This page is about surveillance technology. If a search engine mistakenly led you here, try Shakespeare, Pontiacs, or Arcade Games.
What is TEMPEST?
TEMPEST History
Just how prevalent is emanation monitoring?
TEMPEST Urban Folklore
General TEMPEST Information
EMSEC
HIJACK and NONSTOP
Online Sources
Patents
Paper Sources
Monitoring Devices
Do It Yourself Shielding Sources
TEMPEST is a U.S. government code word that identifies a classified set of standards for limiting electric or electromagnetic radiation emanations from electronic equipment. Microchips, monitors, printers, and all electronic devices emit radiation through the air or through conductors (such as wiring or water pipes). An example is using a kitchen appliance while watching television. The static on your TV screen is emanation-caused interference. (If you want to learn more about this phenomenon, a company called NoRad has an excellent discussion (X) of electromagnetic radiation and computer monitors (and Chomerics has a good electromagnetic interference 101 page) that you don't need to be an electrical engineer to understand. Also, while not TEMPEST-specific, a journal called Compliance Engineering (O) typically has good technical articles relating to electromagnetic interference. There's also the Electromagnetic Compliance FAQ.)
During the 1950's, the government became concerned that emanations could be captured and then reconstructed. Obviously, the emanations from a blender aren't important, but emanations from an electric encryption device would be. If the emanations were recorded, interpreted, and then played back on a similar device, it would be extremely easy to reveal the content of an encrypted message. Research showed it was possible to capture emanations from a distance, and as a response, the TEMPEST program was started. (For some interesting perspectives on the history of TEMPEST, see this timeline and do a text search for TEMPEST at this UK list archive.)
The purpose of the program was to introduce standards that would reduce the chances of "leakage" from devices used to process, transmit, or store sensitive information. TEMPEST computers and peripherals (printers, scanners, tape drives, mice, etc.) are used by government agencies and contractors to protect data from emanations monitoring. This is typically done by shielding the device (or sometimes a room or entire building) with copper or other conductive materials. (There are also active measures for "jamming" electromagnetic signals. Refer to some of the patents listed below.)
Bruce Gabrielson, who has been in the TEMPEST biz for ages, has a nice unclassified general description of TEMPEST that was presented at an Air Force security seminar in 1987.
In the United States, TEMPEST consulting, testing, and manufacturing is a big business, estimated at over one billion dollars a year. (Economics has caught up with TEMPEST though. Purchasing TEMPEST standard hardware is not cheap, and because of this, a lesser standard called ZONE (O) has been implemented. This does not offer the level of protection of TEMPEST hardware, but it is quite a bit cheaper, and is used in less sensitive applications.)
Emanation standards aren't just confined to the United States. NATO has a similar standard called the AMSG 720B Compromising Emanations Laboratory Test Standard. In Germany, the TEMPEST program is administered by the National Telecom Board. In the UK, Government Communications Headquarters (GCHQ), the equivalent of the NSA, has their own program.
The original 1950s emanations standard was called NAG1A. During the 1960s it was revised and reissued as FS222 and later FS222A.
In 1970 the standard was significantly revised and published as National Communications Security Information Memorandum 5100 (Directive on TEMPEST Security), also known as NACSIM 5100. This was again revised in 1974.
Current national TEMPEST policy is set in National Communications Security Committee Directive 4, dated January 16, 1981. It instructs federal agencies to protect classified information against compromising emanations. This document is known as NACSIM 5100A and is classified.
The National Communications Security Instruction (NACSI) 5004 (classified Secret), published in January 1984, provides procedures for departments and agencies to use in determining the safeguards needed for equipment and facilities which process national security information in the United States. National Security Decision Directive 145, dated September 17, 1984, designates the National Security Agency (NSA) as the focal point and national manager for the security of government telecommunications and Automated Information Systems (AISs). NSA is authorized to review and approve all standards, techniques, systems and equipment for AIS security, including TEMPEST. In this role, NSA makes recommendations to the National Telecommunications and Information Systems Security Committee for changes in TEMPEST policies and guidance.
There are no public records that give an idea of how much emanation monitoring is actually taking place. There are isolated anecdotal accounts of monitoring being used for industrial espionage (see Information Warfare, by Winn Schwartau), but that's about it. (However, see a very interesting paper written by Ian Murphy called Who's Listening that has some Cold War TEMPEST spy stories.) Unfortunately, there's not an emanation monitoring category in the FBI Uniform Crime Reports. (While not TEMPEST-specific, the San Jose Mercury News printed a November 11, 1998 article(O) on how much money American businesses are losing to economic espionage. Considering some of the countries involved, hi-tech spying techniques are likely being used in some cases.)
There are a few data points that lead one to believe there is a real threat though, at least from foreign intelligence services. First of all, the TEMPEST industry is over a billion dollar a year business. This indicates there's a viable threat to justify all of this protective hardware (or it's one big scam that's making a number of people quite wealthy).
The scope of the threat is backed up with a quote from a Navy manual that discusses "compromising emanations" or CE. "Foreign governments continually engage in attacks against U.S. secure communications and information processing facilities for the sole purpose of exploiting CE." I'm sure those with appropriate security clearances have access to all sorts of interesting cases of covert monitoring.
In 1994, the Joint Security Commission issued a report to the Secretary of Defense and the Director of Central Intelligence called "Redefining Security." It's worthwhile to quote the entire section that deals with TEMPEST.
TEMPEST (an acronym for Transient Electromagnetic Pulse Emanation Standard) is both a specification for equipment and a term used to describe the process for preventing compromising emanations. The fact that electronic equipment such as computers, printers, and electronic typewriters give off electromagnetic emanations has long been a concern of the US Government. An attacker using off-the-shelf equipment can monitor and retrieve classified or sensitive information as it is being processed without the user being aware that a loss is occurring. To counter this vulnerability, the US Government has long required that electronic equipment used for classified processing be shielded or designed to reduce or eliminate transient emanations. An alternative is to shield the area in which the information is processed so as to contain electromagnetic emanations or to specify control of certain distances or zones beyond which the emanations cannot be detected. The first solution is extremely expensive, with TEMPEST computers normally costing double the usual price. Protecting and shielding the area can also be expensive. While some agencies have applied TEMPEST standards rigorously, others have sought waivers or have used various levels of interpretation in applying the standard. In some cases, a redundant combination of two or three types of multilayered protection was installed with no thought given either to cost or actual threat.
A general manager of a major aerospace company reports that, during building renovations, two SAPs required not only complete separation between their program areas but also TEMPEST protection. This pushed renovation costs from $1.5 million to $3 million just to ensure two US programs could not detect each other's TEMPEST emanations.
In 1991, a CIA Inspector General report called for an Intelligence Community review of domestic TEMPEST requirements based on threat. The outcome suggested that hundreds of millions of dollars have been spent on protecting a vulnerability that had a very low probability of exploitation. This report galvanized the Intelligence Community to review and reduce domestic TEMPEST requirements.
Currently, many agencies are waiving TEMPEST countermeasures within the United States. The rationale is that a foreign government would not be likely to risk a TEMPEST collection operation in an environment not under their control. Moreover, such attacks require a high level of expertise, proximity to the target, and considerable collection time. Some agencies are using alternative technical countermeasures that are considerably less costly. Others continue to use TEMPEST domestically, believing that TEMPEST procedures discourage collection attempts. They also contend that technical advances will raise future vulnerabilities. The Commission recognizes the need for an active overseas TEMPEST program but believes the domestic threat is minimal.
Contractors and government security officials interviewed by the Commission commend the easing of TEMPEST standards within the last two years. However, even with the release of a new national TEMPEST policy, implementation procedures may continue to vary. The new policy requires each Certified TEMPEST Technical Authority (CTTA), keep a record of TEMPEST applications but sets no standard against which a facility can be measured. The Commission is concerned that this will lead to inconsistent applications and continued expense.
Given the absence of a domestic threat, any use of TEMPEST countermeasures within the US should require strong justification. Whenever TEMPEST is applied, it should be reported to the security executive committee who would be charged with producing an annual national report to highlight inconsistencies in implementation and identify actual TEMPEST costs.
Domestic implementation of strict TEMPEST countermeasures is a prime example of a security excess because costly countermeasures were implemented independent of documented threat or of a site's total security system. While it is prudent to continue spot checks and consider TEMPEST in the risk management review of any facility storing specially protected information, its implementation within the United States should not normally be required.
The Commission recommends that domestic TEMPEST countermeasures not be
employed except in response to specific threat data and then only in cases
authorized by the most senior department or agency head.
It's also interesting to note that the National Reconnaissance Office (NRO) eliminated the need for domestic TEMPEST requirements in 1992.
The main difficulty in tracking instances of emanation monitoring is that, because it's passive and conducted at a distance from the target, it's hard to discover unless you catch the perpetrator red-handed (a bad Cold War pun). Even if a spy was caught, more than likely the event would not be publicized, especially if it was corporate espionage. Both government and private industry have a long history of concealing security breaches from the public.
As with any risk, you really need to weigh the costs and benefits. Is it cheaper and more efficient to have a spy pass himself off as a janitor to obtain information, or to launch a fairly technical and sophisticated monitoring attack to get the same data? While some "hard" targets may justify a technical approach, traditional human intelligence (HUMINT) gathering techniques are, without a doubt, used much more often than emanation monitoring.
Because of the general lack of knowledge regarding TEMPEST topics, there is a fair amount of urban folklore associated with it. Here are some common myths. And if you can provide a primary source to prove me wrong, let me know (no friends of friends please).
The article says that authorities had long known about compromising radiation, but the information had leaked to business only recently. It was usually neglected by commercial computing centers and completely unknown to users. Experts estimate that screen contents can be received over a distance of 1 km, and of 300 m using amateur equipment. SCS GmbH gave recommendations on low-radiation screens determined in experiments. Room protection with Faraday cages is explained. Radiation-free computers, typically implemented by a Faraday cage inside the box, existed but were not available to the market. Beginning March 1 that year, authorities processing sensitive data were required by order of the ministry of interior to use only Tempest-protected devices approved by the ZfCH (= central office for encipherment, the predecessor of the BSI). The producers of those devices are obliged to secrecy and may deliver to authorities only. Ericsson was the market leader for security screens with a special version of the S41 terminal with an annual turnover of 10,000,000 DM. They would have liked to sell more of them, but were not allowed to deliver them to private companies.
7/9/99
iDEFENSE
By Bill Pietrucha
Vietnam was the intended final shipping point for restricted U.S. communications intercept
equipment, iPARTNERSHIP has learned. Shalom Shaphyr, arrested earlier this week for
allegedly possessing and selling Tempest computer intercept equipment, planned to first falsify the
nature of the equipment in export papers, ship it to a U.S. NATO ally, then to Israel, and finally to
Vietnam.
The Tempest computer intercept equipment, also known as a video intercept receiver, is
considered a defense article under the International Traffic in Arms Regulations (ITAR), and
cannot be shipped to Vietnam without an export license.
In the U.S. District Court in the Eastern District Virginia late yesterday, Shaphyr, an Israeli citizen
living in the U.S. under a business visa, requested his detention hearing be postponed until July 20,
to give his lawyers "time to review the charges against me."
Shaphyr will continue to be held in the City of Alexandria, Va. detention center until the July 20
detention hearing date.
In papers filed with the court, FBI Special Agent Christian Zajac testified Shaphyr was "looking
for a Tempest monitoring system" capable of remotely capturing computer emanations. The
reason for the equipment, Shaphyr had said, was to view what was on a computer monitor from a
distance of "a few tens of feet maybe to a few hundred feet" away.
Zajac, an FBI Special Agent for the past two years, told the court Shaphyr indicated the
equipment would be used by the Vietnamese government "in a joint venture." Along with the
equipment, Zajac told the court, Shaphyr also asked for a syllabus outlining the training that would
be provided on the Tempest equipment, indicating the trainees would be Vietnamese.
Shaphyr, iPARTNERSHIP learned, operates a business with offices in Vietnam and England, and
is an FAA certified pilot, flight engineer and navigator listing his address in Ho Chi Minh City, Viet
Nam.
Zajac said the joint FBI-U.S. Customs Service investigation, which began in November 1998, led
to Shaphyr's arrest this past Wednesday after Shaphyr paid an FBI undercover agent $2,000 in
U.S. currency to export the Tempest equipment to Israel without a license. The total price
Shaphyr allegedly agreed to pay for the Tempest equipment was $30,000, Zajac testified.
Zajac said the investigation did not end with Shaphyr's arrest, and is continuing.
In the article, Drs. B.J. Koops, a researcher at the Katholieke Universiteit Brabant and the Technische Universiteit Tilburg (Catholic University Brabant and Technical University Tilburg, both in the Netherlands), gives a short introduction to what TEMPEST is and what it can be used for.
He notes that there are three ways of tapping info: wires (electrical), direct radiation and radiation emitted by screen-to-PC cable.
He continues by discussing whether or not it is legal for individuals and the police to use TEMPEST monitoring.
It turns out that it is illegal for individuals (due to some amendments to wiretapping laws), and it is illegal for police (since they need explicit permission to do so, and neither TEMPEST nor radiation monitoring is mentioned in Dutch law).
He ends the article by proposing a discussion in the parliament on whether or not PC-tapping would be allowed in the Netherlands, since that is a political decision.
A quick search of IBM's patent server service revealed several interesting patents:
A note about patent 5297201. It references patent 2476337 that was issued July 1, 1949. Unfortunately, the details aren't available online, but the reference may be telling as to just how long emanation monitoring has been taking place.
Chapter 7, The World of Mr. van Eck, is devoted to TEMPEST-related topics. There's some good information, but it's painted pretty broadly, and really doesn't get into technical details (the second edition does present much more material on HERF guns and other topics, but nothing has been added to the van Eck chapter). Still, a good read, also some additional sources not mentioned on this page in the Footnotes section.
EMSEC
Those in the know no longer generically use the term TEMPEST to refer to emanations security. The current buzzword du jour is EMSEC, or Emissions Security. If you read between the lines, the change to the term EMSEC is interesting. A quote from an Air Force site(O):
"Emission Security (EMSEC) better known as TEMPEST has taken a drastic change over the past few years. These changes have necessitated a complete revision of rules and regulations, causing the need for new publications. While these new publications have been drafted and are in the coordination stages, we must continue to keep informed and up-to-date on EMSEC policy and procedures."
Hmmm. Just what drastic changes are we talking about? Idle speculation might include:
From the same site comes this quote:
"WHAT IS COMPROMISING EMISSIONS (sic)? Compromising emissions are unintentional intelligence-bearing signals which, if intercepted and analyzed, disclose the classified information transmitted, received, handled, or otherwise processed by any information processing equipment."
It's curious that the term "electromagnetic radiation" isn't used in the definition. So, there are other monitoring vulnerabilities besides TEMPEST. Which leads us to HIJACK and NONSTOP.
In my quest for open-source material regarding TEMPEST, I've started to run into two new codewords, HIJACK and NONSTOP. At first there was only some sketchy information:
Then, thanks to publicly available documents I found on the Net, we now know a little bit more. Although the documents had classified information excised, there were still enough tidbits to put together a speculative guess regarding what HIJACK and NONSTOP related to.
NONSTOP is a classified codeword that apparently relates to a form of compromising emanations, but involves the transmittal of the signals from radio frequency devices (handheld radio, cell phone, pager, alarm system, cordless phone, wireless network - AM/FM commercial broadcast receivers are excluded) in proximity to a device containing secure information. There are specific guidelines for either turning the RF device off, or keeping it a certain distance away from the secure device (PC, printer, etc.).
HIJACK is a classified codeword that apparently relates to a form of compromising emanations, but involves digital versus electromagnetic signals. An attack is similar in nature to a TEMPEST attack, where the adversary doesn't need to be close to the device that's being compromised. It does require access to communication lines (these can be wire or wireless). The adversary uses antennas, receivers, a display device, a recording device, and one additional piece of equipment (a special detection system that is supposedly very sensitive and very expensive; and there are not very many of them in existence - sorry, I don't have any other details). Also, the technician using this special equipment will supposedly require a great deal of training and experience.
Remember, the above is speculation. And whether the guesses are
accurate or not, at this point you'd need to have a security clearance to know
for sure.
John Williams (Consumertronics, P.O. Box 23097, Albuquerque, NM 87192) sells the Williams Van Eck System, an off the shelf emanation monitoring device. He also has a demonstration video and a book called "Beyond Van Eck Phreaking." The updated Consumertronics Web site has a variety of interesting products (the $3 paper catalog is a good read too). In past written correspondence with Mr. Williams, he has provided a considerable amount of technical details about his products.
Ian Murphy, CEO of IAM/Secure Data System, wrote a very interesting paper on TEMPEST, including a Radio Shack parts list for building a receiver.
I'm currently looking for first hand, real-world accounts of a monitoring device actually being used to gather intelligence (not in a demonstration). PGP-encrypted e-mail through anonymous remailers or nym servers preferred.
Legal News - November 15, 1999 - I just received an e-mail from a Terrance L. Kawles, Esq. who is representing Frank Jones of Codex and DataScan fame. Mr. Kawles takes exception to a note I recently added to this page that states some people question Mr. Jones' credibility. Mr. Kawles feels there is some type of smear campaign going on against his client by persons unknown, and is in the process of filing an action against various parties. In the note I suggested that interested readers check USENET archives and decide for themselves about Mr. Jones (over the years there has been a lively discussion on Mr. Jones, both pro and con). Mr. Kawles feels this note is defamatory, and offers me two options: "...either remove the Note, or remove your references and links to the Mr. Jones and Codex."
I'm going to indulge Mr. Kawles and remove all links and information regarding Mr. Jones and his TEMPEST products from this section. Not because I'm caving in to the demands of some lawyer (my legal counsel states I have not published any defamatory statements regarding Mr. Jones). But mostly because anyone that resorts to these kinds of tactics on the Net, really doesn't deserve to be mentioned in this site, which is devoted to public disclosure.
And Mr. Kawles, in regard to your statement, "As I understand, Mr. Jones was instrumental in providing information when you began your studies of TEMPEST, yet you reward him with this unnecessary editorial comment." Ha! I'd love to see you substantiate that by providing any logs of communications between Mr. Jones and myself.
Update - See an interesting Forbes online article that appeared August 10, 2000.
After you've read Grady's paper...
If you're handy with a soldering iron, Nelson Publishing produces something called the EMI/RFI Buyers' Guide. This is a comprehensive list of sources for shielding material, ferrites, and other radio frequency interference and electromagnetic interference type products. There's even listings for TEMPEST products and consultants. Unfortunately, most of the sources don't have links. But company names, addresses, and phone/FAX numbers are supplied.
A more general electronics manufacturer data base is electroBase. They have over 7,800 manufacturers of all types listed.
There's an interesting product called Datastop Security Glass, that's advertised as the only clear EMF/RFI protection glass on the market. It's free of metal mesh, so has excellent optical clarity. This is the same stuff the FAA uses in air traffic control towers. Contact TEMPEST SECURITY SYSTEMS INC. for more details.
Just remember, effective emanation security begins with the physical environment. Unless you can shield the wiring (telephone lines, electrical wiring, network cables, etc.), all of the copper around your PC and in the walls isn't going to stop emanations from leaking to the outside world. In shielding, also remember that emanations can pass from one set of wires to another.
last changed December 10, 2000
Copyright 1996, 1997, 1998, 1999, 2000 Joel McNamara