
TEMPEST and EMSEC: Is it possible to use electromagnetic waves in cyber attacks?


Recently, Venezuela experienced a series of outages that left 11 of the country's states without electricity. From the very beginning of the incident, the government of Nicolás Maduro claimed it was an act of sabotage, made possible by electromagnetic attacks and cyber attacks against the national electricity company Corpoelec and its power plants. The self-proclaimed government of Juan Guaidó, on the contrary, simply blamed the incident on "the inefficiency [and] the inability of the regime."

Without an impartial and in-depth analysis, it is very difficult to establish whether these outages were due to sabotage or to a lack of maintenance. Nevertheless, the allegations of sabotage raise a number of interesting information-security questions. Many control systems at critical infrastructure facilities such as power plants are closed, that is, they have no external connection to the Internet. So the question arises: can attackers reach such closed IT systems without connecting directly to their computers? The answer is yes. Electromagnetic emanations are one such vector: they can carry information out of a system that has no network connection at all.

How to "capture" electromagnetic radiation


All electronic devices produce unintended emissions in the form of electromagnetic and acoustic signals. Depending on factors such as distance and intervening obstacles, an eavesdropper can "capture" these signals with special antennas (or highly sensitive microphones, for acoustic signals) and process them to extract useful information. Monitors and keyboards are among the devices whose emanations leak usable information, which makes them attractive targets for attackers.
Starting with monitors: in 1985 the researcher Wim van Eck published the first unclassified paper on the security risk posed by the radiation of such devices. Monitors at that time used cathode ray tubes (CRT). His research demonstrated that the emissions of a monitor can be "read" at a distance and used to reconstruct the image shown on the screen. This phenomenon is known as van Eck phreaking (or van Eck interception), and it is in fact one of the reasons why a number of countries, including Brazil and Canada, consider electronic voting systems too unsafe for use in elections.

Figure: equipment used to attack a laptop located in the next room. Source: Tel Aviv University

Although today's LCD monitors emit far less radiation than CRT monitors, a recent study found that they are also vulnerable. Moreover, experts at Tel Aviv University (Israel) demonstrated this clearly: they managed to extract a secret cryptographic key from a laptop located in the next room, through the wall, using fairly simple equipment worth about $3,000, consisting of an antenna, an amplifier and a laptop running signal-processing software.

Keyboards, for their part, are also susceptible to interception of their emanations. This creates a real risk of attacks in which an eavesdropper recovers login credentials and passwords by analysing which keys were pressed.
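To make the capture-and-reconstruct idea of the last few paragraphs concrete, here is an added simulation (example code written for this page, not from the original article or from the researchers cited). It models a van Eck style attack in the simplest possible way: the victim's display draws twelve ASCII characters as a raster of 0/1 pixels, each pixel clock emits an amplitude proportional to the pixel value, the receiver sees that amplitude buried in Gaussian noise, and the display repeats the same frame at every refresh. The attacker does not assume the refresh timing: the code locks onto the frame period by autocorrelation, then averages the captured samples frame by frame, because the picture is the same in every frame while the noise is not. Everything here is a constructed assumption (the text `SECRET`, the 8x12 raster, the noise level); a real receiver would work with a software-defined radio and pixel clocks of tens of megahertz, not a list of Python floats.

```python
"""Simulated van Eck reconstruction: recover a displayed raster from noisy,
periodic emanations by locking onto the refresh period and averaging frames.
Constructed example; the signal model is deliberately simplified."""
import random

COLS, ROWS = 8, 12          # one ASCII byte (8 pixels) per row, 12 rows
FRAME_LEN = COLS * ROWS     # samples per refresh: one sample per pixel clock
NOISE_SIGMA = 1.5           # receiver noise per sample; a lit pixel emits 1.0
SECRET = "pw: Hunter-2"     # constructed "screen content", 12 characters


def render(text):
    """Turn the displayed text into a 0/1 raster, one character per row, MSB first."""
    assert len(text) == ROWS
    return [(ord(ch) >> (7 - col)) & 1 for ch in text for col in range(COLS)]


def emit(raster, frames, rng):
    """Model the compromising emanation: amplitude 1.0 for a lit pixel, 0.0 for a
    dark one, swamped by Gaussian receiver noise; the frame repeats every refresh."""
    return [px + rng.gauss(0.0, NOISE_SIGMA) for _ in range(frames) for px in raster]


def estimate_period(samples, lo, hi):
    """Lock onto the refresh period: the candidate lag (lo..hi) whose mean-removed
    autocorrelation is highest. Identical frames line up exactly at the true period."""
    mean = sum(samples) / len(samples)
    y = [v - mean for v in samples]

    def corr(lag):
        return sum(y[t] * y[t + lag] for t in range(len(y) - lag))

    return max(range(lo, hi + 1), key=corr)


def reconstruct(samples, period):
    """Average the capture frame by frame (noise averages out, the picture does not),
    then threshold each pixel at half the lit amplitude."""
    n_frames = len(samples) // period
    acc = [0.0] * period
    for f in range(n_frames):
        base = f * period
        for i in range(period):
            acc[i] += samples[base + i]
    return [1 if a / n_frames > 0.5 else 0 for a in acc]


def raster_to_text(raster):
    """Inverse of render(): each row of 8 pixels is one ASCII byte."""
    out = []
    for r in range(ROWS):
        bits = raster[r * COLS:(r + 1) * COLS]
        out.append(chr(int("".join(map(str, bits)), 2)))
    return "".join(out)


def pixel_errors(a, b):
    return sum(x != y for x, y in zip(a, b))


def run_attack(frames=256, seed=1):
    """Capture `frames` refreshes, find the period, compare a single-frame
    reconstruction against the averaged one, and decode the averaged raster."""
    rng = random.Random(seed)
    raster = render(SECRET)
    capture = emit(raster, frames, rng)
    period = estimate_period(capture, FRAME_LEN - 32, FRAME_LEN + 32)
    one_frame = reconstruct(capture[:period], period)
    averaged = reconstruct(capture, period)
    return {
        "period": period,
        "single_frame_errors": pixel_errors(one_frame, raster),
        "averaged_errors": pixel_errors(averaged, raster),
        "recovered": raster_to_text(averaged),
    }


if __name__ == "__main__":
    result = run_attack()
    print(f"locked period      : {result['period']} samples")
    print(f"single-frame errors: {result['single_frame_errors']} of {FRAME_LEN} pixels")
    print(f"averaged errors    : {result['averaged_errors']} of {FRAME_LEN} pixels")
    print(f"recovered text     : {result['recovered']!r}")
```

With the noise level chosen here a single frame is useless (roughly a third of the pixels come out wrong), yet averaging 256 refreshes recovers the text exactly, because averaging N frames shrinks the noise by a factor of sqrt(N) while the signal is unchanged. This is the same reason real TEMPEST receivers integrate over many frames and why one of the standard countermeasures is to make successive frames differ (font dithering, randomised timing) so that averaging no longer helps.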

TEMPEST and EMSEC


The first use of emanations to extract information dates back to the First World War and involved telephone lines. The same techniques were used widely during the Cold War with far more advanced equipment. For example, a declassified NSA document from the early 1970s ("TEMPEST: A Signal Problem") describes how in 1962 a security officer at the US embassy in Japan discovered a dipole antenna in a nearby hospital aimed at the embassy building to intercept its signals.

The concept of TEMPEST as such appears in the 1970s, with the first emission-security guidelines published in the United States. The code name refers to the study of unintended (compromising) emanations of electronic equipment that can leak classified information. The TEMPEST standard was created by the US National Security Agency (NSA) and gave rise to a family of security standards that were later also adopted by NATO.

The term is often used interchangeably with EMSEC (emission security), which is one component of COMSEC (communications security).

TEMPEST protection


Figure: Red/Black cryptographic architecture of a communication device. Source: David Kleidermacher

Firstly, TEMPEST protection builds on a basic concept from cryptographic engineering known as the Red/Black architecture. It divides a system into "red" equipment, which handles plaintext classified information, and "black" equipment, which carries only encrypted or unclassified data. One goal of TEMPEST protection is to enforce this separation physically and electrically: the red components are isolated from the black ones, and every line crossing the boundary passes through dedicated filters so that red signals cannot ride out on black cables.

Secondly, it is important to keep in mind that every device emits to some degree. The highest possible level of protection would therefore be to shield the entire space, including all computers, systems and components. For most organisations this would be prohibitively expensive and impractical, so more targeted measures are applied instead.


TEMPEST shows that even when corporate systems sit in well-protected physical spaces, or are not connected to external networks at all, there is still no guarantee that they are completely secure. That said, most of the vulnerabilities in critical infrastructure are far more likely to be exploited by conventional attacks (ransomware, for example), as we reported recently. Such attacks can be avoided with appropriate controls and modern endpoint protection. Combining all of these measures is the only way to secure systems that are critical to the future of a company, or even of an entire country.

Source: https://habr.com/ru/post/446852/
