This is a public service announcement. Using an antenna and some gadgets from your local electronics store, you can spy on your neighbor's TV. If you think that's scary, the National Security Agency is reported to be able to read a cellphone screen from over a kilometer away, pick up the signal on a monitor cable, and use a computer's power supply to snoop on it. This security flaw is not a bug in any one product; it is inherent in every electrically operated digital device, and it is the greatest threat to our privacy, with massive implications for the future of the entire digital world.
This article gives some examples of how this technology works and why it matters, and provides a plethora of research links to get you educated about this rarely discussed topic. I encourage you to read the links, protect your sensitive material as best you can, and demand the same electromagnetic protection for consumer products that the military expects. Though the NSA is unlikely to be using this technique on average citizens, well-funded private actors have the same capability, and it would be naive to assume that TEMPEST attacks are never used to keep tabs on activists, Congressmen, and bankers alike. Read on:
What is a TEMPEST Attack?
TEMPEST is a National Security Agency codename for technical investigations into compromising emanations from electrically operated information-processing equipment; these investigations are conducted in support of emission security (EMSEC). TEMPEST also covers standards for shielding and separating wires and electronic equipment, used by the U.S. and other nations to defend against interception of compromising emanations by foreign intelligence services.
Compromising emanations (CE) are defined as unintentional intelligence-bearing signals which, if intercepted and analyzed, may disclose the information transmitted, received, handled, or otherwise processed by any information-processing equipment. Compromising emanations consist of electrical, mechanical, or acoustical energy, emitted intentionally or by mishap, by any number of sources within equipment or systems that process national security information. This energy may relate to the original pre- or non-encrypted message, or to the information being processed, in such a way that it can lead to recovery of the plaintext.
Laboratory and field tests have established that such CE can propagate through space and along nearby conductors. The interception and propagation ranges, and the analysis of such emanations, are affected by a variety of factors: the functional design of the information-processing equipment, the installation of the system or equipment, and environmental conditions related to physical security and ambient noise. The term "compromising emanations" rather than "radiation" is used because the compromising signals can, and do, exist in several forms, such as magnetic and/or electric field radiation, line conduction, or acoustic emissions.
Also referred to as “Van Eck Phreaking”
Van Eck phreaking is the process of eavesdropping on the contents of a CRT or LCD display by picking up and demodulating its electromagnetic emissions. Because the emitted signal follows the pixel clock, a receiver tuned to one of its harmonics and synchronised to the display's line and frame timing can rebuild the picture. It is named after Dutch computer researcher Wim van Eck, who in 1985 published the first public paper on it, including a proof of concept. "Phreaking" is the term for exploiting telephone networks, borrowed here because of its connection to eavesdropping.
Van Eck phreaking might also be used to compromise the secrecy of votes in an election that uses electronic voting. This caused the Dutch government to ban the NewVote computer voting machines manufactured by SDU in the 2006 national elections, because ballot secrecy could not be guaranteed. In a 2009 test of electronic voting systems in Brazil, Van Eck phreaking was used to compromise ballot secrecy as a proof of concept.
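To make the synchronisation point concrete, here is an added example of the reconstruction side of a Van Eck attack on a toy display. It is not code from the original article or from van Eck's paper; it simulates what a receiver would capture and then does the three things an attacker actually has to do: find the frame period from the capture's autocorrelation, find the frame start from the vertical blanking gap, and average many frames so that the repeating picture grows while the noise averages out. The assumptions are ours: one sample per pixel, the leaked signal is the first difference of the video signal (transitions radiate, flat areas do not), additive Gaussian noise, the same image on every frame, and a frame no longer than 400 samples; the bitmap, timings and noise level are constructed.

```python
"""Van Eck-style raster reconstruction from a simulated emanation capture.

Added example, not from the original article or from van Eck's paper.
Assumptions (ours): one sample per pixel, the emission is the first
difference of the video signal, additive Gaussian noise, the same image
on every frame, and a frame period of at most 400 samples.
"""
import random

# Constructed toy display: 8 lines of 12 active pixels, 4 samples of
# horizontal blanking per line, 2 blank lines of vertical blanking.
ACTIVE_W, H_BLANK, ACTIVE_H, V_BLANK = 12, 4, 8, 2
LINE = ACTIVE_W + H_BLANK              # 16 samples per line
FRAME = LINE * (ACTIVE_H + V_BLANK)    # 160 samples per frame

IMAGE = [                              # constructed bitmap (a letter E)
    "############",
    "#...........",
    "#...........",
    "############",
    "#...........",
    "#...........",
    "#...........",
    "############",
]


def video_signal(image):
    """Pixel stream (1 = bright, 0 = dark) for one frame, blanking included."""
    sig = []
    for row in image:
        sig += [1 if ch == "#" else 0 for ch in row] + [0] * H_BLANK
    sig += [0] * (LINE * V_BLANK)
    return sig


def emanation(video):
    """Transitions radiate: model the leaked signal as the first difference
    of the video signal (cyclic, since the frame repeats)."""
    return [video[i] - video[i - 1] for i in range(len(video))]


def capture(frames, sigma, seed):
    """Simulated receiver capture: `frames` repetitions of the image, listening
    started at an unknown point in the frame, Gaussian noise of std `sigma`."""
    rng = random.Random(seed)
    clean = emanation(video_signal(IMAGE)) * frames
    offset = rng.randrange(FRAME)
    clean = clean[offset:] + clean[:offset]
    return [x + rng.gauss(0, sigma) for x in clean]


def autocorr(x, lag):
    n = len(x) - lag
    return sum(x[i] * x[i + lag] for i in range(n)) / n


def estimate_frame_period(samples, max_lag=400):
    """The picture repeats every frame, so the autocorrelation peaks at the
    frame period and its multiples; lags that are not multiples only
    correlate partially. Take the smallest lag within 20% of the best peak."""
    ac = {lag: autocorr(samples, lag) for lag in range(2, max_lag)}
    best = max(ac.values())
    return min(lag for lag, v in ac.items() if v >= 0.8 * best)


def fold_and_average(samples, period):
    """Stack the capture into frames and average: the signal is the same in
    every frame, the noise is not, so SNR grows with the square root of the
    number of frames."""
    n_frames = len(samples) // period
    avg = [0.0] * period
    for f in range(n_frames):
        for i in range(period):
            avg[i] += samples[f * period + i]
    return [v / n_frames for v in avg]


def find_frame_start(frame, eps=0.3):
    """Vertical blanking is the longest stretch with no transitions; the frame
    starts right after it. Walk the frame twice to handle wrap-around."""
    period = len(frame)
    best_len, best_end, run = 0, 0, 0
    for i in range(2 * period):
        if abs(frame[i % period]) < eps:
            run = min(run + 1, period)
            if run > best_len:
                best_len, best_end = run, i
        else:
            run = 0
    return (best_end + 1) % period


def rotate(seq, start):
    return seq[start:] + seq[:start]


def reconstruct(frame, threshold=0.5):
    """Turn an aligned frame of transition estimates back into pixels: quantise
    each sample to -1/0/+1 and integrate along each line (lines start dark)."""
    image = []
    for row in range(ACTIVE_H):
        level, pixels = 0, []
        for col in range(ACTIVE_W):
            e = frame[row * LINE + col]
            level += 1 if e > threshold else -1 if e < -threshold else 0
            pixels.append("#" if level > 0 else ".")
        image.append("".join(pixels))
    return image


def pixel_errors(a, b):
    return sum(x != y for ra, rb in zip(a, b) for x, y in zip(ra, rb))


def run_attack(frames=48, sigma=0.3, seed=1):
    """Full pipeline on a constructed capture; returns what was recovered."""
    samples = capture(frames, sigma, seed)
    period = estimate_frame_period(samples)
    averaged = fold_and_average(samples, period)
    start = find_frame_start(averaged)
    from_average = reconstruct(rotate(averaged, start))
    from_single = reconstruct(rotate(samples[:period], start))
    return {
        "period": period,
        "single_frame_errors": pixel_errors(from_single, IMAGE),
        "averaged_errors": pixel_errors(from_average, IMAGE),
        "image": from_average,
    }


if __name__ == "__main__":
    r = run_attack()
    print("frame period:", r["period"], "samples")
    print("pixel errors from one frame:", r["single_frame_errors"])
    print("pixel errors after averaging:", r["averaged_errors"])
    print("\n".join(r["image"]))
```

The point of the single-frame versus averaged comparison is the one that matters in practice: one frame is unreadable at this noise level, but because the display repaints the same picture tens of times a second, an attacker who has recovered the frame period gets a free integration gain, which is also why masking a leak with noise is harder than it sounds.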
NSA spills its guts on TEMPEST attacks
Washington DC – Intelligence agencies have apparently been remotely intercepting electrical signals and recovering the text they carry since World War II, according to a newly declassified NSA document. Titled "TEMPEST: A Signal Problem", the document describes how leaky signals from teletype machines caused nearby sensors to spike; those spikes could then be translated back into keystrokes. Known as TEMPEST, the phenomenon was mostly ignored by the United States in the following years, but it appears the Soviet Union, Japan and other countries developed TEMPEST scanning into an art form and used it against the USA.
The document sits right on the NSA website and can be viewed here (link to a PDF). Leaky electrical signals were first documented in 1943 by a Bell Telephone engineer working on a teletype encryption device used for secure communications between the military and government. He discovered that an oscilloscope in a far corner of the lab would spike with each character typed and, on closer examination, found that he could read the plaintext of the encrypted messages sent over the wire. In effect, the engineer was looking at every keystroke typed.
Bell Telephone told the US Signal Corps of its findings, and the company was challenged to prove that the signals could really be intercepted. Over the course of one hour, at a secret location in New York, the Bell engineers recovered a stunning 75% of the plaintext of secret transmissions from 80 feet away.
The demonstration caused the US intelligence community to mandate a 100-foot zone of control around crypto centers, but that apparently wasn't enough. In 1951, the CIA demonstrated that it could recover plaintext from signals picked up a quarter of a mile away, and in 1962 an intelligence agent stationed in Japan noticed a dipole antenna pointed straight at their crypto center. The antenna, mounted on top of a hospital roughly 100 feet away, mysteriously disappeared after the agent informed his superiors; presumably the Japanese intercepted the agent's report and removed the evidence.
These findings, combined with the discovery of microphones and fine metal mesh at several US embassies in Moscow, Prague, Budapest and Warsaw, forced the United States to find new ways of protecting its equipment from TEMPEST sniffing. That turned out to be incredibly hard. One countermeasure was to run ten machines at a time so that the signal of interest was buried in the others; another was to design machines that fired off multiple keys at once. Despite this work, analysts were still able to sift through the combined signals and recover the original text. The government finally settled on mandating a 200-foot control zone around crypto centers.
The declassified paper also discusses audio surveillance with miniature microphones, something that is actually fairly easy to defeat. The NSA found that microphones usually need to be placed inside a building to be effective, and that something as simple as a sheet of paper was enough to muffle the sound. Surprisingly, though, the agency also found that soundproofing a building actually made it easier to record sounds from inside, because it reduced echoes.
I encourage you to read the declassified NSA paper, not only for its geek value but for its historical information. It really shows that other countries were on a par with, or drastically ahead of, the USA in some signals intelligence areas. Of course, the entire document hasn't been declassified; there are several redacted sections and blank pictures. Only those with the proper clearance know the whole story.
Wardriving? How about War Flying:
The Black Hat Security Conference and DEFCON bring together the world's professional hackers, security researchers, government representatives, journalists, and just about anyone who thinks of themselves as a hacker. They listen to talks about security, show off the latest novel hacks, and generally share information about the state of computer security.
Every year there's a highlight to the conferences, and this year it looks like that highlight may be a flying drone, or unmanned aerial vehicle (UAV). This drone is called the Wireless Aerial Surveillance Platform, or WASP. It's an ex-U.S. Army spy drone measuring over six feet in length and wingspan that has been modified to make it more useful for hackers in our built-up, communication-heavy urban environments.
If you happen to see this yellow drone flying above your neighborhood, you'd be right to be concerned. WASP carries the tools to crack Wi-Fi network passwords: an on-board VIA EPIA Pico-ITX PC running BackTrack Linux, with 32GB of storage to record what it captures. BackTrack bundles a full suite of digital forensics and penetration testing tools, making it a good fit for this setup.
WASP can also act as a rogue GSM base station, meaning it can eavesdrop on calls and text messages of any phone that decides to connect through it.
While such a drone may violate a few aviation rules, it doesn't break any FCC regulations, since it uses the amateur (ham) radio band or a 3G connection for communication. As for the reason for building it, creators Mike Tassey and Richard Perkins just wanted to prove that there is a vulnerability that can easily be exploited with a UAV such as this.
WASP is an open source platform built on Arduino, and Tassey will explain how to build it at DEFCON 19 next week. It was originally unveiled last August, with the following video giving a close-up view and an interview with the creators:
The main developments since last year seem to be the open-sourcing of the design, rather than relying solely on the ex-Army airframe, and the addition of GSM support, which they were really eager to get working last August.
Apart from manual take-off and landing, WASP can be preloaded with GPS coordinates and then fly the course using its on-board electric motor. You could put the drone in the air and have it return some time later with 32GB of fresh data to look through, or monitor it from a base station and switch to loiter mode when it finds an interesting area. The on-board HD camera also makes it easy to capture video footage of an area, or of a test flight.
The main take-away from the WASP project is that two guys building a UAV in their spare time produced something that can easily collect data from Wi-Fi and GSM networks with little input from the operator. There are even instructions available to build your own. That makes it more than worthy of a DEFCON talk, but also worth the time of network operators to consider how they could keep such a system from ever being used successfully against them.
Further reading on Electromagnetic Emissions and Snooping:
- NSA Devises Radio Pathway Into Computers (not connected to the internet)
- NSTISSAM TEMPEST/1-92, Compromising Emanations Laboratory Test Standard, Electromagnetics
- TEMPEST: A Signal Problem, The story of the discovery of various compromising radiations from communications and Comsec equipment.
- Does Van Eck Phreaking work? [skeptics]
- TEMPEST workshop presentation, Riga, October 2008
- NSA TEMPEST Documents on Cryptome.org
- Protection from Tempest attacks
- CEI Tempest Receiving System
- Emission security: TEMPEST attacks
- TEMPEST attacks “data from electromagnetic waves”
- Compromising Electromagnetic Emanations of Wired and Wireless Keyboards
- Declassified NSA Document Reveals the Secret History of TEMPEST
- Tempest for Eliza: broadcast music from your CRT to your AM radio
- Current Events: Identifying Webpages by Tapping the Electrical Outlet