Tempest Emanations
Jacklyn Truong
University of Tulsa
April 16, 2013

Introduction
• Tempest emanations
  • Electromagnetic waves emitted by electric devices
  • Generated when a device changes the voltage of an electric current
  • Can travel extensive distances through free space
  • Travel distance can be extended by conductors
  • Can be captured
• Tempest attacks
  • Captured Tempest emanations can be deciphered to uncover processed data

History
• 1944 – Bell Labs stumbled upon Tempest emanations
  • Bell Labs provided US Military with mixing devices called 131-B2
    • Used with a rotor key generator to encrypt messages
  • Each step of the mixing device caused a frequency pattern to appear on an oscilloscope
  • Found that the frequency pattern revealed the plaintext of the encrypted messages
• Findings reported to the US Military
  • US Military was skeptical
• Bell Labs performed a test to prove threat
  • Recorded signals from 80 feet away from the Signal Corps’ Varick Street cryptocenter
  • Produced 75% of the plaintext being processed
• Bell Labs directed to develop suppression methods
• Bell Labs’ suppression methods:
  • Shielding
    • Prevent Tempest emanations through free space and magnetic fields
  • Filtering
    • Prevent compromising emanations from traveling through conductors
  • Masking
    • Purposely create electrical noise to drown out compromising emanations
• US Military’s response
  • Modified device was bulky and required too much maintenance
  • Established control zones
    • 100 feet in diameter
  • Ended research on Tempest emanations
• 1951 – CIA rediscovered the 131-B2 and Tempest emanations
  • NSA picked up project in an attempt to find new suppression methods
• 1953 – Policy required all US cryptocenters to either:
  • Establish a control zone, 400 feet in diameter
  • Implement masking
  • Apply for a waiver based on operational necessity
• 1954 – Soviets published a set of standards for the suppression of radio frequency interference
• 1960 – British intelligence agency accidentally discovered Tempest emanations in a similar manner to Bell Labs’ discovery
• 1985 – Wim van Eck published a paper demonstrating how contents from a CRT could be extracted using low-cost equipment
  • First major public description of Tempest emanations
  • Van Eck phreaking

Executing a Tempest Attack
• Use a wide-band receiver tuned to a specific frequency
  1. Determine which frequency to listen on
    • Scan entire frequency range and extract plaintext of emanation according to its amplitude/frequency modulation
  2. Improve signal-to-noise ratio
    • Use narrow-band antennas and filters
  3. Intercept emanations and deduce plaintext

Present-Day Tempest Attacks
• CRT Monitors
  • Electron beam strikes screen at various intensities to generate different pixels
  • The electric signal that drives the electron beam emits Tempest emanations
  • Pixels updated one at a time
• LCD Monitors
  • Pixels updated row by row
  • No deflection coils – low radiation
  • Operate on low voltages
  • Still vulnerable
    • DVI cable
    • Configurations
• Keyboards
  • Each keystroke causes the voltage of the electric current being sent to the computer to change
• Tempest Viruses
  • Theoretical (Ross J. Anderson)
  • Infiltrate machine and automatically transmit retrieved information to a hidden radio receiver nearby

Tempest Emanations and Businesses
• Tempest Emanations
  • Difficult to suppress
  • Surpasses advanced encryption algorithms
• The business environment consists of many electronic devices emitting Tempest emanations
• Sensitive information at risk
  • Personal information
  • Financial information
  • Customer information
  • Login information
  • Encryption/decryption keys

Mitigation
• Modify devices
  • 1955 – NSA modified teletypewriters to transmit character data all at once
    • Resulted in one large (oscilloscope) “spike” per character instead of five
  • Reduce voltage
    • Weaker emanations
• Soft Tempest Font
  • Markus Kuhn and Ross Anderson
  • Free
  • Minimize strength of compromising emanations
  • Readable on a computer monitor, but not across Tempest emanations
• Shield
  • Individual machines
  • Faraday cage
• Apply filters
• Mask – drown out emanations by generating electrical noise
• Physically separate machines (classified and unclassified)
• Encrypt signal being sent
  • HDCP – High-bandwidth Digital Content Protection
• LCD Monitors
  • Lower refresh rate

Conclusion
• Initially very difficult to suppress
• Some methods are expensive
  • Modifying devices
  • Faraday cages
  • Physically separating machines
• Moving forward
  • Encrypt signal being sent

References
• [1] D. G. Boak, “A History of U.S. Communications Security,” NSA, Ft. George G. Meade, MD, Rep. MDR-54498, 1973, vol. 1 and 2.
• [2] M. G. Kuhn and R. J. Anderson, “Soft Tempest: Hidden data transmission using electromagnetic emanations,” in Information Hiding: 2nd Int. Workshop, D. Aucsmith, Ed., vol. 1525, Springer-Verlag, 1998, pp. 124-142.
• [3] M. Pellegrini. (2008, April 29). Declassified NSA Document Reveals the Secret History of TEMPEST [Online]. Available: http://www.wired.com/threatlevel/2008/04/nsa-releases-se/
• [4] B. Koops, The Crypto Controversy: A Key Conflict in the Information Society, Kluwer Law International, 1999, pp. 211.
• [5] R. Anderson, Security Engineering: A Guide to Building Dependable Distributed Systems, Wiley Computer Publishing, New York, 2001, pp. 538-539.
• [6] Dynamic Sciences International, Inc. (2012). R-1550A TEMPEST Receiver [Online]. Available: http://www.dynamicsciences.com/client/show_product/33
• [7] M. Vuagnoux and S. Pasini, “Compromising electromagnetic emanations of wired and wireless keyboards,” in Proceedings of the 18th USENIX Security Symposium, pp. 1-16, Montreal, Canada, 2009. USENIX Association.
• [8] J. Loughry and D. A. Umphress, “Information leakage from optical emanation,” ACM Transactions on Information and Systems Security, 5(3):262-289, 2002.
• [9] Introni (2012). La Crittografia [Online]. Available: http://www.introni.it/crittografia.html

Questions?
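The 1955 teletypewriter modification listed under Mitigation (one spike per character instead of five), worked through as an added example that is not part of the original slides. It compares how much of a five-bit character an emission trace reveals when bits are sent serially versus all at once; the spike-height model for the modified device and all function names are assumptions made for illustration.

```python
from math import log2

BITS = 5                      # five-unit teleprinter code
CODES = range(2 ** BITS)      # all 32 code words (constructed input space)

def serial_trace(code):
    """Unmodified device: bits leave one after another, one spike slot per bit."""
    return tuple((code >> i) & 1 for i in range(BITS))

def parallel_trace(code):
    """Modified device: all five bits at once, so one spike per character.
    ASSUMPTION (not stated on the slides): spike height grows with the
    number of 1 bits in the character."""
    return (bin(code).count("1"),)

def constant_trace(code):
    """Idealised device: one spike of fixed height regardless of the data."""
    return (1,)

def candidates(trace, emit):
    """Code words producing exactly this trace, i.e. what an observer cannot tell apart."""
    return [c for c in CODES if emit(c) == trace]

def leaked_bits(emit):
    """Average bits a trace reveals about a uniformly random code word."""
    total = sum(log2(len(CODES) / len(candidates(emit(c), emit))) for c in CODES)
    return total / len(CODES)

if __name__ == "__main__":
    sample = 0b10110  # constructed code word, not taken from a real alphabet table
    models = [("serial", serial_trace), ("parallel", parallel_trace),
              ("constant", constant_trace)]
    for name, emit in models:
        trace = emit(sample)
        print(f"{name:9s} trace={trace} candidates={len(candidates(trace, emit))} "
              f"leak={leaked_bits(emit):.2f} of {BITS} bits")
```

Under the assumed height model, the single spike still narrows a character to the code words sharing its bit count, which is why the slides pair device modification with shielding, filtering and masking.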