Across the darkened street, a windowless van is parked. Inside, an antenna is pointed out through a fiberglass panel. It's aimed at an office window on the third floor. As the CEO works on a word processing document, outlining his strategy for a hostile take-over of a competitor, he never knows what appears on his monitor is being captured, displayed, and recorded in the van below.
Breaking News - December 4, 1999 - John Young has found an excellent source for non-classified, military TEMPEST information. The Defense Automated Printing Service has a searchable Web database devoted to military specifications and standards (from nukes to nylons). John reports some of the handbooks and standards contain information the NSA removed from documents that were recently released to him under the FOIA. Here are some of the TEMPEST-related gems. Just enter a title and submit.
MIL-HDBK-232 - Red/Black Engineering-Installation Guidelines
MIL-HDBK-411A - Long Haul Communications (DCS), Power and Environmental
Control for Physical Plant, MIL-HDBK-419 - Grounding, Bonding, and Shielding
for Electronic Equipments and Facilities
MIL-HDBK-1195 - Radio Frequency Shielded Encosures
MIL-STD-188-124 - Grounding, Bonding, and Shielding for Common Long
Haul/Tactical Communications Systems
MIL-STD-285 - Attentuation Measurement for Enclosures, Electromagnetic
Shielding, for Electronic Test Purposes, Method of
MIL-STD-461E - (Replaces previous 461 and 462) Electromagnetic Interference
Characteristics
Warning: These are huge PDF files, so have lots of bandwidth available. Also, if you're interested in these documents, you might want to get them now. There's no telling if and when the DoD might decide to shut down this open source site.
Legal News - November 15, 1999 - I just received an e-mail from a Terrance L. Kawles, Esq. who is representing Frank Jones of Codex fame. Mr. Kawles takes exception to a note I recently added to this page that states some people question Mr. Jones' credibility. Mr. Kawles feels there is some type of smear campaign going on against his client by persons unknown, and is in the process of filing an action against various parties. In the note I suggested that interested readers check USENET archives and decide for themselves about Mr. Jones (over the years there has been a lively discussion on Mr. Jones, both pro and con). Mr. Kawles feels this note is defamatory, and offers me two options: "...either remove the Note, or remove your references and links to the Mr. Jones and Codex."
I'm going to indulge Mr. Kawles and remove all links and information regarding Mr. Jones and his TEMPEST products. Not because I'm caving in to the demands of some lawyer (my legal counsel states I have not published any defamatory statements regarding Mr. Jones). But mostly because anyone that resorts to these kinds of tactics on the Net, really doesn't deserve to be mentioned in this site, which is devoted to public disclosure.
And Mr. Kawles, in regard to your statement, "As I understand, Mr. Jones was instrumental in providing information when you began your studies of TEMPEST, yet you reward him with this unnecessary editorial comment." I'd love to see you substantiate that by providing any logs of communications between Mr. Jones and myself.
Older News - November 30, 1999 - John Young has acquired more NSA TEMPEST documents. His growing collection now includes NSA Endorsed TEMPEST Products Program, NSA Endorsed TEMPEST Test Services Procedures, and NSA Zoned Equipment Program.
November 13, 1999 - Issue 21 of the hacking magazine SET (think of a Spanish Phrack), has a lengthy text file on TEMPEST with some interesting schematics. Check out the Spanish version here, or cut and paste interesting bits into Babelfish for translation here (any readers more fluent in Spanish than I are encouraged to submit a decent translation).
November 8, 1999 - New Scientist has a short TEMPEST article, where Markus Kuhn predicts intercept devices for under £1000 within the next five years (and although not TEMPEST specific, an interview with Ross Anderson included). Slashdot also has a thread going regarding the article.
October 25, 1999 - John Young filed a Freedom of Information Act request for TEMPEST-related material on May 18, 1998. The US government denied access to 22 of the 24 requested documents on grounds of secrecy. Parts of the two released documents (NSTISSAM TEMPEST/1-92 - Compromising Emanations Laboratory Test Requirements, Electromagnetics - Appendix A , Table of Contents, Sections 1 - 5, and Sections 6 - 12, Appendix A, Appendices B-M, Distribution List and NSA/CSS Regulation 90-5, Technical Security Program) are now available for review. John has filed an appeal in an attempt to get additional material disclosed.
I haven't had a chance to carefully read all of the documents yet, but when I get a chance, will provide a brief analysis. One interesting tidbit is the use of the codeword TEAPOT - "A short name referring to the investigation, study, and control of intentional compromising emanations (i.e., those that are hostilely induced or provoked) from telecommunications and automated information systems equipment." Who says the NSA doesn't have a sense of humor. TEMPEST, TEAPOT, ha, ha...
Note: The release just got mentioned over at Wired News and Slashdot, so be sure to check for insightful (or amusing) comments there. This page has gotten a fair amount of publicity lately, and I've added a Tales of the TEMPEST section that has interesting bits of e-mail I've received.
If you're even vaguely familiar with intelligence, computer security, or privacy issues, you've no doubt heard about TEMPEST. Probably something similar to the above storyline. The general principle is that computer monitors and other devices give off electromagnetic radiation. With the right antenna and receiver, these emanations can be intercepted from a remote location, and then be redisplayed (in the case of a monitor screen) or recorded and replayed (such as with a printer or keyboard).
TEMPEST is a code word that relates to specific standards used to reduce electromagnetic emanations. In the civilian world, you'll often hear about TEMPEST devices (a receiver and antenna used to monitor emanations) or TEMPEST attacks (using an emanation monitor to eavesdrop on someone). While not quite to government naming specs, the concept is still the same.
TEMPEST has been shrouded in secrecy. A lot of the mystery really isn't warranted though. While significant technical details remain classified, there is a large body of open source information, that when put together forms a pretty good idea of what this dark secret is all about. That's the purpose of this page.
The following is a collection of resources for better understanding what TEMPEST is. And no, I seriously don't think national security is being jeopardized because of this information. I feel to a certain extent, the "security through obscurity" that surrounds TEMPEST may actually be increasing the vulnerability of U.S. business interests to economic espionage. Remember, all of this is publicly available. A fair amount has come from unclassified, government sites. Up to this point, no one has spent the time to do the research and put it all together in a single location.
I've just begin to scratch the surface. If you have any additions, corrections, or amplifications, let me know. This is a work in progress, so check back often (updates are listed at the bottom of the page).
References marked with an (X), are good primary sources. If you just read these, you'll end up with an excellent overview on TEMPEST-related topics.
References marked with an (O) are reported dead links. These pages may be temporarily or permanently unavailable. Dead links are left for reference sake (you may want to check the main domain name or do further searching with AltaVista, etc.). It's interesting to note the number of military sites that now report 404 - Not Found or Forbibben Request errors for certain documents.
Note: As you start viewing TEMPEST info, you likely will run into vague or confusing acronyms. A great Net resource is the Acronym Finder site.
Joel McNamara - joelm@eskimo.com
Original page - December 17, 1996 - updated December 4, 1999
What is TEMPEST?
TEMPEST History
Just how prevalent
is emanation monitoring?
TEMPEST Urban Folklore
General TEMPEST Information
EMSEC
HIJACK and NONSTOP
Online Sources
Patents
Paper Sources
Monitoring Devices
Do It Yourself Shielding Sources
TEMPEST Hardware & Consulting
US Government Information Sources
Department of Energy
Department of Justice
Geological Survey
Department of State
Treasury Department
National Security Agency
National Institute of Standards and Technology
US Military Information Sources
U.S. Navy
U.S. Air Force
U.S. Army
U.S. Coast Guard
Department of Defense
Other Countries
Used TEMPEST
Tales of the TEMPEST
Non-TEMPEST computer surveillance
During the 1950's, the government became concerned that emanations could be captured and then reconstructed. Obviously, the emanations from a blender aren't important, but emanations from an electric encryption device would be. If the emanations were recorded, interpreted, and then played back on a similar device, it would be extremely easy to reveal the content of an encrypted message. Research showed it was possible to capture emanations from a distance, and as a response, the TEMPEST program was started.
The purpose of the program was to introduce standards that would reduce the chances of "leakage" from devices used to process, transmit, or store sensitive information. TEMPEST computers and peripherals (printers, scanners, tape drives, mice, etc.) are used by government agencies and contractors to protect data from emanations monitoring. This is typically done by shielding the device (or sometimes a room or entire building) with copper or other conductive materials. (There are also active measures for "jamming" electromagnetic signals. Refer to some of the patents listed below.)
Bruce Gabrielson, who has been in the TEMPEST biz for ages, has a nice unclassified general description of TEMPEST that was presented at an Air Force security seminar in 1987.
In the United States, TEMPEST consulting, testing, and manufacturing is a big business, estimated at over one billion dollars a year. (Economics has caught up TEMPEST though. Purchasing TEMPEST standard hardware is not cheap, and because of this, a lesser standard called ZONE (O) has been implemented. This does not offer the level of protection of TEMPEST hardware, but it quite a bit cheaper, and is used in less sensitive applications.)
Emanation standards aren't just confined to the United States. NATO has a similar standard called the AMSG 720B Compromising Emanations Laboratory Test Standard. In Germany, the TEMPEST program is administered by the National Telecom Board. In the UK, Government Communications Headquarters (GCHQ), the equivalent of the NSA, has their own program.
In 1970 the standard was significantly revised and published as National Communications Security Information Memorandum 5100 (Directive on TEMPEST Security), also known as NACSIM 5100. This was again revised in 1974.
Current national TEMPEST policy is set in National Communications Security Committee Directive 4, dated January 16, 1981. It instructs federal agencies to protect classified information against compromising emanations. This document is known as NACSIM 5100A and is classified.
The National Communications Security Instruction (NACSI) 5004 (classified Secret), published in January 1984, provides procedures for departments and agencies to use in determining the safeguards needed for equipment and facilities which process national security information in the United States. National Security Decision Directive 145, dated September 17, 1984, designates the National Security Agency (NSA) as the focal point and national manager for the security of government telecommunications and Automated Information Systems (AISs). NSA is authorized to review and approve all standards, techniques, systems and equipment for AIS security, including TEMPEST. In this role, NSA makes recommendations to the National Telecommunications and Information Systems Security Committee for changes in TEMPEST polices and guidance.
This scope of the threat is backed up with a quote from a Navy manual that discusses "compromising emanations" or CE. "Foreign governments continually engage in attacks against U.S. secure communications and information processing facilities for the sole purpose of exploiting CE." I'm sure those with appropriate security clearances have access to all sorts of interesting cases of covert monitoring.
A general manager of a major aerospace company reports that, during building renovations, two SAPs required not only complete separation between their program areas but also TEMPEST protection. This pushed renovation costs from $1.5 million to $3 million just to ensure two US programs could not detect each other's TEMPEST emanations.
In 1991, a CIA Inspector General report called for an Intelligence Community review of domestic TEMPEST requirements based on threat. The outcome suggested that hundreds of millions of dollars have been spent on protecting a vulnerability that had a very low probability of exploitation. This report galvanized the Intelligence Community to review and reduce domestic TEMPEST requirements.
Currently, many agencies are waiving TEMPEST countermeasures within the United States. The rationale is that a foreign government would not be likely to risk a TEMPEST collection operation in an environment not under their control. Moreover, such attacks require a high level of expertise, proximity to the target, and considerable collection time. Some agencies are using alternative technical countermeasures that are considerably less costly. Others continue to use TEMPEST domestically, believing that TEMPEST procedures discourage collection attempts. They also contend that technical advances will raise future vulnerabilities. The Commission recognizes the need for an active overseas TEMPEST program but believes the domestic threat is minimal.
Contractors and government security officials interviewed by the Commission commend the easing of TEMPEST standards within the last two years. However, even with the release of a new national TEMPEST policy, implementation procedures may continue to vary. The new policy requires each Certified TEMPEST Technical Authority (CTTA), keep a record of TEMPEST applications but sets no standard against which a facility can be measured. The Commission is concerned that this will lead to inconsistent applications and continued expense.
Given the absence of a domestic threat, any use of TEMPEST countermeasures within the US should require strong justification. Whenever TEMPEST is applied, it should be reported to the security executive committee who would be charged with producing an annual national report to highlight inconsistencies in implementation and identify actual TEMPEST costs.
Domestic implementation of strict TEMPEST countermeasures is a prime example of a security excess because costly countermeasures were implemented independent of documented threat or of a site's total security system. While it is prudent to continue spot checks and consider TEMPEST in the risk management review of any facility storing specially protected information, its implementation within the United States should not normally be required.
The Commission recommends that domestic TEMPEST countermeasures not
be employed except in response to specific threat data and then only in
cases authorized by the most senior department or agency head.
As with any risk, you really need to weigh the costs and benefits. Is it cheaper and more efficient to have a spy pass himself off as a janitor to obtain information, or to launch a fairly technical and sophisticated monitoring attack to get the same data? While some "hard" targets may justify a technical approach, traditional human intelligence (HUMINT) gathering techniques are without a doubt, used much more often than emanation monitoring.
Vietnam was the intended final shipping point for restricted U.S.
communications intercept
equipment, iPARTNERSHIP has learned. Shalom Shaphyr, arrested earlier
this week for
allegedly possessing and selling Tempest computer intercept equipment,
planned to first falsify the
nature of the equipment in export papers, ship it to a U.S. NATO
ally, then to Israel, and finally to
Vietnam.
The Tempest computer intercept equipment, also known as a video intercept
receiver, is
considered a defense article under the International Traffic in
Arms Regulations (ITAR), and
cannot be shipped to Vietnam without an export license.
In the U.S. District Court in the Eastern District Virginia late
yesterday, Shaphyr, an Israeli citizen
living in the U.S. under a business visa, requested his detention
hearing be postponed until July 20,
to give his lawyers "time to review the charges against me."
Shaphyr will continue to be held in the City of Alexandria, Va. detention
center until the July 20
detention hearing date.
In papers filed with the court, FBI Special Agent Christian Zajac
testified Shaphyr was "looking
for a Tempest monitoring system" capable of remotely capturing computer
emanations. The
reason for the equipment, Shaphyr had said, was to view what was
on a computer monitor from a
distance of "a few tens of feet maybe to a few hundred feet" away.
Zajac, an FBI Special Agent for the past two years, told the court
Shaphyr indicated the
equipment would be used by the Vietnamese government "in a joint
venture." Along with the
equipment, Zajac told the court, Shaphyr also asked for a syllabus
outlining the training that would
be provided on the Tempest equipment, indicating the trainees would
be Vietnamese.
Shaphyr, iPARTNERSHIP learned, operates a business with offices in
Vietnam and England, and
is an FAA certified pilot, flight engineer and navigator listing
his address in Ho Chi Minh City, Viet
Nam.
Zajac said the joint FBI-U.S. Customs Service investigation, which
began in November 1998, led
to Shaphyr's arrest this past Wednesday after Shaphyr paid an FBI
undercover agent $2,000 in
U.S. currency to export the Tempest equipment to Israel without
a license. The total price
Shaphyr allegedly agreed to pay for the Tempest equipment was $30,000,
Zajac testified.
Zajac said the investigation did not end with Shaphyr's arrest, and
is continuing.
He notes that there are three ways of tapping info: wires (electrical), direct radiation and radiation emitted by screen-to-PC cable.
He continues talking about wether or not it is legal for individuals
and the police to use TEMPEST monitoring.
It turns out that it is illegal for individuals (due to some amendments
to wiretapping laws), and it is illegal for police (since they need explicit
permission to do so, and TEMPEST nor radiation monitoring is mentioned
in Dutch law).
He ends the article proposing a discussion in the parliament on wether
or not PC-tapping would be allowed in the Netherlands, since that is a
political decision.
"Emission Security (EMSEC) better known as TEMPEST has taken a drastic change over the past few years. These changes have necessitated a complete revision of rules and regulations, causing the need for new publications. While these new publications have been drafted and are in the coordination stages, we must continue to keep informed and up-to-date on EMSEC policy and procedures."Hmmm. Just what drastic changes are we talking about? Idle speculation might include:
"WHAT IS COMPROMISING EMISSIONS (sic)? Compromising emissions are unintentional intelligence-bearing signals which, if intercepted and analyzed, disclose the classified information transmitted, received, handled, or otherwise processed by any information processing equipment."It's curious that the term "electromagnetic radiation" isn't used in the definition. So, there are other monitoring vulnerabilities besides TEMPEST. Which leads us to HIJACK and NONSTOP.
NONSTOP is a classified codeword that apparently relates to a form of compromising emanations, but involves the transmital of the signals from radio frequency devices (handheld radio, cell phone, pager, alarm system, cordless phone, wireless network - AM/FM commercial broadcast receivers are excluded) in proximity to a device containing secure information. There are specific guidelines for either turning the RF device off, or keeping it a certain distance away from the secure device (PC, printer, etc.).
HIJACK is a classified codeword that apparently relates to a form of compromising emanations, but involves digital versus electromagnetic signals. An attack is similar in nature to a TEMPEST attack, where the adversary doesn't need to be close to the device that's being compromised. It does require access to communication lines (these can be wire or wireless). The adversary uses antennas, receivers, a display device, a recording device, and one additional piece of equipment (a special detection system that is supposedly very sensitive and very expensive; and there are not very many of them in existence - sorry, I don't have any other details). Also, the technician using this special equipment will supposedly require a great deal of training and experience.
Remember, the above is speculation. And whether the guesses are
accurate or not, at this point you'd need to have a security clearance
to know for sure.
Ian Murphy, CEO of IAM/Secure Data System wrote a very interesting paper on TEMPEST, including a Radio Shack parts list for building a receiver.
I'm currently looking for first hand, real-world accounts of a monitoring device actually being used to gather intelligence (not in a demonstration). PGP-encrypted e-mail through anonymous remailers or nym servers perferred.
If you're handy with a soldering iron, Nelson Publishing produces something called the EMI/RFI Buyers' Guide. This is a comprehensive list of sources for shielding material, ferrites, and other radio frequency interference and electromagnetic interference type products. There's even listings for TEMPEST products and consultants. Unfortunately, most of the sources don't have links. But company names, addresses, and phone/FAX numbers are supplied.
A more general electronics manufacturer data base is electroBase. They have over 7,800 manufacturers of all types listed.
There's an interesting product called Datastop Security Glass, that's advertised as the only clear EMF/RFI protection glass on the market. It's free of metal mesh, so has excellent optical clarity. This is the same stuff the FAA uses in air traffic control towers. Contact TEMPEST SECURITY SYSTEMS INC. for more details.
Just remember, effective emanation security begins with the physical environment. Unless you can shield the wiring (telephone lines, electrical wiring, network cables, etc.), all of the copper around your PC and in the walls isn't going to stop emanations from leaking to the outside world. In shielding, also remember that emanations can pass from one set of wires to another.
ADI Limited(O) is a big Australian defense contractor that does some TEMPEST testing.
AFC (Antennas for Communications) manufacturers TEMPEST sheilding enclosures for antennas.
Advanced Technology System Corporation sells TEMPEST equipment and provides consulting services.
Aerovox manufactures a variety of EMI filters. Nice downloadable catalog (Windows help format) with photos.
Allied Signal Aerospace performs Canadian TEMPEST testing.
Austest Laboratories is a down-under company that provides TEMPEST testing.
DEMCOM provides Soft-TEMPEST fonts in their Steganos II security suite.
Cabrac makes TEMPEST enclosures (nice picture).
Candes Systems Incorporated (X) produces TEMPEST products, including monitors, printers, and laptops. Nice photos and specs.
COS provides TEMPEST design and consulting services.
BEMA Inc. produces shielding products including a slick portable TEMPEST tent.
Braden produces shielded room components.
Computer Security Solutions is a women owned business in Virginia specializing in TEMPEST products.
Compucat (O) is an Australian company that provides a variety of TEMPEST products and services.
Compunetix(O) produces various TEMPEST rated product.
Conductive Coatings, a division of the Chromium Corporation, produces a variety of shielding solutions.
Corcom makes a variety of shielded jacks (RJ type) in its Signal Sentry line.
Corton Inc. manufactures TEMPEST keyboards.
Cryptek(O) sells TEMPEST photocopiers and communication products.
Cycomm sells TEMPEST workstations, terminals, printers, and more to folks like the State Department. Recently merged with Hetra.
D2D/Celestica(O) is a British TEMPEST testing, design, and manufacturing firm.
Dina distibutes Emcon TEMPEST products.
Dynamic Sciences (O) is another TEMPEST-oriented company. Among other things, they produce a piece of hardware called the DSI-110, for surveillance and testing purposes.
Einhorn Yaffee Prescott is an architecture and engineering firm that has built TEMPEST buildings for defense contractors.
Elfinco SA(O) is a British company that produces sheilding products. Most notable is electromagnetic shielded concrete.
Equiptco Electronics (O) sells a variety of general electronic equipment and supplies, some TEMPEST standard (but you need to dig through their catalog to find it).
EMC Technologies is an Australian company that provides TEMPEST testing.
Emcon Emanation Control Limited, in Onatrio, Canada, has been providing TEMPEST equipment to NATO governments for the past 12 years.
EMP-tronic is a Swedish company specializing in shielded rooms.
ERS is a recruiting service that finds jobs for TEMPEST engineers (and others).
Filter Networks produces inline TEMPEST line filters.
Framatome Connectors International manufactures TEMPEST cables and connectors in the UK, especially suited for marine use.
GEC-Marconi Hazeltine(O) produces COMSEC products as well as TEMPEST design and test facilities.
Glenair is a multi-national company that produces some shielding products.
Greco Systems manufactures factory tools and ruggedized TEMPEST computers.
GSCG. Formerly GRiD Government Systems. Tempest laptops, desktops, and printers.
GTE, the phone people, make a TEMPEST version of their Easy Fax (O) product, complete with a STU-III (encrypted phone) gateway.
HAL Communications Corp. provides TEMPEST shielded modems and radio equipment to the government.
Hetra Secure Solutions (X) sells lots of TEMPEST goodies.
Hewitt Refractories Limited produces Manta, a ceramic material that can be used for shielding.
Hyfral is a French company that specializes in room shielding.
IAM Secure Data Systems (O) offers Tempest consulting services.
ILEX Systems sells TEMPEST fax machines and other goodies.
JMK makes a variety of filters (including those of the TEMPEST variety).
Kern Engineering makes TEMPEST backshells for connectors.
Kontron Elektronic is a German company that offers a slick little shielded portable.(O)
LCR Electronics makes Tempest filters.
Lindgren-Rayproof is a British company specializing in shielding.
Logical Solutions builds and sells Tempest cables.
Lynwood is a UK supplier of TEMPEST and ruggedized PCs.
Motorola SSTG EMC/TEMPEST Laboratory(O) - Arizona testing facility.
NAI Technologies (X)(O) produces a variety of TEMPEST standard workstations and peripherals.
Nisshinbo is a Japanese company that provides quite a bit of detail on its TEMPEST shielding products. The DENGY-RITE 20 wideband grid ferrite absorber panels is especially interesting.
P & E Security Analysis - TEMPEST and security consulting. Some good links to government pubs.
Panashield manufactures a variety of shielding enclosures.
Profilon makes a TEMPEST laminate that can be installed over glass.
Pulse Engineering manufactures sheilded COMSEC and INFOSEC hardware.
Racal Communications does TEMPEST evaluations.
Radiation Sciences Inc. is a TEMPEST consulting and training firm in Pennsylvania.
Raytheon Systems Company provides TEMPEST testing services (not much detail).
SCI Consulting has done TEMPEST work for clients like the Department of Energy.
Schaffner EMC supplies EMC filtering and testing devices.
Secure Systems Group (SSG) has been around since 1986, providing a variety of TEMPEST computer products.
Security Engineering Services Inc. is a consulting firm that offers TEMPEST courses and other services. The courses are only offered to students who have a security clearance. The interesting thing is the course books appear to be orderable by any U.S. citizen. TEMPEST Hardware Engineering and Design and TEMPEST Program Management and Systems Engineering, with over 800 pages of total material are available for $200.
Seimens makes TEMPEST versions of HP LaserJets and other product.
Shadow Chaser Investigations is a private investigation firm that supposedly does TEMPEST work.
Solar Electronics sells a variety of EMI filters, including TEMPEST specific.
Southwest Research Institute(O) (SwRI) performs TEMPEST and other testing.
SystemWare Incorporated is another consulting company that offers TEMPEST consulting. Not much information at this site.
TRW Specialized Services offers TEMPEST testing, both in the lab and field. This site has a nice Acrobat brochure that describes their services.
TSCM Consultant supposedly offers TEMPEST security consulting (page was under construction).
Tecknit is one of the leaders in shielding products. They specialize in architectural shielding (copper coated doors, panels, etc.) and smaller gaskets and screens for electronic devices. A very informative site, with downloadable Acrobat catalogs.
Tempest Inc. has been around for 13 years and produces TEMPEST standard hardware for the government and approved NATO countries. Their catalog isn't online, but as an example they offer an interesting Secure Voice Switching Unit that's used in USG executive aircraft. Not much technical information here.
Turtle Mountain Communications makes a TEMPEST fax device and other communications equipment.
TUV is a British firm that does TEMPEST testing.
Tempest Security Systems - Vendor of Pilkington architectural glass that reduces emmanations.
Wang Federal Systems (O) also sells TEMPEST rated hardware as well as performs testing. This site contains their product and services catalog. Some good information.
Windermere Group performs government TEMPEST testing.
Veda Inc. (O) is a defense contractor who landed a 5.6 million dollar Navy contract for TEMPEST and COMSEC services.
XL Computing is a Florida company with a large catalog of TEMPEST hardware.
ZipperTubing manufactures EMI cable sheilding.
There's an interesting EMC-related site that has lots of job listings, many having to deal with TEMPEST. This is a good intelligence source.
A truth in advertising note: Just because a piece of hardware is advertised as "designed to meet NACSIM 5100A" or "designed to meet TEMPEST standards" doesn't mean the device has gone through the rigorous TEMPEST certification process. "Real" TEMPEST hardware will clearly state it has been certified or endorsed.
While not TEMPEST-specific, the DOE's Computer Incident Advisory Capability (CIAC) has an interesting document called CIAC-2304 Vulnerabilities of Facsimilie Machines and Digital Copiers (PDF format). In it, TEMPEST threats to FAX machines and copiers are briefly discussed. There are several papers referenced, including:
The DOE apparently uses a company called DynCorp(O) to perform internal TEMPEST assessments.
Ricoh supplies TEMPEST shielded FAX machines to the FBI, DEA, and U.S. Marshals Service.
Even the map making folks get involved with TEMPEST. Check out the National Security Information Automated Information Systems section of their manual.
NIST has a list of accredited laboratories(O) that perform MIL-STD-462 (electromagnetic interference) testing. Some of these also do TEMPEST testing.
While a bit dated (1986), A GUIDELINE ON OFFICE AUTOMATION SECURITY has a few references to TEMPEST, as well as other computer security nuggets.
Brief mention of the Industrial TEMPEST program as well as contacts (may be dated).
Along with cryptography, the export of TEMPEST standard hardware or devices for suppressing emanations is restricted by the International Traffic in Arms Regulations (ITAR). However, there is an exception in that: "This definition is not intended to include equipment designed to meet Federal Communications Commission (FCC) commercial electro-magnetic interference standards or equipment designed for health and safety."
Jargon alert. You'll sometimes see references to RED/BLACK systems. A red system is any device that stores or transfers classified data. Black systems store/transfer unclassified data. Gee, with all of the black projects and helicopters around these days, I would have thought it would be the other way around.
Chapter 16 of the Navy's AUTOMATED INFORMATION SYSTEMS SECURITY GUIDELINES manual is devoted to emanations security (X). Probably the most interesting section in this chapter deals with conducting a TEMPEST Vulnerability Assessment Request (TVAR). Completing the TVAR questionnaire provides some common sense clues as to how electronic security could be compromised. (The Navy seems to have pulled this. Try this alternate link.(O))
Chapter 21 of the same manual deals with microcomputer security. Section 21.8 Emanations Security, reads: "TEMPEST accreditation must be granted for all microcomputers which will process classified data, prior to actually processing the data. Your security staff should be aware of this and submit the TEMPEST Vulnerability Assessment Request (TVAR) to COMNISCOM. Microcomputers may be able to comply with TEMPEST requirements as a result of a TEMPEST telephone consultation, as permitted by COMNISCOM. Contact the Naval Electronic Security Engineering Center (NESSEC) for further information to arrange a TEMPEST telephone consultation. Use of a secure phone may be required and your request will be followed with written guidance." This leads one to believe that certain PC systems may not be as susceptible as others to emanations monitoring.
C5293-05 TEMPEST Control Officer Guidebook - "Provides guidance to the individual assigned responsibility for TEMPEST implementation at a major activity." Unfortunately, not online, and likely classified.
NISE East Information Warfare-Protect Systems Engineering Division(Information Warfare-Protect Systems Engineering Division - Code 72) puts on a couple of TEMPEST related training courses, (O) including "Tempest Criteria for System/Facility Installation" and "Tempest Fundamentals." These are targeted toward Department of Defense personnel and civilian contractors who must comply with TEMPEST standards as part of their business.
"The Reduction of Radio Noise Eminating from Personal Computers" (O) is a thesis topic at the Department of Electrical Engineering, Naval Postgraduate School.
Electromagnetic Environmental Effects. While not security-related, some good background information.
Check out Grumman Aerospace's spiffy TEMPEST building, where they do development work for the Navy on the EA-6B aircraft.
The Navy's INFOSEC site has lots of interesting information. There's even a TEMPEST related services link. Information Warfare (IW) Protect Systems Engineering Division (Code 72) appears to be the key TEMPEST players.
Even though the DoD started shutting down Web sites back in September for security reasons, there is still a tremendous amount of material being made to the general public. Examples that came from Offut Air Force Base these:
The Air Force's Rome Laboratory has produced a variety of interesting defense related systems. Some developments likely related to TEMPEST include:
Other Air Force documents:
The 497th Intelligence Group (497 IG), out of Bolling Air Force Base, Washington DC, manages TEMPEST related issues for the Air Force.
The Army Corps of Engineers, Construction Engineering Research Laboratories, has also been experimenting with low cost TEMPEST shielding technologies. Low Cost EMP EMI Tempest Shielding Technology (O) fact sheet link doesn't work anymore, but you can get a summary here(O).
The Army's White Sands Missle Range has a Test Support Division(O) that does TEMPEST testing as well as other things. An interesting photo of the inside and outside of a test truck is shown.
The Army's Blacktail Canyon (X) EMI/TEMPEST facility at Ft. Huachuca (spook-related location in Arizona), recently put up a Web page, with lots of interesting info. Also check the main Electronic Proving Ground site (why it is a .com instead of .mil or .gov site I have no idea).
The Army's Protective Design Center in Omaha specializes in structure designs to resist blasts as well as TEMPEST attacks.
From a post to the Cypherpunks list in April of 1994, by Steve Blasingame:
Other Defense Department documents:
Australia
A brief defense document on emmanation security.
One informant used to work at a Defense Reutilization and Marketing Office (DRMOs are the DoD's version of a garage sale). In the past, TEMPEST equipment was demil-ed (crushed), now due to miscoding and classification downgrades, TEMPEST equipment is literally a dime a dozen. Computer surplus goodies go for about 12 cents a pound.
Through a contractural association with a major defense company, Fluid Forming Technologies has been assigned to dispose of a TEMPEST level "secured working environment." Modular construction, 160' x 20' x 10', can probably be segmented into smaller units. Available as of January 1, 1998. E-mail fftllc@eci.com for additional details or snail mail:
Fluid Forming Technologies LLC,
9 Brush Hill Rd, Suite 318
New Fairfield, CT 06812
JC describes two shielded IBM PC cases he picked up from a scrap dealer for $35 each (unfortunately they had already sold the printers and monitors). The cases were labeled EMR XT SYSTEM UNIT (on the front), with a model number of 4455 1 (on the back). The cases are similar to a standard IBM XT case, except depper toward the back, so a filter bank and power supply baffle could be installed. The top is bolted down, requiring an allen wrench to remove. The top part of the case has a gasket groove for the brass colored RF gasket, and the mating surface is a finished in anodized aluminum. The top appears to be a cast aluminum plate. Each of the ports in the rear has a filter, unused ports have a metal blocking cover that mates to the case and make a good eletrical contact.
W.J. Ford Surplus Enterprises(O) had the following printer for sale in December 1996:
LASER PRINTER Make:MITEK Model:100T 300 X 300 DPI LASER PRINTER WITH LETTER SIZE PAPER TRAY, 8 PPM, MEETS NACSIM TEMPEST SPECS, C.W. OWNER'S MANUAL (TONER CARTRIDGE NOT INCL.) Dimensions: 19.00"w x 16.00"h x 16.50"d 1.00 on hand, No Graphic on file, Item No.:1208 RAMP Price: $ 250.00
As of February 8, 1997, Dark Tanget (of DEFCON fame) has a whole collection of TEMPEST shielded equipment for sale. Check out his page (X) for complete info and photos. Lots of great details and specs. Also a related Slashdot thread.
As of June 15, 1998, Hugh Sebra had fifty TEMPEST-shielded Fibercom 7197 DPT Dual Path Fiberoptic Transceivers for sale.
While not for sale, H. Layer has a photo of a circa 1986 Tempest Macintosh as his cool Mind Museum page.
Note: I personally don't own or have access to any surplus TEMPEST equipment. However, if you've encountered such hardware, let me know about it.
C writes:
Interesting page of TEMPEST-related stuff. One additional information source you may want to include for those attempting to proof themselves against an EME-type attack might be the ARRL (Amateur Radio Relay League) Handbook for the Radio Amateur. It has a very complete chapter on preventing radio interference caused by ham radio gear, much of whichF writes:
could be adapted for use with a computer. The book is updated yearly, so the information is usually top-notch. Most libraries have it.BTW, for those on the other side of the question (or who wish to be) there's probably enough info in the book to help them put together a TEMPEST monitoring outfit if they're handy with a soldering iron.
I have an early SVGA 15" Gateway CrystalScan monitor (the ones that are purported to be part of a class-action lawsuit), which, when attached to a Mac, will display *exact* and *readable* text on TVs within a reasonable distance--a measured 60-plus feet for sure, through walls and floors, and quite possibly more, I didn't have the inclination to drag a TV out into the lot on an extension cord to find out how far I could go.M writes:Though it is only readable during the 'dark' between commercials on certain channels, it was a pretty frightening revelation, as I accept and produce some pretty sensitive materials. The scarier part for me was that I had used it for weeks before I finally turned on a TV at the same time that the monitor was not in screen-saver mode (a password-protected mode I generally drop into anytime I leave the desk, alone in the building or not). Anyone in my building, including unassociated neighbors, or anyone within whatever the ultimate range might have been could have seen a bunch of stuff that could have caused serious damage to my firm. If anyone did see anything, they haven't bit me with it--yet.
In addition to displaying readable text, you can also discern images to a limited degree, and I imagine with some simple tweaks of the color guns, some enterprising cracker could get some pretty good imaging.
The monitor has some other more obvious side effects, such as emitting such EMF levels as to *seriously* distort any monitor within about a foot of its left side, and about two feet of its right side. It also gave me frequent eye strain if I used it too long (even though the picture was incredibly sharp for its class).
Since I'm a MacHead and use multiple monitors (three to seven screens, depending on where I am), this situation was unacceptable all by itself, but I was using the monitor ($15 at a local thrift store) as a temporary display while my prime screen was off in warranty land (I never did get that one back).
It will also emit such a frequency as to produce varied-intensity scrolling vertical and horizontal lines on a TV with either rabbit ears or hooked up via 75 Ohm cable to an attic antennae, depending on what channel you are tuned to. I can't recall the exact per-channel results, but (if memory serves) it was minor (but annoying) lines and rolls on the lower VHF, and major interference and ghosting with the readable text on the UHF.
The funny thing is, other people in the building couldn't watch TV without all the serious distortion any time the monitor was not in screen saver mode (just having the monitor powered at all would produce a limited interference), and never noted any readable text, because they avoided the badly affected channels. When they would ask me to look at the TV situation and prescribe a fix (I'm the boss and building owner) , I never saw it, because (of course) I put the monitor to sleep before I would venture out for an inspection. Talk about Keystone Kops! They would joke that the TV was afraid to not be working properly when the boss was
present, and we just wrote it off to rogue cell phone or CB users, because our portable phones and computer speakers would frequently pick up passing car/truck audio signals from such devices.(Yet another bonus was that the staff wasn't prone to hang out in the break room and watch TV anytime I was working)
I'd've never discovered the source of the whole thing, save for a Sunday when I came into get some computer backups and volume house-cleaning done, and I dragged in a little B&W TV to also "watch" the football game. I was going mad trying to get any decent reception at all that close to the damn thing, not noting for at least a couple of events that it cleared up substantially when the screen went into an idle screen saver mode on its own. I finally gave up and settled for just audio, and only
noted the relation hours later when I powered off the monitor to rearrange my desk. A couple of on-off clicks later, I started laughing, finally finding the source of all the problems for the whole building--that is until a commercial pause came on, and I saw the contents of my open-folder list displayed on the screen.I goofed around for the next sixty minutes, trying desperately to discern what I could see in that momentary darkness between commercials, and in those brief moments, I found that I could *easily* read my email, word docs, spreadsheets, database, etc., and I could repeat the ability on every TV screen in every room on every floor to which I had access-- Eeek!
Anyway, this note got a lot longer than I wanted, but I still have the monitor, if it holds any interest to you as a "primary source" of the fact that an SVGA can most definitely be a victim of low-cost TEMPEST (albeit an admittedly and likely rare event on only one monitor I can
name).
"LCD displays on laptops eliminate the risks of TEMPEST attack."S writes:No way. I get a few channels in my apartment via rabbit-ear and UHF loop antenna reception - they're pretty weak, but on a good day and in the absence of major interference, I can watch Ally McBeal. I'm also a longtime notebook computer user, mostly Apple Powerbooks. The TFT LCD screen specifically interferes with the lower-numbered VHF channels on my TV,
which also happen to be more poorly propagated at my location. The CPU and motherboard also interfere, but the screen is by far the worst and can't be within twenty feet and/or two interior walls of the antennae without substantial, patterned interference. And this is a low-power laptop with a relatively small 10" screen (800x600, 60Hz refresh), using under seven watts including the 180MHz CPU. Shutting off the screen independently of the rest of the machine greatly reduces the interference.That doesn't mean that there's intelligible information in all that noise, of course, but given that I can change the appearance of the interference by changing the onscreen display, I'd be willing to bet that there is. It's also worthwhile to note that conventionally (greyscale) antialiased fonts look horrible on crisp LCD screens because there's none of the natural innaccuracy and softening that a CRT produces (in other situations this is a good thing and reduces eyestrain, the main reason I don't use CRTs any
more). This includes the filtered ones your page links to (I'm looking at them now). There is a different mode of antialiasing that makes use of the slight RGB offset on an LCD display (one of the few real innovations to come out of Microsoft, of all places), which might be applied to this purpose. Unfortunately one has to use different fonts depending on whether the screen elements are arranged RGB or BGR (both exist at the moment, in approximately equal proportion).
In a (government) security briefing, I did witness a legitimate Tempest intercept of an IBM Selectric typewriter. However, the typewriter had been modified to produce unusually high levels of signals, the distance over which the intercept occurred was fairly short, and the conductors of the demo insisted all other potential sources of emanations be powered down in the area where the demo was conducted.While my time with the government (Secret Service and Naval Intelligence) did not deal directly with Tempest intercept or
screening, the general consensus, even in the most sensitive circles, was that there were far easier, effective and more efficient methods of gathering information. At one time the threat was taken seriously, but not anymore.Just think, in an average office or even modern home environment, how many sources of radiation there are, and how difficult it would be to target one and one only. Remember the strength of a field decreases with the square of the distance. Your wristwatch at close range produces a stronger signal than a large CRT the other side of the room.
In the early days, before every cigarette lighter and toaster over contained a microprocessor, and CRT technology was not refined, there may have been a threat. Anymore, CRTs operate at much lower levels and the RF/EMI environment is much busier. Remember when we were young and televisions came with warnings about sitting too close? Do you see
those anymore, even on large color screens? Far less energy now is needed to excite the extremely efficient phosphors in the CRT. In the early days, it was done with brute force.It's fun to talk about, but from a practical level I believe there no longer is a threat.
I have never seen a real world demo of a genuine Tempest/Van Eck intercept, and I have been around some. The alleged construction articles leave themselves an out, like saying a lot of experimenting is needed to fine tune or whatever.
Sort of like the chemical formulas with a line buried deep "then a miracle occurs".
"The use of wireless communications (infrared) ports found on most PPCs to interface with printers and other peripheral devices is strictly forbidden when processing classified information. These ports must be disabled on all accredited PPCs and peripherals by covering the window with a numbered security seal or physically removing the infrared transmitter."
Disclaimer: I've never been involved with the TEMPEST community, had a security clearance for TEMPEST, or have access to classified material relating to TEMPEST. The information on this page is completely derived from publicly available, unclassified sources.
revision history
12/17/96 - original document
12/18/96 - added link to van Eck follow-up article, shielding comments
12/21/96 - reorganization and additional comments about Rome Lab,
ZONE, DOE, non-TEMPEST
12/22/96 - added Smulders paper
01/02/97 - added Compliance Engineering, additional NIST, Navy,
Canada, Used, and paper sources
01/08/97 - added UK, patents
01/11/97 - added DA Pamphlet 73-1/Blacktail test facility, Army,
COMPUTERWOCHE, EMC, HAL, Austest, Racal, Compucat, Nisshinbo
02/02/97 - added Naval Postgraduate School, EMC FAQ, DynCorp, Conductive
Coatings, GEC Marconi, CorCom, AFC, Corps of Engineers, Ford Surplus, GTE,
ECM job list, White Sands, Cortron, SwRI, Veda, Emcon
02/14/97 - added DEFCON goodies to Used
02/18/97 - added Redefining Security report, Lynwood
03/10/97 - added Datastop glass to shielding section
03/21/97 - added Moller paper (from Phrack 44)
03/26/97 - added Army Corps of Engineers pub, Elfinco, recommended
Xs
04/12/97 - added Computerwoche translation
06/09/97 - added Blacktail page, Framatome Connectors International
07/02/97 - added JMK
12/15/97 - added LCR, Logical Solutions, IAM, GSGC, Tempest Mac
02/08/98 - added Anderson & Kuhn paper, FFTLLC, dead link check
03/03/98 - added Army EMP, Compunetix, XL Computing
03/30/98 - added USGS, Motorola, Tempest Security Systems
11/14/98 - added EMP-tronic, SSG, Filter Networks, Australia section,
Braden, Hewitt, TUV, Windermere, ERS, ADI, ZipperTubing, Army EPG, Glenair,
Allied Signal, D2D, Truthnet, EC, Hyfral, Navy E3 and other, BEMA, Raytheon,
Shadow Chaser, Dina, ATSC, Profilon, EYP, CSS, ILEX, DOE 5300, Cycomm,
Murphy paper, Cryptek, Greco, Lindgren-Rayproof, Turtle Mt., Kern,
Cabrac, Solar Electronics, National TEMPEST school, Air Force 33-203, HIJACK/NONSTOP
11/17/98 - added Gabrielson papers, SJM News article, Pulse Eng,
US Coast Guard, DRMO, c't article, Chomerics, JY FOIA
11/19/98 - Air Force van, EMSEC, Air Force sec mems, new HIJACK
& NONSTOP info
11/25/98 - anti-TEMPEST fonts link, alt Air Force links, Schwartau
.WAV speech
7/3/99 - Computer Security Solutions, TSCM consultant, student paper,
Seimens, P&E, SATE, dead links
7/11/99 -iDefense TEMPEST bust, Acronym Finder
7/19/99 - Hetra, updated DefCon page, Slashdot article
8/19/99 - Gabrielson piece, DEMCOM
8/21/99 - Durak CPU, Mueller HIP
10/10/99 - ISEC update, 497 IG, Treasury, NRO, Star Wars, Navy Code
72, COS, Koops, Army PDC, c't articles
10/24/99- John Young FOIA news
10/25/99 - more JYA FOIA, added new NSA docs referenced in FOIA,
DOJ, patent, slashdot/wired
11/7/99 - Final JYA, Jones, Koops summary, Tales, Web tracking
11/8/99 - New Scientist
11/13/99 - SET21
11/15/99 - Jones stuff
11/30/99 - More JYA
12/4/99 - DoD DB
Special thanks to John Young for his relentless pursuit of information and archival prowess - see his Cryptome site for additional crypto/government/privacy/security/etc. information.
Copyright 1996,1997, 1998, 1999 Joel McNamara
