Black Box Explains…TEMPEST..
TEMPEST is an acronym for Telecommunications Electronics Material Protected from Emanating Spurious Transmissions. It pertains to technical security countermeasures, standards, and instrumentation that prevent or minimize the exploitation of vulnerable data communication equipment by technical surveillance or eavesdropping.
What puts your data communication equipment at risk?
Many things. But first and foremost, its microchip.
Any device with a microchip generates an electromagnetic field, often called a “compromising emanation” by security experts. With the proper surveillance equipment, these emanations can be intercepted and the signal reconstructed and analyzed. Unprotected equipment can, in fact, emit a signal into the air like a radio station—and nobody wants to risk his or her job and a whole lot more by broadcasting national security or trade secrets to the wrong people.
Some of the most vulnerable devices are speakerphones, printers, fax machines, scanners, external disc drives, and other high-speed, high-bandwidth peripherals. If the snoop is using a high-quality interception device, your equipment’s signals can be acquired up to several hundred feet away.
Arguably one of the most vulnerable pieces of equipment is an analog VGA monitor. If a spy were to introduce a Trojan into your system, he or she could monitor and store key presses and passwords used during the day. When the system’s not in use at night, the spy could pulse the VGA screen with grayscale images that have a strong signal at particular frequencies. VGA uses single-ended signaling that has a high common-mode emission level not protected by cable shielding, and it’s possible to monitor these signals outside the secure zone using a radio receiver. Even without a Trojan, a sophisticated receiver located nearby picks up and views what’s on the VGA monitor.
What TEMPEST is and isn’t.
It should come as no surprise that the Federal government became concerned about signal leakage. In fact, its interest goes back to the days of World War I when the Army was trying to exploit weaknesses of enemy combat phones and radio transmitters. Since then, the scope of the government’s interests has broadened beyond battlefield equipment. In the last
40 years, the National Security Agency (NSA) has taken several industry measurement standards and greatly beefed them up. These enhanced criteria are commonly referred to as the TEMPEST standards (although the NSA also calls them EMSEC standards, short for “emissions security”).
TEMPEST disciplines involve designing circuits to minimize emanations and the application of appropriate shielding, grounding, and bonding. Some methods used include radiation screening, alarms, and isolation.
A TEMPEST-approved device resembles its non-secure version with a few key differences. If it’s a network component such as a switch, it comes in a heavy metal case. It also has special shielding, a modified power supply, and perhaps a few other modifications from the standard model. If you need to open the device’s case,
a special torque wrench for use with TEMPEST-only products is required.
TEMPEST test equipment is very expensive and is sold exclusively to government agencies. Nobody can sell you commercial TEMPEST testing equipment. And if someone offers you a “TEMPEST surveillance system,” you need to be aware of two things: First, TEMPEST is counter-surveillance science and the offer is a fraud; second, the salesperson is committing a federal felony.
If you buy surveillance equipment—authentic or not—then you have also commited a felony. Construction of, possession of, attempting a sale of, or attempting a purchase of said surveillance equipment is illegal. Even if the product purchased is a hoax, the law will take your intentions into account as much as the salesperson’s. Don’t be surprised if you
both go to jail.
In the United States, you can learn about TEMPEST testing only in special schools sanctioned by, if not run by, the NSA. Courses to earn the TEMPEST Technician or TEMPEST Engineer certifications are very expensive. These classes are offered to a limited number of people who have a very high level of security clearance and who will be working on TEMPEST-approved equipment all the time.
All TEMPEST-approved communication devices have a rating based on their application and/or environment.
Type 1: This rating is for classified cryptographic equipment used for national security purposes. It’s endorsed by the NSA for securing telecommunications and automated information systems and for the protection of classified or sensitive U.S. Government information.
Type 2: This rating is for unclassified cryptographic equipment used by U.S. Government agencies, state and local governments, and sponsored U.S. Government contractors. It’s endorsed by the NSA for securing telecommunications and automated information systems and for the protection of unclassified but sensitive information, such as contract bids.
Type 3: This rating is for unclassified commercial cryptographic equipment that implements an algorithm registered with the National Institute of Standards and Technology (NIST). It’s for use in protecting sensitive information, like a corporation’s network communications.