By Ryan Singel
April 29, 2008
It was 1943, and an engineer with Bell Telephone was working on one of
the U.S. government's most sensitive and important pieces of wartime
machinery, a Bell Telephone model 131-B2. It was a top secret encrypted
teletype terminal used by the Army and Navy to transmit wartime
communications that could defy German and Japanese cryptanalysis.
Then he noticed something odd.
Far across the lab, a freestanding oscilloscope had developed a habit of
spiking every time the teletype encrypted a letter. Upon closer
inspection, the spikes could actually be translated into the plain
message the machine was processing. Though he likely didn't know it at
the time, the engineer had just discovered that all information
processing machines send their secrets into the electromagnetic ether.
Call it a TEMPEST in a teletype.
This story of how the United States first learned about the fundamental
security vulnerability called "compromising emanations" is revealed for
the first time in a newly declassified 1972 paper, TEMPEST: A Signal
Problem (.pdf), from the National Security Agency's secret in-house
journal Cryptologic Spectrum.
"There has always been speculation about TEMPEST coming out of the Cold
War period," says Joel McNamara, author of Secrets of Computer
Espionage: Tactics and Countermeasures, who maintained for years the
best compilation of public information on TEMPEST. "But the 1943
Bell Labs discovery is roughly ten years earlier than I would have
The unnamed Bell Telephone technician was the Alexander Graham Bell of a
new, secret science, in which electronic eavesdroppers -- as far away as
hundreds of feet from their target -- tune into radio waves leaking from
electronic equipment to steal secrets.
Building on the breakthrough, the U.S. developed and refined the science
in an attempt to spy on the Soviets during the Cold War. And it issued
strict standards for shielding sensitive buildings and equipment. Those
rules are now known to government agencies and defense contractors as
TEMPEST, and they apply to everything from computer monitors to
encrypted cell phones that handle classified information.
Until now, little has been known about when and how the U.S. government
began trying to protect itself from this threat, and the NSA paper tells
the story well.
Bell Telephone faced a dilemma. They had sold the equipment to the
military with the assurance that it was secure, but it wasn't. The
only thing they could do was to tell the [U.S. Army] Signal Corps
about it, which they did. There they met the charter members of a
club of skeptics who could not believe that these tiny pips could
really be exploited under practical field conditions. They are
alleged to have said something like: "Don't you realize there's a
war on? We can't bring our cryptographic operations to a screeching
halt based on a dubious and esoteric laboratory phenomenon. If this
is really dangerous, prove it."
So the Bell engineers were placed in a building on Varick Street in
New York. Across the street and 80 feet away was the Signal Corps'
Varick Street cryptocenter. The engineers recorded signals for about an
hour. Three or four hours later, they produced about 75% of the
plain text that was being processed--a fast performance, by the way,
that has been rarely equaled.
Oddly, the lessons were forgotten at the close of World War II --
even as the Soviets seemed to have learned to insulate their machines.
In 1951, the CIA told the nascent NSA that they had been playing with
the Bell teletype machines and found they could read plain text from a
quarter mile down the signal line.
In 1962, the Japanese, then our allies, attempted just that by aiming an
antenna on top of a hospital at a U.S. crypto center, according to the
article. And the Russians did the same -- planting not just the famous
40 microphones in the U.S.'s Moscow embassy, but also seeding mesh
antennas in the concrete ceiling, whose only purpose could have been
stealing leaked energy pulses.
The principle of the TEMPEST attack is deceptively simple. Any machine
that processes information -- be it a photocopier, an electric
typewriter or a laptop -- has parts inside that emit electromagnetic
and acoustic energy that radiates out, as if they were tiny radio
stations. The waves can even be picked up and amplified by nearby power
lines, telephone cables and even water pipes, carrying them even
further. A sophisticated attacker can capture the right frequency,
analyze the data for patterns and recover the raw information the
devices were processing or even the private encryption keys inside the
Decades ago the FCC set standards prohibiting electrical devices
from interfering with one another, concerned merely about noise. These
days we know that computer monitors, audio cables and other information
machines like credit card machines in restaurants actually emit
Outside of the government, almost nothing was known about how such
eavesdropping worked until 1985, when a computer researcher named Wim
van Eck published a paper explaining how cheap equipment could be used
to pick up and redisplay information from a computer monitor. The first
mentions of TEMPEST began in the mid-1960s, and Gene Hackman introduced
the Faraday cage to the public in the 1970s in the classic eavesdropping
movie The Conversation.
In addition to explaining how the U.S. discovered compromising
emanations, the declassified NSA document provides a surprising
historical snapshot of Cold War espionage techniques, says McNamara.
"It is ... interesting that CIA rediscovered the vulnerability in 1951
and work on countermeasures soon followed," he says. "One can assume
that the U.S. Intelligence Community also began using the electronic
surveillance technique against foreign powers during this same time
frame. From the 1953 and 1954 dates mentioned in the document, it seems
the Russians were aware of the vulnerability by then, and were taking
measures to secure their communications equipment."
Princeton University science professor Matt Blaze also expressed some
amazement at the Bell researchers discovering as early as 1943 that
digital equipment leaked information.
The earliest reference to emissions attacks I'm aware of ... is
Peter Wright's recollections, in his book Spycatcher, of following
around spies in 1950s London by tracking the local oscillators of
their radio receivers. But that's analog, not digital.
The NSA did not declassify the entire paper however, leaving the
description of two separate, but apparently related, types of attacks
One attack is called "Flooding" and the other "Seismic."
The idea of being able to steal plain text of an encrypted message using
earthquake sensors? Stinkin' cool.
THREAT LEVEL anxiously awaits the back story on that attack to be told.