The Complete, Unofficial TEMPEST Information Page
Over five years of public disclosure, and one-stop
shopping for TEMPEST info...
Across the darkened street, a windowless van is parked.
Inside, an antenna is pointed out through a fiberglass panel.
It's aimed at an office window on the third floor. As the CEO
works on a word processing document, outlining his strategy for a
hostile take-over of a competitor, he never knows what appears on
his monitor is being captured, displayed, and recorded in the van
below.
This page is about surveillance technology.
If a search engine mistakenly led you here, try Shakespeare, Pontiacs, or Arcade Games. (The
graphic on the right is the logo for the US Army Blacktail Canyon TEMPEST Test Facility.)
News & Updates
March 5, 2002 - Joe Loughry has authored and released a
fascinating paper on what he calls "Optical
TEMPEST." To quote the introduction, "A previously unknown form of compromising emanations has been
discovered. LED status indicators on data communication equipment, under certain conditions, are shown to carry a modulated optical
signal that is significantly correlated with information being processed by the device. Physical access is not required; the
attacker gains access to all data going through the device, including plaintext in the case of data encryption systems. Experiments show
that it is possible to intercept data under realistic conditions at a considerable distance. Many different sorts of devices, including
modems and Internet Protocol routers, were found to be vulnerable."
At least black electrician's tape is a cheap countermeasure.
Later in the day, Markus Kuhn released a paper entitled "Optical Time-Domain Eavesdropping Risks of CRT Displays." To quote
from the conclusion, "The information displayed on a modern cathode-ray tube computer monitor can be reconstructed by an eavesdropper from its distorted or even diffusely reflected light using easily available components such as a
photo-multiplier tube and a computer with suitably fast analog-to-digital converter."
Kudos to you both, gentlemen. Excellent research.
February 25, 2002 - The Complete, Unofficial TEMPEST
Information Page is back. I took the site down around the first of the year
and had John Young archive it at cryptome.org.
However, due to popular demand and some time freeing up, I've decided to continue
with updates.
- A new Help Wanted
section has been added for companies, agencies, and recruiters looking for folks
with TEMPEST/RFI/EMI experience. If you're trying to find an engineer,
send me your requirements and I'll post them. No guarantees on successful
leads, but this site does generate a fair amount of traffic, and for now the
service is free.
- A couple of years ago Frank Jones, AKA "Spy
King," was hyping supposed TEMPEST surveillance products. You may be
interested in his conviction and
probation papers.
- TinFoil Hat Linux is a single floppy-based distro
with a variety of privacy features, including some unique
"anti-Tempest" features. Review here,
download Web site here.
December 30, 2001 - From an anonymous UK source:
"1. GCHQ in the UK is the #1 monitoring place for TEMPEST, they HAVE NOT scaled down any business to do with
TEMPEST and now even use their techniques for corporate applications. They are STILL the first port of call of
the Ministry of Defence for any queries.
2. The GCHQ standard (BTR) is the bible for the UK Military with regard to installations that may negate
TEMPEST emissions, mainly due to good practices and safe areas around antenna and
cryptographic equipment, also JSP440 is a watered down version of the standard that also covers computer security which is available to all
CIDA's (Installation Design Authorities) within the Ministry. CIDA is one of the main 'businesses'
within the MoD.
Stories... these I have 'heard' from people in the know and witnessed
myself:
Whitehall, London
A Ford Transit van was converted to carry an entire Tempest test kit including antennas and terminals. This
was parked on the road outside the building. The antennas were able to pick up the Telephone emissions from
all areas of the building, including 'Shielded' areas due to the pre-1970 external telephone wiring, and as
all conversations are routed to the local telephone exchange before encoding, this posed a major security
threat. Also, static CRT images were reformed on the terminals within the van.
(I have also witnessed this whilst attending a TEMPEST course at GCHQ.)
Gibraltar
An old 'story'. There is one main transmission site on Gibraltar where all of the signals to the passing
allied fleets are sent (also submarine signals). These are coded within the building then transmitted via
antenna and satellite. However a number of 'unfriendly' vessels (mainly Russian registered trawlers) were
hovering near to the shore by the chain link fence. The comms officer got curious and asked for a TEMPEST check
to see if they were picking up any signals. A test proved that the fence was picking up uncoded signals that were emanating
from the large capacitors used in the encoding process. The fence then acted as an antenna and the unfriendlies were
receiving uncoded signals. The station was closed down immediately.
Interference and Non-intentional Interception.
Modern digital mobile phones are the current enemy of the UK teams. Mainly as the signal can act as a carrier
wave for any radiated signal. Also, it has been noted, that people making Mobile calls at the end of the
runway at RNAS Yeovilton can eavesdrop on the tower and pilot conversations.
Another 'story' tells how a British Telecom engineer was testing a mast when his laptop screen started to fill
up as if the computer was typing. What had actually happened was that the voice recognition software on his
laptop had detected the radiated signal from the mast during decoding and regeneration and displayed it on the
screen as plain text.
August 3, 2001 - TEMPEST mentioned in James Bamford's "Body
of Secrets" book (NSA tell-all, follow-up to The Puzzle Palace).
Specifically, ship implemented eavesdropping on Cuba. Ross Anderson also has a
lengthy section on emissions security in his new book "Security
Engineering." (I recommend Anderson's work to anyone interested in
security systems - from ATMs to art galleries to EMSEC to crypto. This book is
destined to become a classic.) NSA's online
TEMPEST Endorsement Program has recently been updated. SANS Institute (the
security folks) have a nice, concise TEMPEST
FAQ (my only complaint is the reference to Codex
Data Systems). Some good info on BEMA's
TEMPEST shielded tents (lots of interest in these at the recent Special
Operations Command Show and Conference). National Security Telecommunications
Information Systems Security Committee Maintenance
and Disposition of TEMPEST Equipment (PDF format dated December 2000). And
finally the Nicodemo Scarfo trial
is underway, and the outcome will definitely have an impact on the future of
legal electronic surveillance. Stay tuned...
January 14, 2001 - John
Young has released a FOIA version of NACSEM 5112, NONSTOP
Evaluation Techniques. This is the first public document to
come to light on NONSTOP surveillance techniques. The document
has been heavily redacted. We do know NONSTOP testing is very
similar to TEMPEST testing. In Side
Channel Cryptanalysis of Product Ciphers (Postscript format),
John Kelsey, Bruce Schneier, David Wagner, and Chris Hall
speculate that NONSTOP and HIJACK refer to the compromise of
cryptographic devices through nearby radio transmitters (such as
a cell phone, handheld radio, intercom). One of the more
interesting things about the document is toward the end. "It
is further noted that UNCLASSIFIED information concerning NONSTOP
should not be discussed or made available to persons without a
need-to-know. No information related to NONSTOP should be
released for public consumption through the press, advertising,
radio-TV or other public media." The original document
came out in 1975, and has gone through several updates.
January 1, 2001 - John
Young has received eight more TEMPEST-related documents from
his October 1999 NSA
FOIA appeal. The printing in the documents is in pretty poor
shape, so text is being hand-typed. Currently available documents
include: NSTISSAM
TEMPEST/2-95, 12 December 1995 - "Red/Black Installation
Guidance", Specification
NSA No. 94-106, 24 October 1994 - Specification for Shielded
Enclosures, NACSIM
5000, 1 February 1982 - TEMPEST Fundamentals, and NSTISSI 7000, 29
November 1993 - "TEMPEST Countermeasures for Facilities."
(This last document is especially interesting in that it reveals
the U.S. Government keeps a list of countries it views as having
the ability and motivation to conduct TEMPEST attacks on U.S.
interests. Censors did a bad job of blacking out the text in this
1995 document, and 12 of the 25 countries are identifiable,
including Singapore, Norway, Hungary, Netherlands, Taiwan and
some big industrial states that are known to dabble in economic
espionage.) The remaining documents will be added as John has
them transcribed.
December 10, 2000 - French
SCSSI TEMPEST site, TEMPEST history, Ft.
Huachuca Blacktail Canyon logo, fixed www.dtic.mil links (an
astute reader pointed out that the "dead" DoD dtic
sites on the TEMPEST
Sources page could be revived by changing the domain - thanks
Rob!).
December 6, 2000 - Over the past four years a
tremendous amount of information has come to light on TEMPEST and
related topics. So much that even though the page had no
graphics, it was taking a couple of minutes to load on slow, dial-up
connections. To celebrate the site's four year birthday, I've
split it into four pages so it will load a bit faster.
- CNET News reports on the Feds using a bugged keyboard to snag a
Philadelphia mobster who was using PGP. I've been telling clients
for years that this is a significant risk. In most cases it's
much easier to do a "black bag" job on a target and
install key monitoring software or hardware (or even hide a
wireless CCD camera positioned to transmit what's being typed on
the keyboard or appearing on the screen), than deal with strong
encryption. Although the risk of discovery is obviously higher
than a TEMPEST intercept, the lower cost and fewer required
technical skills make this a much more likely attack option.
Introduction to this Site
If you're even vaguely familiar with intelligence, computer
security, or privacy issues, you've no doubt heard about TEMPEST.
Probably something similar to the above storyline. The general
principle is that computer monitors and other devices give off
electromagnetic radiation. With the right antenna and receiver,
these emanations can be intercepted from a remote location, and
then be redisplayed (in the case of a monitor screen) or recorded
and replayed (such as with a printer or keyboard).
TEMPEST is a code word that relates to specific standards used
to reduce electromagnetic emanations. In the civilian world,
you'll often hear about TEMPEST devices (a receiver and antenna
used to monitor emanations) or TEMPEST attacks (using an
emanation monitor to eavesdrop on someone). While not quite to
government naming specs, the concept is still the same.
TEMPEST has been shrouded in secrecy. A lot of the mystery
really isn't warranted though. While significant technical
details remain classified, there is a large body of open source
information that, when put together, forms a pretty good idea of
what this dark secret is all about. That's the purpose of this
page.
The following is a collection of resources for better
understanding what TEMPEST is. And no, I seriously don't think
national security is being jeopardized because of this
information. I feel to a certain extent, the "security
through obscurity" that surrounds TEMPEST may actually be
increasing the vulnerability of U.S. business interests to
economic espionage. Remember, all of this is publicly available.
A fair amount has come from unclassified, government sites. Up to
this point, no one has spent the time to do the research and put
it all together in a single location.
References marked with an (X) are good primary sources. If you just read
these, you'll end up with an excellent overview on TEMPEST-related
topics.
References marked with an (O) are
reported dead links. These pages may be temporarily or
permanently unavailable. Dead links are left for reference sake (you
may want to check the main domain name or do further searching
with AltaVista, etc.). It's interesting to note the number of
military sites that now report 404 - Not Found or Forbidden
Request errors for certain documents.
The site content is listed below. There are three pages in
addition to this one. Introduction
provides detailed background info on TEMPEST. Sources
provides links to hardware manufacturers, software vendors, and
specific government documents. Miscellaneous
is comments from readers and other things that don't fit in the
other pages.
Note: As you start viewing TEMPEST
info, you likely will run into vague or confusing acronyms. A
great Net resource is the Acronym
Finder site.
Happy reading!
Joel McNamara
Original page - December 17, 1996 - Last update February 25, 2002
Site Contents
Introduction to TEMPEST
What is TEMPEST?
TEMPEST History
Just how prevalent is emanation monitoring?
TEMPEST Urban Folklore
General TEMPEST Information
EMSEC
HIJACK and NONSTOP
Online Sources
Patents
Paper Sources
Monitoring Devices
Do It Yourself Shielding Sources
TEMPEST Sources
TEMPEST Hardware & Consulting
US Government Information Sources
Department of Energy
Department of Justice
Geological Survey
Department of State
Treasury Department
National Security Agency
National Institute of Standards and Technology
US Military Information Sources
U.S. Navy
U.S. Air Force
U.S. Army
U.S. Coast Guard
Department of Defense
Other Countries
TEMPEST Help Wanted
Miscellaneous
Used TEMPEST
Tales of the TEMPEST
Non-TEMPEST computer surveillance
Change log
Disclaimer: I've never been involved with the TEMPEST
community, had a security clearance for TEMPEST, or have access
to classified material relating to TEMPEST. The information on
these pages is completely derived from publicly available,
unclassified sources.
Last changed March 5, 2002
Copyright 1996,1997, 1998, 1999, 2000, 2001, 2002 Joel McNamara