NSA article on TEMPEST

    • #3394
      jason
      Participant

      I’ve always found TEMPEST related topics to be interesting. Here’s a released NSA article from the 70s on the subject. It’s a bit heavily redacted yet, but there are still some good bits:

      http://www.nsa.gov/public_info/_files/cryptologic_spectrum/tempest.pdf

    • #22290
      Don Donzal
      Keymaster

      For those of you who are new to EH-Net or just missed Chris Gates’ article on the topic, it’s a fun read:

      TEMPEST, Conspiracy Theories and Tinfoil Dreams

      Don

    • #22291
      sleepless
      Participant

      You would be surprised at the number of people I come across that think TEMPEST is a myth or purely the realm of TV. I work for a company that does TEMPEST testing and RF security consulting. TEMPEST isn’t really an issue for most people or even most companies, but in certain situations is worth being aware of. Carrying out a TEMPEST attack is not as complicated as most people assume. The difficulty is in large measure proportional to the distance from the device you are attacking. Imagine a shared office space where the attackers can rent office space immediately adjacent to the intended target. That being said I think TEMPEST is still very unlikely to be the first or only avenue of security attack in any situation.

    • #22292
      Anonymous
      Participant

      @sleepless wrote:

      That being said I think TEMPEST is still very unlikely to be the first or only avenue of security attack in any situation.

      I agree, it’s probably far easier to just break into that room and do whatever than actually rent the room next door, set up all the TEMPEST gear, and wait. Pay the janitor 1000 bucks and it’s done in a night.

    • #22293
      jason
      Participant

      Depends on the environment I suppose. I’ve seen some recent work in grabbing signals from wired keyboards with a fairly minimal setup. Sneaking minimal equipment like that into a storage closet for a day or two may be far less risky than bribing a janitor who might get a guilty conscience later on.

    • #22294
      sleepless
      Participant

      I agree with Jason. It’s partly a matter of how available the technology or know-how is I guess. I have seen some of the stuff that was being done with the remote keyboard logging and detection. The idea and raw technology was not new necessarily. But it is an indicator that some of the ideas and technology may be becoming more widely available. If it were to become sufficiently user friendly there are plenty of situations where it may be a viable line of attack. Trying to make a generic keylogger that operates wirelessly by picking up the emitted RF would be a very interesting project…

    • #22295
      Anonymous
      Participant

      @jason wrote:

      Depends on the environment I suppose. I’ve seen some recent work in grabbing signals from wired keyboards with a fairly minimal setup. Sneaking minimal equipment like that into a storage closet for a day or two may be far less risky than bribing a janitor who might get a guilty conscience later on.

      If I’m already close enough to stick equipment in a storage room or in the room why wouldn’t you just take the CPU or install a keylogger or boot into Linux and take the data? There are of course reasons why those wouldn’t work. My point is that any kind of sexy TEMPEST way of doing it is probably much more trouble and money than just doing it the “old fashioned way”.

    • #22296
      jason
      Participant

      I’d say that it’s really a matter of how stealthy you need to be. Eavesdropping on signals has the potential to leave no trace whatsoever, unless the equipment is found or you get caught taking it in or out. Stealing the machine storing the data, keystroke loggers, etc… don’t have this benefit.

    • #22297
      former33t
      Participant

      Chris-G, I’m with Jason on this one.  If all you need is some data (and you’re sure you only need it once) then your approach works.  If you need continued access to an ongoing stream of information, then you should look at making sure the target thinks their security is adequate.

      This being the ethical hacker forums, I’m sure someone is asking why not just hack in? Maybe the box is no-network. Maybe having the target increase its security posture is just unacceptable. Maybe you’re a foreign government/competing corporation and your fingerprints just can’t be on this one bit. In that case moving to a completely passive attack such as TEMPEST may be the way to go. Unless you are caught in the act (but how would this happen if you rent the office next door as in the scenario above), the target will never know it is under attack. No IDS can protect you from a passive attack.

    • #22298
      jason
      Participant

      @former33t wrote:

      No IDS can protect you from a passive attack.

      True, but in this case there are countermeasures. You would have to be in a very hostile environment or incredibly paranoid to implement such a system, but you can get noise generators that broadcast into the proper portions of the spectrum to mask emissions that the bad guys (or good guys) might pick up.

    • #22299
      former33t
      Participant

      Sure, you could do that, or you could enclose the whole office in a faraday cage. Neither is particularly cost effective or practical (as you noted) so nobody (short of spy agencies and really paranoid people) takes such measures. This makes a TEMPEST attack particularly effective when all else fails.

    • #22300
      jason
      Participant

      @former33t wrote:

      or you could enclose the whole office in a faraday cage

      I was shooting for countermeasures that didn’t require major construction, but true enough.

    • #22301
      Ketchup
      Participant

      I believe that intelligence agencies and military routinely surround sensitive areas in faraday type construction. 

      On a side, but related note, I remember sitting at a cell forensics course.  We had stuck one of our phones in a faraday bag prior to imaging it.  Lo and behold, the thing actually rang with an incoming call.  FAIL.

    • #22302
      jason
      Participant

      There are a bunch of other pieces other than just putting up a faraday cage in/around the area to be shielded:

      http://fas.org/nuke/intro/nuke/emp/toc.htm

      It’s a bit of a task to go the whole way.


Copyright ©2021 Caendra, Inc.
