TEMPEST eavesdropping is a process in which an attacker receives unintentionally emitted electromagnetic radiation from electronic devices, evaluates it and uses it to reconstruct data. TEMPEST was also the code name of a secret project by the US government that investigated emissions from telecommunications equipment or computers and tried to obtain data from them. A TEMPEST certification proves that a device is protected against this eavesdropping method.
The operating principle of eavesdropping on unintentionally emitted electromagnetic radiation
Wherever electricity flows, electromagnetic fields arise. Cables, plugs or electrical devices inadvertently emit electromagnetic radiation. LCD screens, computers, fax machines, printers, smartphones and microprocessors also continuously emit radiation. The electromagnetic radiation contains information about the functions the device is currently performing and the data it is processing or displaying. For instance, once the electromagnetic radiation is intercepted and analyzed, a complete screen display can be reconstructed. The receiving devices required for this are highly sensitive to electromagnetic radiation and cover a wide frequency spectrum. The emitted radiation can sometimes be received over a distance of several hundred meters without the user being aware of it. In the technical sense, the eavesdropping method is a side-channel attack.
Protective measures against eavesdropping on electromagnetic radiation
To protect yourself against eavesdropping and to prevent the unintentional emission of electromagnetic radiation, various protective measures are possible:
- The most popular measure is the purchase of TEMPEST equipment with housings that prevent radiation from escaping to the outside.
- Even entire rooms in which the devices are used can be protected with Faraday cages.
The TEMPEST certification
From the secret project of the US government, the NSA (National Security Agency) developed a test and certification program that consists of the Certified TEMPEST Manufacturer Program and the Certified TEMPEST Test Services Program. Depending on the security level, appropriate measures must be taken against electromagnetic radiation.
Use of TEMPEST certified devices
Certified devices are used in the following areas:
- Companies with the highest security requirements
The NATO / EU TEMPEST standards define three levels of protection requirements:
NATO SDIP-27 Level A / IASG 7-03 Level A
“Compromising Emanations Laboratory Test Standard”
This is the strictest standard, for devices that will operate in NATO Zone 0 environments, where it is assumed that an attacker has almost immediate access (e.g. neighbouring room, 1 m distance).
NATO SDIP-27 Level B / IASG 7-03 Level B
“Laboratory Test Standard for Protected Facility Equipment”
This is a slightly relaxed standard for devices that operate in NATO Zone 1 environments, where it is assumed that an attacker cannot get closer than about 20 m (or where building materials ensure an attenuation equivalent to the free-space attenuation of this distance).
NATO SDIP-27 Level C / IASG 7-03 Level C
“Laboratory Test Standard for Tactical Mobile Equipment/Systems”
An even more relaxed standard for devices that operate in NATO Zone 2 environments, where attackers have to deal with about 100 m worth of free-space attenuation (or equivalent attenuation through building materials).
Additional standards include:
“Installation of Electrical Equipment for the Processing of Classified Information”
This standard defines installation requirements, for example with respect to grounding and cable distances.
“NATO Zoning Procedures”
Defines an attenuation measurement procedure, according to which individual rooms within a security perimeter can be classified into Zone 0, Zone 1, Zone 2 or Zone 3. This determines which shielding test standard is required for equipment that processes secret data in these rooms.
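The level descriptions above treat attacker distance and building attenuation as interchangeable, and the zoning procedure is based on measured attenuation. The following added example (not part of the original page and not the standard's own procedure or thresholds) shows that equivalence as a planning calculation. It assumes far-field decay of 20·log10(d) relative to 1 m; the function names and survey values are constructed for illustration.

```python
import math

# Attacker distances the page gives for each level: Level B assumes about 20 m,
# Level C about 100 m of free-space attenuation; anything less falls to Level A.
LEVEL_B_MIN_M = 20.0
LEVEL_C_MIN_M = 100.0


def free_space_attenuation_db(distance_m, reference_m=1.0):
    """Attenuation relative to reference_m, assuming far-field 20*log10(d) decay."""
    if distance_m <= 0 or reference_m <= 0:
        raise ValueError("distances must be positive")
    return 20.0 * math.log10(distance_m / reference_m)


def equivalent_distance_m(physical_m, wall_db_by_mhz):
    """Free-space distance with the same attenuation as physical_m plus the walls.

    Uses the lowest wall attenuation over all measured frequencies, because an
    emission only has to leak at the weakest frequency to be received.
    """
    worst_wall_db = min(wall_db_by_mhz.values(), default=0.0)
    if worst_wall_db < 0:
        raise ValueError("wall attenuation cannot be negative")
    total_db = free_space_attenuation_db(physical_m) + worst_wall_db
    return 10.0 ** (total_db / 20.0)


def least_strict_level(physical_m, wall_db_by_mhz):
    """Least strict equipment level (A, B or C) whose distance assumption holds."""
    d_eq = equivalent_distance_m(physical_m, wall_db_by_mhz)
    if d_eq >= LEVEL_C_MIN_M:
        return "C"
    if d_eq >= LEVEL_B_MIN_M:
        return "B"
    return "A"


if __name__ == "__main__":
    # Constructed survey data: distance to the nearest uncontrolled point (m)
    # and wall attenuation in dB, keyed by measurement frequency in MHz.
    rooms = {
        "office": (5.0, {100: 30.0, 400: 18.0, 1000: 12.0}),
        "server room": (5.0, {100: 35.0, 400: 30.0, 1000: 27.0}),
        "lobby": (1.0, {}),
    }
    for name, (dist, walls) in rooms.items():
        d_eq = equivalent_distance_m(dist, walls)
        print(f"{name}: equivalent {d_eq:.1f} m -> Level {least_strict_level(dist, walls)}")
```

In the constructed office case the walls attenuate well at 100 MHz but only 12 dB at 1000 MHz, so the equivalent distance stays just under 20 m and the room still calls for Level A equipment.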