Reprinted from - Sources eJournal
Nowhere to run...Nowhere to hide...
The vulnerability of CRT's, CPU's and peripherals
to TEMPEST monitoring in the real world..
Copyright 1996, All Rights Reserved
Frank Jones CEO
Codex
167 Route 304
Bardonia, New York 10954 USA
24 Hour Voice Mail: 917-277-1983
E-Mail: spyking@thecodex.com
George Orwell wrote the classic "1984" in 1949. He depicted a world in which the
government controlled its citizens and a world devoid of privacy. Many of the things
Orwell wrote almost fifty years ago have come to pass.
Surveillance technology has progressed to the point that it is possible to identify
individuals walking city streets from satellites in orbit. Telephone, fax and e-mail
communications can routinely be monitored. Personal information files are kept on citizens
from cradle to grave. There is nowhere to run...nowhere to hide...
The advent of the personal computer has revolutionized the way we do business, keep
records, communicate and entertain ourselves. Computers have taken the place of
typewriters, telephones, fax and telex machines.
The Internet has opened up a new world of high speed and inexpensive communications. How
secure and private is it? There are many encryption programs and hardware devices
available for security purposes but what about the computer terminal itself? How safe is
it? What are its vulnerabilities? Hackers have been known to cause mischief from time to
time...Is it possible for an adversary to snoop on your private data? Can Big Brother?
Suppose it was possible to aim a device or an antenna at your apartment or home from
across the street or down the block. Suppose you were working on a confidential business
project on your PC. Suppose that device down the block could read what you were typing and
viewing on the CRT? Feeling uncomfortable? Suppose that device could monitor everything
you do on your computer by collecting electromagnetic radiation emitted from your
computer's CRT, CPU and/or peripheral equipment, reconstruct those emissions into coherent
receivable signals and store them for later review? Feeling faint? Good. The technology
exists...and it has for some time....
You don't have to worry about a "middle of the night" break-in by some
clandestine government black-bag team to plant a bug. They never have to enter your home
or office. Seedy looking private investigators or the information warrior won't be found
tampering with your telephone lines in the basement either...it's not necessary...all they
have to do is point an antenna...safely, from a distance away...and collect your private
data...
This surveillance technique has become known as TEMPEST monitoring. TEMPEST stands for
Transient Electromagnetic Pulse Standard. It is the standard by which the government
measures electromagnetic computer emissions and details what is safe (allowed to leak)
from monitoring. The standards are detailed in NACSIM 5100A, a document which has been
classified by the National Security Agency. Devices which conform to this standard are
called TEMPEST certified.
In 1985, a Dutch scientist Wim van Eck published a paper which was written about in the
prestigious "Computers & Security" journal, "Electromagnetic Radiation
from Video Display Units: An Eavesdropping Risk?" Vol 4 (4) pp 269-286. The paper
caused a panic in certain government circles and was immediately classified as is just
about all TEMPEST information.
Wim van Eck's work proved that Video Display Units (CRT's) emitted electromagnetic
radiation similar to radio waves and that they could be intercepted, reconstructed and
viewed from a remote location. This of course compromises security of data being worked on
and viewed by the computer's user. Over the years TEMPEST monitoring has also been called
van Eck monitoring or van Eck eavesdropping.
In 1990, Professor Erhard Moller of Aachen University in Germany published a paper,
"Protective Measures Against Compromising Electromagnetic Radiation Emitted by Video
Display Terminals". Moller's paper, which updated van Eck's work in detail, also
caused a furor.
The government's policy of TEMPEST secrecy has created a double edged sword. By
classifying TEMPEST standards, they inhibit private citizens and industry by failing to
provide the means of adequately shielding PC's and/or computer facilities. There is an old
saying, "You can't drive a nail without the hammer". If concerned personnel
don't know the minimum standards for protection...how can they shield and protect?
Shielding does exist which can prevent individuals and companies from being victims to
TEMPEST monitoring. But without knowing the amount of shielding necessary...
Perhaps this is the way the government wants it... My work has focused on constructing a
countermeasures device to collect and reconstruct electromagnetic emissions from CRT's,
CPU's and peripherals to diagnose emission levels and give security personnel a hands-on
tool with which they can safeguard their computer data.
In testing my countermeasures device I concentrated on interception and reconstruction of
the three types of emitted electromagnetic radiation written about in van Eck and Moller's
work.
1. Electromagnetic radiation emitted from CRT's - similar to radio waves
2. Shell waves on the surface of connections and cables
3. Compromising radiation conducted through the power line
I found my greatest success (distance & quality) was in the collection of
emitted radiation from the CRT although we were equally successful in our other
experiments. In our opinion the greatest danger of TEMPEST monitoring comes from off
premises and we decided early on to concentrate in this area. A workable countermeasures
tool would give security personnel a handle on distance from which compromising
electromagnetic radiation could be collected. Hopefully full countermeasures would then be
implemented.
This also is a double edged sword. The device I built albeit a countermeasures tool...can
be used as an offensive TEMPEST monitoring device. My concerns however are that if such a
device is not made available to the private sector...then the private sector is at the
mercy of the information warrior using
TEMPEST MONITORING...HOW IT WORKS
TEMPEST monitoring is passive. It cannot be detected. The computer emits compromising
radiation which can be reconstructed from a remote location. There is no need to ever come
near the target. No reason ever to go back to change a faulty bug like the Watergate
burglars...It can be performed from an office or a vehicle with no chance of discovery.
The premise is very simple.
All electronic devices emit some low level electromagnetic radiation. Whenever an electric
current changes in voltage level it generates electromagnetic pulses that radiate
invisible radio waves. Similar to the ripples caused by dropping a small rock into a quiet
pool of water. These electromagnetic radio waves can carry a great distance.
Computer monitors like televisions contain an electron gun in the back of the picture tube
which transmits a beam of electrons (electric current). When the electrons strike the
screen they cause the pixels to fluoresce. This beam scans across the screen from top to
bottom very rapidly in a repetitive manner, line by line, flashing on and off, making the
screen light and dark, creating the viewed image. These changes in the high voltage system
of the monitor generate the incoherent signal that TEMPEST monitoring equipment receives,
reconstructs and views.
We have found that most monitors emit signals in the 2 to 20 MHz range although harmonics
are fairly strong and can be intercepted. Radiated harmonics of the video signal bear a
remarkable resemblance to broadcast TV signals although various forms of sync must be
restored.
Associated unshielded cabling can act as an antenna and increase interception range.
Emissions can be conducted down power cables and supplies. Computers attached to
unshielded telephone lines are easy prey as the telephone line acts as an excellent
antenna. Printers and their cables are not immune either. The average computer setup in
the home or office could be compared to a base station transmitting its signals all over
the neighborhood.
Put quite simply, it is easy for someone with basic electronics knowledge to eavesdrop on
you, while you are using a computer. They might not be able to steal everything from the
hard disk but they can view anything you do....see anything you see...
HOW IT'S DONE...THE COMPONENTS
* A good commercial wide band radio receiver preferably designed for surveillance (requires
a little modification) with spectrum display. Sensitivity and selectivity are paramount.
Not all receivers will do the job adequately.
* Horizontal and vertical sync generator. Commercially available and
will require some modification.
* Multi-Scan Video Monitor with Shielded cables
* Active Directional Antenna (phased antenna array) with shielded
cables. Think radio telescope.
* Video tape recording equipment. For capture and later review
WHAT WE WERE ABLE TO CAPTURE...
Bench testing of the unit was quite successful in and around the office. Several computers
were targeted and interception of the data was simple after injecting and restoring
vertical and horizontal sync. We had no problem viewing computer screens on adjacent
floors in the building (we were sometimes hindered by noise) and were able to
differentiate (to my surprise) between different computers in a large office. We aimed our
device out the window across the street at an adjacent office building and were able to
view CRT screens without too much difficulty.
I should mention here that during the field tests NO DATA WAS STORED FROM TARGET
COMPUTERS. We were not on an eavesdropping mission. We simply were interested in testing
OUR equipment not spying on others.
Field testing of the unit was quite different and required continuing manipulation of the
equipment. From a vehicle in a suburban area we were able to view active televisions
inside homes (the cable/pay-per-view people could have a field day) and what programs
residents were watching. When we came across homes with active computers we were able to
view CRTs. Average range was approximately 300 yards.
We continued to test the device in a suburb of New York City with startling results. We
were able to view CRT screens at ATM machines, banks, the local state lottery machine in a
neighborhood candy store, a doctor's office, the local high school, the fire department,
the local police department doing a DMV license plate check, a branch office of a
securities trader making a stock trade and the local gas station tallying up his day's
receipts. We didn't expect that any of our "targets" would be TEMPEST certified
and we were correct.
BIGGER FISH IN A BIGGER POND
We took our DataScan device, as we named it, to New York City. The Big Apple. We were
interested in testing the integrity of various computer facilities and also wanted to see
how our device would operate in an urban environment.
Let me start off by saying New York is in a lot of trouble. We started at Battery Park
(the southern tip of Manhattan Island) and headed north to Wall Street. The US Customs
building leaks information as well as the Federal Reserve. Wall Street itself was a wealth
of information for anyone interested. With hundreds of securities and brokerage companies
located within a few blocks of each other, all an information warrior need do is rent an
office with a view and aim his antenna. We were able to view CRT's in MANY executive
offices.
The World Trade Center was fertile. It afforded open parking areas nearby with millions of
glass windows to snoop...we were most successful snooping the lower floors from the
street. We borrowed a friend's office at mid-tower in the south building and were able to
view CRT's in the north building easily.
We headed east towards the New York Post newspaper offices and read the latest news off
their monitors (which was printed the next day). We headed north towards City Hall and
NYPD Police Headquarters. Guess what? They're not TEMPEST certified either...Neither is
the United Nations, any of the midtown banks, Con Edison (the power company) on First
Avenue, New York Telephone on 42nd Street or Trump Tower! Citicorp's computer center in
the SkyRink building on West 33rd Street was a wealth of information also...
We found that with the proper frequency tuning, antenna manipulation, reintroduction of
sync and vehicle location, we could monitor just about anyone, anywhere, anytime. There
is no doubt in my mind that TEMPEST eavesdropping is here to stay and something that must
be dealt with by computer and security professionals.
Passwords, files, proprietary data and records are all vulnerable to the information
warrior using TEMPEST monitoring equipment in a non TEMPEST certified world.
POTENTIAL USERS OF TEMPEST MONITORING
Big Brother:
Yes, that's right. He does bug businesses. Sometimes with a court order and sometimes
without one. It's unclear under present American law whether or not a court order would be
needed to collect TEMPEST information. You never know when Big Brother's on a witchhunt.
Maybe he suspects you of being a tax cheat, of insider trading, leftist sympathies, etc.
Remember Watergate? Now, the FBI wants to be able to tap EVERY telephone, fax and data
line in America at the turn of a switch and they want US to pay for it...Using TEMPEST
technology they need never enter or come near your home or business.
Foreign Intelligence Services:
In the last days of the Bush Administration, the mission of the CIA was partially changed
to spy on foreign businesses and steal trade secrets in response to the ever-growing
surveillance of American industry by foreign competitors and foreign intelligence
services. The Japanese are the worst. Most of the Japanese students living and attending
school in the USA are economic trade spies. The French intelligence service regularly bugged
ALL the first class seats on AIR FRANCE flights to eavesdrop on traveling foreign
businessmen. EVERY foreign service in the world is involved in corporate espionage to gain
an economic advantage for their own companies. Do you have a foreign competitor? Then the
chances are good that a foreign intelligence agency will spy on you. TEMPEST technology is
becoming the medium of choice.
The Activist:
Dedicated, yet misguided activists may wish to further their own cause by releasing your
private disclosures to the media. Every company circulates confidential memos that would
be embarrassing if released to the public. TEMPEST technology makes corporate snooping
simple.
The Dissident:
Dissidents want to damage more than your company's reputation. They may use TEMPEST
technology as a means of compromising your internal security, valuable products and
equipment, and even executive travel plans in order to commit crimes against your person,
family or property!
Financial Operators:
Unethical financiers can benefit greatly from prior knowledge of a company's financial
dealings. TEMPEST attacks can be mounted quickly and from a distance with virtually no
chance of discovery.
Competitors:
Competitors may seek to gain information on product development, marketing strategies or
critical vulnerabilities. Imagine the consequences of a concerted TEMPEST attack on Wall
Street. How much are you going to offer for that stock next week? You need to buy how many
shares for control?
Unions:
Unscrupulous union negotiators may use TEMPEST technology to gain knowledge of a company's
bargaining strategies and vulnerabilities. Is your company having labor problems? Is
your company involved in any type of litigation or lawsuit with a union? Does your
company have layoffs pending?
Employees:
One of your company's employees might use TEMPEST technology on another to further his own
career and to discredit his adversary. It would be a simple matter for an adversary to
plant a mole in your company who could position TEMPEST monitoring equipment in the right
direction even though they might not be allowed to enter a specific restricted area...
The Information Warrior:
Brokers may profit from selling your company's secrets to the highest bidder, or maybe
even to anyone who wants to know! Does your company have stock that is traded publicly? Or
will be soon? With TEMPEST technology there is nowhere to run...nowhere to hide...Keep in
mind that anybody with money, power, influence, or sensitive information is at serious
risk.
FINDINGS AND RECOMMENDATIONS
Using simple off-the-shelf components with minor modifications we were able to monitor
computer CRTs "at-will" in suburban and urban environments. We did not recreate
the wheel. The TEMPEST monitoring premise is simple and anyone with a basic knowledge of
electronics could construct such a device and use it with impunity.
Our DataScan device differs from earlier models because of the unique signal amplification
and directional antenna array used which we believe enhances the collection process
greatly.
It appears from our research that most individuals and companies do not use TEMPEST
certified equipment and most have never even heard of TEMPEST.
I believe the media should be made aware of the problem in hope that publicity about
potential TEMPEST attacks will force the government to release the information necessary
to allow private citizens and industry the means to properly secure their proprietary
data.
© Copyright 1996-1998 CodexOnline - All Rights Reserved-All Wrongs Revenged