Full Report
A pair of US lawmakers are calling for an investigation into how easily spies can steal information based on devices’ electromagnetic and acoustic leaks—a spying trick the NSA once codenamed TEMPEST.
Analysis Summary
# Vulnerability: TEMPEST (Side-Channel Electromagnetic and Acoustic Emanations)
## CVE Details
- **CVE ID**: N/A (General architectural/physical vulnerability class)
- **CVSS Score**: N/A (Varies by specific implementation, but historically classified as a high-priority national security threat)
- **CWE**: [CWE-203](https://cwe.mitre.org/data/definitions/203.html) (Information Exposure Through Discrepancy), [CWE-1300](https://cwe.mitre.org/data/definitions/1300.html) (Improper Handling of Physical Energy Side-Channel Emissions)
## Affected Systems
- **Products**: Nearly all electronic computing devices including smartphones, PCs, laptops, computer accessories, and cryptographic hardware.
- **Versions**: All versions of consumer electronics lacking specialized TEMPEST shielding.
- **Configurations**: Devices processing sensitive data near power lines, water pipes, or within range of sensitive radio/acoustic receivers.
## Vulnerability Description
TEMPEST refers to a class of side-channel attacks involving the interception of unintended electromagnetic (EM), acoustic, or vibratory signals emitted by electronic devices. These accidental emanations are generated by various components:
- **Semiconductors and wiring:** Switching currents in chips, board traces, and cables radiate radio-frequency energy.
- **Mechanical Parts:** Hard drive movements and cooling fans create specific vibrations.
- **Input Devices:** Keystrokes generate unique acoustic and EM signatures.
- **Screens:** Monitors emit "Van Eck" radiation that can be used to reconstruct images.
If these signals are captured by sensitive equipment (such as oscilloscopes or software-defined radios), an adversary can reconstruct private data, including cryptographic keys, typed text, and screen content.
## Exploitation
- **Status**: Historically exploited by intelligence agencies; PoCs widely available in academic and security research communities.
- **Complexity**: High (Requires specialized hardware and proximity/signal processing expertise).
- **Attack Vector**: Physical / Adjacent (Range can extend from a few meters to over half a mile if signals are conducted through utilities like power lines).
## Impact
- **Confidentiality**: High (Total exposure of processed data, including encryption keys).
- **Integrity**: Low (Primary threat is eavesdropping, not modification).
- **Availability**: N/A.
## Remediation
### Patches
There is no "software patch" for these physical phenomena. Remediation requires hardware-level changes and physical environmental controls.
### Workarounds
- **Physical Shielding:** Utilizing Faraday cages or Sensitive Compartmented Information Facilities (SCIFs).
- **Zoning:** Keeping sensitive ("red") equipment and signal lines physically separated from unclassified ("black") lines, and at a safe distance from potential intercept points and conductive paths.
- **Filtering:** Using TEMPEST-rated power filters to prevent signal leakage through electrical wiring.
- **Jamming/Noise:** Introducing "white noise" or signal interference to mask the device's legitimate emanations.
## Detection
- **Indicators of Compromise**: Physical detection of unauthorized listening devices or unexpected radio-frequency (RF) equipment in the vicinity.
- **Detection Methods and Tools**:
  - Scanning for unauthorized RF transmitters using spectrum analyzers.
  - Periodic physical security sweeps for "bugs" or modified hardware (interposers).
  - Monitoring for anomalous electromagnetic signatures within the facility.
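One way to operationalize the last two bullets, as an added example that is not part of the original report: compare periodic spectrum sweeps against a baseline survey of the facility and flag only bins that rise persistently, so a single passing phone does not trigger an alert. The survey format (frequency bin in MHz mapped to dBm) and all readings are constructed assumptions, not data from the page.

```python
"""Baseline-vs-sweep RF comparison for periodic emanation-security checks.

Each survey maps a frequency bin (MHz) to measured power (dBm), as exported
from a spectrum analyzer or SDR sweep tool (assumed format). A bin is flagged
when it rises well above the facility baseline and above a minimum level;
requiring the rise to persist across several sweeps suppresses one-off
transients. All readings below are constructed sample values.
"""
from typing import Dict, List, Tuple

Survey = Dict[float, float]  # frequency (MHz) -> power (dBm)

NOISE_FLOOR_DBM = -100.0  # assumed reference for bins absent from the baseline


def flag_anomalies(baseline: Survey, current: Survey,
                   rise_db: float = 10.0, min_dbm: float = -80.0) -> List[Tuple[float, float]]:
    """Return (freq, delta_db) for bins that rose by at least rise_db over the
    baseline and are now at or above min_dbm (strong enough to matter)."""
    hits = []
    for freq, power in sorted(current.items()):
        ref = baseline.get(freq, NOISE_FLOOR_DBM)
        delta = power - ref
        if delta >= rise_db and power >= min_dbm:
            hits.append((freq, round(delta, 1)))
    return hits


def persistent_anomalies(baseline: Survey, sweeps: List[Survey],
                         min_hits: int = 3, **kw) -> List[float]:
    """Frequencies flagged in at least min_hits of the given sweeps."""
    counts: Dict[float, int] = {}
    for sweep in sweeps:
        for freq, _ in flag_anomalies(baseline, sweep, **kw):
            counts[freq] = counts.get(freq, 0) + 1
    return sorted(f for f, n in counts.items() if n >= min_hits)


# Constructed baseline from a quiet-facility survey and three later sweeps.
BASELINE: Survey = {433.9: -95.0, 915.0: -92.0, 2412.0: -60.0, 2437.0: -88.0, 5180.0: -65.0}
SWEEPS: List[Survey] = [
    {433.9: -70.0, 915.0: -91.0, 2412.0: -58.0, 2437.0: -87.0, 5180.0: -66.0, 1090.0: -75.0},
    {433.9: -71.0, 915.0: -92.0, 2412.0: -61.0, 2437.0: -88.0, 5180.0: -64.0},
    {433.9: -69.0, 915.0: -90.0, 2412.0: -59.0, 2437.0: -86.0, 5180.0: -65.0},
]

if __name__ == "__main__":
    for f in persistent_anomalies(BASELINE, SWEEPS):
        print(f"persistent unexplained carrier near {f} MHz: investigate")
```

Flagged bins still need a human to correlate them with a walk-through and an inventory of authorized emitters; the script only narrows where to look.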
## References
- **US Congressional Inquiry:** Letter from Senator Ron Wyden and Rep. Shontel Brown to the GAO.
- **NSA Declassified History:** NSA report (1972) on "Compromising Emanations."
- **Wired Article:** hxxps://www.wired[.]com/story/how-vulnerable-are-computers-to-an-80-year-old-spy-technique-congress-wants-answers/
- **National Research Council:** hxxps://www.nap[.]edu/read/13217/chapter/1 (Information on TEMPEST standards).