Five years of public disclosure, and one-stop shopping for TEMPEST info...
Across the darkened street, a windowless van is parked. Inside, an antenna is pointed out through a fiberglass panel. It's aimed at an office window on the third floor. As the CEO works on a word processing document, outlining his strategy for a hostile take-over of a competitor, he never knows what appears on his monitor is being captured, displayed, and recorded in the van below.
This page is about surveillance technology. If a search engine mistakenly led you here, try Shakespeare, Pontiacs, or Arcade Games. (The graphic on the right is the logo for the US Army Blacktail Canyon TEMPEST Test Facility.)
News & Updates
skip the news and go to the introduction
January 1, 2002 - This will be the final update of The Complete, Unofficial TEMPEST Information Page. My time and efforts are being pulled in other directions, and after five years of collecting open-source information on TEMPEST, I believe the site's purpose has been fulfilled. The security community now has a much better understanding of what TEMPEST is all about, and can make informed judgments when it comes to threat assessments. Also I like to think the site has served as an example of the power of the Internet in open-source intelligence gathering. Five years ago TEMPEST was shrouded in mystery to the average computer security consultant with no government connections. Now, by collecting and shifting through non-classified information sources, we have a decent understanding of the technology. I'd like to thank everyone who has provided me with information over the years, especially John Young, who will be archiving this body of work as a historical archive at cryptome.org. - Joel McNamara
December 30, 2001 - From an anonymous UK source: "1. GCHQ in the
UK is the #1 monitoring place for TEMPEST, they HAVE NOT scaled down any
business to do with TEMPEST and now even use their techniques for corporate
applications. They are STILL the first port of call of the Ministry of Defence
for any queries. 2. The GCHQ standard (BTR) is the bible for the UK
Military with regard to installations that may negate TEMPEST emissions,
mainly due to good practices and safe areas around antenna and cryptographic
equipment, also JSP440 is a watered down version of the standard that also
covers computer security which is available to all CIDA's (Installation Design
Authorities) within the Ministry. CIDA is one of the main 'businesses' within
the MoD. Stories... these I have 'heard' from people in the
know and witnessed myself:
A Ford Transit van was converted to carry an entire Tempest test kit including antennas and terminals. This was parked on the road outside the building. The antennas were able to pick up the Telephone emissions from all areas of the building, including 'Shielded' areas due to the pre-1970 external telephone wiring, and as all conversations are routed to the local telephone exchange before encoding, this posed a major security threat. Also, static CRT images were reformed on the terminals within the van. (I have also witnessed this whilst attending a TEMPEST course at GCHQ.)
An old 'story'. There is one main transmission site on Gibraltar where all of the signals to the passing
allied fleets are sent (also submarine signals). These are coded within the building then transmitted via
antenna and satellite. However a number of 'unfriendly' vessels (mainly Russian registered trawlers) were hovering near to the shore by the chain link fence. The comms officer got curios and asked for a TEMPEST check to see if they were picking up any signals. A test proved that the fence was picking up uncoded signals that were emanating from the large capacitors used in th encoding process. The fence then acted as an antenna and the unfriendlies were receiving uncoded signals. The station was closed down immediately.
Interference and Non-intentionally Interception.
Modern digital mobile phones are the current enemy of the UK teams. Mainly as the signal can act as a carrier wave for any radiated signal. Also, it has been noted, that people making Mobile calls at the end of the runway at RNAS Yeovilton can eavesdrop on the tower and pilot conversations. Another 'story' tells how a British Telecom engineer was testing a mast when his laptop screen started to fill up as if the computer was typing. What had actually happened was that the voice recognition software on his laptop had detected the radiated signal from the mast during decoding and regeneration and displayed it on the screen as plain text.
August 3, 2001 - TEMPEST mentioned in James Bamford's "Body of Secrets" book (NSA tell-all, follow-up to The Puzzle Palace). Specifically, ship implemented eavesdropping on Cuba. Ross Anderson also has a lengthy section on emissions security in his new book "Security Engineering." (I recommend Anderson's work to anyone interested in security systems - from ATMs to art galleries to EMSEC to crypto. This book is destined to become a classic.) NSA's online TEMPEST Endorsement Program has recently been updated. SANS Institute (the security folks) have a nice, concise TEMPEST FAQ (my only complaint is the reference to Codex Data Systems). Some good info on BEMA's TEMPEST shielded tents (lots of interest in these at the recent Special Operations Command Show and Conference). National Security Telecommunications Information Systems Security Committee Maintenance and Disposition of TEMPEST Equipment (PDF format dated December 2000). And finally the Nicodemo Scarfo trial is underway, and the outcome will definitely have an impact on the future of legal electronic surveillance. Stay tuned...
January 14, 2001 - John Young has released a FOIA version of NACSEM 5112, NONSTOP Evaluation Techniques. This is the first public document to come to light on NONSTOP surveillance techniques. The document has been heavily redacted. We do know NONSTOP testing is very similar to TEMPEST testing. In Side Channel Cryptanalysis of Product Ciphers (Postscript format), John Kelsey, Bruce Schneier, David Wagner, and Chris Hall speculate that NONSTOP and HIJACK refer to the compromise of cryptographic devices through nearby radio transmitters (such as a cell phone, handheld radio, intercom). One of the more interesting things about the document is toward the end. "It is further noted that UNCLASSIFIED information concerning NONSTOP should not be discussed or made available to persons without a need-to-know. No information related to NONSTOP should be released for public consumption through the press, advertising, radio-TV or other public media." The original document came out in 1975, and has gone through several updates.
January 1, 2001 - John Young has received eight more TEMPEST-related documents from his October 1999 NSA FOIA appeal. The printing in the documents is in pretty poor shape, so text is being hand-typed. Currently available documents include: NSTISSAM TEMPEST/2-95, 12 December 1995 - "Red/Black Installation Guidance", Specification NSA No. 94-106, 24 October 1994 - Specification for Shielded Enclosures, NACSIM 5000, 1 February 1982 - TEMPEST Fundamentals, and NSTISSI 7000, 29 November 1993 - "TEMPEST Countermeasures for Facilities." (This last document is especially interesting in that it reveals the U.S. Government keeps a list of countries it views as having the ability and motivation to conduct TEMPEST attacks on U.S. interests. Censors did a bad job of blacking out the text in this 1995 document, and 12 of the 25 countries are identifiable. Including: Singapore, Norway, Hungary, Netherlands, Taiwan and some big industrial states that are known to dabble in economic espionage.) The remaining documents will be added as John has them transcribed.
December 10, 2000 - French SCSSI TEMPEST site, TEMPEST history, Ft. Huachuca Blacktail Canyon logo, fixed www.dtic.mil links (an astute reader pointed out that the "dead" DoD dtic sites on the TEMPEST Sources page could be revived by changing the domain - thanks Rob!).
December 6, 2000 - Over the past four years a tremendous amount of information has come to light on TEMPEST and related topics. So much that even though the page had no graphics, it was taking a couple of minutes to load on slow, dial-up connections. To celebrate the site's four year birthday, I've split it into four pages so it will load a bit faster. - CNET News reports on the Feds using a bugged keyboard to snag a Philadelphia mobster who was using PGP. I've been telling clients for years that this is a significant risk. In most cases it's much easier to do a "black bag" job on a target and install key monitoring software or hardware (or even hide a wireless CCD camera positioned to transmit what's being typed on the keyboard or appearing on the screen), than deal with strong encryption. Although the risk of discovery is obviously higher than a TEMPEST intercept, the lower cost and fewer required technical skills make this a much more likely attack option.
November 30, 2000 - More new links not yet categorized. A couple of new letters. Dark Tangent (of Defcon fame) sends in some updated and new Real Media audio links: Winn Schwartau: Overview of Tempest and VanEck shielding and radiation and somewhat related, Winn Schwartau - HERF Guns, EMP Bombs and Weapons of Mass Disruption (Unclassified) - parts 1, 2.
October 2, 2000 - New links not yet categorized. Demcom, makers of the excellent Steganos security suite have released a freeware Windows text editor (called Zero Emission Pad) that incorporates anti-TEMPEST font technology. NSA Endorsed TEMPEST Product List part of the NSA's TEMPEST Endorsement Program. Cute, full color illustration of a military TEMPEST secure room. NONSTOP has been around for awhile, NACSEM-5112 (RP-4) 1, 2, 3 & 4 NONSTOP Evaluation Techniques (SECRET) dates back to April 1975.
August 11, 2000 - The Wall Street Journal published an article on TEMPEST on August 7, 2000. I did several e-mail interviews with the reporter, and was pretty disappointed to see the final result. A whole lot of good information on TEMPEST went by the wayside, in favor of a lot of fairly sensational column inches. On August 10, the folks at Forbes questioned the credibility of the WSJ article. See their response (which I completely agree with) here. I'm always willing to help journalists with questions about TEMPEST. But figure it out folks. Every time your article totally blows it, your source isn't going to want to play with you or your fellow journalists again. I know a whole bunch of intelligent, well-informed people who have sworn off dealing with the media because of misquoted information or general cluelessness when an article is finally published (and for those reporters in the house, please don't whine and blame your editors). Unfortunately, the ranks of decent and willing sources will continue to thin as long as this behavior continues...
If you're even vaguely familiar with intelligence, computer security, or privacy issues, you've no doubt heard about TEMPEST. Probably something similar to the above storyline. The general principle is that computer monitors and other devices give off electromagnetic radiation. With the right antenna and receiver, these emanations can be intercepted from a remote location, and then be redisplayed (in the case of a monitor screen) or recorded and replayed (such as with a printer or keyboard).
TEMPEST is a code word that relates to specific standards used to reduce electromagnetic emanations. In the civilian world, you'll often hear about TEMPEST devices (a receiver and antenna used to monitor emanations) or TEMPEST attacks (using an emanation monitor to eavesdrop on someone). While not quite to government naming specs, the concept is still the same.
TEMPEST has been shrouded in secrecy. A lot of the mystery really isn't warranted though. While significant technical details remain classified, there is a large body of open source information, that when put together forms a pretty good idea of what this dark secret is all about. That's the purpose of this page.
The following is a collection of resources for better understanding what TEMPEST is. And no, I seriously don't think national security is being jeopardized because of this information. I feel to a certain extent, the "security through obscurity" that surrounds TEMPEST may actually be increasing the vulnerability of U.S. business interests to economic espionage. Remember, all of this is publicly available. A fair amount has come from unclassified, government sites. Up to this point, no one has spent the time to do the research and put it all together in a single location.
References marked with an (X), are good primary sources. If you just read these, you'll end up with an excellent overview on TEMPEST-related topics.
References marked with an (O) are reported dead links. These pages may be temporarily or permanently unavailable. Dead links are left for reference sake (you may want to check the main domain name or do further searching with AltaVista, etc.). It's interesting to note the number of military sites that now report 404 - Not Found or Forbidden Request errors for certain documents.
The site content is listed below. There are three pages in addition to this one. Introduction provides detailed background info on TEMPEST. Sources provides links to hardware manufacturers, software vendors, and specific government documents. Miscellaneous is comments from readers and other things that don't fit in the other pages.
Note: As you start viewing TEMPEST info, you likely will run into vague or confusing acronyms. A great Net resource is the Acronym Finder site.
Original page - December 17, 1996 - Final update December 25, 2001
Introduction to TEMPEST
What is TEMPEST?
Just how prevalent is emanation monitoring?
TEMPEST Urban Folklore
General TEMPEST Information
HIJACK and NONSTOP
Do It Yourself Shielding Sources
US Government Information Sources
Department of Energy
Department of Justice
Department of State
National Security Agency
National Institute of Standards and Technology
US Military Information Sources
U.S. Air Force
U.S. Coast Guard
Department of Defense
Tales of the TEMPEST
Non-TEMPEST computer surveillance
Disclaimer: I've never been involved with the TEMPEST community, had a security clearance for TEMPEST, or have access to classified material relating to TEMPEST. The information on these pages is completely derived from publicly available, unclassified sources.
Last changed January 1, 2002
Copyright 1996,1997, 1998, 1999, 2000, 200, 2002 Joel McNamara