: a larger telescope


with larger diameter and a more sensitive camera to
improve the exposure time. Also methodical and algorithmic improvements are possible. So far, we have
photographed the pictures and applied simple standard
algorithms to improve readability. However, advanced
deconvolution algorithms or the analysis of whole sequences of pictures might lead to much better picture
quality. For instance, in astronomy there is a technique
called lucky imaging where several underexposed pictures are algorithmically combined to yield a picture of
higher quality, see Section 3.1.
A single picture of the whole screen is also not necessary; one could shoot a series of photos and combine
them in a jigsaw puzzle fashion. We conjecture that
the attack can be improved by at least one order of
magnitude in both resolution and distance by applying
a combination of such techniques.

6.2. Low Resolution


Even if improvements on our technique are not sufcient to increase the resolution such that small fonts
on a screen are readable, there are still threats beside
the possibility to read mere text. For example, even
with a very unclear picture of the screen it might be
possible to guess which program a user is currently using, or even to recognize web pages the user is currently
browsing. The latter in particular works if there is a
limited set of possible candidates with which to compare the layout on the screen. As soon as such a web
page is found, one can follow the browsing user by only
clicking on links, since the set of links on a given page
typically yields a small list of candidates.
Furthermore, presentations generally use very large
fonts and could easily be read from a distance, compromising sensitive business information. If the attacker
has good contextual knowledge, even blurred diagrams
and graphs can reveal damaging information, e.g. a bar
chart showing condential sales gures. In these cases,
even the low resolution we achieved when photographing the human eye might already pose some threat.

5.2. Based on the Exposure Time


In our experiments, the exposure time was the limiting factor in photographing reections in the human
eye. The reection in the eye is very small, thus large
magnication is needed. As discussed in Section 2.3,
the exposure time grows quadratically with the magnication.
Deriving bounds based on the exposure time, similarly to what we did in the previous section for the
diameter, depends on the quality of the photographic
lm/chip an other factors that are hard to measure.
The exposure time seems to be the actual limiting factor in some of our experiments, and we know that exposure time is proportional to the square of the magnication and inversely proportional to the square of
the aperture diameter. We can thus extrapolate values
of the exposure time to get an impression about the
limits incurred by the necessary aperture time. One
should keep in mind that bounds obtained in this fashion are correct only assuming a camera of the same
quality as our and assuming that no special algorithmic techniques are used to reconstruct the screen from
sequences of underexposed pictures.

6.3. Disguise
Standing with a large telescope directly in front of
the user and observing him obviously causes suspicion.
It is essential for the attacker to be unnoticed. Assuming a distance of 10 meters or more, the telescope could
be mounted inside a small van parked near the window
of the user (assuming a ground floor office). Opacifying the windows of the van except for one window and
switching off lights inside, the telescope should not be

6. Threat Analysis
6.1. Possibility of Improvement
The experimental results presented in this paper are
only a first case study. The most obvious improvement
[Figure 17 plots: legend entries Zambuto Carl (APM), Swayze Optical, Discovery Telescopes; price axis labelled in thousands of dollars.]

Figure 17. Prices of Newtonian mirrors of various manufacturers for increasing diameter (left side),
and per square-cm (right side).

visible. A larger distance of 20-30 meters might even
allow observing the user from an apartment on the
other side of the road.

eye of the user also provide good results. However, eyes
are harder to spy on at a distance because they are fast-moving objects and require high exposure times. Using
more expensive equipment with lower exposure times
helps to remedy this problem. We have furthermore established lower bounds on the size of the telescope (and
consequently the amount of money) needed to carry
out this attack in different scenarios, based on physical
characteristics such as diffraction as well as bounds on
the permitted exposure times. Fully invalidating the
attack seems difficult, except for using curtains on the
windows or similar forms of optical shielding.

6.4. Availability of reflecting surfaces

Although our experiments were performed under lab
conditions, it is realistic that there will be several reflecting surfaces near any given computer. The office of
one of the authors had five curved reflecting surfaces:
a glass, a bottle, a muesli container, a spoon, and the
front glass of a wall clock. More tidy offices might be
less threatened but the eye of the user (or even his
glasses) will be present.

We are currently conducting experiments on a related attack that is not based on reflecting objects, but
rather exploits diffuse reflections on the user's clothes
or on a nearby wall. The approach is grounded on the
following idea: A single monitor pixel (in particular for
LCD displays) produces a slightly directed beam; hence
a narrow area of the wall is lightened, which is called
the point spread function (PSF). Measuring this function and applying modern deconvolution algorithms
both to this function and the image of the light distribution on the wall allow for partial re-computation
of the monitor image. Algorithms already exist that
behave well if the original image has high contrasts,
e.g., text documents on a monitor. While diffuse reflections naturally complicate the situation, first examples
indicate that this approach is feasible at least under
idealized conditions: A diffusely reflected image of the
letter C and the corresponding reconstruction is shown
in Figure 18.

7. Conclusion and Future Work


We have presented a novel eavesdropping technique
for spying at a distance on data that is displayed on
an arbitrary monitor, including the currently prevalent
LCD monitors. Our technique exploits reflections of
the screen's optical emanations in objects that one commonly finds in close proximity to the monitor. This
includes glasses, tea pots, spoons, plastic bottles, and
even the eye of the user. We have demonstrated that
this attack can be successfully mounted using inexpensive, off-the-shelf equipment. Relying on more expensive equipment allowed us to conduct this attack from
larger distances; in particular spying from a close-by
building clearly becomes feasible.
Particularly good results were obtained from reflections in a user's eyeglasses or a tea pot located on the
desk next to the screen. Reflections that stem from the

Figure 18. Diffuse reflections of a monitor
display from a wall, recovered using deconvolution algorithms: The monitor image (left),
the reflection from the wall (middle), and the
result from deconvolution, gamma correction, and edge detection (right).

Acknowledgments
We would like to thank Hendrik Lensch and Andrei Lintu for helpful discussions and for giving us access to parts of their telescope equipment, to Markus
Ludes from APM Telescopes for giving us access to
the 60cm Dobson telescope, and to Markus Kuhn and
Jean-Jacques Quisquater for general comments.

References
[1] R. J. Anderson and M. G. Kuhn. Soft tempest an opportunity for NATO. In Information Systems Technology (IST) Symposium Protecting NATO Information
Systems in the 21st Century, 1999.
[2] D. Asonov and R. Agrawal. Keyboard acoustic emanations. In Proceedings of the 2004 IEEE Symposium
on Security and Privacy, 2004.
[3] R. Briol. Emanation: How to keep your data confidential. In Symposium on Electromagnetic Security for
Information Protection, 1991.
[4] H. J. Highland. Electromagnetic radiation revisited.
Comput. Secur., 5(2):8593, 1986.
[5] M. G. Kuhn. Optical time-domain eavesdropping risks
of CRT displays. In Proc. of the 2002 IEEE Symposium on Security and Privacy, 2002.
[6] M. G. Kuhn. Electromagnetic eavesdropping risks of
flat-panel displays. In Proc. 4th Workshop on Privacy
Enhancing Technologies, pages 88107, 2005.
[7] M. G. Kuhn. Security limits for compromising emanations. In Proc. of CHES 2005, volume 3659 of LNCS.
Springer, 2005.
[8] J. Loughry and D. A. Umphress. Information leakage
from optical emanation. ACM Transactions on Information and Systems Security, 5(3):262289, 2002.
[9] K. Nishino and S. K. Nayar. Corneal imaging system: Environment from eyes. International Journal
on Computer Vision, 2006.
[10] A. Shamir and E. Tromer. Acoustic cryptanalysis
on nosy people and noisy machines. Online at
http://people.csail.mit.edu/tromer/acoustic/.

12

You might also like

pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy