Data, with the able assistance of the black hat hacking community, is constantly trying to escape the confines of its various containers while information security professionals everywhere are vigorously trying to stem its illicit flow. In the late 1960s, an increasingly controversial facet of this struggle piqued the U.S. government's interest, and it created the TEMPEST program to address the information security implications of data leakage through spurious electromagnetic and acoustic emissions.
The work was mostly theoretical at first, but then in 1985 Dutch scientist Wim van Eck shocked the cybersecurity community with the first practical demonstration of “Van Eck Phreaking”. This technique relied upon receiving the electromagnetic emissions from cathode ray tubes (CRTs) and their wiring in computer monitors. The high voltages, fast rise times, and long cabling required to drive CRTs made this component particularly vulnerable to this form of exploitation. The proof-of-concept required only a slightly modified television set and about $15 worth of readily available parts. Van Eck concluded that his technique could be used to exfiltrate data undetected at distances of up to a kilometer.
Needless to say, the eventual advent of liquid crystal display (LCD) monitors, which operated at substantially lower voltages and with much shorter leads, was warmly received by security professionals. Meanwhile, TEMPEST became a powerful weapon in the struggle against the black hats and addressed a wide variety of potential leakage paths, from crosstalk between cable segments to key-click variations on a keyboard. The program, which still operates but remains largely classified, specifies such parameters as minimum distances from equipment to outer walls, distances between secure and non-secure cables, types of cable shielding, and virtually anything else that could contribute to data leakage via spurious electromagnetic emissions or mechanical vibrations. There are three levels of certification, with the two most secure available only to the government and its contractors. The third, while benefiting from the research driving the other two, is less stringent and available to commercial users.
This month at Black Hat 2015, Columbia University's Ang Cui, also of Red Balloon Security, breathed new life into the art of data exfiltration by spurious electromagnetic emissions with a project that he called “Funtenna.” By infecting a device with malware, Ang was able to reliably encode data from it on a wide range of electromagnetic frequencies. Happily, his exploit had only a limited range because of his use of pins from the device's USB port as antennae to broadcast the signal.
Whether or how TEMPEST will address the implications of this new challenge is not yet clear. The most disturbing of the implications, though, is the possibility that someone will find a way to drive the Ethernet pins of a wired network device instead of its USB port pins. When that occurs, long runs of networking cable in compromised systems will become huge antennae broadcasting data to hackers listening far enough away that they will be completely undetectable.
There's good news for those who are already using optical cabling, however, and incentive to do so for those who are not. Fiber optic cables are electrically non-conductive and do not radiate electromagnetic fields. That this scenario cannot occur in a network connected by optical fiber links is yet another argument in favor of this technology. For more information about Ang's “Funtenna” project and a brief introduction to TEMPEST, see the links below.
Find out more about Compromising Emanations, the phenomenon driving TEMPEST, in this educational eBook:
The Frequently Overlooked Hole in Your Cyber Security Platform