This class of espionage techniques, originally named TEMPEST by the National Security Agency but now subsumed under the more general term “side-channel attack”, has been a known problem in computer security for nearly eight decades, and is a problem that the United States government considers carefully to protect its own classified information. Now a pair of US lawmakers are launching an investigation into just how vulnerable the rest of us are to Tempest-style surveillance – and whether the US government is requiring device makers to do more to protect Americans.
On Wednesday, Senator Ron Wyden and Representative Shontel Brown released a letter sent to the Government Accountability Office (GAO) calling for it to investigate the vulnerability of modern computers to Tempest-style side-channel attacks, which monitor and interpret accidental emissions from PCs, phones and other computing devices so that their operations can be surveilled. In the letter, Wyden and Brown wrote that these forms of espionage “not only pose a counterintelligence threat to the U.S. government, but these methods could also be used by adversaries against the American public, including to steal strategically important technologies from American companies.”
Along with the letter, Wyden and Brown also commissioned a newly released Congressional Research Service report about the history of Tempest and the contemporary threat posed by similar side-channel attacks. It describes the US government’s efforts to protect its equipment from those espionage techniques, including the use of isolated, radio-shielded locations for safely accessing classified information, each known as a Sensitive Compartmented Information Facility, or SCIF. Meanwhile, the government “has neither warned the public about this threat, nor imposed requirements on manufacturers of consumer electronics such as smartphones, computers, and computer accessories to build technical countermeasures into their products,” Wyden and Brown wrote in the letter. “In this way, the government has left the American people unprotected and in the dark.”
Wyden and Brown’s letter ends with a request to GAO to review a list of Tempest-related issues: the scale of the modern privacy threat of side-channel attacks, the “cost and feasibility” of implementing protections against them in modern devices, and “potential policy options to mitigate this threat against the public, including requiring device manufacturers to add countermeasures to their products,” suggesting that Congress pressure tech companies to add more protections to the devices they sell.
How practical side-channel attacks like Tempest are against modern computing equipment – and how often they are actually used by hackers and spies – is unclear. But the possibility of such attacks has been taken seriously by the US government since the early 1940s, when Bell Labs discovered that machines sold to the US military to encrypt messages produced signals legible on an oscilloscope on the other side of the lab.
The Bell Labs machines were transmitting clues about the inner workings of military cryptography in radio waves created by the electromagnetic charges of their components. A declassified NSA report from 1972 later described the problem of “radio frequency or acoustic energy” being transmitted by the agency’s classified computers. The report states: “These emissions, like small radio transmissions, can spread through free space to distances of half a mile or more” if the signal is conducted through nearby material such as power lines or water pipes.