
TEMPEST 101

Introduction

When a new consumer electronic device such as a computer, DVD player, blender, electric razor or other modern electronic marvel is offered for sale to the public, the manufacturer has to gain a special certification or authorization from the FCC. This process ensures that when the consumer uses the device it will not interfere with other devices in the area. For example, we don't want a DVD player or blender to accidentally jam all the TVs and cellular telephones in a five-block area due to a poor product design.

The FCC (Federal Communications Commission) and its foreign equivalents have created a series of formal standards which new equipment is evaluated against before it is offered to the public.

These new products are taken into a specialized laboratory, and an engineer completes a complicated battery of tests. These test results are then sent to the FCC, which then approves or denies the authorization.

When modern electrical devices operate they generate electromagnetic fields. Digital computers, radio equipment, typewriters, and so on generate massive amounts of electromagnetic signals which if properly intercepted and processed will allow certain amounts of information to be reconstructed based on these "compromising emanations". Basically anything with a microchip, diode, or transistor, gives off these fields.

Compromising emanations are these unintentional intelligence-bearing signals which, if intercepted and analyzed, potentially disclose the national security information transmitted, received, handled, or otherwise processed by any information-processing equipment.

These compromising emanation signals can then escape out of a controlled area by power line conduction, other fortuitous conduction paths such as the air conditioning duct work, or by simply radiating a signal into the air (like a radio station).

An excellent example of these compromising emanations may be found in modems and fax machines which utilize the Rockwell DataPump modem chip sets and several modems made by U.S. Robotics. When these modems operate they generate a very strong electromagnetic field which may be intercepted, demodulated, and monitored with most VHF radios. This is also a very serious problem with many speaker phone systems used in executive conference rooms.

This is also a very serious problem with many fax machines, computer monitors, external disc drives, CD-R drives, scanners, printers, and other high bandwidth or high speed peripherals.

If an eavesdropper is using high quality intercept equipment the signal may be easily acquired several hundred feet or more away from the target.

In the consumer markets a slight amount of signal leakage really does not present a problem; however, if a computer processing classified information has a leak the results could be devastating.

To deal with this "signal leakage" issue the government developed a series of standards which lay out how equipment should be designed to avoid such leakage. The TEMPEST standards are really nothing more than several industry measurement standards which were adjusted by the NSA (they gave it steroids).

Really the only difference between a TEMPEST approved computer, and a consumer computer is that the NSA TEMPEST approved one will be in a special heavy metal case, will have special shielding, a modified power supply and a few other modifications which increase its price. The TEMPEST approved unit will also require the use of a special torque wrench anytime you have to work on it.


About TEMPEST

TEMPEST is an official acronym for "Telecommunications Electronics Material Protected From Emanating Spurious Transmissions" and includes technical security countermeasures, standards, and instrumentation which prevent (or minimize) the exploitation of security vulnerabilities by technical means. TEMPEST is nothing more than a fancy name for protecting against technical surveillance or eavesdropping of UNMODIFIED equipment (the unmodified part is important).

Other popular, but unofficial names for TEMPEST are "Transient Emanations Protected From Emanating Spurious Transmissions", "Transient Electromagnetic Pulse Emanation Standard", "Telecommunications Emission Security Standards", and several similar variations (including: "Tiny ElectroMagnetic Pests Emanating Secret Things").

TEMPEST was "invented" in 1918 when Herbert Yardley and his staff of the Black Chamber were engaged by the U.S. Army to develop methods to detect, intercept, and exploit combat telephones and covert radio transmitters. The initial research identified that "normal unmodified equipment" was allowing classified information to be passed to the enemy through a variety of technical weaknesses. A classified program was then created to develop methods to suppress these "compromising emanations". However, the actual acronym known as TEMPEST was only coined in the late 60's and early 70's (and is now considered an obsolete term, which has since been replaced by the phrase "Emissions Security" or EMSEC).

TEMPEST and its associated disciplines involve designing circuits to minimize the amount of "compromising emanations" and to apply appropriate shielding, grounding, and bonding. These disciplines also include methods of radiation screening, alarms, isolation circuits/devices, and similar areas of equipment engineering.

TEMPEST disciplines typically involve eliminating or reducing the transients caused by a communication signal and the resulting harmonics. These signals and their harmonics could allow the original signal to be reconstructed and analyzed.


TEMPEST Approved Devices

A TEMPEST approved device (see below) is one that meets stringent technical requirements. The electromagnetic waves it emits have been reduced through shielding or other techniques to a point where it would be extremely difficult for a hostile intelligence agent to gather information from the electromagnetic waves and disclose the classified information being transmitted.


Test Equipment for a TEMPEST in a TEAPOT

While SIGINT deals with the interception and analysis of "compromising emanations", TEMPEST is the protection of those "emanations". TEMPEST, TEAPOT (as in "TEMPEST in a TEAPOT"), NONSTOP, SKIPJACK, HIJACK, and TSCM are all related standards and protocols which deal with containing "compromising emanations". TEMPEST generally deals specifically with shielding, bonding, and grounding (it is a counter-surveillance science, and has nothing to do with actual surveillance or reading or reconstructing these emanations).

    TEAPOT refers to the investigation, study, and control of intentional compromising emanations such as those hostilely induced or provoked from telecommunications and computer equipment.

    TSCM includes all countermeasures employed to prevent or detect the interception of sensitive, classified, or private information. TSCM is typically an inspection by a technician or engineer of a physical item or place (briefcase, automobile, office, home, boat, etc.). The purpose is to locate possible covert surveillance devices (bugs), technical security weaknesses, and technical security hazards.

TEMPEST test equipment is very expensive, and is a very highly controlled military product (usually classified). While a number of U.S. companies offer such equipment they will only sell it to government agencies. Beware of anybody who tries to foist a security product onto you and claims it involves TEMPEST technology.

Such equipment utilizes both extremely narrow bandwidths (often 100 Hz or less), and very wide bandwidths (above 50 MHz). This kind of equipment also must use super stable time bases, which are very expensive. Even the most basic models of this kind of equipment cost hundreds of thousands of dollars. Of course such equipment is quite inappropriate for eavesdropping (there is no such thing as a "TEMPEST Eavesdropping System").


Van Ecking

In 1985 Wim van Eck (an engineer in the Netherlands) published a white paper entitled "Electromagnetic Radiation from Video Display Units: An Eavesdropping Risk?" which discussed potential methods which could be used for eavesdropping on video monitors.

The "van Eck receiver" was based on older video monitors which utilized a composite video signal with little or no RF/EMI shielding. These video signals were typical broadcast base-band video signals, and the monitors were generally unshielded and radiated tremendous amounts of RF energy. Very often when these types of monitors were placed near a television set the video monitor would interfere with the television and the "computer stuff" would appear and interfere with the Dallas and Charlie's Angels re-runs. Since these monitors utilized the same timing signals and waveform parameters as commercial video signals, the display of the signals was very easy and required only a few dollars in components to stabilize the signal.


RAID or Raster Analysis

Effectively what van Eck did was to point out a well-known hardware security vulnerability that existed in composite computer monitors. His paper covered methods that could be used to analyze this vulnerability, and brought "emission analysis" to public attention when it was published. Of course every "lid, kid, con-artist, crank, crackpot, and felon" came forward and anointed him or herself an expert on van Eck and TEMPEST technology (and offered some kind of bogus interception product). The demonstrations that van Eck was able to do back in 1985 would be virtually impossible to do today due to the rather stringent government requirements requiring limited emissions from computer equipment for health and safety reasons.

What Wim van Eck presented is actually called RAID or "Raster Analysis" which is the reconstruction of high bandwidth composite or rasterized signals which are based on a repeating synchronization signal (such as Radar, Video, and so on). A brief tutorial on raster or video signal analysis may be found at the following link http://www.tscm.com/TSCM101video3.html

A RAID or "Raster Analysis" is commonly performed during TSCM sweeps to evaluate a rasterized signal to determine if it is a hostile eavesdropping device. As such the equipment for such an analysis is readily available from various sources for only a few hundred dollars. However, such equipment is quite inappropriate for covert eavesdropping. "Raster Analysis" is actually taught in all legitimate government TSCM schools, and is something that every TSCM'er is familiar with.


Raster Analysis in the Real World

Raster Analysis is primarily useful for evaluating modulated video signals such as those created by a broadcast TV signal or from a covert video transmitter (at say 400 MHz). Emissions from a computer monitor on the other hand are not actually modulated (for the most part), and as such are very difficult to work with. Such signals would be considered a "Baseband Signal" as opposed to a "Modulated Signal".

The baseband signal tends to be strongest near the monitor or computer and actually consists of three types of electromagnetic fields. The first of these fields is the magnetic field, which is extremely strong right next to the monitor but rapidly diminishes as we move away (even inches). This is why your computer speakers sometimes cause distortion of the video on your computer monitor. Generally this magnetic field will not be detectable outside of a few feet, and the region dominated by this field is called the "near field".

The next field is the electrical field, which can actually radiate out quite far in all directions (but requires a big antenna to pick up). The electrical signal drops off much slower than the magnetic field, and the region dominated by this field is called the "far-field". For example, to intercept the baseband signals at a distance of 12 feet from a standard 15 inch Compaq computer and monitor would require a log periodic antenna measuring a minimum of 13.8 feet wide by 11.16. Of course the closer you get to the monitor the smaller the antenna can become, but in real life the eavesdropper is not going to use a 4 foot antenna to eavesdrop on a monitor 200 feet away. In fact once you get outside the "Transition Point" (about 12-15 feet away) the size of the antenna has to become huge (i.e., 30 feet wide by 24 feet or larger). Since the emissions are typically below 40 MHz, with the majority of the energy being below 25 MHz, you must have a rather huge antenna just to collect the energy. Of course the closer you get to the item being watched the smaller the antenna can be, but you're talking about being within a few feet to use any antenna smaller than a couch.

The third field is called a "Plane Wave" (and would take about an hour and a five page tutorial to explain).
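
The distances and antenna sizes discussed above follow from wavelength. The following is an added example, not part of the original article or the author's own calculations: for the emission frequencies the text mentions, it estimates the near-field boundary with the standard λ/(2π) rule of thumb and the length of a half-wave antenna element. The function names and the sample frequency list are assumptions of this example.

```python
"""Added example: field-region and antenna-size estimates for baseband
emissions, using textbook rules of thumb (not the article's own figures)."""
import math

C = 299_792_458.0        # speed of light in m/s
FT_PER_M = 3.280839895   # feet per metre


def wavelength_m(freq_hz):
    """Free-space wavelength in metres."""
    if freq_hz <= 0:
        raise ValueError("frequency must be positive")
    return C / freq_hz


def near_field_boundary_ft(freq_hz):
    """Distance in feet at which the reactive near field gives way to the
    radiating field for a small source: lambda / (2*pi). This is a rule of
    thumb (assumption), not a sharp edge."""
    return wavelength_m(freq_hz) / (2 * math.pi) * FT_PER_M


def half_wave_element_ft(freq_hz):
    """Length in feet of a half-wave element at this frequency. The longest
    element of a log periodic antenna is roughly this long at its lowest
    operating frequency (assumption: free-space half wavelength)."""
    return wavelength_m(freq_hz) / 2 * FT_PER_M


def boundary_frequency_hz(distance_ft):
    """Inverse of near_field_boundary_ft: the frequency whose boundary falls
    at distance_ft. Lower frequencies are still near-field at that distance."""
    if distance_ft <= 0:
        raise ValueError("distance must be positive")
    return C / (2 * math.pi * distance_ft / FT_PER_M)


def field_region(distance_ft, freq_hz):
    """Classify an observation point as 'near' or 'far' for one frequency."""
    return "near" if distance_ft < near_field_boundary_ft(freq_hz) else "far"


def field_table(freqs_mhz):
    """Rows of (MHz, near-field boundary in ft, half-wave element in ft)."""
    rows = []
    for f in freqs_mhz:
        hz = f * 1e6
        rows.append((f,
                     round(near_field_boundary_ft(hz), 1),
                     round(half_wave_element_ft(hz), 1)))
    return rows


if __name__ == "__main__":
    # Constructed sample: the 40 MHz and 25 MHz figures from the text,
    # plus 10 MHz as a lower-frequency comparison point.
    print(f"{'MHz':>5} {'boundary (ft)':>14} {'half-wave (ft)':>15}")
    for mhz, boundary, element in field_table([40, 25, 10]):
        print(f"{mhz:>5} {boundary:>14} {element:>15}")
    # Frequencies whose boundary sits at the 12 to 15 foot distances
    # the text calls the "Transition Point".
    for d in (12, 15):
        print(f"{d} ft boundary -> {boundary_frequency_hz(d) / 1e6:.1f} MHz")
```

Under these rules of thumb, a 12 to 15 foot boundary corresponds to roughly 10 to 13 MHz, which sits within the below-25 MHz range where the text says most of the energy lies, and a half-wave element at those frequencies is tens of feet long.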

Within each of the above mentioned fields are a number of very specific signals which include the sync signals, and the actual video signal(s). In the case of a color monitor the individual signals may also be broken into separate colors. If someone wants to eavesdrop on the monitor they will have to isolate each of these signals from each other, stabilize, and then recombine them properly. Also, the eavesdropper would not see "precisely" what is on the screen unless you can get perfect sync lock (which is wicked tough to do), and even then you would only see fragments of the data on the screen.

Each of these signals in turn creates a tremendous amount of harmonics all up and down the spectrum. Of course the higher the monitor resolution, the higher the signals on the spectrum (which is why the FCC mandates that monitors and cables must be "Shielded, Bonded, Grounded, and Filtered").


Lids, Kids, Con-Artists, Cranks, and Crackpots

It should be mentioned that the only place in the United States that a person can learn anything about TEMPEST is a special school taught and sanctioned by the National Security Agency. Once a technician or engineer completes the appropriate training the NSA will actually certify them as a "TEMPEST Technician" or "TEMPEST Engineer" and they will then be authorized to work on or design TEMPEST approved equipment. The (very expensive) courses are only offered to a limited number of people who have a very high level of security clearance, and who will be working with such equipment on a regular basis.

While van Eck's engineering and white paper were quite legitimate, a number of con-artists capitalized on the paper to sell special screening boxes, "van Eck receivers", and special "Classified CIA intercept systems".

Raster Analysis eavesdropping products do exist; however, they are highly restricted and controlled SIGINT/COMINT (Signals or Communications Intelligence) products and are CIA/NSA grade surveillance goodies. Such products are only available from a very small number of defense or intelligence contractors, and only to those with really serious security clearances. TEMPEST products are not sold at Radio Shack, by private investigators, at spy shops in New York City, or by security "experts".

These products are generally considered a rather old hoax, but the con artists are still raking in hundreds of thousands of dollars selling bogus toys. Such a system only requires about $15 to construct a special amplifier or timing circuit. The method is a "no-brainer" which any college freshman could do.

Intercepting a composite video signal from an older unshielded monitor is actually quite simple; HOWEVER, the modern computer monitors sold today rarely use a composite video signal. Also, due to the serious shielding and emission standards required by the FCC the presence or interception of such signals is virtually nil (even at close distances).


Keep Your Wallet in Your Pocket

Many people, including the members of the media, have been swallowing what is falsely claimed to be TEMPEST simply because they neither understand the science nor will they do even simple research or inquiries on a vendor who claims to be a TEMPEST expert.

The majority of TEMPEST surveillance "demonstrations" are actually rigged or grossly misrepresented (the spy might as well become a psychic and start channeling Ramtha via his big toenail).

In the past few years there have been quite a few "TEMPEST experts" that demonstrate what they claim will intercept "TEMPEST signals". Most of the Tempest/Van Eck surveillance products out there are nothing more than a scam run by thieves, con men, scam artists, liars, snake oil salesmen, felons, and mental patients (no kidding).

Seriously, if such a person attempts to peddle would-be TEMPEST products on you, ask about their current probation status, prior criminal convictions, and ask about the last time they talked with their parole officer, psychiatrist, or other mental health professional (and then watch them run out the door).

Several firms have even gone so far as to pre-record the display of a computer monitor (with a video camcorder no less) and then conceal a playback VCR in a fancy looking demonstration box. The victim pays the "TEMPEST expert" $20,000 for an identical box and never sees the money again, nor do they ever get a magical TEMPEST box. After several months the victim tries to contact the con artist only to find the phone number given goes to a beeper (the owner of which refuses to re-contact the victim).

Other con artists will install a small video transmitter into a computer monitor, or will illegally modify a monitor in other ways to increase its emissions. Also, such rigged demonstrations typically take place under highly controlled conditions involving less than 12-15 feet so the con artist can capitalize on the near field signals instead of picking up far field signals.


The Law

Keep in mind that if somebody offers you any type of van Eck "intercept" or TEMPEST surveillance system that they are committing a serious federal felony. In the event that you are gullible enough to actually pay the con artist then YOU have committed a serious federal felony. Also, if you attempt in any way to obtain the equipment, or engage in any kind of activity to help someone else obtain the equipment that is also illegal (even if it's a hoax).

You will leave eavesdropping and interception equipment alone unless you have a strong desire to have extended discussions with the nice agents from the FBI. They would be quite happy to talk to you regarding your upcoming indictment and your "all expenses paid vacation at a federally operated vacation resort".

Remember that ANY possession, attempted sale, attempted purchase, or building of such a surveillance product or device is highly illegal unless you are under a very specific government contract (even if it is a hoax).

The building, possession, sale, or advertising of any device designed or developed to exploit signal leakage or compromising emanations is a very serious criminal act in the United States unless you are under a very specific government contract (or are a police officer with a legitimate court order).

Also, any device, or system which is primarily useful for the interception of communications is also illegal, and the justice system takes a very dim view of people who try to skirt the law by playing cute word games.

The above mentioned "Omnibus Crime Control Act of 1968" prohibits offering the public anything that is primarily useful for covert surveillance. It doesn't matter if there are other uses for the equipment, but if it is PRIMARILY useful for surveillance then it is contraband.


In a nutshell:

  1. If someone offers the public a HOAX surveillance device then they are committing a federal felony... Remember the law considers INTENT as well as actual action. (Of course they can also run afoul of the various state and federal FRAUD laws on the books).
  2. If it is any kind of a transmitter, receiver, radio, computer or anything that contains any kind of an oscillator or can be connected to the phone lines then it (by law) must be registered with the FCC (or they will rock your world).
  3. If at anytime any advertisement, information, data sheets, checks, etc is sent via the US mail, or product is shipped via the post office then the sender will have hell to pay with the Postal Inspector (when they get caught).
  4. If more than one person is involved (there usually is) then the conspiracy laws start to kick in, which will complicate the case tenfold.
  5. If the product technical specifications or CLAIMED capabilities exceed certain levels then the munitions control laws also kick in.
  6. What this means is that if someone offers to sell you (or demonstrate for you) a "TEMPEST Interception or Scanning System" then they are committing a serious felony.
  7. If you provide them with the "parts" or equipment to pull off such a demonstration then you will get sucked into the criminal act (and God help you if they, you, or the equipment ever crosses state lines).
  8. Now consider this for a moment... A con artist tells a reporter or customer that if they will supply some equipment that the con artist will demonstrate a "TEMPEST Interception". The reporter drags a bunch of equipment to the demo, the con artist rigs the demo (as the reporter is not a technical person who could recognize a rigged demo) and the con artist gives a slick presentation.
  9. Of course the con artist will be unable to demonstrate the "technique" except to within a few feet, and certainly not out to hundreds of feet (big surprise). Of course various excuses about the limited distance will be offered (i.e., terrestrial interference, airport radars, aliens, government jamming, etc).
  10. There will be a great deal of tap-dancing, and eventually the con artist will mention that he has audio and video taped everything and that he intends to blackmail the reporter (remember, the part about the conspiracy where the reporter provided the hardware... the DA will). The con artist's crooked attorney will then harass the poor reporter into publishing a fantasy article, or will try to force the poor victim into coughing up blackmail money under the guise of buying a "TEMPEST Interception" system.
  11. A con artist can fake a "TEMPEST Interception" demonstration with a one dollar chip and a quarter's worth of components (such a demonstration can also be rigged by using an off the shelf video signal generator). The con artist simply gets close enough to be within the magnetic field and he can use a coat hanger and broom stick for a coupling device. In such cases a conventional monitor is used, but all the con artist is really doing is grabbing the magnetic field, faking the sync signals and using it to overload the monitor by feeding it back into a secondary monitor.
  12. Of course if both monitors are very close together the signals from the first can be inductively coupled into the second. In such cases you wouldn't need any equipment other than a 50 cent 555 timer circuit and a coat hanger (as demonstrated in the Army school on the subject).
  13. Do not confuse "Raster Analysis and Identification" methods with the urban legend of "TEMPEST Interception".
  14. "RAID - Raster Analysis and Identification" is something that is done during TSCM work to identify signals of a repetitive nature and is totally impractical for any kind of covert surveillance. Hell, a soda straw, piece of IV tubing, and condom would be more practical for covert eavesdropping than a RAID system.


References

Here are a few of the more common government specifications (out of hundreds) concerning TEMPEST and its associated disciplines:

(U) NSA-82-89, NACSIM 5000, TEMPEST Fundamentals, National Security Agency, February 1, 1982 (C)

(U) NACSIM 5004, Tempest Countermeasures for Facilities Within the United States, National COMSEC Instruction, January 1984 (S)

(U) NACSIM 5005, Tempest Countermeasures for Facilities Outside the United States, National COMSEC Instruction, NACSIM 5005, January 1985 (S)

(U) NACSIM 5009, Technical Rational: Basis for Electromagnetic Compromising Emanations Limits (C)

(U) NACSIM 5100A Compromising Emanations Laboratory Test Requirements, Electromagnetics. National Security Telecommunications and Information System Security (NSTISS)

(U) NACSIM 5108, Receiver and Amplifier Characteristics Measurement Procedures (FOUO)

(U) NACSIM 5109, TEMPEST Testing Fundamentals, March 1973

(U) NACSIM 5112, NONSTOP Evaluation Techniques

(U) NACSIM 5201, TEMPEST Guidelines for Equipment System Design, September 1978

(U) NSA 82-90, NACSIM 5203, Guidelines for Facility Design and RED/BLACK Installation, National Security Agency, June 30, 1982 (C)

(U) NSA 65-5, NACSIM 5204, RF Shielded Acoustical Enclosures for Communications Equipment: General Specification, National Security Agency, October 30, 1964 and May 1978 (C)

(U) NSA 65-6, NACSIM 5204, R.F. Shielded Enclosures for Communications Equipment: General Specification, National Security Agency, October 30, 1964

(U) NSA 73-2A, NACSIM 5204, National Security Agency Specification for Foil RF Shielded Enclosure, National Security Agency

NSA 89-01 (Draft), NACSIM 5204, National Security Agency Specification for a High Performance Shielded Enclosure, National Security Agency, May 31, 1989

(U) NCSC 3, TEMPEST Glossary (S)

(U) NTISSI 4002, Classification Guide for COMSEC Information (S)

NTISSI 7000, National Telecommunications and Information Systems Security Instruction, TEMPEST Countermeasures for Facilities, October 7, 1988

NTISSP 300, National Telecommunications and Information Systems Security Policy, National Policy on the Control of Compromising Emanations, October 3, 1988

NSTISSAM TEMPEST 1-92, Compromising Emanations Laboratory Test Requirements, Electromagnetics. National Security Telecommunications and Information System Security (NSTISS), December 15, 1992

NSTISSAM TEMPEST 1-93, Compromising Emanations Field Test Requirements Electromagnetics, August 30, 1993 (U)

(U) NSTISSAM TEMPEST 2-91, Compromising Emanations Analysis Handbook, National Security Telecommunications and Information Systems Security Advisory Memorandum (C)

NSTISSAM TEMPEST 2-92, Procedures for TEMPEST Zoning, December 30, 1992

(U) NSTISSAM TEMPEST 2-95, RED/BLACK Installation Guidance, National Security Telecommunications and Information Systems Security Advisory Memorandum, December 12, 1995 (C)

NSTISSAM TEMPEST 3-91, Maintenance and Disposition of TEMPEST Equipment, December 20, 1991

INFOSEC System Security Products & Services Catalog, October 1990, National Security Agency

DOD Directive C-5000.19, Control of Compromising Emanations (U), February 23, 1990

MIL-STD-461E, Department of Defense Interface Standard, Requirements For The Control of Electromagnetic Interference Characteristics of Subsystems And Equipment (Replaces previous 461 and 462), 20 August 1999

MIL-STD-188-124B, Military Standard Grounding, Bonding and Shielding for Common Long Haul/Tactical Communication Systems including Ground Based Communications-Electronics Facilities and Equipment, February 1, 1992

MIL-HDBK-232, Red/Black Engineering - Installation Guidelines

MIL-HDBK-411A, Long Haul Communications (DCS), Power and Environmental Control for Physical Plant

MIL-HDBK-419, Grounding, Bonding, and Shielding for Electronic Equipment and Facilities

MIL-HDBK-1195, Radio Frequency Shielded Enclosures, September 30, 1988

MIL-STD-188-124, Grounding, Bonding, and Shielding for Common Long Haul and Tactical Communications Systems

MIL-STD-285, Method of Attenuation Measurement for Enclosures, Electromagnetic Shielding for Electronic Test Purposes.

James M. Atkinson
Granite Island Group
President and Sr. Engineer
http://www.tscm.com/
jmatk@tscm.com


About the Author

James M. Atkinson is one of a small number of people who have been formally certified and trained by the NSA as a TEMPEST Engineer, and Cryptographic Technician. He has extensive experience with the design and development of SIGINT systems to exploit and/or control compromising emanations. Additionally, he has many years of experience working deep inside highly classified U.S. and NATO cryptographic, communications, and computer systems.

Mr. Atkinson is also one of the most respected names in the TSCM industry (Technical Surveillance Counter Measures or "Bug Sweeping"). He has researched and written a great deal on the subject matter including several books, numerous articles, and is the author of the world's largest and most extensive web site concerning "bug sweeps" and technical security. He has also contributed heavily to numerous books dealing with "bug sweep" subject matters, and in several cases has written entire textbooks or chapters of textbooks on the subject.

He has attended extensive private and government sponsored TSCM, TEMPEST, ECM, SIGINT, technical intelligence, and security training both in the United States and abroad.

Also, he maintains the world's largest private reference library regarding technical surveillance devices, and TSCM protocols used internationally. Included in this library is a computerized database of over a quarter million eavesdropping devices. This computerized database includes complex mathematical models which permit the quantitative modeling, evaluation, and analysis of eavesdropping devices.

"If it doesn't involve a torque wrench, then it's not TEMPEST..."


-----------

    To be contacted for a confidential consultation
    please E-mail: jmatk@tscm.com

    or send a letter via US Mail to:
    James M. Atkinson
    Granite Island Group/TSCM.COM
    127 Eastern Avenue #291
    Gloucester, MA 01931-8008

    or call:
    Telephone: (978) 546-3803 / Fax: (978) 546-9467

    URL: http://www.tscm.com/

Copyright © 2000 James M. Atkinson