This page is about surveillance technology. If a search engine mistakenly led you here, try Shakespeare, Pontiacs, or Arcade Games.
Used TEMPEST
Tales of the TEMPEST
Non-TEMPEST computer surveillance
Change log
TEMPEST shielded computer equipment sometimes leaks out into the public in the form of surplus and scrap sales. This section is devoted to descriptions.
One informant used to work at a Defense Reutilization and Marketing Office (DRMOs are the DoD's version of a garage sale). In the past, TEMPEST equipment was de-miled (crushed), now due to miscoding and classification downgrades, TEMPEST equipment is literally a dime a dozen. Computer surplus goodies go for about 12 cents a pound.
Through a contractual association with a major defense company, Fluid Forming Technologies has been assigned to dispose of a TEMPEST level "secured working environment." Modular construction, 160' x 20' x 10', can probably be segmented into smaller units. Available as of January 1, 1998. E-mail fftllc@eci.com for additional details or snail mail:
Fluid Forming Technologies LLC,
9 Brush Hill Rd, Suite 318
New Fairfield, CT 06812
JC describes two shielded IBM PC cases he picked up from a scrap dealer for $35 each (unfortunately they had already sold the printers and monitors). The cases were labeled EMR XT SYSTEM UNIT (on the front), with a model number of 4455 1 (on the back). The cases are similar to a standard IBM XT case, except deeper toward the back, so a filter bank and power supply baffle could be installed. The top is bolted down, requiring an allen wrench to remove. The top part of the case has a gasket groove for the brass colored RF gasket, and the mating surface is a finished in anodized aluminum. The top appears to be a cast aluminum plate. Each of the ports in the rear has a filter, unused ports have a metal blocking cover that mates to the case and make a good eletrical contact.
W.J. Ford Surplus Enterprises(O) had the following printer for sale in December 1996:
LASER PRINTER Make:MITEK Model:100T 300 X 300 DPI LASER PRINTER WITH LETTER SIZE PAPER TRAY, 8 PPM, MEETS NACSIM TEMPEST SPECS, C.W. OWNER'S MANUAL (TONER CARTRIDGE NOT INCL.) Dimensions: 19.00"w x 16.00"h x 16.50"d 1.00 on hand, No Graphic on file, Item No.:1208 RAMP Price: $ 250.00
As of February 8, 1997, Dark Tangent (of DEFCON fame) has a whole collection of TEMPEST shielded equipment for sale. Check out his page (X) for complete info and photos. Lots of great details and specs. Also a related Slashdot thread.
As of June 15, 1998, Hugh Sebra had fifty TEMPEST-shielded Fibercom 7197 DPT Dual Path Fiberoptic Transceivers for sale.
While not for sale, H. Layer has a photo of a circa 1986 Tempest Macintosh as his cool Mind Museum page.
Note: I personally don't own or have access to any surplus TEMPEST equipment. However, if you've encountered such hardware, let me know about it.
Recent publicity about this page has resulted in some interesting personal accounts dealing with TEMPEST-related topics. This section lists excerpts from various correspondence. In most cases, the names have been removed to protect the innocent.
C writes:
Interesting page of TEMPEST-related stuff. One additional information source you may want to include for those attempting to proof themselves against an EME-type attack might be the ARRL (Amateur Radio Relay League) Handbook for the Radio Amateur. It has a very complete chapter on preventing radio interference caused by ham radio gear, much of which could be adapted for use with a computer. The book is updated yearly, so the information is usually top-notch. Most libraries have it.BTW, for those on the other side of the question (or who wish to be) there's probably enough info in the book to help them put together a TEMPEST monitoring outfit if they're handy with a soldering iron.
F writes:
I have an early SVGA 15" Gateway CrystalScan monitor (the ones that are purported to be part of a class-action lawsuit), which, when attached to a Mac, will display *exact* and *readable* text on TVs within a reasonable distance--a measured 60-plus feet for sure, through walls and floors, and quite possibly more, I didn't have the inclination to drag a TV out into the lot on an extension cord to find out how far I could go.Though it is only readable during the 'dark' between commercials on certain channels, it was a pretty frightening revelation, as I accept and produce some pretty sensitive materials. The scarier part for me was that I had used it for weeks before I finally turned on a TV at the same time that the monitor was not in screen-saver mode (a password-protected mode I generally drop into anytime I leave the desk, alone in the building or not). Anyone in my building, including unassociated neighbors, or anyone within whatever the ultimate range might have been could have seen a bunch of stuff that could have caused serious damage to my firm. If anyone did see anything, they haven't bit me with it--yet.
In addition to displaying readable text, you can also discern images to a limited degree, and I imagine with some simple tweaks of the color guns, some enterprising cracker could get some pretty good imaging.
The monitor has some other more obvious side effects, such as emitting such EMF levels as to *seriously* distort any monitor within about a foot of its left side, and about two feet of its right side. It also gave me frequent eye strain if I used it too long (even though the picture was incredibly sharp for its class).
Since I'm a MacHead and use multiple monitors (three to seven screens, depending on where I am), this situation was unacceptable all by itself, but I was using the monitor ($15 at a local thrift store) as a temporary display while my prime screen was off in warranty land (I never did get that one back).
It will also emit such a frequency as to produce varied-intensity scrolling vertical and horizontal lines on a TV with either rabbit ears or hooked up via 75 Ohm cable to an attic antennae, depending on what channel you are tuned to. I can't recall the exact per-channel results, but (if memory serves) it was minor (but annoying) lines and rolls on the lower VHF, and major interference and ghosting with the readable text on the UHF.
The funny thing is, other people in the building couldn't watch TV without all the serious distortion any time the monitor was not in screen saver mode (just having the monitor powered at all would produce a limited interference), and never noted any readable text, because they avoided the badly affected channels. When they would ask me to look at the TV situation and prescribe a fix (I'm the boss and building owner) , I never saw it, because (of course) I put the monitor to sleep before I would venture out for an inspection. Talk about Keystone Kops! They would joke that the TV was afraid to not be working properly when the boss was present, and we just wrote it off to rogue cell phone or CB users, because our portable phones and computer speakers would frequently pick up passing car/truck audio signals from such devices.
(Yet another bonus was that the staff wasn't prone to hang out in the break room and watch TV anytime I was working)
I'd have never discovered the source of the whole thing, save for a Sunday when I came into get some computer backups and volume house-cleaning done, and I dragged in a little B&W TV to also "watch" the football game. I was going mad trying to get any decent reception at all that close to the damn thing, not noting for at least a couple of events that it cleared up substantially when the screen went into an idle screen saver mode on its own. I finally gave up and settled for just audio, and only noted the relation hours later when I powered off the monitor to rearrange my desk. A couple of on-off clicks later, I started laughing, finally finding the source of all the problems for the whole building--that is until a commercial pause came on, and I saw the contents of my open-folder list displayed on the screen.
I goofed around for the next sixty minutes, trying desperately to discern what I could see in that momentary darkness between commercials, and in those brief moments, I found that I could *easily* read my email, word docs, spreadsheets, database, etc., and I could repeat the ability on every TV screen in every room on every floor to which I had access-- Eeek!
Anyway, this note got a lot longer than I wanted, but I still have the monitor, if it holds any interest to you as a "primary source" of the fact that an SVGA can most definitely be a victim of low-cost TEMPEST (albeit an admittedly and likely rare event on only one monitor I can name).
M writes:
"LCD displays on laptops eliminate the risks of TEMPEST attack."No way. I get a few channels in my apartment via rabbit-ear and UHF loop antenna reception - they're pretty weak, but on a good day and in the absence of major interference, I can watch Ally McBeal. I'm also a longtime notebook computer user, mostly Apple Powerbooks. The TFT LCD screen specifically interferes with the lower-numbered VHF channels on my TV, which also happen to be more poorly propagated at my location. The CPU and motherboard also interfere, but the screen is by far the worst and can't be within twenty feet and/or two interior walls of the antennae without substantial, patterned interference. And this is a low-power laptop with a relatively small 10" screen (800x600, 60Hz refresh), using under seven watts including the 180MHz CPU. Shutting off the screen independently of the rest of the machine greatly reduces the interference.
That doesn't mean that there's intelligible information in all that noise, of course, but given that I can change the appearance of the interference by changing the onscreen display, I'd be willing to bet that there is. It's also worthwhile to note that conventionally (greyscale) anti-aliased fonts look horrible on crisp LCD screens because there's none of the natural inaccuracy and softening that a CRT produces (in other situations this is a good thing and reduces eyestrain, the main reason I don't use CRTs any more). This includes the filtered ones your page links to (I'm looking at them now). There is a different mode of anti-aliasing that makes use of the slight RGB offset on an LCD display (one of the few real innovations to come out of Microsoft, of all places), which might be applied to this purpose. Unfortunately one has to use different fonts depending on whether the screen elements are arranged RGB or BGR (both exist at the moment, in approximately equal proportion).
S writes:
In a (government) security briefing, I did witness a legitimate Tempest intercept of an IBM Selectric typewriter. However, the typewriter had been modified to produce unusually high levels of signals, the distance over which the intercept occurred was fairly short, and the conductors of the demo insisted all other potential sources of emanations be powered down in the area where the demo was conducted.While my time with the government (Secret Service and Naval Intelligence) did not deal directly with Tempest intercept or screening, the general consensus, even in the most sensitive circles, was that there were far easier, effective and more efficient methods of gathering information. At one time the threat was taken seriously, but not anymore.
Just think, in an average office or even modern home environment, how many sources of radiation there are, and how difficult it would be to target one and one only. Remember the strength of a field decreases with the square of the distance. Your wristwatch at close range produces a stronger signal than a large CRT the other side of the room.
In the early days, before every cigarette lighter and toaster over contained a microprocessor, and CRT technology was not refined, there may have been a threat. Anymore, CRTs operate at much lower levels and the RF/EMI environment is much busier. Remember when we were young and televisions came with warnings about sitting too close? Do you see those anymore, even on large color screens? Far less energy now is needed to excite the extremely efficient phosphors in the CRT. In the early days, it was done with brute force.
It's fun to talk about, but from a practical level I believe there no longer is a threat.
I have never seen a real world demo of a genuine Tempest/Van Eck intercept, and I have been around some. The alleged construction articles leave themselves an out, like saying a lot of experimenting is needed to fine tune or whatever. Sort of like the chemical formulas with a line buried deep "then a miracle occurs".
V writes:
I read your web page on TEMPEST with quite some interest. I've always wondered about the truth in all the stuff we hear about the US military over here in Australia. i found your web site very interesting and informative.Once upon a time, I owned an Apple ][ c and a matching hi-res "green-screen". ow the cable for this monitor was a bit shorter than I wanted it to be, particularly, I wanted to be able to sit the computer/keyboard on my lap while I typed or played Star Blazer (I still do, although it's now a $250 Wang keyboard). I found that with a pair of very primitive antennas, I could easily make the computer communicate wirelessly with the monitor. Text was quite readable in 80-column mode. This led me to experiment further, and I soon had a wireless link to the TV, using the Apple ][ RF modulator with no antenna, and a loop of ribbon cable attached to my TV. The picture came through in full colour.
Somewhat later, I began to become interested in intercepting data signals. I found that with a fairly high-tech receiver, I could intercept RS232 transmissions, as long as it was only a half-duplex link. If both parties transmitted at once, the data got garbled. This was done with a very sensitive antenna and radio receiver, and a lot of signal processing circuitry. It also only worked over a range of about 1.5m.
That was the only one of my interception experiments that succeeded. however, I wonder if there aren't other busses that can have their data intercepted more easily, now. USB and FireWire are both serial busses. Perhaps if I tried, I could capture data from these busses and record it for later replay. And what about Ethernet? 100baseT would be and ideal standard for clean emission of data. i wonder if anyone has tried to pick up packets? I doubt it would be difficult. It's just a fancy multimaster serial bus.
Once upon a time, all microprocessor-based devices from the USA bore the following notice, or something similar. It varied from device to device (copied from an Apple 400k floppy drive c. 1986):
Certified to comply with the limits
for a Class B computing device pur-
suant to Subpart J of part 15 of FCC
Rules. See instructions if interfer-
ence to radio reception is suspected.Several years ago, the notice was changed to the following (copied from a Texas Instruments TI-82 graphing calculator, c. 1991):
THIS DEVICE COMPLIES WITH PART 15 OF THE FCC RULES.
OPERATION IS SUBJECT TO THE FOLLOWING TWO CONDITIONS:
(1) THIS DEVICE MAY NOT CAUSE HARMFUL INTERFERENCE, AND
(2) THIS DEVICE MUST ACCEPT ANY INTERFERENCE RECEIVED,
INCLUDING INTERFERENCE THAT MAY CAUSE UNDESIRED
OPERATION.This new notice is the same on every device I've seen. No variations. Why this change? The original notice seemed sensible enough, it basically says the device has to be well-behaved and not cause too much interference to any other devices. The second seems to be a license for the US government to remote control your computer or whatever else.
Here in Australia, we now have this C-tick certification scheme. For an electronic device to be sold in Australia, it has to meet ridiculously stringent emission and interference standards. They place it in an EM-shielded room, and blast it with radiation from every part of the RF spectrum, and if it misses a beat, then it fails the test. Then they measure its own emissions. They have to be very low to pass. A lot of manufacturers are opposed to these strict regulations. However, it strikes me that it's probably very hard to do a TEMPEST or NONSTOP attack on a device that meets C-tick standards.
D writes:
I used to be a "Robot Killer" (high tech military scrap) and we used to keep funny named gear around for humor and one of our favorates was a 19" rack mount "Vortex Tempest Generator" with a small crt for lidiuios(sic) paterns and minute time delay, sweep, and odd controls. Always wondered what it was and now, thanks to your amazing page I think that it isn't for testing the airflows off of wingtips, I never did, it came with some of the finest Mil-Spec electronics I ever disasembled, and was elegantly manufactured and the batch it came with was transmission/radio/rtty/ stuff. we would also see many super shielded Computers and P/C s (Many Zieniths!) and other compleatly mysterious and sometimes untouched techno-dukey. I could (and sometimes do) go on about all the strange gear that floated thru the shop.
In researching TEMPEST topics, sometimes I run into little-known tidbits that relate to possible computer surveillance techniques.
The Department of Energy Information Systems Security Plan has an interesting section titled, 8.5 Wireless Communications (Infrared Ports). It states:
"The use of wireless communications (infrared) ports found on most PPCs to interface with printers and other peripheral devices is strictly forbidden when processing classified information. These ports must be disabled on all accredited PPCs and peripherals by covering the window with a numbered security seal or physically removing the infrared transmitter."
12/17/96 - original document
12/18/96 - added link to van Eck follow-up article, shielding comments
12/21/96 - reorganization and additional comments about Rome Lab, ZONE,
DOE, non-TEMPEST
12/22/96 - added Smulders paper
01/02/97 - added Compliance Engineering, additional NIST, Navy, Canada,
Used, and paper sources
01/08/97 - added UK, patents
01/11/97 - added DA Pamphlet 73-1/Blacktail test facility, Army,
COMPUTERWOCHE, EMC, HAL, Austest, Racal, Compucat, Nisshinbo
02/02/97 - added Naval Postgraduate School, EMC FAQ, DynCorp, Conductive
Coatings, GEC Marconi, CorCom, AFC, Corps of Engineers, Ford Surplus, GTE,
ECM job list, White Sands, Cortron, SwRI, Veda, Emcon
02/14/97 - added DEFCON goodies to Used
02/18/97 - added Redefining Security report, Lynwood
03/10/97 - added Datastop glass to shielding section
03/21/97 - added Moller paper (from Phrack 44)
03/26/97 - added Army Corps of Engineers pub, Elfinco, recommended
Xs
04/12/97 - added Computerwoche translation
06/09/97 - added Blacktail page, Framatome Connectors International
07/02/97 - added JMK
12/15/97 - added LCR, Logical Solutions, IAM, GSGC, Tempest Mac
02/08/98 - added Anderson & Kuhn paper, FFTLLC, dead link check
03/03/98 - added Army EMP, Compunetix, XL Computing
03/30/98 - added USGS, Motorola, Tempest Security Systems
11/14/98 - added EMP-tronic, SSG, Filter Networks, Australia section,
Braden, Hewitt, TUV, Windermere, ERS, ADI, ZipperTubing, Army EPG, Glenair,
Allied Signal, D2D, Truthnet, EC, Hyfral, Navy E3 and other, BEMA, Raytheon,
Shadow Chaser, Dina, ATSC, Profilon, EYP, CSS, ILEX, DOE 5300, Cycomm, Murphy
paper, Cryptek, Greco, Lindgren-Rayproof, Turtle Mt., Kern, Cabrac,
Solar Electronics, National TEMPEST school, Air Force 33-203,
HIJACK/NONSTOP
11/17/98 - added Gabrielson papers, SJM News article, Pulse Eng, US Coast
Guard, DRMO, c't article, Chomerics, JY FOIA
11/19/98 - Air Force van, EMSEC, Air Force sec mems, new HIJACK &
NONSTOP info
11/25/98 - anti-TEMPEST fonts link, alt Air Force links, Schwartau .WAV
speech
7/3/99 - Computer Security Solutions, TSCM consultant, student paper,
Seimens, P&E, SATE, dead links
7/11/99 -iDefense TEMPEST bust, Acronym Finder
7/19/99 - Hetra, updated DefCon page, Slashdot article
8/19/99 - Gabrielson piece, DEMCOM
8/21/99 - Durak CPU, Mueller HIP
10/10/99 - ISEC update, 497 IG, Treasury, NRO, Star Wars, Navy Code 72,
COS, Koops, Army PDC, c't articles
10/24/99- John Young FOIA news
10/25/99 - more JYA FOIA, added new NSA docs referenced in FOIA, DOJ,
patent, slashdot/wired
11/7/99 - Final JYA, Jones, Koops summary, Tales, Web tracking
11/8/99 - New Scientist
11/13/99 - SET21
11/15/99 - Jones stuff
11/30/99 - More JYA
12/4/99 - DoD DB
8/2/00 - JYA news, Consumertronics address change, general organizational
stuff
8/11/00 - WSJ/Forbes, JYA update, search engine links to other TEMPEST
stuff
10/2/00 - Uncategorized stuff at the top
11/30/00 - More Uncategorized stuff at the top
12/6/00 - Site reorganization, CNet Fed tap
12/10/00 - JYA timeline, SCSSI, revised dtic links, Blacktail logo
12/30/00 - JYA NSA FOIA docs
1/1/01 - More JYA FOIA
1/14/01-JYA NONSTOP
12/25/01 - final update (missed listing some during the course of the
year)
Special thanks to John Young for his relentless pursuit of information and archival prowess - see his Cryptome site for additional crypto/government/privacy/security/etc. information.
Last changed December 25, 2001
Copyright 1996,1997, 1998, 1999, 2000, 2001 Joel McNamara