TEMPEST information Page
Over five years of public disclosure, and one-stop
shopping for TEMPEST info...
Across the darkened street, a windowless van is parked.
Inside, an antenna is pointed out through a fiberglass panel.
It's aimed at an office window on the third floor. As the CEO
works on a word processing document, outlining his strategy for a
hostile take-over of a competitor, he never knows what appears on
his monitor is being captured, displayed, and recorded in the van
This page is about surveillance technology.
If a search engine mistakenly led you here, try Shakespeare, Pontiacs, or Arcade Games. (The
graphic on the right is the logo for the US Army Blacktail Canyon TEMPEST Test Facility.)
News & Updates
skip the news and go to the introduction
March 5, 2002 - Joe Loughry has authored and released a
fascinating paper on what he calls "Optical
TEMPEST." To quote the introduction, "A previously unknown form of compromising emanations has been
discovered. LED status indicators on data communication equipment, under certain conditions, are shown to carry a modulated optical
signal that is significantly correlated with information being processed by the device. Physical access is not required; the
attacker gains access to all data going through the device, including plaintext in the case of data encryption systems. Experiments show
that it is possible to intercept data under realistic conditions at a considerable distance. Many different sorts of devices, including
modems and Internet Protocol routers, were found to be vulnerable."
At least the black, electrician's tape is a cheap countermeasure. Later in
the day, Markus Kuhn released a paper entitled Optical
Time-Domain Eavesdropping Risks of CRT Displays. To quote
from the conclusion, "The information displayed on a modern cathode-ray tube computer monitor can be reconstructed by an eavesdropper from its distorted or even diffusely reflected light using easily available components such as a
photo-multiplier tube and a computer with suitably fast analog-to-digital converter."
Kudos to you both gentlemen. Excellent research.
February 25, 2002 - The Complete, Unofficial TEMPEST
Information Page is back. I took the site down around the first of the year
and had John Young archive it at cryptome.org.
However due to popular demand and some time freeing up, I've decided to continue
with updates. - A new Help Wanted
section has been added for companies, agencies, and recruiters looking for folks
with TEMPEST/RFI/EMI experience. If you're trying to find an engineer,
send me your requirements and I'll post them. No guarantees on successful
leads, but this site does generate a fair amount of traffic, and for now the
service is free. - A couple of years ago Frank Jones, AKA "Spy
King" was hyping supposed TEMPEST surveillance products. You may be
interested in his conviction and
probation papers. - TinFoil Hat Linux is a single floppy-based distro
with a variety of privacy features, including some unique
"anti-Tempest" features. Review here,
download Web site here.
December 30, 2001 - From an anonymous UK source: "1. GCHQ in the UK is the #1 monitoring place for TEMPEST, they HAVE NOT scaled down any business to do with
TEMPEST and now even use their techniques for corporate applications. They are STILL the first port of call of
the Ministry of Defence for any queries. 2. The GCHQ standard (BTR) is the bible for the UK Military with regard to installations that may negate
TEMPEST emissions, mainly due to good practices and safe areas around antenna and
cryptographic equipment, also JSP440 is a watered down version of the standard that also covers computer security which is available to all
CIDA's (Installation Design Authorities) within the Ministry. CIDA is one of the main 'businesses'
within the MoD. Stories... these I have 'heard' from people in the know and witnessed
A Ford Transit van was converted to carry an entire Tempest test kit including antennas and terminals. This
was parked on the road outside the building. The antennas were able to pick up the Telephone emissions from
all areas of the building, including 'Shielded' areas due to the pre-1970 external telephone wiring, and as
all conversations are routed to the local telephone exchange before encoding, this posed a major security
threat. Also, static CRT images were reformed on the terminals within the van.
(I have also witnessed this whilst attending a TEMPEST course at GCHQ.)
An old 'story'. There is one main transmission site on Gibraltar where all of the signals to the passing
allied fleets are sent (also submarine signals). These are coded within the building then transmitted via
antenna and satellite. However a number of 'unfriendly' vessels (mainly Russian registered trawlers) were
hovering near to the shore by the chain link fence. The comms officer got curios and asked for a TEMPEST check
to see if they were picking up any signals. A test proved that the fence was picking up uncoded signals that were emanating
from the large capacitors used in th encoding process. The fence then acted as an antenna and the unfriendlies were
receiving uncoded signals. The station was closed down immediately.
Interference and Non-intentionally Interception.
Modern digital mobile phones are the current enemy of the UK teams. Mainly as the signal can act as a carrier
wave for any radiated signal. Also, it has been noted, that people making Mobile calls at the end of the
runway at RNAS Yeovilton can eavesdrop on the tower and pilot conversations.
Another 'story' tells how a British Telecom engineer was testing a mast when his laptop screen started to fill
up as if the computer was typing. What had actually happened was that the voice recognition software on his
laptop had detected the radiated signal from the mast during decoding and regeneration and displayed it on the
screen as plain text.
August 3, 2001 - TEMPEST mentioned in James Bamford's "Body
of Secrets" book (NSA tell-all, follow-up to The Puzzle Palace).
Specifically, ship implemented eavesdropping on Cuba. Ross Anderson also has a
lengthy section on emissions security in his new book "Security
Engineering." (I recommend Anderson's work to anyone interested in
security systems - from ATMs to art galleries to EMSEC to crypto. This book is
destined to become a classic.) NSA's online
TEMPEST Endorsement Program has recently been updated. SANS Institute (the
security folks) have a nice, concise TEMPEST
FAQ (my only complaint is the reference to Codex
Data Systems). Some good info on BEMA's
TEMPEST shielded tents (lots of interest in these at the recent Special
Operations Command Show and Conference). National Security Telecommunications
Information Systems Security Committee Maintenance
and Disposition of TEMPEST Equipment (PDF format dated December 2000). And
finally the Nicodemo Scarfo trial
is underway, and the outcome will definitely have an impact on the future of
legal electronic surveillance. Stay tuned...
January 14, 2001 - John
Young has released a FOIA version of NACSEM 5112, NONSTOP
Evaluation Techniques. This is the first public document to
come to light on NONSTOP surveillance techniques. The document
has been heavily redacted. We do know NONSTOP testing is very
similar to TEMPEST testing. In Side
Channel Cryptanalysis of Product Ciphers (Postscript format),
John Kelsey, Bruce Schneier, David Wagner, and Chris Hall
speculate that NONSTOP and HIJACK refer to the compromise of
cryptographic devices through nearby radio transmitters (such as
a cell phone, handheld radio, intercom). One of the more
interesting things about the document is toward the end. "It
is further noted that UNCLASSIFIED information concerning NONSTOP
should not be discussed or made available to persons without a
need-to-know. No information related to NONSTOP should be
released for public consumption through the press, advertising,
radio-TV or other public media." The original document
came out in 1975, and has gone through several updates.
January 1, 2001 - John
Young has received eight more TEMPEST-related documents from
his October 1999 NSA
FOIA appeal. The printing in the documents is in pretty poor
shape, so text is being hand-typed. Currently available documents
TEMPEST/2-95, 12 December 1995 - "Red/Black Installation
NSA No. 94-106, 24 October 1994 - Specification for Shielded
5000, 1 February 1982 - TEMPEST Fundamentals, and NSTISSI 7000, 29
November 1993 - "TEMPEST Countermeasures for Facilities."
(This last document is especially interesting in that it reveals
the U.S. Government keeps a list of countries it views as having
the ability and motivation to conduct TEMPEST attacks on U.S.
interests. Censors did a bad job of blacking out the text in this
1995 document, and 12 of the 25 countries are identifiable.
Including: Singapore, Norway, Hungary, Netherlands, Taiwan and
some big industrial states that are known to dabble in economic
espionage.) The remaining documents will be added as John has
December 10, 2000 - French
SCSSI TEMPEST site, TEMPEST history, Ft.
Huachuca Blacktail Canyon logo, fixed www.dtic.mil links (an
astute reader pointed out that the "dead" DoD dtic
sites on the TEMPEST
Sources page could be revived by changing the domain - thanks
December 6, 2000 - Over the past four years a
tremendous amount of information has come to light on TEMPEST and
related topics. So much that even though the page had no
graphics, it was taking a couple of minutes to load on slow, dial-up
connections. To celebrate the site's four year birthday, I've
split it into four pages so it will load a bit faster. - CNET
News reports on the Feds using a bugged keyboard to snag a
Philadelphia mobster who was using PGP. I've been telling clients
for years that this is a significant risk. In most cases it's
much easier to do a "black bag" job on a target and
install key monitoring software or hardware (or even hide a
wireless CCD camera positioned to transmit what's being typed on
the keyboard or appearing on the screen), than deal with strong
encryption. Although the risk of discovery is obviously higher
than a TEMPEST intercept, the lower cost and fewer required
technical skills make this a much more likely attack option.
Introduction to this Site
If you're even vaguely familiar with intelligence, computer
security, or privacy issues, you've no doubt heard about TEMPEST.
Probably something similar to the above storyline. The general
principle is that computer monitors and other devices give off
electromagnetic radiation. With the right antenna and receiver,
these emanations can be intercepted from a remote location, and
then be redisplayed (in the case of a monitor screen) or recorded
and replayed (such as with a printer or keyboard).
TEMPEST is a code word that relates to specific standards used
to reduce electromagnetic emanations. In the civilian world,
you'll often hear about TEMPEST devices (a receiver and antenna
used to monitor emanations) or TEMPEST attacks (using an
emanation monitor to eavesdrop on someone). While not quite to
government naming specs, the concept is still the same.
TEMPEST has been shrouded in secrecy. A lot of the mystery
really isn't warranted though. While significant technical
details remain classified, there is a large body of open source
information, that when put together forms a pretty good idea of
what this dark secret is all about. That's the purpose of this
The following is a collection of resources for better
understanding what TEMPEST is. And no, I seriously don't think
national security is being jeopardized because of this
information. I feel to a certain extent, the "security
through obscurity" that surrounds TEMPEST may actually be
increasing the vulnerability of U.S. business interests to
economic espionage. Remember, all of this is publicly available.
A fair amount has come from unclassified, government sites. Up to
this point, no one has spent the time to do the research and put
it all together in a single location.
References marked with an (X), are good primary sources. If you just read
these, you'll end up with an excellent overview on TEMPEST-related
References marked with an (O) are
reported dead links. These pages may be temporarily or
permanently unavailable. Dead links are left for reference sake (you
may want to check the main domain name or do further searching
with AltaVista, etc.). It's interesting to note the number of
military sites that now report 404 - Not Found or Forbidden
Request errors for certain documents.
The site content is listed below. There are three pages in
addition to this one. Introduction
provides detailed background info on TEMPEST. Sources
provides links to hardware manufacturers, software vendors, and
specific government documents. Miscellaneous
is comments from readers and other things that don't fit in the
Note: As you start viewing TEMPEST
info, you likely will run into vague or confusing acronyms. A
great Net resource is the Acronym
Original page - December 17, 1996 - Last update February 25, 2002
how prevalent is emanation monitoring?
It Yourself Shielding Sources
Hardware & Consulting
Government Information Sources
Institute of Standards and Technology
Military Information Sources
of the TEMPEST
Disclaimer: I've never been involved with the TEMPEST
community, had a security clearance for TEMPEST, or have access
to classified material relating to TEMPEST. The information on
these pages is completely derived from publicly available,
Last changed March 5, 2002
Copyright 1996,1997, 1998, 1999, 2000, 2001, 2002 Joel McNamara