Project Tempest
Leaked Radio Signals - SDR Adventures, RF Spying and why to dust off your Tin Foil Hat for 2023
Almost 30 years ago, while exploring the depths of BBSs and the shadier parts of the early Internet, as every kid does, I stumbled upon an intriguing concept called Project Tempest. At that time, hardware and software were out of my reach, so I filed it under "very interesting but unachievable" in my mind.
Fast forward a decade or two, and I got my hands on a 2832 RTL-SDR, a Software Defined Radio USB dongle that started its life as a Digital TV receiver. I played with it, listened to FM and AM radios, and eavesdropped on some CB communications, as there was no transmit option with the cheap SDR. I thought of it as an interesting toy but not much more.
I knew it could download weather satellite images and the like, but at that time, I had other projects, so it went onto my backburner. However, the concept of Tempest remained at the fringes of my thoughts, and the label I put on it as unachievable without a lot of effort prevented me from doing more research on what had been done on the subject in the past couple of decades.
Every now and then, the Tempest project would find its way into the media, like the HackaDay article "Tempest: a tin foil hat for your electronics and their secrets" from 2015, which detailed what Tempest was and some advances in bringing it to the masses, but it was still more academic than practical. Then, a new HackaDay article, "Pulling data from HDMI RF leakage in 2023," piqued my interest again, and this time I took some time to dive deeper and see what progress had been made by the online community in bringing this to the public. What I found was truly interesting.
First, what is Project Tempest?
The Tempest project has its roots in the Cold War era when the United States and the Soviet Union were engaged in a technological race to gain intelligence on each other. The project was initially aimed at developing techniques to protect sensitive electronic equipment from eavesdropping, as well as intercepting and analyzing the electromagnetic emissions of enemy equipment.
Project Tempest is a codename for a set of standards and guidelines established by the United States National Security Agency (NSA) in the late 1970s and early 1980s. The primary goal of Project Tempest was to research and develop techniques for shielding sensitive electronic equipment from electromagnetic eavesdropping and to intercept and analyze electromagnetic emissions from enemy equipment. The term "TEMPEST" is believed to be an acronym for "Transient Electromagnetic Pulse Emanation Standard," although the true origin of the name remains classified.
The principal discovery was made by Bell Laboratories when they were testing Bell's telephone mixing device. One researcher noticed, as it usually goes, by accident, that each time the machine stepped, a spike appeared on an oscilloscope in a distant part of the lab. “After he examined these spikes more carefully, he found that he could read the plain text of the message being enciphered by the machine! Bell Telephone faced a dilemma. They had sold the equipment to the military with the assurance that it was secure, but it wasn't. The only thing they could do was to tell the Signal Corps about it, which they did. There they met the charter members of a club of skeptics who could not believe these tiny pips could be exploited under practical field conditions.”
They were wrong; it was quite possible to exploit those tiny pips under practical field conditions.
There is also a second story of how it was discovered. Former MI5 scientist Peter Wright recounts in his book “Spycatcher” that in 1960, while Britain was negotiating to join the European Economic Community, the intelligence community was interested in determining the French negotiating position. “They tried to break the French diplomatic cipher and failed. However, Wright and his assistant Tony Sale noticed that the enciphered traffic carried a faint secondary signal, and constructed equipment to recover it. It turned out to be the plaintext, which somehow leaked through the cipher machine.”
Similar techniques can be applied when snooping on CPUs that execute known algorithms. Even if signals caused by single instructions are lost in the noise, correlation techniques can be used to spot the execution of a known pattern of instructions. Bovenlander reports identifying when a smartcard performs a DES encryption by monitoring its power consumption for a pattern repeated sixteen times. Several attacks become possible if one can detect in the power consumption that the smartcard processor is about to write into EEPROM. For example, one can try a PIN, deduce that it was incorrect from the power consumption, and issue a reset before the non-volatile PIN retry counter is updated. In this way, the PIN retry limit may be defeated.
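As an illustration of the correlation idea in this paragraph (added here; it is not from the original post or from Bovenlander's work), the following simulation builds a constructed power trace containing sixteen copies of a constructed per-round signature and slides a matched filter (normalised cross-correlation) over it. TEMPLATE, ROUND_LEN, GAP, the noise levels and the round timings are all assumptions. It also shows two things a designer can change: inserting random delays between rounds keeps the sixteen peaks but destroys their regular spacing, so the timing of later steps is harder to predict from the trace, and raising the noise floor relative to the signature makes single-template matching fail altogether.

```python
"""Matched-filter detection of a repeated operation in a simulated power trace.
Added example: the trace, the per-round signature and all timings are constructed."""
import random

ROUNDS = 16        # a DES encryption runs 16 structurally identical rounds
ROUND_LEN = 40     # constructed: samples per round signature
GAP = 10           # constructed: idle samples between rounds

# Constructed per-round power signature (assumed identical in every round).
_rng = random.Random(7)
TEMPLATE = [_rng.random() for _ in range(ROUND_LEN)]


def build_trace(seed=1, noise_sd=0.1, max_delay=0, rounds=ROUNDS):
    """Idle noise, then `rounds` copies of TEMPLATE spaced GAP apart, then idle
    noise again. max_delay > 0 adds a random extra delay before each round
    (the random-delay countermeasure). Returns the trace and the true starts."""
    rng = random.Random(seed)
    trace = [rng.gauss(0.0, noise_sd) for _ in range(100)]
    starts = []
    for _ in range(rounds):
        idle = GAP + rng.randint(0, max_delay)
        trace.extend(rng.gauss(0.0, noise_sd) for _ in range(idle))
        starts.append(len(trace))
        trace.extend(v + rng.gauss(0.0, noise_sd) for v in TEMPLATE)
    trace.extend(rng.gauss(0.0, noise_sd) for _ in range(100))
    return trace, starts


def normalised_xcorr(trace, template):
    """Pearson correlation between the template and every window of the trace."""
    n = len(template)
    tm = sum(template) / n
    tz = [v - tm for v in template]
    tn = sum(v * v for v in tz) ** 0.5
    out = []
    for off in range(len(trace) - n + 1):
        win = trace[off:off + n]
        wm = sum(win) / n
        wz = [v - wm for v in win]
        wn = sum(v * v for v in wz) ** 0.5
        out.append(sum(a * b for a, b in zip(wz, tz)) / (wn * tn) if wn else 0.0)
    return out


def detect_rounds(trace, template=TEMPLATE, threshold=0.75):
    """Offsets where the trace looks like one round: correlation peaks above
    threshold, keeping only the strongest peak within any template length."""
    xc = normalised_xcorr(trace, template)
    candidates = sorted((c, i) for i, c in enumerate(xc) if c >= threshold)
    peaks = []
    for _, i in reversed(candidates):          # strongest first
        if all(abs(i - p) >= len(template) for p in peaks):
            peaks.append(i)
    return sorted(peaks)


def regular_spacing(peaks, tolerance=1):
    """True when consecutive peaks are (almost) equally spaced: the fixed-cadence
    signature that lets an observer predict when the next step will happen."""
    gaps = [b - a for a, b in zip(peaks, peaks[1:])]
    return bool(gaps) and max(gaps) - min(gaps) <= tolerance


def demo():
    """Fixed cadence vs. random delays vs. a raised noise floor."""
    clean, starts = build_trace()
    delayed, _ = build_trace(seed=3, max_delay=25)
    noisy, _ = build_trace(seed=5, noise_sd=1.0)
    p_clean = detect_rounds(clean)
    p_delayed = detect_rounds(delayed)
    return {
        "fixed_cadence": (len(p_clean), regular_spacing(p_clean), p_clean == starts),
        "random_delays": (len(p_delayed), regular_spacing(p_delayed)),
        "buried_in_noise": len(detect_rounds(noisy)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:>16}: {result}")
```

The sixteen-peak count is the "pattern repeated sixteen times" the text describes; the spacing check is what a fixed-timing implementation gives away and what random delays take back. The noisy case is the other countermeasure: once the signature is small compared to the noise, a single template no longer correlates above the floor, and the observer is pushed towards averaging many traces instead.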
Project Tempest remained a secret for a long time, but in the following years, other scientists noticed similar emissions. One of the first detailed technical analysis reports that addressed security risks of emanations from computer operations was published in 1985 by Wim van Eck. Before that, the phenomenon was not publicly known, and van Eck's publication was the first unclassified technical analysis. Van Eck demonstrated that the screen content of a video display unit could be reconstructed at a distance using low-cost home-built equipment, such as a TV set whose sync pulse generators were replaced by manually controlled oscillators.
Not only are RS-232 cables or 10BASE-T networks at risk, but even bank ATMs are vulnerable, as card readers and keypads are typically connected to the CPU using serial links.
Compromising emissions are not solely a result of signal lines functioning as unintended antennas. Both power and ground connections can inadvertently disclose high-frequency information. Data line drivers can generate low-frequency fluctuations in the power supply voltage, leading to frequency shifts in the clock and ultimately resulting in the data signal being frequency modulated within the emitted RFI.
Another threat arises from "active" attacks, where malicious modulators and data-dependent resonators manipulate external electromagnetic radiation. Suppose an attacker is aware of the resonant frequency of a device, such as a computer keyboard cable. In that case, they can target it with that specific frequency and then decode the keypress information from the retransmitted signal caused by impedance changes. Generally, transistors are non-linear and can modulate any intercepted signals that are picked up and retransmitted by a connected line. This phenomenon is well recognized within the counterintelligence community, where "nonlinear junction detectors" are employed to detect radio microphones and other unauthorized devices.
These days there is little talk of Project Tempest as such; the field has morphed into what is called the Air-Gap Attack, which covers ways of transporting data out of secured locations without using a host network. A 2023 paper, "A Survey on Air-Gap Attacks: Fundamentals, Transport Means, Attack Scenarios and Challenges" by Park, J.; Yoo, J.; Yoo, J.; Lee, J.; Song, J., describes this as modulating signals (electromagnetic waves, optical signals, acoustic signals, etc.) that are naturally generated by the components of the isolated PC (graphics card, internal fan, keyboard, hard disk drive (HDD), light-emitting diodes (LED), etc.) into a desired frequency or signal, thereby leaking important data to an external network.
In other words, every part of your PC that runs on electricity and is not purposely shielded can, to some extent, be externally monitored via the electromagnetic radiation it gives off during normal operation.
In 2017, a little article came and went on the RTL-SDR news page with the title "TempestSDR: An SDR tool for eavesdropping on computer screens via unintentionally radiated RF". It slipped through my RSS feeds unnoticed, but as I began my review of the idea anew in 2023 it popped up on the Nth page of Google, not on the first page.
At first I was ecstatic, but also a little worried, as it is an older project and would require setting up a compile environment and other things I didn't have much time for. Luckily, someone had already done that: Erwin Ried from Norway has on his GitHub a precompiled, packed self-executable Java app that needs no other dependencies. The original project was made by Martin Marinov from the UK.
Now, if you are like me and don't have a HackRF device but only a lonely 2832 RTL-SDR, you will need to unpack the .exe file by renaming it from .EXE to .RAR, open it with WinRAR, and replace the HackRF ExtIO file with ExtIO_RTL2832.dll.
Additional ExtIO files can be found on GitHub, but I've compiled everything needed into one handy repository. Once you start the program, under File you will see Load ExtIO source. Click on that and the SDR plugin will start; that's it.
I used the following test pattern on the target screen.
While attempting to capture the RF emissions from one of my screens, I accidentally intercepted my colleague's screen instead. With almost 20 other screens nearby, all emitting various levels of RF interference, it was surprising to discover that only his screen was visible. Upon further investigation, I realized that his screen was connected via a DVI cable, while all the other displays were connected with HDMI cables, which have more shielding and consequently less electromagnetic (EM) leakage.
There was so much RF being put out that the screen could be found on multiple frequencies, and, as expected, the higher we went the "clearer" the image. The image is skewed due to the lousy antenna, but still, I was really impressed and a little horrified by how easy it was to capture a video signal from the air that was never meant to be sent over the air.
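To make concrete the principle behind van Eck's reconstruction and TempestSDR's frame-rate and line-count controls, here is a small simulation, added here and not taken from the original post or from TempestSDR. The display geometry (ACTIVE_W, ACTIVE_H, H_TOTAL, V_TOTAL), the screen content and the noise level are constructed assumptions; nothing is captured from a real device. The model is that what radiates is the pixel-to-pixel transition of the video signal, so the receiver sees a noisy edge map scanned line by line and repeated once per frame. Folding the stream at the right frame length and averaging adds the picture up coherently while the noise averages out; a single frame, or a line length that is off by one, gives nothing recognisable.

```python
"""Sync-locked raster recovery, simulated (the idea behind van Eck's 1985
demonstration and TempestSDR). Added example; every signal here is constructed."""
import random

# Constructed display geometry (assumption): a tiny raster so the demo runs instantly.
ACTIVE_W, ACTIVE_H = 32, 16    # visible pixels per line, visible lines
H_TOTAL, V_TOTAL = 40, 20      # pixel clocks per line and lines per frame, blanking included


def screen_content(seed=1):
    """Constructed 1-bit screen content: a pseudo-random bitmap standing in for text."""
    rng = random.Random(seed)
    return [[float(rng.randint(0, 1)) for _ in range(ACTIVE_W)] for _ in range(ACTIVE_H)]


def edge_map(img):
    """What radiates is the pixel-to-pixel transition, not the brightness itself:
    a sharp edge in the video signal is a fast current change on the cable."""
    return [[abs(row[x] - (row[x - 1] if x else 0.0)) for x in range(len(row))] for row in img]


def emitted_stream(img, frames, snr_db, seed=2):
    """Model of the leak as seen by a receiver sampling once per pixel clock: the
    frame is scanned line by line (blanking included), the edge signal repeats
    once per frame, and Gaussian noise is added at the requested SNR."""
    frame = [[0.0] * H_TOTAL for _ in range(V_TOTAL)]
    for y in range(ACTIVE_H):
        frame[y][:ACTIVE_W] = img[y]
    one_frame = [v for row in edge_map(frame) for v in row]
    sig_power = sum(v * v for v in one_frame) / len(one_frame)
    noise_sd = (sig_power / 10 ** (snr_db / 10)) ** 0.5
    rng = random.Random(seed)
    return [v + rng.gauss(0.0, noise_sd) for _ in range(frames) for v in one_frame]


def reconstruct(stream, h_total, v_total):
    """Fold the stream at the assumed frame length and average. Anything that
    repeats exactly once per frame (the picture) adds up coherently; noise
    averages out. This is what the frame-rate and line-count controls in a
    tool like TempestSDR let you tune by eye."""
    frame_len = h_total * v_total
    n = len(stream) // frame_len
    acc = [0.0] * frame_len
    for k in range(n):
        base = k * frame_len
        for j in range(frame_len):
            acc[j] += stream[base + j]
    return [[acc[y * h_total + x] / n for x in range(h_total)] for y in range(v_total)]


def correlation(a, b):
    """Pearson correlation of two equal-length sequences."""
    n = len(a)
    ma, mb = sum(a) / n, sum(b) / n
    cov = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    va = sum((x - ma) ** 2 for x in a)
    vb = sum((y - mb) ** 2 for y in b)
    return cov / (va * vb) ** 0.5


def recovery_quality(recon, img):
    """Correlation between the recovered active area and the true edge map
    (1.0 = perfect picture, about 0 = nothing recognisable)."""
    got = [recon[y][x] for y in range(ACTIVE_H) for x in range(ACTIVE_W)]
    want = [v for row in edge_map(img) for v in row]
    return correlation(got, want)


def demo(snr_db=-10.0, frames=200):
    """Three cases: one noisy frame, `frames` frames averaged with the right
    geometry, and the same frames folded with the line length off by one."""
    img = screen_content()
    single = reconstruct(emitted_stream(img, 1, snr_db), H_TOTAL, V_TOTAL)
    stream = emitted_stream(img, frames, snr_db)
    averaged = reconstruct(stream, H_TOTAL, V_TOTAL)
    wrong = reconstruct(stream, H_TOTAL + 1, V_TOTAL)
    return {
        "single_frame": recovery_quality(single, img),
        "averaged": recovery_quality(averaged, img),
        "wrong_geometry": recovery_quality(wrong, img),
    }


if __name__ == "__main__":
    for name, score in demo().items():
        print(f"{name:>15}: {score:.2f}")
```

Running it prints three correlation scores against the true edge map. The averaging only works because the content is the same from frame to frame and the assumed geometry matches the monitor's, which is why a still image with sharp, high-contrast edges is the easiest case to recover and why the cable's shielding (the DVI versus HDMI difference seen above) matters so much: it is the edge energy on the wire that the receiver is averaging up.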
For more on this project check out the video below.