Computer Security Basics, 2nd Edition (2011)
Part V. Appendixes
Appendix B. TEMPEST
It took a while for the computer industry to realize that most computer terminals and screens radiated fields strong enough that a sensitive receiver could decipher the screen contents. Although this is intuitive to someone with a background in radio transmission, many computer geeks simply didn’t get it. To help them understand the nature of the threat, some researchers have developed files that create patterns of emanations from monitors that can be decoded by an AM shortwave receiver as music. Although spreadsheets may not be pretty to listen to, the demonstration drives the message home: emanations are a threat to security.
This capability, first discussed publicly by authors such as Wim van Eck, was exposed to the world as a technical curiosity (much to the chagrin of agencies that may have secretly used the techniques to eavesdrop or gather intelligence).
It is a particularly nasty effect from a security point of view because whatever is transmitted is whatever is on the screen, before any encryption systems are employed at the transmission side or after the text is decoded at the receive side.
The code word used to describe the U.S. government countermeasures to such risks is TEMPEST. Tempest is supposedly an acronym, but so many reliable sources report it to mean so many things that most users just leave it as TEMPEST.
The Problem of Emanations
All electronic equipment—hair dryers, typewriters, telephones, microwave ovens, personal computers, laptops, and personal digital assistants—emits electrical and electromagnetic radiation through the air or through conductors. It has long been recognized that such emanations can cause interference to radio and television reception. In addition, concerns about possible health hazards associated with emanations have led to increased shielding of monitors (see the sidebar “Hazardous to Your Health?”).
HAZARDOUS TO YOUR HEALTH?
In the security world, fears about uncontrolled electromagnetic emissions focus on the interception and deciphering of these emissions by intruders. Of more immediate concern to most of us may be the growing evidence that emissions are physically dangerous as well. Since 1977, studies have looked at the health consequences of exposure to three types of fields: VLF (very low frequency, such as those given off by a computer’s horizontal-scan frequency), ELF (extremely low frequency, such as those given off by a computer’s vertical-scan frequency), and 60-Hz AC (alternating current, such as those given off by power lines and computer monitors’ power transformers):
§ In 1979, epidemiologists Nancy Wertheimer and Ed Leeper reported on an investigation showing that children living in Denver homes located near high-current electric wires died of cancer at twice the expected rate.
§ In 1988, Kaiser Permanente researchers reported that of 1,583 case-controlled women who attended their clinics, women who worked with VDTs for more than 20 hours a week suffered miscarriages at a rate 80 percent higher than women performing similar work without VDTs.
§ In 1989, Johns Hopkins epidemiologists reported that the risk of leukemia for New York Telephone Company cable splicers, who work close to power lines, was seven times greater than that of other company workers.
In December of 1990, the Environmental Protection Agency reported that environmental studies have shown “a causal link [between power lines and] EM fields and certain forms of site-specific cancer.” Large-scale studies have since been undertaken, but the results have received more attention in Europe than in the United States. Nevertheless, monitor shielding has improved to the point that it greatly limits exposure to emissions. LCD monitors may create radio frequency (RF) energy, but they produce a tiny fraction of the magnetic flux on which CRT-based monitors relied. Even so, there is a good chance that the safety of VDTs and related equipment may be a recurring concern in the future, along with the safety of cell phones and other radio frequency-emitting apparatus. The topic already occupies much attention among alternative medical providers, who usually advocate long walks in tree-filled areas as a curative. The inertia of the established interests, however, has kept this topic on the fringes.
In the past, TEMPEST has focused almost exclusively on the protection of classified information. As people discover that TEMPEST-type shielding can protect people as well as data, the TEMPEST technology described in this appendix may get a new lease on life, providing human safety as well as data security.
As early as the 1950s, government and industry observers became concerned about the possibility that electronic eavesdroppers could intercept emanations to decipher them, or could obtain information about the signals used inside the equipment, and use this information to reconstruct the data being processed. They speculated that eavesdroppers could breach security even some distance from the equipment.
Studies of signal interception and decoding have borne out these speculations. It turns out that with virtually no risk of detection, eavesdroppers using relatively unsophisticated equipment can intercept and decipher signals from an electronic source. Modern listening devices allow an eavesdropper to detect emissions and reproduce data streams or video screen images—for example, to read the computer display screens on the desktops in a remote building. Although opinions about the ease of interception vary, in theory a modified TV could do the job if its sweep circuits were adjusted to match common computer monitor frequencies. The components needed to perform such a penetration are garden variety. Some early computer terminals broadcast signals so strong that an ordinary television set, placed beside the terminal, could display everything shown on the terminal’s screen.
The TEMPEST Program
In the late 1950s, the U.S. government established the TEMPEST program to attack the emanations problem. TEMPEST has become an umbrella name for the technology that contains or suppresses signal emanations from electronic equipment, and for the investigations and studies of these emanations. An unclassified government publication describes TEMPEST emanations as “unintentional, intelligence-bearing . . . signals which might disclose sensitive information transmitted, received, handled, or otherwise processed by an information processing system.”
In 1974, government and industry began to work more closely together through the Industrial TEMPEST Program (ITP). ITP was founded with the following objectives:
§ Specify a TEMPEST standard that sets allowable limits on the levels of emission from electronic equipment. The idea was to state clearly how much the equipment could leak and still be acceptable.
§ Outline criteria for testing equipment that, according to its vendors, meets the TEMPEST standard.
§ Certify vendor equipment that successfully meets the TEMPEST standard.
The idea of ITP was to standardize TEMPEST requirements and technologies, and to encourage vendors to develop and test off-the-shelf TEMPEST equipment that the government could buy. The early TEMPEST products were typically standalone computer systems. Today, TEMPEST versions of most types of computer products have become available, and the actual certification efforts are supervised by the National Security Agency.
Because they’re built to control electromagnetic emanations, TEMPEST products are larger, heavier, and more expensive than comparable commercial products. TEMPEST products control emanations either by shielding the signals—building a container around them so they can’t emanate beyond the container—or by suppressing the signals—engineering the equipment so signals don’t emanate at all. (Sometimes, a product combines both methods.)
A shield attenuates electromagnetic signals, conducting them to ground before they can escape. A shield, which can be as small as a cable casing or as large as an entire building, is constructed in such a way that signals can’t emanate outside it. This shielding to stop the flow of electromagnetic radiation is commonly called a Faraday screen.
The simplest but most expensive shield approach is to install regular computer equipment in a shielded room that provides special protection against electromagnetic leaks. Smaller shields or containment devices serve the same purpose as a shielded room; shields can be constructed for computers, workstations, peripheral devices, circuit boards, and inside wiring. Modern PCs and monitors are usually coated with radiation-dampening materials that help to prevent emanations.
The containment approach to TEMPEST security resembles the steps that were once taken to protect equipment and buildings from electromagnetic pulse (EMP), which is a product of nuclear explosions in the atmosphere. This in fact may have contributed to the secrecy that surrounded TEMPEST. Explaining how to avoid an influx of nuclear EMP also explained some things about preventing electromagnetic leakage of information, and discussing secrets about one technology may have inadvertently given away some information about the other. In short strokes, electromagnetic containment was tricky. Every cable and pipe that entered or left the screened portion of a facility required special treatment. But trying to curb the electromagnetic effects of the bomb was no easy task either.
Some TEMPEST products use a different engineering approach. With source suppression, products are engineered in such a way that compromising signals are suppressed at the source. Sometimes this is done by adding confusing or spurious signals.
The source suppression approach can be technologically more difficult than the shield approach, but it’s more foolproof. Its effectiveness doesn’t depend on the proper use of the equipment by human beings, and it tends to be a more appropriate approach for products installed in an office environment.
Recent advances in microchip design have led to chips that do not radiate as much as their predecessors. Some of the best source suppression may take place in modern software. The hard edges of dark letters against white pages generate a great deal of square waves, which throw off electromagnetic radiation much more readily than gentle transitions. New techniques produce softer edges on letters, which decrease the sharp transitions and their radiations. Of course, a similar effect may be achieved by darkening the background. You may have seen this effect on some of the more hardcore cracker sites.
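The edge-softening and dark-background effects described above can be checked numerically. The following is an added example, not code from the book: it models one video scanline as a list of pixel levels (a simplification that stands in for the drive signal, not for the radiated field), and the 3-tap blur kernel, the 0.3 background level, and all function names are assumptions made for the illustration.

```python
import cmath
import math

def scanline(width=128, stroke=2, period=8):
    """Constructed test row: dark strokes (0.0) on a white (1.0) background."""
    return [0.0 if x % period < stroke else 1.0 for x in range(width)]

def soften(line, kernel=(0.25, 0.5, 0.25)):
    """Blur the edges with a circular 3-tap filter (assumed smoothing model)."""
    n, half = len(line), len(kernel) // 2
    return [sum(k * line[(i + j - half) % n] for j, k in enumerate(kernel))
            for i in range(n)]

def darken(line, background=0.3):
    """Lower the background level so every transition has a smaller swing."""
    return [v * background for v in line]

def harmonic_energy(line):
    """|X[k]|^2 for k = 1..N/2; DC is skipped since it has no transitions."""
    n = len(line)
    return [abs(sum(v * cmath.exp(-2j * math.pi * k * i / n)
                    for i, v in enumerate(line))) ** 2
            for k in range(1, n // 2 + 1)]

def high_band_energy(line, cutoff=0.5):
    """Energy in the harmonics above `cutoff` of the highest bin."""
    e = harmonic_energy(line)
    return sum(e[int(len(e) * cutoff):])

if __name__ == "__main__":
    hard = scanline()
    for name, row in (("hard edges", hard),
                      ("softened", soften(hard)),
                      ("dark background", darken(hard))):
        print(f"{name:16s} high-band energy = {high_band_energy(row):8.2f}")
```

In this model the blur removes about 98 percent of the upper-harmonic energy while leaving the strokes legible, and the darker background scales every harmonic by the square of the reduced swing.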
The National TEMPEST Standard specifies the level of emanation permitted for TEMPEST equipment. Since the original TEMPEST standard was published in the late 1950s, this standard has been revised a number of times. At one point, even accessing the standards on TEMPEST was a tricky business. The TEMPEST documents NACSIM 5100A and NACSI 5004 were classified and accessible only on a need-to-know basis.
Basic TEMPEST standards were made available to the public in 1995. The TEMPEST standard, NSTISSAM TEMPEST/1-92, is now publicly available. The U.S. Army acknowledges its TEMPEST testing facility, the U.S. Army Information Systems Engineering Command, at Fort Huachuca, Arizona. Information about TEMPEST-certified products, which may be needed to service or provision certain government contracts, is readily available at the NSA web site: http://www.nsa.gov/ia/industry/tempest.cfm.
The TEMPEST Endorsement Programs (TEP) today consist of three closely related NSA programs:
§ The Endorsed TEMPEST Products Program
§ The Endorsed TEMPEST Test Services Program
§ The Zoned Equipment Program
In the Endorsed TEMPEST Products Program, NSA provides lists of commercially developed and produced TEMPEST telecommunications equipment, which NSA has endorsed. (Formerly, NSA provided the testing, but that is now handled by certified laboratories.) The equipment lists are used by government entities and their contractors to select products for processing classified information. Separate lists are provided for products that meet different levels of compliance.
In the Zoned Equipment Program, NSA provides a listing of commercial off-the-shelf (COTS) telecommunications equipment that is not designed to meet the National Standard, but has been tested against a portion of that standard and has been assigned a “zone” of B or C. The zoning system calculates a TEMPEST risk, which takes into account such characteristics as geographic location (rural or city), type of facility (public or private), construction of the building (wood, cinder block, brick), and the likelihood of reconnaissance. If a facility’s mathematically computed penetration index is below a stated cutoff, certain COTS equipment can be used.
Hard As You Try
Just as you thought it was safe to discuss TEMPEST countermeasures, another form of emanation eavesdropping has come onto the scene. “Optical TEMPEST” is the nickname given to compromising emanations based on the LED status indicators of data communication equipment. Apparently, under certain conditions, the LEDs that indicate the status of links and data flows can end up being modulated by the information passing through the device. Exposure to prying eyes may yield information about the traffic being passed. Most LEDs connect to regulated power supply rails, but if the equipment is constructed in a certain way, and if the operating voltages are such that voltage regulators are forced to operate in difficult regions, there may be enough correlation to deduce a message, or at least a class of message. One suggested countermeasure: put a small patch of black electrical tape over anything in the telecommunications room that glows.