All posts by Markus Kuhn

About Markus Kuhn

I'm an Associate Professor at the Department of Computer Science and Technology, working on hardware and signal-processing aspects of computer security.

Permissive action links for individual bullets

Security engineering

I read with interest about US Patent application 20060117632, which proposes to apply the notion of cryptographic accessory control to individual bullets in firearms. Only after an authentication protocol has convinced the tiny microprocessor in a cartridge that it is OK to potentially kill someone, it will close a transistor switch that normally blocks the electrical ignition mechanism.

It does not seem to me technically infeasible, or even cost prohibitive, to apply security mechanisms comparable to those we have come to expect to be used in weapons of mass destruction also to smaller weapon systems that were designed to kill only a few people at a time.

(The idea could be extended. If we add a chip to each cartridge, we might as well place it into the bullet itself. The bullet processor could then store in its NVRAM an audit log of the certification chain that ultimately authorized the firing of this bullet. With the right packaging, NVRAM chips can be made extremely tough and withstand hundreds of km/s² acceleration, much more than the conditions a normal bullet faces when penetrating a body. Having a log file in each bullet that identifies who is responsible for firing it could make the forensic investigation of shootings and war crimes so much easier.)

Video eavesdropping demo at CeBIT 2006

Hardware & signals

If you happen to be at CeBIT 2006 in Hanover this week, don’t miss a little demonstration of compromising video emanations that I developed (Halle 6, Stand A42, booth of GBS). It shows how easily now cheap FPGA DSP evaluation boards can be turned into impressive home-brew eavesdropping devices.

COVISP demonstration setup at CeBIT 2006

The system shown consists of a log-periodic antenna (not on the photo), a Dynamic Sciences R1250 wideband receiver, and an Altera FPGA DSP Development Kit, Stratix II Edition. The FPGA board is the implementation platform for my COVISP-1 (compromising video emanations processor) circuit. It receives the 30 MHz intermediate-frequency output signal from the UHF tuner, samples it with 12-bit resolution at 120 MHz, applies a number of signal-processing steps (AM demodulation, gain control, clipping, blanking), and outputs the result – along with sync-pulses – onto the connected VGA monitor. It implements all the controls necessary to adjust it precisely and comfortably to the video mode of the eavesdropping target, including a video clock synthesizer with a frequency-resolution of about 1 part-per-billion, necessary for accurate synchronization of the image.
The eavesdropping target to which the demo setup is tuned in on the above picture is a PC with a flat-panel display:
Eavesdropping target of COVISP demonstration at CeBIT 2006

It belongs to a nearby Russian stand, is about 25 meters away from our antenna. Its PowerPoint presentation is clearly readable on our eavesdropping system, which managed to isolate this signal from the many hundred PCs located in the same room.