Tempest Emanations Jacklyn Truong University of Tulsa April 16, 2013

Introduction
• Tempest emanations
  • Electromagnetic waves emitted by electric devices
  • Generated when a device changes the voltage of an electric current
  • Can travel extensive distances through free space
    • Travel distance can be extended by conductors
  • Can be captured
• Tempest attacks
  • Captured Tempest emanations can be deciphered to uncover processed data

History
• 1944 – Bell Labs stumbles upon Tempest emanations
  • Bell Labs provided the US Military with mixing devices called 131-B2
    • Used with a rotor key generator to encrypt messages
  • Each step of the mixing device caused a frequency pattern to appear on an oscilloscope
    • Found that the frequency pattern revealed the plaintext of the encrypted messages
• Findings reported to the US Military
  • US Military was skeptical
  • Bell Labs performed a test to prove the threat
    • Recorded signals from 80 feet away from the Signal Corps’ Varick Street cryptocenter
    • Produced 75% of the plaintext being processed

History
• Bell Labs directed to develop suppression methods
• Bell Labs’ suppression methods:
  • Shielding
    • Prevent Tempest emanations through free space and magnetic fields
  • Filtering
    • Prevent compromising emanations from traveling through conductors
  • Masking
    • Purposely create electrical noise to drown out compromising emanations

History
• US Military’s response
  • Modified device was bulky and required too much maintenance
  • Established control zones
    • 100 feet in diameter
  • Ended research on Tempest emanations

History
• 1951 – CIA rediscovered the 131-B2 and Tempest emanations
  • NSA picked up the project in an attempt to find new suppression methods
• 1953 – Policy required all US cryptocenters to either:
  • Establish a control zone, 400 feet in diameter
  • Implement masking
  • Apply for a waiver based on operational necessity
• 1954 – Soviets published a set of standards for the suppression of radio frequency interference

History
• 1960 – British intelligence agency accidentally discovered Tempest emanations in a similar manner to Bell Labs’ discovery
• 1985 – Wim van Eck published a paper demonstrating how contents from a CRT could be extracted using low-cost equipment
  • First major public description of Tempest emanations
  • Van Eck phreaking

Executing a Tempest Attack
• Use a wide-band receiver tuned to a specific frequency
1. Determine which frequency to listen on
  • Scan entire frequency range and extract plaintext of emanation according to its amplitude/frequency modulation
2. Improve signal-to-noise ratio
  • Use narrow-band antennas and filters
3. Intercept emanations and deduce plaintext

Present-Day Tempest Attacks
• CRT Monitors
  • Electron beam strikes screen at various intensities to generate different pixels
  • The electric signal that drives the electron beam emits Tempest emanations
  • Pixels updated one at a time
• LCD Monitors
  • Pixels updated row by row
  • No deflection coils – low radiation
  • Operate on low voltages
  • Still vulnerable
    • DVI cable
    • Configurations

Present-Day Tempest Attacks
• Keyboards
  • Each keystroke causes the voltage of the electric current being sent to the computer to change
• Tempest Viruses
  • Theoretical (Ross J. Anderson)
  • Infiltrate machine and automatically transmit retrieved information to a hidden radio receiver nearby

Tempest Emanations and Businesses
• Tempest emanations
  • Difficult to suppress
  • Bypass advanced encryption algorithms
• The business environment consists of many electronic devices emitting Tempest emanations
• Sensitive information at risk
  • Personal information
  • Financial information
  • Customer information
  • Login information
  • Encryption/decryption keys

Mitigation
• Modify devices
  • 1955 – NSA modified teletypewriters to transmit character data all at once
    • Resulted in one large (oscilloscope) “spike” per character instead of five
• Reduce voltage
  • Weaker emanations
• Soft Tempest Font
  • Markus Kuhn and Ross Anderson
  • Free
  • Minimize strength of compromising emanations
  • Readable on a computer monitor, but not via captured Tempest emanations
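
The "one spike instead of five" modification above can be quantified with a toy model. This is an added example, not part of the original slides; it assumes a five-unit character code, uniformly distributed characters, and (as a labelled assumption) that the single parallel spike's amplitude scales with the number of marking units.

```python
import math
from collections import defaultdict
from itertools import product

UNITS = 5  # five-unit teleprinter code: 2**5 = 32 possible characters
CODES = list(product((0, 1), repeat=UNITS))

def serial_trace(code):
    """Units sent one after another: one observable spike per unit."""
    return tuple(code)

def parallel_trace(code):
    """All units sent at once: a single spike per character.
    ASSUMPTION: spike amplitude scales with the number of marking units."""
    return (sum(code),)

def candidates(trace_fn, observed):
    """Characters consistent with an observed trace."""
    return [c for c in CODES if trace_fn(c) == observed]

def residual_entropy(trace_fn):
    """Mean uncertainty (bits) left about a uniformly random character
    after its trace has been observed; 0 means fully recovered."""
    buckets = defaultdict(int)
    for c in CODES:
        buckets[trace_fn(c)] += 1
    return sum(k / len(CODES) * math.log2(k) for k in buckets.values())

if __name__ == "__main__":
    sample = (1, 0, 1, 1, 0)  # constructed sample character
    for name, fn in (("serial", serial_trace), ("parallel", parallel_trace)):
        left = residual_entropy(fn)
        n = len(candidates(fn, fn(sample)))
        print(f"{name:8s} candidates for sample: {n:2d}  "
              f"leaked: {UNITS - left:.2f} of {UNITS} bits")
```

Under the amplitude assumption the single spike still narrows each character to at most 10 candidates, so in this model the modification reduces the leak rather than removing it.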

Mitigation
• Soft Tempest Font

Mitigation
• Shield
  • Individual machines
  • Faraday cage
• Apply filters
• Mask – drown out emanations by generating electrical noise
• Physically separate machines (classified and unclassified)
• Encrypt signal being sent
  • HDCP – High-bandwidth Digital Content Protection
• LCD Monitors
  • Lower refresh rate

Conclusion
• Initially very difficult to suppress
• Some methods are expensive
  • Modifying devices
  • Faraday cages
  • Physically separating machines
• Moving forward
  • Encrypt signal being sent

References
• [1] D. G. Boak, “A History of U.S. Communications Security,” NSA, Ft. George G. Meade, MD, Rep. MDR-54498, 1973, vol. 1 and 2.

• [2] M. G. Kuhn and R. J. Anderson, "Soft tempest: Hidden data transmission using electromagnetic emanations," in Information Hiding: 2nd Int. Workshop, D. Aucsmith, Ed., vol. 1525, pp. 124-142, Springer-Verlag, 1998.

• [3] M. Pellegrini. (2008, April 29). Declassified NSA Document Reveals the Secret History of TEMPEST [Online]. Available: http://www.wired.com/threatlevel/2008/04/nsa-releases-se/

• [4] B. Koops, The Crypto Controversy: A Key Conflict in the Information Society, Kluwer Law International, 1999, pp. 211.

• [5] R. Anderson, Security Engineering: A Guide to Building Dependable Distributed Systems, Wiley Computer Publishing, New York, 2001, pp. 538-539.

• [6] Dynamic Sciences International, Inc. (2012). R-1550A TEMPEST Receiver [Online]. Available: http://www.dynamicsciences.com/client/show_product/33

• [7] M. Vuagnoux and S. Pasini. "Compromising electromagnetic emanations of wired and wireless keyboards," In proceedings of the 18th USENIX Security Symposium, pages 1-16, Montreal, Canada, 2009. USENIX Association.

• [8] J. Loughry and D. A. Umphress. Information leakage from optical emanation. ACM Transactions on Information and Systems Security, 5(3):262-289, 2002.

• [9] Introni (2012). La Crittografia [Online]. Available: http://www.introni.it/crittografia.html

Questions?