The Complete, Unofficial
TEMPEST Information Page

Celebrating almost three years of public disclosure, and one-stop shopping for TEMPEST info...

Across the darkened street, a windowless van is parked. Inside, an antenna is pointed out through a fiberglass panel. It's aimed at an office window on the third floor. As the CEO works on a word processing document, outlining his strategy for a hostile take-over of a competitor, he never knows what appears on his monitor is being captured, displayed, and recorded in the van below.



skip the news and go to the introduction

Breaking News - December 4, 1999 - John Young has found an excellent source for non-classified, military TEMPEST information. The Defense Automated Printing Service has a searchable Web database devoted to military specifications and standards (from nukes to nylons). John reports some of the handbooks and standards contain information the NSA removed from documents that were recently released to him under the FOIA.  Here are some of the TEMPEST-related gems. Just enter a title and submit.

MIL-HDBK-232 - Red/Black Engineering-Installation Guidelines
MIL-HDBK-411A - Long Haul Communications (DCS), Power and Environmental Control for Physical Plant, MIL-HDBK-419 - Grounding, Bonding, and Shielding for Electronic Equipments and Facilities
MIL-HDBK-1195 - Radio Frequency Shielded Encosures
MIL-STD-188-124 - Grounding, Bonding, and Shielding for Common Long Haul/Tactical Communications Systems
MIL-STD-285 - Attentuation Measurement for Enclosures, Electromagnetic Shielding, for Electronic Test Purposes, Method of
MIL-STD-461E - (Replaces previous 461 and 462) Electromagnetic Interference Characteristics

Warning: These are huge PDF files, so have lots of bandwidth available. Also, if you're interested in these documents, you might want to get them now.  There's no telling if and when the DoD might decide to shut down this open source site.

Legal News - November 15, 1999 - I just received an e-mail from a Terrance L. Kawles, Esq. who is representing Frank Jones of Codex fame.  Mr. Kawles takes exception to a note I recently added to this page that states some people question Mr. Jones' credibility.  Mr. Kawles feels there is some type of smear campaign going on against his client by persons unknown, and is in the process of filing an action against various parties.  In the note I suggested that interested readers check USENET archives and decide for themselves about Mr. Jones (over the years there has been a lively discussion on Mr. Jones, both pro and con). Mr. Kawles feels this note is defamatory, and offers me two options: "...either remove the Note, or remove your references and links to the Mr. Jones and Codex."

I'm going to indulge Mr. Kawles and remove all links and information regarding Mr. Jones and his TEMPEST products.  Not because I'm caving in to the demands of some lawyer (my legal counsel states I have not published any defamatory statements regarding Mr. Jones).  But mostly because anyone that resorts to these kinds of tactics on the Net, really doesn't deserve to be mentioned in this site, which is devoted to public disclosure.

And Mr. Kawles, in regard to your statement, "As I understand, Mr. Jones was instrumental in providing information when you began your studies of TEMPEST, yet you reward him with this unnecessary editorial comment."  I'd love to see you substantiate that by providing any logs of communications between Mr. Jones and myself.

Older News - November 30, 1999 - John Young has acquired more NSA TEMPEST documents. His growing collection now includes NSA Endorsed TEMPEST Products Program, NSA Endorsed TEMPEST Test Services Procedures, and NSA Zoned Equipment Program.

November 13, 1999 - Issue 21 of the hacking magazine SET (think of a Spanish Phrack), has a lengthy text file on TEMPEST with some interesting schematics. Check out the Spanish version here, or cut and paste interesting bits into  Babelfish for translation here (any readers more fluent in Spanish than I are encouraged to submit a decent translation).

November 8, 1999 - New Scientist has a short TEMPEST article, where Markus Kuhn predicts intercept devices for under £1000 within the next five years (and although not TEMPEST specific, an interview with Ross Anderson included). Slashdot also has a thread going regarding the article.

October 25, 1999 - John Young filed a Freedom of Information Act request for TEMPEST-related material on May 18, 1998. The US government denied access to 22 of the 24 requested documents on grounds of secrecy.  Parts of the two released documents (NSTISSAM TEMPEST/1-92 - Compromising Emanations Laboratory Test Requirements, Electromagnetics - Appendix A , Table of Contents, Sections 1 - 5, and Sections 6 - 12, Appendix A, Appendices B-M, Distribution List and NSA/CSS Regulation 90-5, Technical Security Program) are now available for review.  John has filed an appeal in an attempt to get additional material disclosed.

I haven't had a chance to carefully read all of the documents yet, but when I get a chance, will provide a brief analysis. One interesting tidbit is the use of the codeword TEAPOT - "A short name referring to the investigation, study, and control of intentional compromising emanations (i.e., those that are hostilely induced or provoked) from telecommunications and automated information systems equipment."  Who says the NSA doesn't have a sense of humor.  TEMPEST, TEAPOT, ha, ha...

Note: The release just got mentioned over at Wired News and Slashdot, so be sure to check for insightful (or amusing) comments there. This page has gotten a fair amount of publicity lately, and I've added a Tales of the TEMPEST section that has interesting bits of e-mail I've received.


If you're even vaguely familiar with intelligence, computer security, or privacy issues, you've no doubt heard about TEMPEST. Probably something similar to the above storyline. The general principle is that computer monitors and other devices give off electromagnetic radiation. With the right antenna and receiver, these emanations can be intercepted from a remote location, and then be redisplayed (in the case of a monitor screen) or recorded and replayed (such as with a printer or keyboard).

TEMPEST is a code word that relates to specific standards used to reduce electromagnetic emanations. In the civilian world, you'll often hear about TEMPEST devices (a receiver and antenna used to monitor emanations) or TEMPEST attacks (using an emanation monitor to eavesdrop on someone). While not quite to government naming specs, the concept is still the same.

TEMPEST has been shrouded in secrecy. A lot of the mystery really isn't warranted though. While significant technical details remain classified, there is a large body of open source information, that when put together forms a pretty good idea of what this dark secret is all about. That's the purpose of this page.

The following is a collection of resources for better understanding what TEMPEST is. And no, I seriously don't think national security is being jeopardized because of this information. I feel to a certain extent, the "security through obscurity" that surrounds TEMPEST may actually be increasing the vulnerability of U.S. business interests to economic espionage. Remember, all of this is publicly available. A fair amount has come from unclassified, government sites. Up to this point, no one has spent the time to do the research and put it all together in a single location.

I've just begin to scratch the surface. If you have any additions, corrections, or amplifications, let me know. This is a work in progress, so check back often (updates are listed at the bottom of the page).

References marked with an (X), are good primary sources. If you just read these, you'll end up with an excellent overview on TEMPEST-related topics.

References marked with an (O) are reported dead links. These pages may be temporarily or permanently unavailable. Dead links are left for reference sake (you may want to check the main domain name or do further searching with AltaVista, etc.). It's interesting to note the number of military sites that now report 404 - Not Found or Forbibben Request errors for certain documents.

Note: As you start viewing TEMPEST info, you likely will run into vague or confusing acronyms. A great Net resource is the Acronym Finder site.

Joel McNamara - joelm@eskimo.com
Original page - December 17, 1996 - updated December 4, 1999


Contents

What is TEMPEST?
TEMPEST History
Just how prevalent is emanation monitoring?
TEMPEST Urban Folklore
General TEMPEST Information
EMSEC
HIJACK and NONSTOP
Online Sources
Patents
Paper Sources
Monitoring Devices
Do It Yourself Shielding Sources
TEMPEST Hardware & Consulting
US Government Information Sources
Department of Energy
Department of Justice
Geological Survey
Department of State
Treasury Department
National Security Agency
National Institute of Standards and Technology
US Military Information Sources
U.S. Navy
U.S. Air Force
U.S. Army
U.S. Coast Guard
Department of Defense
Other Countries
Used TEMPEST
Tales of the TEMPEST
Non-TEMPEST computer surveillance


What is TEMPEST?

TEMPEST is a U.S. government code word that identifies a classified set of standards for limiting electric or electromagnetic radiation emanations from electronic equipment. Microchips, monitors, printers, and all electronic devices emit radiation through the air or through conductors (such as wiring or water pipes). An example is using a kitchen appliance while watching television. The static on your TV screen is emanation caused interference. (If you want to learn more about this phenomena, a company called NoRad has an excellent discussion (X) of electromagnetic radiation and computer monitors (and Chomerics has a good electromagnetic interference 101 page), that you don't need to be an electrical engineer to understand. Also, while not TEMPEST-specific, a journal called Compliance Engineering (O), typically has good technical articles relating to electromagnetic interference. There's also the Electromagnetic Compliance FAQ.)

During the 1950's, the government became concerned that emanations could be captured and then reconstructed. Obviously, the emanations from a blender aren't important, but emanations from an electric encryption device would be. If the emanations were recorded, interpreted, and then played back on a similar device, it would be extremely easy to reveal the content of an encrypted message. Research showed it was possible to capture emanations from a distance, and as a response, the TEMPEST program was started.

The purpose of the program was to introduce standards that would reduce the chances of "leakage" from devices used to process, transmit, or store sensitive information. TEMPEST computers and peripherals (printers, scanners, tape drives, mice, etc.) are used by government agencies and contractors to protect data from emanations monitoring. This is typically done by shielding the device (or sometimes a room or entire building) with copper or other conductive materials. (There are also active measures for "jamming" electromagnetic signals. Refer to some of the patents listed below.)

Bruce Gabrielson, who has been in the TEMPEST biz for ages, has a nice unclassified general description of TEMPEST that was presented at an Air Force security seminar in 1987.

In the United States, TEMPEST consulting, testing, and manufacturing is a big business, estimated at over one billion dollars a year. (Economics has caught up TEMPEST though. Purchasing TEMPEST standard hardware is not cheap, and because of this, a lesser standard called ZONE (O) has been implemented. This does not offer the level of protection of TEMPEST hardware, but it quite a bit cheaper, and is used in less sensitive applications.)

Emanation standards aren't just confined to the United States. NATO has a similar standard called the AMSG 720B Compromising Emanations Laboratory Test Standard. In Germany, the TEMPEST program is administered by the National Telecom Board. In the UK, Government Communications Headquarters (GCHQ), the equivalent of the NSA, has their own program.


TEMPEST History

The original 1950s emanations standard was called NAG1A. During the 1960s it was revised and reissued as FS222 and later FS222A.

In 1970 the standard was significantly revised and published as National Communications Security Information Memorandum 5100 (Directive on TEMPEST Security), also known as NACSIM 5100. This was again revised in 1974.

Current national TEMPEST policy is set in National Communications Security Committee Directive 4, dated January 16, 1981. It instructs federal agencies to protect classified information against compromising emanations. This document is known as NACSIM 5100A and is classified.

The National Communications Security Instruction (NACSI) 5004 (classified Secret), published in January 1984, provides procedures for departments and agencies to use in determining the safeguards needed for equipment and facilities which process national security information in the United States. National Security Decision Directive 145, dated September 17, 1984, designates the National Security Agency (NSA) as the focal point and national manager for the security of government telecommunications and Automated Information Systems (AISs). NSA is authorized to review and approve all standards, techniques, systems and equipment for AIS security, including TEMPEST. In this role, NSA makes recommendations to the National Telecommunications and Information Systems Security Committee for changes in TEMPEST polices and guidance.


Just how prevalent is emanation monitoring?

There are no public records that give an idea of how much emanation monitoring is actually taking place. There are isolated anecdotal accounts of monitoring being used for industrial espionage (see Information Warfare, by Winn Schwartau), but that's about it. (However, see a very interesting paper written by Ian Murphy called Who's Listening that has some Cold War TEMPEST spy stories.) Unfortunately, there's not an emanation monitoring category in the FBI Uniform Crime Reports.  (While not TEMPEST-specific, the San Jose Mercury News printed a November 11, 1998 article(O) on how much money American businesses are losing to economic espionage.  Considering some of the countries involved, hi-tech spying techniques are likely being used in some cases.)

Threat?

There are a few data points that lead one to believe there is a real threat though, at least from foreign intelligence services. First of all, the TEMPEST industry is over a billion dollar a year business. This indicates there's a viable threat to justify all of this protective hardware (or it's one big scam that's making a number of people quite wealthy).

This scope of the threat is backed up with a quote from a Navy manual that discusses "compromising emanations" or CE. "Foreign governments continually engage in attacks against U.S. secure communications and information processing facilities for the sole purpose of exploiting CE." I'm sure those with appropriate security clearances have access to all sorts of interesting cases of covert monitoring.

Or not?

In 1994, the Joint Security Commission issued a report to the Secretary of Defense and the Director of Central Intelligence called "Redefining Security." It's worthwhile to quote the entire section that deals with TEMPEST. It's also interesting to note that the National Reconnaissance Office (NRO) eliminated the need for domestic TEMPEST requirements in 1992.

Maybe

The main difficulty in tracking instances of emanation monitoring is because it's passive and conducted at a distance from the target, it's hard to discover unless you catch the perpetrator red-handed (a bad Cold War pun). Even if a spy was caught, more than likely the event would not be publicized, especially if it was corporate espionage. Both government and private industry have a long history of concealing security breaches from the public.

As with any risk, you really need to weigh the costs and benefits. Is it cheaper and more efficient to have a spy pass himself off as a janitor to obtain information, or to launch a fairly technical and sophisticated monitoring attack to get the same data? While some "hard" targets may justify a technical approach, traditional human intelligence (HUMINT) gathering techniques are without a doubt, used much more often than emanation monitoring.


TEMPEST Urban Folklore

Because of the general lack of knowledge regarding TEMPEST topics, there is a fair amount of urban folklore associated with it. Here's some common myths. And if you can provide a primary source to prove me wrong, let me know (no friends of friends please).

General TEMPEST Information

Online Sources

Patents

A quick search of IBM's patent server service revealed several interesting patents: A note about patent 5297201. It references patent 2476337 that was issued July 1, 1949. Unfortunately, the details aren't available online, but the reference may be telling as to just how long emanation monitoring has been taking place.

Paper Sources


EMSEC

Those in the know no longer generically use the term TEMPEST to refer to emanations secruity.  The current buzzword d'jour is EMSEC, or Emissions Security. If you read between the lines, the change to the term EMSEC is interesting. A quote from an Air Force site(O):
"Emission Security (EMSEC) better known as TEMPEST has taken a drastic change over the past few years. These changes have necessitated a complete revision of rules and regulations, causing the need for new publications. While these new publications have been drafted and are in the coordination stages, we must continue to keep informed and up-to-date on EMSEC policy and procedures."
Hmmm. Just what drastic changes are we talking about?  Idle speculation might include: From the same site comes this quote:
"WHAT IS COMPROMISING EMISSIONS (sic)? Compromising emissions are unintentional intelligence-bearing signals which, if intercepted and analyzed, disclose the classified information transmitted, received, handled, or otherwise processed by any information processing equipment."
It's curious that the term "electromagnetic radiation" isn't used in the definition.  So, there are other monitoring vulnerabilities besides TEMPEST.  Which leads us to HIJACK and NONSTOP.


HIJACK and NONSTOP

In my quest for open-source material regarding TEMPEST, I've started to run into two new codewords, HIJACK and NONSTOP. At first there was only some sketchy information: Then, thanks to publicly available documents I found on the Net, we now know a little bit more.  Although the documents had classified information excised, there were still enough tidbits to put together a speculative guess regarding what HIJACK and NONSTOP related to.

NONSTOP is a classified codeword that apparently relates to a form of compromising emanations, but involves the transmital of the signals from radio frequency devices (handheld radio, cell phone, pager, alarm system, cordless phone, wireless network - AM/FM commercial broadcast receivers are excluded) in proximity to a device containing secure information. There are specific guidelines for either turning the RF device off, or keeping it a certain distance away from the secure device (PC, printer, etc.).

HIJACK is a classified codeword that apparently relates to a form of compromising emanations, but involves digital versus electromagnetic signals. An attack is similar in nature to a TEMPEST attack, where the adversary doesn't need to be close to the device that's being compromised. It does require access to communication lines (these can be wire or wireless).  The adversary uses antennas, receivers, a display device, a recording device, and one additional piece of equipment (a special detection system that is supposedly very sensitive and very expensive; and there are not very many of them in existence - sorry, I don't have any other details).  Also, the technician using this special equipment will supposedly require a great deal of training and experience.

Remember, the above is speculation.  And whether the guesses are accurate or not, at this point you'd need to have a security clearance to know for sure.


Monitoring Devices

John Williams (Consumertronics, 2430 Juan Tabo, NE, #259, Albuquerque, NM 87112) sells the Williams Van Eck System, an off the shelf emanation monitoring device. He also has a demonstration video and and a book called "Beyond Van Eck Phreaking." The updated Consumertronics Web site has a variety of interesting products (the $3 paper catalog is a good read too). In past written correspondence with Mr. Williams, he has provided a considerable amount of technical details about his products.

Ian Murphy, CEO of IAM/Secure Data System wrote a very interesting paper on TEMPEST, including a Radio Shack parts list for building a receiver.

I'm currently looking for first hand, real-world accounts of a monitoring device actually being used to gather intelligence (not in a demonstration). PGP-encrypted e-mail through anonymous remailers or nym servers perferred.


Do It Yourself Shielding Sources

After you've read Grady's paper...

If you're handy with a soldering iron, Nelson Publishing produces something called the EMI/RFI Buyers' Guide. This is a comprehensive list of sources for shielding material, ferrites, and other radio frequency interference and electromagnetic interference type products. There's even listings for TEMPEST products and consultants. Unfortunately, most of the sources don't have links. But company names, addresses, and phone/FAX numbers are supplied.

A more general electronics manufacturer data base is electroBase. They have over 7,800 manufacturers of all types listed.

There's an interesting product called Datastop Security Glass, that's advertised as the only clear EMF/RFI protection glass on the market. It's free of metal mesh, so has excellent optical clarity. This is the same stuff the FAA uses in air traffic control towers. Contact TEMPEST SECURITY SYSTEMS INC. for more details.

Just remember, effective emanation security begins with the physical environment. Unless you can shield the wiring (telephone lines, electrical wiring, network cables, etc.), all of the copper around your PC and in the walls isn't going to stop emanations from leaking to the outside world. In shielding, also remember that emanations can pass from one set of wires to another.


TEMPEST Hardware & Consulting

Here's some of the players in the billion dollar plus a year TEMPEST industry (this is by no means a complete list):

ADI Limited(O) is a big Australian defense contractor that does some TEMPEST testing.

AFC (Antennas for Communications) manufacturers TEMPEST sheilding enclosures for antennas.

Advanced Technology System Corporation sells TEMPEST equipment and provides consulting services.

Aerovox manufactures a variety of EMI filters. Nice downloadable catalog (Windows help format) with photos.

Allied Signal Aerospace performs Canadian TEMPEST testing.

Austest Laboratories is a down-under company that provides TEMPEST testing.

DEMCOM provides Soft-TEMPEST fonts in their Steganos II security suite.

Cabrac makes TEMPEST enclosures (nice picture).

Candes Systems Incorporated (X) produces TEMPEST products, including monitors, printers, and laptops. Nice photos and specs.

COS provides TEMPEST design and consulting services.

BEMA Inc. produces shielding products including a slick portable TEMPEST tent.

Braden produces shielded room components.

Computer Security Solutions is a women owned business in Virginia specializing in TEMPEST products.

Compucat (O) is an Australian company that provides a variety of TEMPEST products and services.

Compunetix(O) produces various TEMPEST rated product.

Conductive Coatings, a division of the Chromium Corporation, produces a variety of shielding solutions.

Corcom makes a variety of shielded jacks (RJ type) in its Signal Sentry line.

Corton Inc. manufactures TEMPEST keyboards.

Cryptek(O) sells TEMPEST photocopiers and communication products.

Cycomm sells TEMPEST workstations, terminals, printers, and more to folks like the State Department. Recently merged with Hetra.

D2D/Celestica(O) is a British TEMPEST testing, design, and manufacturing firm.

Dina distibutes Emcon TEMPEST products.

Dynamic Sciences (O) is another TEMPEST-oriented company. Among other things, they produce a piece of hardware called the DSI-110, for surveillance and testing purposes.

Einhorn Yaffee Prescott is an architecture and engineering firm that has built TEMPEST buildings for defense contractors.

Elfinco SA(O) is a British company that produces sheilding products. Most notable is electromagnetic shielded concrete.

Equiptco Electronics (O) sells a variety of general electronic equipment and supplies, some TEMPEST standard (but you need to dig through their catalog to find it).

EMC Technologies is an Australian company that provides TEMPEST testing.

Emcon Emanation Control Limited, in Onatrio, Canada, has been providing TEMPEST equipment to NATO governments for the past 12 years.

EMP-tronic is a Swedish company specializing in shielded rooms.

ERS is a recruiting service that finds jobs for TEMPEST engineers (and others).

Filter Networks produces inline TEMPEST line filters.

Framatome Connectors International manufactures TEMPEST cables and connectors in the UK, especially suited for marine use.

GEC-Marconi Hazeltine(O)  produces COMSEC products as well as TEMPEST design and test facilities.

Glenair is a multi-national company that produces some shielding products.

Greco Systems manufactures factory tools and ruggedized TEMPEST computers.

GSCG. Formerly GRiD Government Systems. Tempest laptops, desktops, and printers.

GTE, the phone people, make a TEMPEST version of their Easy Fax (O) product, complete with a STU-III (encrypted phone) gateway.

HAL Communications Corp. provides TEMPEST shielded modems and radio equipment to the government.

Hetra Secure Solutions (X) sells lots of TEMPEST goodies.

Hewitt Refractories Limited produces Manta, a ceramic material that can be used for shielding.

Hyfral is a French company that specializes in room shielding.

IAM Secure Data Systems (O) offers Tempest consulting services.

ILEX Systems sells TEMPEST fax machines and other goodies.

JMK makes a variety of filters (including those of the TEMPEST variety).

Kern Engineering makes TEMPEST backshells for connectors.

Kontron Elektronic is a German company that offers a slick little shielded portable.(O)

LCR Electronics makes Tempest filters.

Lindgren-Rayproof is a British company specializing in shielding.

Logical Solutions builds and sells Tempest cables.

Lynwood is a UK supplier of TEMPEST and ruggedized PCs.

Motorola SSTG EMC/TEMPEST Laboratory(O) - Arizona testing facility.

NAI Technologies (X)(O) produces a variety of TEMPEST standard workstations and peripherals.

Nisshinbo is a Japanese company that provides quite a bit of detail on its TEMPEST shielding products. The DENGY-RITE 20 wideband grid ferrite absorber panels is especially interesting.

P & E Security Analysis - TEMPEST and security consulting. Some good links to government pubs.

Panashield manufactures a variety of shielding enclosures.

Profilon makes a TEMPEST laminate that can be installed over glass.

Pulse Engineering manufactures sheilded COMSEC and INFOSEC hardware.

Racal Communications does TEMPEST evaluations.

Radiation Sciences Inc. is a TEMPEST consulting and training firm in Pennsylvania.

Raytheon Systems Company provides TEMPEST testing services (not much detail).

SCI Consulting has done TEMPEST work for clients like the Department of Energy.

Schaffner EMC supplies EMC filtering and testing devices.

Secure Systems Group (SSG) has been around since 1986, providing a variety of TEMPEST computer products.

Security Engineering Services Inc. is a consulting firm that offers TEMPEST courses and other services. The courses are only offered to students who have a security clearance. The interesting thing is the course books appear to be orderable by any U.S. citizen. TEMPEST Hardware Engineering and Design and TEMPEST Program Management and Systems Engineering, with over 800 pages of total material are available for $200.

Seimens makes TEMPEST versions of HP LaserJets and other product.

Shadow Chaser Investigations is a private investigation firm that supposedly does TEMPEST work.

Solar Electronics sells a variety of EMI filters, including TEMPEST specific.

Southwest Research Institute(O) (SwRI) performs TEMPEST and other testing.

SystemWare Incorporated is another consulting company that offers TEMPEST consulting. Not much information at this site.

TRW Specialized Services offers TEMPEST testing, both in the lab and field. This site has a nice Acrobat brochure that describes their services.

TSCM Consultant supposedly offers TEMPEST security consulting (page was under construction).

Tecknit is one of the leaders in shielding products. They specialize in architectural shielding (copper coated doors, panels, etc.) and smaller gaskets and screens for electronic devices. A very informative site, with downloadable Acrobat catalogs.

Tempest Inc. has been around for 13 years and produces TEMPEST standard hardware for the government and approved NATO countries. Their catalog isn't online, but as an example they offer an interesting Secure Voice Switching Unit that's used in USG executive aircraft. Not much technical information here.

Turtle Mountain Communications makes a TEMPEST fax device and other communications equipment.

TUV is a British firm that does TEMPEST testing.

Tempest Security Systems - Vendor of Pilkington architectural glass that reduces emmanations.

Wang Federal Systems (O) also sells TEMPEST rated hardware as well as performs testing. This site contains their product and services catalog. Some good information.

Windermere Group performs government TEMPEST testing.

Veda Inc. (O) is a defense contractor who landed a 5.6 million dollar Navy contract for TEMPEST and COMSEC services.

XL Computing is a Florida company with a large catalog of TEMPEST hardware.

ZipperTubing manufactures EMI cable sheilding.

There's an interesting EMC-related site that has lots of job listings, many having to deal with TEMPEST. This is a good intelligence source.

A truth in advertising note: Just because a piece of hardware is advertised as "designed to meet NACSIM 5100A" or "designed to meet TEMPEST standards" doesn't mean the device has gone through the rigorous TEMPEST certification process. "Real" TEMPEST hardware will clearly state it has been certified or endorsed.


US Government Information Sources

"The National TEMPEST School (at Lackland Air Force Base - here's a map(O)) is responsible for providing training on TEMPEST criteria for installing, designing and testing electronic information processing systems for all U.S. Government departments and agencies, selected non-government agencies, and approved personnel from allied nations."  Check out their course listings and schedules (archived here(O)).  Gee, wonder if I can enroll in a class or two?

Department of Energy (DOE)

The Department of Energy is an extremely security conscious agency. A variety of their documents provide revealing glimpses of TEMPEST procedures.

While not TEMPEST-specific, the DOE's Computer Incident Advisory Capability (CIAC) has an interesting document called CIAC-2304 Vulnerabilities of Facsimilie Machines and Digital Copiers (PDF format). In it, TEMPEST threats to FAX machines and copiers are briefly discussed. There are several papers referenced, including:

The DOE's Safeguards and Security Central Training Academy also has some relevant classified training courses.

The DOE apparently uses a company called DynCorp(O) to perform internal TEMPEST assessments.

Department of Justice

Ricoh supplies TEMPEST shielded FAX machines to the FBI, DEA, and U.S. Marshals Service.

Geological Survey (USGS)

Even the map making folks get involved with TEMPEST. Check out the National Security Information Automated Information Systems section of their manual.

National Institute of Standards and Technology (NIST)

In the 1989 Annual Report of the National Computer System Security and Privacy Advisory Board(O), NIST stated that "TEMPEST is of lower priority in the private sector than other INFOSEC issues." It's fairly well known that NIST is influenced by the NSA, so this quote needs to be taken with a grain of salt.

NIST has a list of accredited laboratories(O) that perform MIL-STD-462 (electromagnetic interference) testing. Some of these also do TEMPEST testing.

While a bit dated (1986), A GUIDELINE ON OFFICE AUTOMATION SECURITY has a few references to TEMPEST, as well as other computer security nuggets.

Brief mention of the Industrial TEMPEST program as well as contacts (may be dated).

National Security Agency (NSA)

The NSA publishes something called the Information Systems Security Products and Services Catalogue (X). It contains a list of TEMPEST compliant hardware (as well as other approved security products). The cost of the catalog is $15 for a single copy or $34 for a yearly subscription (four issues). Requests for this document should be addressed directly to: Unfortunately, several of the following classified documents can't be ordered: On May 14, 1998, John Young filed a Freedom of Information Act request with the NSA to provide him with information relating to TEMPEST.  The NSA replied that he would have the material by July, 1999.  See Breaking News at the top of the page.

State Department

While it's not hard to guess, the State Department uses TEMPEST equipment in foreign embassies. There's a position called a Foreign Service Information Management Technical Specialist - Digital(O), that pays between $30,000 to $38,000 a year. The ideal candidate should have a knowledge of TEMPEST standards as well as the ability to repair crypto hardware.

Along with cryptography, the export of TEMPEST standard hardware or devices for suppressing emanations is restricted by the International Traffic in Arms Regulations (ITAR). However, there is an exception in that: "This definition is not intended to include equipment designed to meet Federal Communications Commission (FCC) commercial electro-magnetic interference standards or equipment designed for health and safety."

Treasury Department

The Treasury Department's Office of Security is mandated with handling TEMPEST and emissions security.


US Military Information Sources

Part of the government's mandate to reduce costs is to make information available online. While the average user doesn't have access to Milnet or Intelink, there are a variety of unclassified, military sources on the Internet that directly or indirectly relate to TEMPEST standards.

Jargon alert. You'll sometimes see references to RED/BLACK systems. A red system is any device that stores or transfers classified data. Black systems store/transfer unclassified data. Gee, with all of the black projects and helicopters around these days, I would have thought it would be the other way around.

U.S. Navy

The Navy seems to be a further ahead then the other services in putting content online, including:

Chapter 16 of the Navy's AUTOMATED INFORMATION SYSTEMS SECURITY GUIDELINES manual is devoted to emanations security (X). Probably the most interesting section in this chapter deals with conducting a TEMPEST Vulnerability Assessment Request (TVAR). Completing the TVAR questionnaire provides some common sense clues as to how electronic security could be compromised.  (The Navy seems to have pulled this.  Try this alternate link.(O))

Chapter 21 of the same manual deals with microcomputer security. Section 21.8 Emanations Security, reads: "TEMPEST accreditation must be granted for all microcomputers which will process classified data, prior to actually processing the data. Your security staff should be aware of this and submit the TEMPEST Vulnerability Assessment Request (TVAR) to COMNISCOM. Microcomputers may be able to comply with TEMPEST requirements as a result of a TEMPEST telephone consultation, as permitted by COMNISCOM. Contact the Naval Electronic Security Engineering Center (NESSEC) for further information to arrange a TEMPEST telephone consultation. Use of a secure phone may be required and your request will be followed with written guidance." This leads one to believe that certain PC systems may not be as susceptible as others to emanations monitoring.

C5293-05 TEMPEST Control Officer Guidebook - "Provides guidance to the individual assigned responsibility for TEMPEST implementation at a major activity." Unfortunately, not online, and likely classified.

NISE East Information Warfare-Protect Systems Engineering Division(Information Warfare-Protect Systems Engineering Division - Code 72) puts on a couple of TEMPEST related training courses, (O) including "Tempest Criteria for System/Facility Installation" and "Tempest Fundamentals." These are targeted toward Department of Defense personnel and civilian contractors who must comply with TEMPEST standards as part of their business.

"The Reduction of Radio Noise Eminating from Personal Computers" (O) is a thesis topic at the Department of Electrical Engineering, Naval Postgraduate School.

Electromagnetic Environmental Effects. While not security-related, some good background information.

Check out Grumman Aerospace's spiffy TEMPEST building, where they do development work for the Navy on the EA-6B aircraft.

The Navy's INFOSEC site has lots of interesting information.  There's even a TEMPEST related services link.  Information Warfare (IW) Protect Systems Engineering Division (Code 72) appears to be the key TEMPEST players.

U.S. Air Force

The Air Force Emmission Security Program instruction manual (AF Instruction 33-203) has a remarkable amount of information about TEMPEST.  My guess is this site won't remain available to the public for very long.

Even though the DoD started shutting down Web sites back in September for security reasons, there is still a tremendous amount of material being made to the general public.  Examples that came from Offut Air Force Base these:

I really doubt these will be available very long.  There is a remarkable amount of detail in these documents.

The Air Force's Rome Laboratory has produced a variety of interesting defense related systems. Some developments likely related to TEMPEST include:

The Air Force is currently engaged in research and development for building TEMPEST sheilded vans and command shelters using lightweight composite components.

Other Air Force documents:

Lately the Air Force has developed a program called SATE (Security Awareness Training & Education) that integrates COMSEC, COMPUSEC and EMSEC disciplines.

The 497th Intelligence Group (497 IG), out of Bolling Air Force Base, Washington DC, manages TEMPEST related issues for the Air Force.

U.S. Army

The U.S. Army Information Systems Engineering Command(O) is headquartered at Fort Huachuca, Arizona (here's the new link for ISEC, with access password protected). The Fort engages in a variety of spook-related activities. One of the classified documents that is referenced is: The Army Corps of Engineers released a publication called "Electromagnetic Pulse (EMP) and TEMPEST Protection for Facilities" (X) EP1110-3-2, in December 1990 (unclassified). This is a treasure trove of information related to shielding buildings. (Thanks to John Young for digitizing parts of this massive document.  It's also available in sections, PDF format, from an Army site.)

The Army Corps of Engineers, Construction Engineering Research Laboratories, has also been experimenting with low cost TEMPEST shielding technologies. Low Cost EMP EMI Tempest Shielding Technology (O) fact sheet link doesn't work anymore, but you can get a summary here(O).

The Army's White Sands Missle Range has a Test Support Division(O) that does TEMPEST testing as well as other things. An interesting photo of the inside and outside of a test truck is shown.

The Army's Blacktail Canyon (X) EMI/TEMPEST facility at Ft. Huachuca (spook-related location in Arizona), recently put up a Web page, with lots of interesting info.  Also check the main Electronic Proving Ground site (why it is a .com instead of .mil or .gov site I have no idea).

The Army's Protective Design Center in Omaha specializes in structure designs to resist blasts as well as TEMPEST attacks.

U.S. Coast Guard

The Coast Guard has a TEMPEST security program(O) in their Security Policy and Management Division (G-WKS-5)

Department of Defense

The Department of Defense's Defense Technical Information Center(O) has information regarding the Collaborative Computing Tools Working Group (O) (representatives from private sector and the intelligence and defense communities). The CWG put together some TEMPEST recommendations for video-conferencing products (O).

From a post to the Cypherpunks list in April of 1994, by Steve Blasingame:

DA Pamphlet 73-1, Part One, 16 Oct 1992 (DRAFT) (X)(O) is an obscure document that discusses survivability and mission performance of military systems. The interesting thing in this pamphlet is a fairly detailed description of the military's Blacktail Canyon facility.

Other Defense Department documents:

Some interesting FOIA Star Wars program computer security requirements, including a TEMPEST separation table.


Other Countries

The US isn't the only one playing the TEMPEST game. Here's some additional sources from various countries.

Australia

A brief defense document on emmanation security.

Canada

COMMUNICATIONS SECURITY ESTABLISHMENT PUBLICATIONS

European Commission

I love it when governments can't keep their acronyms/codewords straight.  There is an official TEMPEST testing lab, but TEMPEST stands for Thermal, Electromagnetic & Physical Equipment Stress Testingand deals with devices used in animal tagging.  Sheesh...

UK

The British Central Computer and Telecommunications Agency(O) publishes a variety of computer security titles including:

Used TEMPEST

TEMPEST shielded computer equipment sometimes leaks out into the public in the form of surplus and scrap sales. This section is devoted to descriptions.

One informant used to work at a Defense Reutilization and Marketing Office (DRMOs are the DoD's version of a garage sale).  In the past, TEMPEST equipment was demil-ed (crushed), now due to miscoding and classification downgrades, TEMPEST equipment is literally a dime a dozen.  Computer surplus goodies go for about 12 cents a pound.

Through a contractural association with a major defense company, Fluid Forming Technologies has been assigned to dispose of a TEMPEST level "secured working environment." Modular construction, 160' x 20' x 10', can probably be segmented into smaller units. Available as of January 1, 1998. E-mail fftllc@eci.com for additional details or snail mail:

    Fluid Forming Technologies LLC,
    9 Brush Hill Rd, Suite 318
    New Fairfield, CT  06812

JC describes two shielded IBM PC cases he picked up from a scrap dealer for $35 each (unfortunately they had already sold the printers and monitors). The cases were labeled EMR XT SYSTEM UNIT (on the front), with a model number of 4455 1 (on the back). The cases are similar to a standard IBM XT case, except depper toward the back, so a filter bank and power supply baffle could be installed. The top is bolted down, requiring an allen wrench to remove. The top part of the case has a gasket groove for the brass colored RF gasket, and the mating surface is a finished in anodized aluminum. The top appears to be a cast aluminum plate. Each of the ports in the rear has a filter, unused ports have a metal blocking cover that mates to the case and make a good eletrical contact.

W.J. Ford Surplus Enterprises(O) had the following printer for sale in December 1996:

LASER PRINTER Make:MITEK Model:100T 300 X 300 DPI LASER PRINTER WITH LETTER SIZE PAPER TRAY, 8 PPM, MEETS NACSIM TEMPEST SPECS, C.W. OWNER'S MANUAL (TONER CARTRIDGE NOT INCL.) Dimensions: 19.00"w x 16.00"h x 16.50"d 1.00 on hand, No Graphic on file, Item No.:1208 RAMP Price: $ 250.00

As of February 8, 1997, Dark Tanget (of DEFCON fame) has a whole collection of TEMPEST shielded equipment for sale. Check out his page (X) for complete info and photos. Lots of great details and specs. Also a related Slashdot thread.

As of June 15, 1998, Hugh Sebra had fifty TEMPEST-shielded Fibercom 7197 DPT Dual Path Fiberoptic Transceivers for sale.

While not for sale, H. Layer has a photo of a circa 1986 Tempest Macintosh as his cool Mind Museum page.

Note: I personally don't own or have access to any surplus TEMPEST equipment. However, if you've encountered such hardware, let me know about it.


Tales of the TEMPEST

Recent publicity about this page has resulted in some interesting personal accounts dealing with TEMPEST-related topics. This section lists excerpts from various correspondence.  In most cases, the names have been removed to protect the innocent.

C writes:
 

Interesting page of TEMPEST-related stuff. One additional information source you may want to include for those attempting to proof themselves against an EME-type attack might be the ARRL (Amateur Radio Relay League) Handbook for the Radio Amateur. It has a very complete chapter on preventing radio interference caused by ham radio gear, much of which
could be adapted for use with a computer. The book is updated yearly, so the information is usually top-notch. Most libraries have it.

BTW, for those on the other side of the question (or who wish to be) there's probably enough info in the book to help them put together a TEMPEST monitoring outfit if they're handy with a soldering iron.

F writes:
I have an early  SVGA 15" Gateway CrystalScan monitor (the ones that are purported to be part of a class-action lawsuit), which, when attached to a Mac, will display *exact* and *readable* text on TVs within a reasonable distance--a measured 60-plus feet for sure, through walls and floors, and quite possibly more, I didn't have the inclination to drag a TV out into the lot on an extension cord to find out how far I could go.

Though it is only readable during the 'dark' between commercials on certain channels, it was a pretty frightening revelation, as I accept and produce some pretty sensitive materials. The scarier part for me was that I had used it for weeks before I finally turned on a TV at the same time that the monitor was not in screen-saver mode (a password-protected mode I generally drop into anytime I leave the desk, alone in the building or not).  Anyone in my building, including unassociated neighbors, or anyone within whatever the ultimate range might have been could have seen a bunch of stuff that could have caused serious damage to my firm. If anyone did see anything, they haven't bit me with it--yet.

In addition to displaying readable text, you can also discern images to a limited degree, and I imagine with some simple tweaks of the color guns, some enterprising cracker could get some pretty good imaging.

The monitor has some other more obvious  side effects, such as emitting such EMF levels as to *seriously* distort any monitor within about a foot of its left side, and about two feet of its right side. It also gave me frequent eye strain if I used it too long (even though the picture was incredibly sharp for its class).

Since I'm a MacHead and use multiple monitors (three to seven screens, depending on where I am), this situation was unacceptable all by itself, but I was using the monitor ($15 at a local thrift store)  as a temporary display while my prime screen was off in warranty land (I never did get that one back).

It will also emit such a frequency as to produce varied-intensity scrolling vertical and horizontal lines on a TV with either rabbit ears or hooked up via 75 Ohm cable to an attic antennae, depending on what channel you are tuned to. I can't recall the exact per-channel  results, but (if memory serves) it was minor (but annoying) lines and rolls on the lower VHF, and major interference and ghosting  with the readable text on the UHF.

The funny thing is, other people in the building couldn't watch TV without all the serious distortion any time the monitor was not in screen saver mode (just having the monitor powered at all would produce a limited interference), and never noted any readable text, because they avoided the badly affected channels. When they would ask me to look at the TV situation and prescribe a fix (I'm the boss and building owner) , I never saw it, because (of course) I put the monitor to sleep before I would venture out for an inspection. Talk about Keystone Kops! They would joke that the TV was afraid to not be working properly when the boss was
present, and we just wrote it off to rogue cell phone or CB users,  because our portable phones and computer speakers would frequently pick up passing car/truck  audio signals from such devices.

(Yet another bonus was that the staff wasn't prone to hang out in the break room and watch TV anytime I was working)

I'd've never discovered the source of the whole thing, save for a Sunday when  I came into get some computer backups and volume house-cleaning done, and I dragged in a little B&W TV to also "watch" the football game. I was going mad trying to get any decent reception at all that close to the damn thing, not noting for at least a couple of events that it cleared up substantially when the screen went into  an idle screen saver mode on its own. I finally  gave up and settled for just audio, and only
noted the relation hours later when I powered off the monitor to rearrange my desk. A couple of on-off clicks later, I started laughing, finally finding the source of all the problems for the whole building--that is until a commercial pause came on, and I saw the contents of my open-folder list displayed on the screen.

I goofed around for the next sixty minutes, trying desperately to discern what I could see in that momentary darkness between commercials, and in those brief moments, I found that I could *easily* read my email, word docs, spreadsheets, database, etc., and I could repeat the ability on every TV screen in every room on every floor to which I had access-- Eeek!

Anyway, this note got a lot longer than I wanted, but I still have the monitor, if it holds any interest to you as a "primary source" of the fact that an SVGA can most definitely be a victim of low-cost TEMPEST (albeit an admittedly and likely rare event on only one monitor I can
name).

M writes:
"LCD displays on laptops eliminate the risks of TEMPEST attack."

No way. I get a few channels in my apartment via rabbit-ear and UHF loop antenna reception - they're pretty weak, but on a good day and in the absence of major interference, I can watch Ally McBeal. I'm also a longtime notebook computer user, mostly Apple Powerbooks. The TFT LCD screen specifically interferes with the lower-numbered VHF channels on my TV,
which also happen to be more poorly propagated at my location. The CPU and motherboard also interfere, but the screen is by far the worst and can't be within twenty feet and/or two interior walls of the antennae without substantial, patterned interference. And this is a low-power laptop with a relatively small 10" screen (800x600, 60Hz refresh), using under seven watts including the 180MHz CPU. Shutting off the screen independently of the rest of the machine greatly reduces the interference.

That doesn't mean that there's intelligible information in all that noise, of course, but given that I can change the appearance of the interference by changing the onscreen display, I'd be willing to bet that there is. It's also worthwhile to note that conventionally (greyscale) antialiased fonts look horrible on crisp LCD screens because there's none of the natural innaccuracy and softening that a CRT produces (in other situations this is a good thing and reduces eyestrain, the main reason I don't use CRTs any
more). This includes the filtered ones your page links to (I'm looking at them now). There is a different mode of antialiasing that makes use of the slight RGB offset on an LCD display (one of the few real innovations to come out of Microsoft, of all places), which might be applied to this purpose. Unfortunately one has to use different fonts depending on whether the screen elements are arranged RGB or BGR (both exist at the moment, in approximately equal proportion).

S writes:
In a (government) security briefing, I did witness a legitimate Tempest intercept of an IBM Selectric typewriter. However, the typewriter had been modified to produce unusually high levels of signals, the distance over which the intercept occurred was fairly short, and the conductors of the demo insisted all other potential sources of emanations be powered down in the area where the demo was conducted.

While my time with the government (Secret Service and Naval Intelligence) did not deal directly with Tempest intercept or
screening, the general consensus, even in the most sensitive circles, was that there were far easier, effective and more efficient methods of gathering information. At one time the threat was taken seriously, but not anymore.

Just think, in an average office or even modern home environment, how many sources of radiation there are, and how difficult it would be to target one and one only. Remember the strength of a field decreases with the square of the distance. Your wristwatch at close range produces a stronger signal than a large CRT the other side of the room.

In the early days, before every cigarette lighter and toaster over contained a microprocessor, and CRT technology was not refined, there may have been a threat. Anymore, CRTs operate at much lower levels and the RF/EMI environment is much busier. Remember when we were young and televisions came with warnings about sitting too close? Do you see
those anymore, even on large color screens? Far less energy now is needed to excite the extremely efficient phosphors in the CRT. In the early days, it was done with brute force.

It's fun to talk about, but from a practical level I believe there no longer is a threat.

I have never seen a real world demo of a genuine Tempest/Van Eck intercept, and I have been around some. The alleged construction articles leave themselves an out, like saying a lot of experimenting is needed to fine tune or whatever.
Sort of like the chemical formulas with a line buried deep "then a miracle occurs".


Non-TEMPEST computer surveillance

In researching TEMPEST topics, sometimes I run into little-known tidbits that relate to possible computer surveillance techniques.

Infrared Ports

The Department of Energy Information Systems Security Plan has an interesting section titled, 8.5 Wireless Communications (Infrared Ports). It states:

"The use of wireless communications (infrared) ports found on most PPCs to interface with printers and other peripheral devices is strictly forbidden when processing classified information. These ports must be disabled on all accredited PPCs and peripherals by covering the window with a numbered security seal or physically removing the infrared transmitter."


Disclaimer: I've never been involved with the TEMPEST community, had a security clearance for TEMPEST, or have access to classified material relating to TEMPEST. The information on this page is completely derived from publicly available, unclassified sources.

revision history
12/17/96 - original document
12/18/96 - added link to van Eck follow-up article, shielding comments
12/21/96 - reorganization and additional comments about Rome Lab, ZONE, DOE, non-TEMPEST
12/22/96 - added Smulders paper
01/02/97 - added Compliance Engineering, additional NIST, Navy, Canada, Used, and paper sources
01/08/97 - added UK, patents
01/11/97 - added DA Pamphlet 73-1/Blacktail test facility, Army, COMPUTERWOCHE, EMC, HAL, Austest, Racal, Compucat, Nisshinbo
02/02/97 - added Naval Postgraduate School, EMC FAQ, DynCorp, Conductive Coatings, GEC Marconi, CorCom, AFC, Corps of Engineers, Ford Surplus, GTE, ECM job list, White Sands, Cortron, SwRI, Veda, Emcon
02/14/97 - added DEFCON goodies to Used
02/18/97 - added Redefining Security report, Lynwood
03/10/97 - added Datastop glass to shielding section
03/21/97 - added Moller paper (from Phrack 44)
03/26/97 - added Army Corps of Engineers pub, Elfinco, recommended Xs
04/12/97 - added Computerwoche translation
06/09/97 - added Blacktail page, Framatome Connectors International
07/02/97 - added JMK
12/15/97 - added LCR, Logical Solutions, IAM, GSGC, Tempest Mac
02/08/98 - added Anderson & Kuhn paper, FFTLLC, dead link check
03/03/98 - added Army EMP, Compunetix, XL Computing
03/30/98 - added USGS, Motorola, Tempest Security Systems
11/14/98 - added EMP-tronic, SSG, Filter Networks, Australia section, Braden, Hewitt, TUV, Windermere, ERS, ADI, ZipperTubing, Army EPG, Glenair, Allied Signal, D2D, Truthnet, EC, Hyfral, Navy E3 and other, BEMA, Raytheon, Shadow Chaser, Dina, ATSC, Profilon, EYP, CSS, ILEX, DOE 5300, Cycomm, Murphy paper, Cryptek, Greco,  Lindgren-Rayproof, Turtle Mt., Kern, Cabrac, Solar Electronics, National TEMPEST school, Air Force 33-203, HIJACK/NONSTOP
11/17/98 - added Gabrielson papers, SJM News article, Pulse Eng, US Coast Guard, DRMO, c't article, Chomerics, JY FOIA
11/19/98 - Air Force van, EMSEC, Air Force sec mems, new HIJACK & NONSTOP info
11/25/98 - anti-TEMPEST fonts link, alt Air Force links, Schwartau .WAV speech
7/3/99 - Computer Security Solutions, TSCM consultant, student paper, Seimens, P&E, SATE, dead links
7/11/99 -iDefense TEMPEST bust, Acronym Finder
7/19/99 - Hetra, updated DefCon page, Slashdot article
8/19/99 - Gabrielson piece, DEMCOM
8/21/99 - Durak CPU, Mueller HIP
10/10/99 - ISEC update, 497 IG, Treasury, NRO, Star Wars, Navy Code 72, COS, Koops, Army PDC, c't articles
10/24/99- John Young FOIA news
10/25/99 - more JYA FOIA, added new NSA docs referenced in FOIA, DOJ, patent, slashdot/wired
11/7/99 - Final JYA, Jones, Koops summary, Tales, Web tracking
11/8/99 - New Scientist
11/13/99 - SET21
11/15/99 - Jones stuff
11/30/99 - More JYA
12/4/99 - DoD DB

Special thanks to John Young for his relentless pursuit of information and archival prowess - see his Cryptome site for additional crypto/government/privacy/security/etc. information.


Copyright 1996,1997, 1998, 1999 Joel McNamara

back to main