from http://library.psyon.org/tempest.txt
Across the darkened street, a windowless van is parked. Inside, an
antenna is pointed out through a fiberglass panel. It’s aimed at an office
window on the third floor. As the CEO works on a word processing document,
outlining his strategy for a hostile take-over of a competitor, he never
knows what appears on his monitor is being captured, displayed, and recorded
in the van below.
If you’re even vaguely familiar with intelligence, computer security,
or privacy issues, you’ve no doubt heard about TEMPEST. Probably something
similar to the above storyline. The general principle is that computer
monitors and other devices give off electromagnetic radiation. With the
right antenna and receiver, these emanations can be intercepted from a
remote location, and then be redisplayed (in the case of a monitor screen
or recorded and replayed (such as with a printer or keyboard).
TEMPEST is a code word that relates to specific standards used to reduce
electromagnetic emanations. In the civilian world, you’ll often hear about
TEMPEST devices (a receiver and antenna used to monitor emanations) or
TEMPEST attacks (using an emanation monitor to eavesdrop on someone). While
not quite to government naming specs, the concept is still the same.
TEMPEST has been shrouded in secrecy. A lot of the mystery really isn’t
warranted though. While significant technical details remain classified,
there is a large body of open source information, that when put together
forms a pretty good idea of what this dark secret is all about. That’s
the purpose of this page.
The following is a collection of resources for better understanding
what TEMPEST is. And no, I seriously don’t think national security is being
jeopardized because of this information. I feel to a certain extent, the
security through obscurity that surrounds TEMPEST may actually
be increasing the vulnerability of U.S. business interests to economic
espionage. Remember, all of this is publicly available. A fair amount has
come from unclassified, government sites. Up to this point, no one has
spent the time to do the research and put it all together in a single location.
I’ve just begin to scratch the surface. If you have any additions, corrections,
or amplifications, let me know. This is a work in progress, so check back
often (updates are listed at the bottom of the page).
TEMPEST is a U.S. government code word that identifies a classified set of standards for limiting electric or electromagnetic radiation emanations from electronic equipment. Microchips, monitors, printers, and all electronic devices emit radiation through the air or through conductors (such as wiring or water pipes). An example is using a kitchen appliance while watching television. The static on your TV screen is emanation caused interference. (If you want to learn more about this phenomena, a company called NoRad? has an excellent of electromagnetic radiation and computer monitors, that you don’t need to be an electrical engineer to understand. Also, while not TEMPEST-specific, a journal called typically has good technical articles relating to electromagnetic interference. There’s also the Electromagnetic Compliance FAQ.)
During the 1950’s, the government became concerned that emanations could be captured and then reconstructed. Obviously, the emanations from a blender aren’t important, but emanations from an electric encryption device would be. If the emanations were recorded, interpreted, and then played back on a similar device, it would be extremely easy to reveal the content of an encrypted message. Research showed it was possible to capture emanations from a distance, and as a response, the TEMPEST program was started.
The purpose of the program was to introduce standards that would reduce the chances of leakage from devices used to process, transmit, or store sensitive information. TEMPEST computers and peripherals (printers, scanners, tape drives, mice, etc.) are used by government agencies and contractors to protect data from emanations monitoring. This is typically done by shielding the device (or sometimes a room or entire building) with copper or other conductive materials. (There are also active measures for jamming electromagnetic signals. Refer to some of the patents listed below.)
In the United States, TEMPEST consulting, testing, and manufacturing is a big business, estimated at over one billion dollars a year. (Economics has caught up TEMPEST though. Purchasing TEMPEST standard hardware is not cheap, and because of this, a lesser standard called ZONE has been implemented. This does not offer the level of protection of TEMPEST hardware, but it quite a bit cheaper, and is used in less sensitive applications.)
Emanation standards aren’t just confined to the United States. NATO has a similar standard called the AMSG 720B Compromising Emanations Laboratory Test Standard. In Germany, the TEMPEST program is administered by the National Telecom Board. In the UK, Government Communications Headquarters (GCHQ), the equivalent of the NSA, has their own program.
The original 1950s emanations standard was called NAG1A. During the
1960s it was revised and reissued as FS222 and later FS222A.
In 1970 the standard was significantly revised and published as National
Communications Security Information Memorandum 5100 (Directive on TEMPEST
Security), also known as NACSIM 5100. This was again revised in 1974.
Current national TEMPEST policy is set in National Communications Security
Committee Directive 4, dated January 16, 1981. It instructs federal agencies
to protect classified information against compromising emanations. This
document is known as NACSIM 5100A and is classified.
The National Communications Security Instruction (NACSI) 5004 (classified
Secret), published in January 1984, provides procedures for departments
and agencies to use in determining the safeguards needed for equipment
and facilities which process national security information in the United
States. National Security Decision Directive 145, dated September 17, 1984,
designates the National Security Agency (NSA) as the focal point and national
manager for the security of government telecommunications and Automated
Information Systems (AISs). NSA is authorized to review and approve all
standards, techniques, systems and equipment for AIS security, including
TEMPEST. In this role, NSA makes recommendations to the National Telecommunications
and Information Systems Security Committee for changes in TEMPEST polices
and guidance.
Just how prevalent is emanation monitoring?
There are no public records that give an idea of how much emanation
monitoring is actually taking place. There are isolated anecdotal accounts
of monitoring being used for industrial espionage (see Information Warfare,
by Winn Schwartau), but that’s about it. Unfortunately, there’s not an
emanation monitoring category in the FBI Uniform Crime Reports.
Threat?
There are a few data points that lead one to believe there is a real
threat though, at least from foreign intelligence services. First of all,
the TEMPEST industry is over a billion dollar a year business. This indicates
there’s a viable threat to justify all of this protective hardware (or
it’s one big scam that’s making a number of people quite wealthy).
This scope of the threat is backed up with a quote from a Navy manual
that discusses compromising emanations or CE. Foreign
governments continually engage in attacks against U.S. secure communications
and information processing facilities for the sole purpose of exploiting
CE. I’m sure those with appropriate security clearances have access
to all sorts of interesting cases of covert monitoring.
Or not?
In 1994, the Joint Security Comission issued a report to the Secretary
of Defense and the Director of Central Intelligence called Redefining
Security. It’s worthwhile to quote the entire section that deals
with TEMPEST.
TEMPEST (an acronym for Transient Electromagnetic Pulse Emanation Standard
is both a specification for equipment and a term used to describe the process
for preventing compromising emanations. The fact that electronic equipment
such as computers, printers, and electronic typewriters give off electromagnetic
emanations has long been a concern of the US Government. An attacker using
off-the-shelf equipment can monitor and retrieve classified or sensitive
information as it is being processed without the user being aware that
a loss is occurring. To counter this vulnerability, the US Government has
long required that electronic equipment used for classified processing
be shielded or designed to reduce or eliminate transient emanations. An
alternative is to shield the area in which the information is processed
so as to contain electromagnetic emanations or to specify control of certain
distances or zones beyond which the emanations cannot be detected. The
first solution is extremely expensive, with TEMPEST computers normally
costing double the usual price. Protecting and shielding the area can also
be expensive. While some agencies have applied TEMPEST standards rigorously,
others have sought waivers or have used various levels of interpretation
in applying the standard. In some cases, a redundant combination of two
or three types of multilayered protection was installed with no thought
given either to cost or actual threat.
A general manager of a major aerospace company reports that, during
building renovations, two SAPs required not only complete separation between
their program areas but also TEMPEST protection. This pushed renovation
costs from $1.5 million to $3 million just to ensure two US programs could
not detect each other’s TEMPEST emanations.
In 1991, a CIA Inspector General report called for an Intelligence Community
review of domestic TEMPEST requirements based on threat. The outcome suggested
that hundreds of millions of dollars have been spent on protecting a vulnerability
that had a very low probability of exploitation. This report galvanized
the Intelligence Community to review and reduce domestic TEMPEST requirements.
Currently, many agencies are waiving TEMPEST countermeasures within
the United States. The rationale is that a foreign government would not
be likely to risk a TEMPEST collection operation in an environment not
under their control. Moreover, such attacks require a high level of expertise,
proximity to the target, and considerable collection time. Some agencies
are using alternative technical countermeasures that are considerably less
costly. Others continue to use TEMPEST domestically, believing that TEMPEST
procedures discourage collection attempts. They also contend that technical
advances will raise future vulnerabilities. The Commission recognizes the
need for an active overseas TEMPEST program but believes the domestic threat
is minimal.
Contractors and government security officials interviewed by the Commission
commend the easing of TEMPEST standards within the last two years. However,
even with the release of a new national TEMPEST policy, implementation
procedures may continue to vary. The new policy requires each Certified
TEMPEST Technical Authority (CTTA), keep a record of TEMPEST applications
but sets no standard against which a facility can be measured. The Commission
is concerned that this will lead to inconsistent applications and continued
expense.
Given the absence of a domestic threat, any use of TEMPEST countermeasures
within the US should require strong justification. Whenever TEMPEST is
applied, it should be reported to the security executive committee who
would be charged with producing an annual national report to highlight
inconsistencies in implementation and identify actual TEMPEST costs.
Domestic implementation of strict TEMPEST countermeasures is a prime
example of a security excess because costly countermeasures were implemented
independent of documented threat or of a site’s total security system.
While it is prudent to continue spot checks and consider TEMPEST in the
risk management review of any facility storing specially protected information,
its implementation within the United States should not normally be required.
The Commission recommends that domestic TEMPEST countermeasures not
be employed except in response to specific threat data and then only in
cases authorized by the most senior department or agency head.
Maybe
The main difficulty in tracking instances of emanation monitoring is
because it’s passive and conducted at a distance from the target, it’s
hard to discover unless you catch the perpetrator red-handed (a bad Cold
War pun). Even if a spy was caught, more than likely the event would not
be publicized, especially if it was corporate espionage. Both government
and private industry have a long history of concealing security breaches
from the public.
As with any risk, you really need to weigh the costs and benefits. Is
it cheaper and more efficient to have a spy pass himself off as a janitor
to obtain information, or to launch a fairly technical and sophisticated
monitoring attack to get the same data? While some hard targets
may justify a technical approach, traditional human intelligence (HUMINT
gathering techniques are without a doubt, used much more often than emanation
monitoring.
Because of the general lack of knowledge regarding TEMPEST topics, there
is a fair amount of urban folklore associated with it. Here’s some common
myths. And if you can provide a primary source to prove me wrong, let me
know (no friends of friends please).
It’s illegal to shield your PC from emanation monitoring. Seline’s
paper suggests this, but there are no laws that I’ve found that even come
close to substantiating. Export of TEMPEST-type shielded devices is restricted
under ITAR, and most manufacturers will only sell to government authorized
users, but there are no laws banning domestic use of shielded PCs.
Emanation monitoring was used to snare CIA spy Aldrich Ames and
also during the Waco incident. Winn
Schwartau appears to have started the speculation on these two events.
While conventional electronic surveillance techniques were used, there’s
no published evidence to support a TEMPEST attack..
You can put together a emanation monitoring device for under $100
worth of Radio Shack and surplus parts. Perhaps for a dumb video display
terminal (VDT), but certainly not for a VGA or SVGA monitor. And definitely
not for doing serious remote monitoring. There have been anecdotal accounts
of television sets with rabbit ears displaying fragments of a nearby computer
screen. Beyond that, effective, cheap, easy-to-build devices don’t seem
to exist. If they did, the plans would be available on the Net at just
about every hacker site.
LCD displays on laptops eliminate the risks of TEMPEST attacks.
Maybe, maybe not. The technology behind LCD monitors versus typical CRT
monitors may somewhat reduce the risk, but I wouldn’t bet my life on it.
There have been anecdotal accounts of noisy laptop screens being partially
displayed on TVs. If laptops were emanation proof, I seriously doubt there
would be TEMPEST standard portables on the market.
TEMPEST is an acronym. Maybe. There have been a variety of attempts
to turn TEMPEST into a meaningful acronym (such as Transient Pulse Emanation STandard) by government and non-government sources. The
official government line denies this, and states TEMPEST was a code word
originally given to the standards, and didn’t have any particular meaning.
There’s virtually no information about TEMPEST on the Net because
it’s so secret. Nonsense. The world does not revolve around AltaVista. You just need to dig a little deeper.
One of the most distributed sources of TEMPEST information on the Net
is a paper by Christopher Seline called Eavesdropping
On the Electromagnetic Emanations of Digital Equipment: The Laws of Canada,
England and the United States. It deals with laws relating to
eavesdropping on the electromagnetic emanations of digital equipment. Seline
postulates that it is illegal for a U.S. citizen to shield their hardware
against emanation eavesdropping. There are no laws to support this contention.
Other information in the Seline paper has been questioned by informed sources,
however, there is good source material contained in it.
The other widely distributed source is Grady Ward’s TEMPEST
in a teapot post to the Cypherpunks list that discusses practical
countermeasures based on techniques radio operators use to reduce electromagnetic interference. Good technical source material.
Electromagnetic Radiation from
Video Display Units: An Eavesdropping Risk? by Wim van Eck, Computers
& Security, 1985 Vol. 4. This is the paper that brought emanation monitoring
to the public’s attention. Van Eck was a research engineer at the Dr. Neher
Laboratories of The Netherlands’ Post, Telegraph, and Telephone (PTT) Service.
His paper was purposely incomplete on several points, and modifications
were required to actually build a working device based on his plans. (.PDF
format) PC Week, March 10, 1987 v4 p35(2) has an article by Vin McLellan
aboutemanation monitoring and TEMPEST.
A quick search of IBM’s patent
server service revealed several interesting patents:
Patent number 4965606
- Antenna shroud tempest armor (1989
Patent number 5165098
- System for protecting digital equipment against remote access (1992
Patent number 4932057
- Parallel transmission to mask data radiation (1990
Patent number 5297201
- System for preventing remote detection of computer data from tempest
signal emissions (1994
A note about patent 5297201. It references patent 2476337 that was issued
July 1, 1949. Unfortunately, the details aren’t available online, but the
reference may be telling as to just how long emanation monitoring has been
taking place.
Cabinets for Electromagnetic Interference/Radio-Frequency Interference
and TEMPEST Shielding by Kenneth F. Gazarek, Data Processing &
Communications Security, Volume 9, No. 6 [1985].
Information Warfare, Winn Schwartau, Thunder’s Moth Press, New York,
1996 (second edition
Chapter 7, The World of Mr. van Eck, is devoted to TEMPEST-related topics.
There’s some good information, but it’s painted pretty broadly, and really
doesn’t get into technical details (the second edition does present much
more material on HERF guns and other topics, but nothing has been added
to the van Eck chapter). Still, a good read, also some additional sources
not mentioned on this page in the Footnotes section.
Computer Security Basics,
Deborah Russell and G. T. Gangemi Sr., O’Reilly & Associates, Sebastpol,
CA, 1991
Chapter 10, TEMPEST, provides an excellent overview of the risks of emanations
as well as the government TEMPEST program. This is a must read.
A company called The Codex probably
has the most information about TEMPEST-type products on a single Net site.
The CEO, Frank Jones, gave a monitoring demonstration on the Discovery
Channel in October, 1996 a
transcript and video stills are available). The site also houses a
general discussion of emanation
monitoring and a reprint of an Internet
Underground article. Jones sells a monitoring device called a DataScan ,
but unfortunately doesn’t supply much technical detail and I’ve yet to
talk to a third party that’s actually used one. He also sells something
called Safety Shield, which is used to reduce emanations.
John Williams sells the Williams Van Eck System, an off the shelf emanation
monitoring device. He also has a demonstration
video and and a book
called Beyond Van Eck Phreaking. The updated Consumertronics
Web site has a variety of interesting products (the $3 paper catalog is
a good read too). In past written correspondence with Mr. Williams, he
has provided a considerable amount of technical details about his products.
I’m currently looking for first hand, real-world accounts of a monitoring
device actually being used to gather intelligence (not in a demonstration).
PGP-encrypted e-mail through anonymous remailers or nym servers perferred.
After you’ve read Grady’s paper...
If you’re handy with a soldering iron, Nelson Publishing produces something
called the EMI/RFI
Buyers’ Guide. This is a comprehensive list of sources for shielding
material, ferrites, and other radio frequency interference and electromagnetic
interference type products. There’s even listings for TEMPEST products
and consultants. Unfortunately, most of the sources don’t have links. But
company names, addresses, and phone/FAX numbers are supplied.
A more general electronics manufacturer data base is electroBase.
They have over 7,800 manufacturers of all types listed.
There’s an interesting product called Datastop Security Glass, that’s
advertised as the only clear EMF/RFI protection glass on the market. It’s
free of metal mesh, so has excellent optical clarity. This is the same
stuff the FAA uses in air traffic control towers. Contact TEMPEST
SECURITY SYSTEMS INC. for more details.
Just remember, effective emanation security begins with the physical
environment. Unless you can shield the wiring (telephone lines, electrical
wiring, network cables, etc.), all of the copper around your PC and in
the walls isn’t going to stop emanations from leaking to the outside world.
In shielding, also remember that emanations can pass from one set of wires
to another.
Here’s some of the players in the billion dollar a year TEMPEST industry
(this is by no means a complete list):
* http://www.afcsat.com/shelter.html (Antennas for Communications manufacturers TEMPEST sheilding enclosures for antennas. * HTTP://www.visprod.com/aerovox Aerovox manufactures a variety of EMI filters. Nice downloadable catalog (Windows help format with photos. * http://www.austest.com.au Austest Laboratories is a down-under company that provides TEMPEST testing. * http://members.aol.com/tempestcsi/ Candes Systems Incorporated produces TEMPEST products, including monitors, printers, and laptops. Nice photos and specs. * http://www.compucat.com.au/tempserv.html Compucat is an Australian company that provides a variety of TEMPEST products and services. * http://www.ccoatings.com/ Conductive Coatings, a division of the Chromium Corporation, produces a variety of shielding solutions. * http://cor.com/rjjacks/jack.html makes a variety of shielded jacks (RJ type) in its Signal Sentry line. * http://www.cortroninc.com/milapps.htm Corton Inc. manufactures TEMPEST keyboards. * http://www.dynamic-sciences.com/ Dynamic Sciences is another TEMPEST-oriented company. Among other things, they produce a piece of hardware called the DSI-110, for surveillance and testing purposes. * http://www.lfw.com/WWW/CIM/bg/C004255.HTM Equiptco Electronics sells a variety of general electronic equipment and supplies, some TEMPEST standard (but you need to dig through their catalog to find it). * http://www.emctech.com.au/aboutemc.html EMC Technologies is an Australian company that provides TEMPEST testing. * http://www.emcon.com/ Emcon Emanation Control Limited, in Onatrio, Canada, has been providing TEMPEST equipment to NATO governments for the past 12 years. * http://www.systems.gec.com/products/secure.html GEC-Marconi Hazeltine produces COMSEC products as well as TEMPEST design and test facilities. * GTE, the phone people, make a TEMPEST version of their Easy Fax product, complete with a STU-III (encrypted phone) gateway. * http://www.halcomm.com/ HAL Communications Corp. provides TEMPEST shielded modems and radio equipment to the government. * Kontron Elektronic is a German company that offers a slick little http://www.kontron.com shielded portable. * http://www.lynwood.com/ Lynwood is a UK supplier of TEMPEST and ruggedized PCs. * http://www.naitech.com/products/ NAI Technologies produces a variety of TEMPEST standard workstations and peripherals. *http://www.nisshin.co.jp/tempest/english Nisshinbo is a Japanese company that provides quite a bit of detail on its TEMPEST shielding products. The DENGY-RITE 20 wideband grid ferrite absorber panels is especially interesting. * http://www.panashield.com/ Panashield manufactures a variety of shielding enclosures. * http://www.racalcomm.com/cap.htm Racal Communications does TEMPEST evaluations. * http://members.aol.com/rasciences/index.html Radiation Sciences Inc. is a TEMPEST consulting and training firm in Pennsylvania. * http://www.blackmagic.com/ses/ses.html Security Engineering Services Inc. is a consulting firm that offers TEMPEST courses and other services. The courses are only offered to students who have a security clearance. The interesting thing is the course books appear to be orderable by any U.S. citizen. TEMPEST Hardware Engineering and Design and TEMPEST Program Management and Systems Engineering, with over 800 pages of total material are available for $200. * (http://www.swri.org/3pubs/brochure/d10/rfmeas/rfmeas.htm Southwest Research Institute (performs TEMPEST and other testing). * http://home.worldweb.net/home/index.html Incorporated is another consulting company that offers TEMPEST consulting. Not much information at this site. * http://www.trw.com/trwss/emi.html TRW Specialized Services offers TEMPEST testing, both in the lab and field. This site has a nice Acrobat brochure that describes their services. * http://tecknit.com/index.html Tecknit is one of the leaders in shielding products. They specialize in architectural shielding (copper coated doors, panels, etc.) and smaller gaskets and screens for electronic devices. A very informative site, with downloadable Acrobat catalogs. * (http://www.tempest-inc.com Tempest Inc. has been around for 11 years and produces TEMPEST standard hardware for the government and approved NATO countries. Their catalog isn't online, but as an example they offer an interesting Secure Voice Switching Unit that's used in USG executive aircraft. Not much technical information here. * http://www.wangfed.com/products/infosec/homepage/ssystems.html Wang Federal Systems also sells TEMPEST rated hardware as well as performs testing. This site contains their product and services catalog. Some good information. * http://www.veda.com/contrac.html Veda Inc. is a defense contractor who landed a 5.6 million dollar Navy contract for TEMPEST and COMSEC services. * There's an interesting EMC-related site that has lots of job listings, many having to deal with TEMPEST. This is a good intelligence source. http://www.emclab.umr.edu/ieee_emc/jobs.html
A truth in advertising note: Just because a piece of hardware is
advertised as designed to meet NACSIM 5100A or designed
to meet TEMPEST standards doesn’t mean the device has gone through
the rigorous TEMPEST certification process. Real TEMPEST hardware
will clearly state it has been certified or endorsed.
Department of Energy (DOE)
The Department of Energy is an extremely security conscious agency. A variety of their documents provide revealing glimpses of TEMPEST procedures.
While not TEMPEST-specific, the DOE’s Computer Incident Advisory Capability (CIAC) has an interesting document called CIAC-2304 Vulnerabilities of Facsimilie Machines and Digital Copiers (PDF format). In it, TEMPEST threats to FAX machines and copiers are briefly discussed. There are several papers referenced, including:
DOE 5639.6A, Classified Automated Information System Security Program, July 15, 1994
DOE M 5639.6A-1, Manual of Security Requirements for the Classified Automated Information System Security Program, July 15, 1994
DOE 5300.2D, Telecommunications: Emission Security (TEMPEST), August 30, 1993
The DOE’s Safeguards and Security Central Training Academy also has some relevant classified training courses.
The DOE apparently uses a company called DynCorp? to perform internal TEMPEST assessments.
National Institute of Standards and Technology (NIST)
In the 1989 Annual Report of the National Computer System Security and Privacy Advisory Board, NIST stated that TEMPEST is of lower priority in the private sector than other INFOSEC issues. It’s fairly well known that NIST is influenced by the NSA, so this quote needs to be taken with a grain of salt.
NIST has a list of accredited laboratories that perform MIL-STD-462 (electromagnetic interference) testing. Some of these also do TEMPEST testing.
While a bit dated (1986), A GUIDELINE ON OFFICE AUTOMATION SECURITY has a few references to TEMPEST, as well as other computer security nuggets.
Brief mention of the Industrial TEMPEST program as well as contacts (may be dated).
National Security Agency (NSA)
The NSA publishes something called the Information Systems Security Products and Services Catalogue. It contains a list of TEMPEST compliant hardware (as well as other approved security products). The cost of the catalog is $15 for a single copy or $34 for a yearly subscription (four issues). Requests for this document should be addressed directly to:
The Superintendent of Documents U.S. Government Printing Office Washington, D.C. 20402
Unfortunately, several of the following classified documents can’t be ordered:
Tempest Fundamentals, NSA-82-89, NACSIM 5000, National Security Agency, February 1, 1982 (Classified).
Guidelines for Facility Design and RED/BLACK Installation, NSA-82-90, NACSIM 5203, National Security Agency, June 30, 1982 (Classified).
R.F. Shielded Enclosures for Communications Equipment: General Specification, Specification NSA No. 65-6, National Security Agency Specification, October 30, 1964.
Tempest Countermeasures for Facilities Within the United States, National COMSEC Instruction, NACSI 5004, January 1984 (Secret).
Tempest Countermeasures for Facilities Outside the United States, National COMSEC Instruction, NACSI 5005, January 1985 (Secret).
National Security Telecommunications and Information Systems Security Advisory Memorandum (NSTISSAM) TEMPEST/2-95, RED/BLACK Installation Guidance 12 December 1995
State Department
While it’s not hard to guess, the State Department uses TEMPEST equipment in foreign embassies. There’s a position called a Foreign Service Information Management Technical Specialist - Digital, that pays between $30,000 to $38,000 a year. The ideal candidate should have a knowledge of TEMPEST standards as well as the ability to repair crypto hardware.
Along with cryptography, the export of TEMPEST standard hardware or devices for suppressing emanations is restricted by the International Traffic in Arms Regulations (ITAR). However, there is an exception in that: This definition is not intended to include equipment designed to meet Federal Communications Commission (FCC) commercial electro-magnetic interference standards or equipment designed for health and safety.
Part of the government’s mandate to reduce costs is to make information
available online. While the average user doesn’t have access to Milnet
or Intelink, there are a variety of unclassified, military sources on the
Internet that directly or indirectly relate to TEMPEST standards.
U.S. Navy
The Navy seems to be a further ahead then the other services in putting
content online, including:
Chapter 16 of the Navy’s AUTOMATED INFORMATION SYSTEMS SECURITY GUIDELINES
manual is devoted to emanations security. Probably the most interesting
section in this chapter deals with conducting a TEMPEST Vulnerability
Assessment Request (TVAR). Completing the TVAR questionnaire provides some
common sense clues as to how electronic security could be compromised.
Chapter 21 of the same manual deals with microcomputer security. Section 21.8
Emanations Security, reads: TEMPEST accreditation must be granted
for all microcomputers which will process classified data, prior to actually
processing the data. Your security staff should be aware of this and submit
the TEMPEST Vulnerability Assessment Request (TVAR) to COMNISCOM. Microcomputers
may be able to comply with TEMPEST requirements as a result of a TEMPEST
telephone consultation, as permitted by COMNISCOM. Contact the Naval Electronic
Security Engineering Center (NESSEC) for further information to arrange
a TEMPEST telephone consultation. Use of a secure phone may be required
and your request will be followed with written guidance. This leads
one to believe that certain PC systems may not be as susceptible as others
to emanations monitoring.
C5293-05 TEMPEST Control Officer Guidebook - Provides guidance
to the individual assigned responsibility for TEMPEST implementation at
a major activity. Unfortunately, not online, and likely classified.
NISE East Information
Warfare-Protect Systems Engineering Division (Information Warfare-Protect
Systems Engineering Division - Code 72) puts on a couple of TEMPEST
related training courses, including Tempest Criteria for System/Facility
Installation and Tempest Fundamentals. These are targeted
toward Department of Defense personnel and civilian contractors who must
comply with TEMPEST standards as part of their business.
The Reduction of Radio Noise Eminating from Personal Computers is
a thesis topic at the Department of Electrical Engineering, Naval Postgraduate
School.
U.S. Air Force
The Air Force’s Rome Laboratory has
produced a variety of interesting defense related systems. Some developments
likely related to TEMPEST include:
In 1961 the Electromagnetic Vulnerability Laboratory was established.
In terms of emanation monitoring, circa 1965 - 70, a Wullenweber
antenna (called the elephant’s cage) is reputed to have
done an excellent job of retrieving stray signals. While hardly a portable
device, it does suggest the military was actively pursuing emanation monitoring
during this period.
In 1964, Rome developed the AN/MSM-63 Electromagnetic Measurement Van
(no information as to whether it just served a testing function, or could
be used for surveillance).
In June of 1965, RADC a lightweight (350-pound) electromagnetic surveillance
antenna was developed that was operationally equivalent or better than
systems that were up to ten times larger and heavier. During that same
year considerable progress was made in the area of reducing vulnerability
to electromagnetic interference. Mr Woodrow W. Everett, Jr. was among personnel
recognized for technological improvements in wave guides, electronic tube
components, and greater electronic compatibility.
Other Air Force documents:
Ground-based Systems EMP Design Handbook, AFWL-NTYCC-TN-82-2,
Air Force Weapons Laboratory, February 1982.
Systems Engineering Specification 77-4, 1842 EEG SES 77-4,
Air Force Communications Command, January 1980.
U.S. Army
The U.S. Army
Information Systems Engineering Command is headquartered at Fort Huachuca,
Arizona. The Fort engages in a variety of spook-related activities. One
of the classified documents that is referenced is:
AR 380-19-1, Control of Compromising Emanations 4 September 1990
The Army Corps of Engineers, Construction Engineering Research Laboratories,
has been experimenting with low cost TEMPEST shielding technologies. Some
revealing tidbits are described in their fact
sheet.
The Army’s White Sands Missle Range has a Test
Support Division that does TEMPEST testing as well as other things.
An interesting photo of the inside and outside of a test truck is shown.
Department of Defense
The Department of Defense’s Defense
Technical Information Center has information regarding the Collaborative
Computing Tools Working Group (representatives from private sector
and the intelligence and defense communities). The CWG put together some
TEMPEST recommendations for video-conferencing products.
From a post to the Cypherpunks list in April of 1994, by Steve Blasingame:
An overview of TEMPEST can be found in DCA (Defense Communications Agency
Circular 300-95-1, available from your nearest Federal Documents Depository
/ Government Library. The section of interest in is Volume 2, DCS Site
and Building Information, sections SB4 & SB5, (Grounding,Shielding,HEMP).
SB5 though not directly covering RFI/RF Emanation is devoted to shielding
for high altitude electromagnetic pulse radiation (HEMP). The documents
discuss Earth Electrode Systems, Fault Protection Systems, Lightning Protection
Systems, Signal Reference Systems, and RFI containment, they also briefly
discusses radio signal containment (TEMPEST) as well. This is a must-read
for anyone wishing to keep their bits to themselves. Discussions of testing
and validation methods are not discussed in the unclassified documents.
I have included the references to the Secret/Classified documents for the
sake of completeness. It is possible that some of them are by now de-classified,
or may be requested through FOIA.
DA Pamphlet 73-1, Part One, 16 Oct 1992 (DRAFT) is an obscure document
that discusses survivability and mission performance of military systems.
The interesting thing in this pamphlet is a fairly detailed description
of the military’s Blacktail Canyon EMI/TEMPEST facility at Ft. Huachuca
(Army facility located in Arizona). Physical specifications as well as
electronic test equipment (portable and fixed) descriptions are provided.
This document is worth quoting at length:
(g) Electromagnetic Interference/Tempest Test Facility. The Blacktail
Canyon EMI/TEMPEST facility is located in a remote RF isolated area of
Ft. Huachuca. The remote location provides a relatively low electromagnetic
ambient environment which optimizes open-field testing. The facility location
in conjunction with a 400 ft by 360 ft perimeter fence provides the degree
of physical security required for mission tests. Testing can be accomplished
in accordance with the following standards: EMI (MIL-STD-461C and MIL-STD-462
TEMPEST (NACSIM 5100A, NACSIM 5112 and KAG 30) and IEMC (MIL-STD-6051).
(1) Three EMI/TEMPEST test chambers include: a 44 ft long by 22 ft wide
by 18 ft high anechoic chamber which provides 120 db of RF isolation and
will accommodate military equipment up to the sizes of the HMMWV, CUCV,
LAV, and M113 families a 26 ft long by 16 ft wide by 11.5 ft high TEMPEST/EMI
chamber providing 100 db RF isolation and a 12 ft long by 10 ft wide by
11 ft high shielded room for testing of small items.
(2) Facility instrumentation suites consists of the following: two Dynamic
Sciences, Inc. TEMPEST test systems providing automatic NACSIM and KAG
testing requirements two automated AILTECH RFI/EMI data collection systems
providing support to MIL-STD-461C/462 radiated and conducted emission testing
from 20 Hz to 40 GHz an integrated EMI susceptibility system allowing
RF illumination of equipment from 10KHz to 40 GHz and an extensive assortment
of parallel element, rod, biconical, log periodic, and double ridge guide
antennae, along with associated RF amplifiers and electric field probes
which can provide RF illumination and detection capabilities across the
40 GHz spectrum relevant to the EMI/TEMPEST arena.
(3) The EMI/Rab data collection and TEMPEST systems provide sufficient
portability to allow performance of EMI/TEMPEST tests at remote locations.
Remote TEMPEST testing is also accommodated with two mobile vans. One van
is equipped with a Watkins-Johnson manual TEMPEST measurement system. The
remaining van houses a DSI 9000 series automated TEMPEST measurement system.
Other Defense Department documents:
MIL-STD-188-124, Grounding, Bonding, and Shielding for Common
Long Haul/Tactical Communication Systems, U.S. Dept. of Defense,
June 14, 1978.
MIL-HDBK-419, Grounding, Bonding, and Shielding for Electronic
Equipments and Facilities, U.S. Dept. of Defense, July 1, 1981.
Physical Security Standards for Sensitive Compartmented Information
Facilities (SCIF), Manual No. 50-3 Defense Intelligence Agency (For Official
Use Only), May 2, 1980.
Design Practices for High Altitude Electromagnetic Pulse (HEMP
Protection, Defense Communications Agency, June 1981.
EMP Engineering Practices Handbook, NATO File No. 1460-2,
October 1977
The US isn’t the only one playing the TEMPEST game. Here’s some additional
sources from various countries.
COMMUNICATIONS SECURITY ESTABLISHMENT PUBLICATIONS
COMSEC Installation Planning (TEMPEST Guidance and Criteria) (CID/09/7A),
1983, (English only)(Confidential)
Criteria for the Design, Fabrication, Supply, Installation and Acceptance
Testing of Walk- In Radio Frequency Shielded Enclosures (CID/09/12A)(Unclassified
The British Central
Computer and Telecommunications Agency publishes a variety of computer
security titles including:
TEMPEST: The Risk (Restricted) CCTA Library 0 946683 22 0 1989
TEMPEST shielded computer equipment sometimes leaks out into the public
in the form of surplus and scrap sales. This section is devoted to descriptions.
JC describes two shielded IBM PC cases he picked up from a scrap dealer
for $35 each (unfortunately they had already sold the printers and monitors).
The cases were labeled EMR XT SYSTEM UNIT (on the front), with a model
number of 4455 1 (on the back). The cases are similar to a standard IBM
XT case, except depper toward the back, so a filter bank and power supply
baffle could be installed. The top is bolted down, requiring an allen wrench
to remove. The top part of the case has a gasket groove for the brass colored
RF gasket, and the mating surface is a finished in anodized aluminum. The
top appears to be a cast aluminum plate. Each of the ports in the rear
has a filter, unused ports have a metal blocking cover that mates to the
case and make a good eletrical contact.
W.J.
Ford Surplus Enterprises had the following printer for sale in December
1996:
LASER PRINTER Make:MITEK Model:100T 300 X 300 DPI LASER PRINTER WITH
LETTER SIZE PAPER TRAY, 8 PPM, MEETS NACSIM TEMPEST SPECS, C.W. OWNER’S
MANUAL (TONER CARTRIDGE NOT INCL.) Dimensions: 19.00w x 16.00h
x 16.50d 1.00 on hand, No Graphic on file, Item No.:1208 RAMP Price:
$ 250.00
In researching TEMPEST topics, sometimes I run into little-known tidbits
that relate to possible computer surveillance techniques.
Infrared Ports
The Department of Energy Information Systems Security Plan has an interesting
section titled, 8.5 Wireless Communications (Infrared Ports). It states:
The use of wireless communications (infrared) ports found on most
PPCs to interface with printers and other peripheral devices is strictly
forbidden when processing classified information. These ports must be disabled
on all accredited PPCs and peripherals by covering the window with a numbered
security seal or physically removing the infrared transmitter.
Disclaimer: I’ve never been involved with the TEMPEST community,
had a security clearance for TEMPEST, or have access to classified material
relating to TEMPEST. The information on this page is completely derived
from publicly available, unclassified sources.
* 12/17/96 - original document * 12/18/96 - added link to van Eck follow-up article, shielding comments * 12/21/96 - reorganization and additional comments about Rome Lab, ZONE, DOE, non-TEMPEST * 12/22/96 - added Smulders paper * 01/02/97 - added Compliance Engineering, additional NIST, Navy, Canada, Used, and paper sources * 01/08/97 - added UK, patents * 01/11/97 - added DA Pamphlet 73-1/Blacktail test facility, Army, COMPUTERWOCHE, EMC, HAL, Austest, Racal, Compucat, Nisshinbo * 02/02/97 - added Naval Postgraduate School, EMC FAQ, Conductive Coatings, GEC Marcon, AFC, Corps of Engineers, Ford Surplus, GTE, ECM job list, White Sands, Cortron, Veda, Emcon * 02/14/97 - added DEFCON goodies to Used * 02/18/97 - added Redefining Security report, Lynwood * 03/10/97 - added Datastop glass to shielding section * 03/21/97 - added Moller paper (from Phrack 44)
-eof-
(c)nXo/loteknologies
copy/pasted from LibFoam:all_you_ever_wanted_to_know_about_tempest