TEMPEST monitoring in the real world

From Higher Intellect Wiki

                     Reprinted from - Sources eJournal

                     Nowhere to run...Nowhere to hide...
              The vulnerability of CRT's, CPU's and peripherals
                  to TEMPEST monitoring in the real world..

                     Copyright 1996, All Rights Reserved
                               Frank Jones CEO
                         Technical Assistance Group
                           2472 Broadway Suite 328
                        New York, New York 10025 USA
                      24 Hour Voice Mail: 917-277-1983
                        E-Mail: spyking@thecodex.com

George Orwell wrote the classic "1984" in 1949. He depicted a world in which
 the government controlled its citizens and a world devoid of privacy. Many
    of the things Orwell wrote almost fifty years ago have come to pass.

  Surveillance technology has progressed to the point that it is possible to
     identify individuals walking city streets from satellites in orbit.
    Telephone, fax and e-mail communications can routinely be monitored.
 Personal information files are kept on citizens from cradle to grave. There
                   is nowhere to run...nowhere to hide...

    The advent of the personal computer has revolutionized the way we do
 business, keep records, communicate and entertain ourselves. Computers have
    taken the place of typewriters, telephones, fax and telex machines.

    The Internet has opened up a new world of high speed and inexpensive
   communications. How secure and private is it? There are many encryption
programs and hardware devices available for security purposes but what about
the computer terminal itself? How safe is it? What are its vulnerabilities?
Hackers have been known to cause mischief from time to time...Is it possible
      for an adversary to snoop on your private data? Can Big Brother?

 Suppose it was possible to aim a device or an antenna at your apartment or
home from across the street or down the block. Suppose you were working on a
confidential business project on your PC. Suppose that device down the block
       could read what you were typing and viewing on the CRT? Feeling
 uncomfortable? Suppose that device could monitor everything you do on your
     computer by collecting electromagnetic radiation emitted from your
computer's CRT, CPU and/or peripheral equipment, reconstruct those emissions
  into coherent receivable signals and store them for later review? Feeling
      faint? Good. The technology exists...and it has for some time....

   You don't have to worry about a "middle of the night" break-in by some
  clandestine government black-bag team to plant a bug. They never have to
    enter your home or office. Seedy looking private investigators or the
  information warrior won't be found tampering with your telephone lines in
 the basement either...it's not necessary...all they have to do is point an
  antenna...safely, from a distance away...and collect your private data...

 This surveillance technique has become known as TEMPEST monitoring. TEMPEST
 stands for Transient Electromagnetic Pulse Standard. It is the standard by
which the government measures electromagnetic computer emissions and details
 what is safe (allowed to leak) from monitoring. The standards are detailed
    in NACSIM 5100A, a document which has been classified by the National
 Security Agency. Devices which conform to this standard are called TEMPEST
                                 certified.

 In 1985, a Dutch scientist Wim van Eck published a paper which was written
  about in the prestigious "Computers & Security" journal, "Electromagnetic
  Radiation from Video Display Units: An Eavesdropping Risk?" Vol 4 (4) pp
   269-286. The paper caused a panic in certain government circles and was
      immediately classified, as is just about all TEMPEST information.

     Wim van Eck's work proved that Video Display Units (CRT's) emitted
   electromagnetic radiation similar to radio waves and that they could be
intercepted, reconstructed and viewed from a remote location. This of course
  compromises security of data being worked on and viewed by the computer's
    user. Over the years TEMPEST monitoring has also been called van Eck
                    monitoring or van Eck eavesdropping.

In 1990, Professor Erhard Moller of Aachen University in Germany published a
 paper, "Protective Measures Against Compromising Electromagnetic Radiation
     Emitted by Video Display Terminals". Moller's paper, which updated
          van Eck's work in detail, also caused a furor.

The government's policy of TEMPEST secrecy has created a double-edged sword.
By classifying TEMPEST standards, they inhibit private citizens and industry
by failing to provide the means of adequately shielding PC's and/or computer
   facilities. There is an old saying, "You can't drive a nail without the
    hammer". If concerned personnel don't know the minimum standards for
protection...how can they shield and protect? Shielding does exist which can
 prevent individuals and companies from being victims to TEMPEST monitoring.
          But without knowing the amount of shielding necessary...

  Perhaps this is the way the government wants it... My work has focused on
      constructing a countermeasures device to collect and reconstruct
   electromagnetic emissions from CRT's, CPU's and peripherals to diagnose
 emission levels and give security personnel a hands-on tool with which they
                     can safeguard their computer data.

   In testing my countermeasures device I concentrated on interception and
   reconstruction of the three types of emitted electromagnetic radiation
                written about in van Eck and Moller's work.

   1. Electromagnetic radiation emitted from CRT's - similar to radio waves
   2. Shell waves on the surface of connections and cables
   3. Compromising radiation conducted through the power line

  I found my greatest success (distance & quality) was in the collection of
   emitted radiation from the CRT although we were equally successful in our
  other experiments. In our opinion the greatest danger of TEMPEST monitoring
    comes from off premises and we decided early on to concentrate in this
  area. A workable countermeasures tool would give security personnel a handle
   on distance from which compromising electromagnetic radiation could be
     collected. Hopefully full countermeasures would then be implemented.

       This also is a double-edged sword. The device I built albeit a
    countermeasures tool...can be used as an offensive TEMPEST monitoring
 device. My concerns however are that if such a device is not made available
   to the private sector...then the private sector is at the mercy of the
                         information warrior using

                      TEMPEST MONITORING...HOW IT WORKS

  TEMPEST monitoring is passive. It cannot be detected. The computer emits
  compromising radiation which can be reconstructed from a remote location.
 There is no need to ever come near the target. No reason ever to go back to
 change a faulty bug like the Watergate burglars...It can be performed from
   an office or a vehicle with no chance of discovery. The premise is very
                                   simple.

    All electronic devices emit some low level electromagnetic radiation.
     Whenever an electric current changes in voltage level it generates
  electromagnetic pulses that radiate invisible radio waves. Similar to the
  ripples caused by dropping a small rock into a quiet pool of water. These
          electromagnetic radio waves can carry a great distance.

  Computer monitors like televisions contain an electron gun in the back of
  the picture tube which transmits a beam of electrons (electric current).
  When the electrons strike the screen they cause the pixels to fluoresce.
   This beam scans across the screen from top to bottom very rapidly in a
   repetitive manner, line by line, flashing on and off, making the screen
light and dark, creating the viewed image. These changes in the high voltage
      system of the monitor generate the incoherent signal that TEMPEST
         monitoring equipment receives, reconstructs and views.

   We have found that most monitors emit signals in the 2 to 20 MHz range
    although harmonics are fairly strong and can be intercepted. Radiated
 harmonics of the video signal bear a remarkable resemblance to broadcast TV
          signals although various forms of sync must be restored.

      Associated unshielded cabling can act as an antenna and increase
    interception range. Emissions can be conducted down power cables and
 supplies. Computers attached to unshielded telephone lines are easy prey as
 the telephone line acts as an excellent antenna. Printers and their cables
   are not immune either. The average computer setup in the home or office
 could be compared to a base station transmitting its signals all over the
                                neighborhood.

Put quite simply, it is easy for someone with basic electronics knowledge to
 eavesdrop on you, while you are using a computer. They might not be able to
steal everything from the hard disk but they can view anything you do....see
                            anything you see...

                       HOW IT'S DONE...THE COMPONENTS

   * A good commercial wide band radio receiver, preferably designed for
     surveillance (requires a little modification), with spectrum display.
     Sensitivity and selectivity are paramount. Not all receivers will do
                             the job adequately.

   * Horizontal and vertical sync generator. Commercially available and will
                           require some modification.
                * Multi-Scan Video Monitor with Shielded cables
   * Active Directional Antenna (phased antenna array) with shielded cables.
                             Think radio telescope.
        * Video tape recording equipment. For capture and later review

                         WHAT WE WERE ABLE TO CAPTURE...

         Bench testing of the unit was quite successful in and around the
       office. Several computers were targeted and interception of the data
      was simple after injecting and restoring vertical and horizontal sync.
       We had no problem viewing computer screens on adjacent floors in the
         building (we were sometimes hindered by noise) and were able to
      differentiate (to my surprise) between different computers in a large
        office. We aimed our device out the window across the street at an
      adjacent office building and were able to view CRT screens without too
                                much difficulty.

       I should mention here that during the field tests NO DATA WAS STORED
        FROM TARGET COMPUTERS. We were not on an eavesdropping mission. We
      simply were interested in testing OUR equipment not spying on others.

      Field testing of the unit was quite different and required continuing
       manipulation of the equipment. From a vehicle in a suburban area we
             were able to view active televisions inside homes (the
       cable/pay-per-view people could have a field day) and what programs
          residents were watching. When we came across homes with active
       computers we were able to view CRTs. Average range was approximately
                                    300 yards.

        We continued to test the device in a suburb of New York City with
       startling results. We were able to view CRT screens at ATM machines,
     banks, the local state lottery machine in a neighborhood candy store, a
      doctor's office, the local high school, the fire department, the local
     police department doing a DMV license plate check, a branch office of a
         securities trader making a stock trade and the local gas station
         tallying up his day's receipts. We didn't expect that any of our
            "targets" would be TEMPEST certified and we were correct.

                           BIGGER FISH IN A BIGGER POND

      We took our DataScan device, as we named it, to New York City. The Big
      Apple. We were interested in testing the integrity of various computer
       facilities and also wanted to see how our device would operate in an
                               urban environment.

      Let me start off by saying New York is in a lot of trouble. We started
     at Battery Park (the southern tip of Manhattan Island) and headed north
       to Wall Street. The US Customs building leaks information as well as
     the Federal Reserve. Wall Street itself was a wealth of information for
      anyone interested. With hundreds of securities and brokerage companies
      located within a few blocks of each other, all an information warrior
     need do is rent an office with a view and aim his antenna. We were able
                    to view CRT's in MANY executive offices.

        The World Trade Center was fertile. It afforded open parking areas
          nearby with millions of glass windows to snoop...we were most
       successful snooping the lower floors from the street. We borrowed a
     friend's office at mid-tower in the south building and were able to view
                       CRT's in the north building easily.

     We headed east towards the New York Post newspaper offices and read the
       latest news off their monitors (which was printed the next day). We
        headed north towards City Hall and NYPD Police Headquarters. Guess
        what? They're not TEMPEST certified either...Neither is the United
       Nations, any of the midtown banks, Con Edison (the power company) on
         First Avenue, New York Telephone on 42nd Street or Trump Tower!
      Citicorp's computer center in the SkyRink building on West 33rd Street
                       was a wealth of information also...

      We found that with the proper frequency tuning, antenna manipulation,
       reintroduction of sync and vehicle location, we could monitor just
        about anyone, anywhere, anytime. There is no doubt in my mind that
      TEMPEST eavesdropping is here to stay and something that must be dealt
                   with by computer and security professionals.

       Passwords, files, proprietary data and records are all vulnerable to
       the information warrior using TEMPEST monitoring equipment in a non
                            TEMPEST certified world.

                      POTENTIAL USERS OF TEMPEST MONITORING

                                   Big Brother:

     Yes, that's right. He does bug businesses. Sometimes with a court order
        and sometimes without one. It's unclear under present American law
         whether or not a court order would be needed to collect TEMPEST
     information. You never know when Big Brother's on a witchhunt. Maybe he
          suspects you of being a tax cheat, of insider trading, leftist
      sympathies, etc. Remember Watergate? Now, the FBI wants to be able to
        tap EVERY telephone, fax and data line in America at the turn of a
      switch and they want US to pay for it...Using TEMPEST technology they
               need never enter or come near your home or business.

                          Foreign Intelligence Services:

     In the last days of the Bush Administration, the mission of the CIA was
      partially changed to spy on foreign businesses and steal trade secrets
      in response to the ever-growing surveillance of American industry by
     foreign competitors and foreign intelligence services. The Japanese are
       the worst. Most of the Japanese students living and attending school
       in the USA are economic trade spies. The French intelligence service
       regularly bugged ALL the first class seats on AIR FRANCE flights to
       eavesdrop on traveling foreign businessmen. EVERY foreign service in
         the world is involved in corporate espionage to gain an economic
       advantage for their own companies. Do you have a foreign competitor?
      Then the chances are good that a foreign intelligence agency will spy
          on you. TEMPEST technology is becoming the medium of choice.

                                  The Activist:

      Dedicated, yet misguided activists may wish to further their own cause
        by releasing your private disclosures to the media. Every company
     circulates confidential memos that would be embarrassing if released to
         the public. TEMPEST technology makes corporate snooping simple.

                                  The Dissident:

     Dissidents want to damage more than your company's reputation. They may
         use TEMPEST technology as a means of compromising your internal
       security, valuable products and equipment, and even executive travel
          plans in order to commit crimes against your person, family or
                                    property!

                               Financial Operators:

        Unethical financiers can benefit greatly from prior knowledge of a
       company's financial dealings. TEMPEST attacks can be mounted quickly
            and from a distance with virtually no chance of discovery.

                                   Competitors:

         Competitors may seek to gain information on product development,
          marketing strategies or critical vulnerabilities. Imagine the
     consequences of a concerted TEMPEST attack on Wall Street. How much are
      you going to offer for that stock next week? You need to buy how many
                               shares for control?

                                     Unions:

        Unscrupulous union negotiators may use TEMPEST technology to gain
      knowledge of a company's bargaining strategies and vulnerabilities. Is
         your company having labor problems? Is your company involved in
      any type of litigation or lawsuit with a union? Does your company have
                                layoffs pending?

                                    Employees:

     One of your company's employees might use TEMPEST technology on another
     to further his own career and to discredit his adversary. It would be a
        simple matter for an adversary to plant a mole in your company who
     could position TEMPEST monitoring equipment in the right direction even
     though they might not be allowed to enter a specific restricted area...

                             The Information Warrior:

      Brokers may profit from selling your company's secrets to the highest
       bidder, or maybe even to anyone who wants to know! Does your company
        have stock that is traded publicly? Or will be soon? With TEMPEST
       technology there is nowhere to run...nowhere to hide...Keep in mind
      that anybody with money, power, influence, or sensitive information is
                                 at serious risk.

                           FINDINGS AND RECOMMENDATIONS

      Using simple off-the-shelf components with minor modifications we were
          able to monitor computer CRTs "at-will" in suburban and urban
       environments. We did not recreate the wheel. The TEMPEST monitoring
        premise is simple and anyone with a basic knowledge of electronics
             could construct such a device and use it with impunity.

      Our DataScan device differs from earlier models because of the unique
         signal amplification and directional antenna array used which we
                 believe enhances the collection process greatly.

     It appears from our research that most individuals and companies do not
        use TEMPEST certified equipment and most have never even heard of
                                     TEMPEST.

       I believe the media should be made aware of the problem in hope that
      publicity about potential TEMPEST attacks will force the government to
         release the information necessary to allow private citizens and
          industry the means to properly secure their proprietary data.

     -----------------------------------------------------------------------
                     Contact the author? SpyKing@thecodex.com

