T E M P E S T

Over the years, a number of studies and discoveries have altered personal and electronic security. Devices able to "listen" to almost any form of communications have become commonplace and are available "over the counter" from a variety of sources. Such units range from ten- to fifteen-dollar devices to expensive set-ups that employ microwaves and lasers for the interception of almost any audio signal in the spectrum. With protection from outsiders needed against this problem, a number of solutions have been put in place, and global protection is ensured in environments that have such need. But the scope of protection has changed in a major way, with attention now being placed on the actual electronic emanations that are so common with today's standard electronic apparatus.

Electronic telephones, computers and communications networks, ATMs, radio and television stations are just part of the overall electronic bubble that we have placed our society into, with the hope of providing better and faster methods to make daily life a bit easier. But with such a fragile structure as the electronic bubble, we have new opportunities to discover secrets never before possible due to the lack of technology. The same technology that helps us in one way or another may also be helping others, unbeknownst to those who are protecting the environment in the first place. Signal leakage, either by design or by accident, may lead to total collapse of protective measures due to "wide open spaces" in the protective sphere.

In this paper, we will discuss the problems that common office technology may bring in un-securing your installation. Our main focus will be the emanations or transmissions of "Tempest" frequencies.

"Tempest" is the code name given by the U.S. Dept. of Defense to a specific area of concern: radio frequencies radiated by computing equipment. This concern dates back to the late 50's. It centered on the possible interception of "informational information" by parties other than its intended users. The problem is more easily recognized through the current requirement that normal electronic equipment conform to emission standards put forth by the Federal Communications Commission, which limit the amount of electronic "noise" generated by common technology so that such signals do not interfere with other pieces of equipment or their operations.

In simple terms, Tempest frequencies run almost straight through from commercial AM stations to the upper reaches of 600 MHz. They are generated or transmitted by any number of common electrical and electronic systems of daily life. Your TV puts out one frequency, the stereo another, the common electronic telephone and cordless phones still another, the microwave oven puts out another and the wireless alarm does it too, and the story goes on. So just as all of these pieces of equipment emit a signal, so does the personal computer.

We will describe possible examples of such informational information. It should be noted that the current specifications for "Tempest" approved systems are considered classified by the DOD, and these specs were not available to the author. But if one were to look at the specs for normal computing equipment and reduce the allowed emission output by at least 50 percent, that may be a realistic emission standard accepted by the DOD.

Example 1: "We had better 'Czech' this out!"
-------------------------------

In 1987, a very strange occurrence took place: foreign nationals from an Eastern bloc nation entered this country in a large camper-like truck via the border checkpoint at Niagara Falls, New York.
The visitors, numbering 4 or 5, were in the country under tourist visas and were reported to be representatives of their country's automobile and truck industries, here on a promotional tour to garner interest in their exportable products. The one problem with the "visitors" is that none of them had any connection with such industries in their home country. In fact, the visitors were far from what they supposedly represented. The group description read like a Who's Who of mid-level management of Eastern bloc intelligence operations. The group reportedly consisted of a nuclear physicist, a specialist in aerial map-making complete with a small ultra-light powered aircraft, a communications and computer expert and two communist party officials.

Over a 5 month period, the group was reported to have visited 17 states, looking at 40 to 48 military and defense contractor sites. The vehicle and its occupants were reportedly followed by over 100 agents of the FBI, NSA, Secret Service and State Department, and at least one overflight of a military reservation was reported. Even though the overflown site was not identified, one site was. This site was the "sensitive" naval communications center for the Pacific Fleet located in San Diego. It was reported that the truck and its occupants were parked a few hundred yards from the facility for several days and, according to law, were in no violation of any current statute at the time. The group was also at or around the 2800 acre North Island Naval Air Station based in Coronado, California. The spokesman for the base stated that you could not see much of anything going on except for the take-off and landing of aircraft, which you could see from almost any place.

Common sense states that you do not have to be inside the facility, from either a physical or an electronic standpoint, to collect information. You can park in any lot or street close enough to your supposed target and stick up your antennas.
No property violations, no photo restrictions to comply with, no restrictions at all, because you are sitting in a public place, parked or having coffee with your "ears" on. A good example of such parking was reported in a paper published in Computers and Security 4, titled "Electromagnetic Radiation from Video Display Units: An Eavesdropping Risk?" by William Van Eck, copyright 1985. He stated that when they were conducting their experiments in the open on public roadways, with a van and antenna system that was quite noticeable, no one asked what they were doing or gave any thought to the time spent doing such things.

The end of this particular story is as follows: at the end of the suspect journey, the truck was searched at the Nogales, AZ border checkpoint. Nothing considered illegal was found in the search, and the truck and its passengers were released and entered Mexico. Even though the truck was suspected of performing passive "eavesdropping" operations, the federal government had no legal right to hold either the truck or crew. And the possibly intercepted information was then released from the country.

It should be noted that the truck could have carried a number of standard "off the shelf" items. These items could have consisted of 2 general coverage radios with a combined tuning range of 100 kHz to 2 GHz, an IBM personal computer clone, various cheap video and signal enhancement equipment, printers and modems, and other such complementary devices. None of the equipment would be any "James Bond" type of gear, and the basic suspected set-up would cost the operation less than 10,000 dollars if budgeted correctly. And under budget constraints, use of other simple off the shelf radios, like the 200.00 unit available from Radio Shack that covers 150 kHz to 30 MHz, is not at all unheard of.
And since most emanated signals generated by logical devices are within the commercial AM and FM frequencies, a standard auto radio antenna would suffice as a pickup. So the major concern with such actions comes from the ability of simple equipment to detect, register and decipher such emanations with relative ease. The ability of such persons and actions to penetrate the electronic fog of our society should be a clear, distinct warning to those concerned with security in general.

In addition to all of the above, the author contacted various federal government agencies in reference to this information and was told that they had no knowledge of such an investigation and could not tell where such supposed counter-intelligence operations were controlled from or who to contact in reference to supplying such information. Current "Freedom of Information Act" requests for information concerning this supposed federal project are underway.

An interesting note about filing the forms for access to information about the Czech incident is described to give guidance to others who may wish to investigate this incident and seek help from such elected officials. When the papers were filed for the dissemination of information through the Freedom of Information Act, members of the U.S. Senate and Congress were contacted in reference to this matter. The first contact was placed through Senator Arlen Specter's office in Philadelphia, Pa. We were first rebuffed by persons who refused to identify themselves, with the statement "I am sorry, but that information is covered by the 1974 Privacy Act," Click! Well, we called back and informed the person who answered the call of the situation, were then re-connected, and informed them that Czech citizens were not covered by US privacy laws and that there was no invasion of privacy. They called the FBI and asked if they were the way such things were handled, and were told yes or no.
But they had no answer for any question put forward and said "They were sorry!", but "we don't know how to help you!" Our second contact to Senator Specter's office in Philadelphia was in essence like the first: they would not assist, nor would they explain why they took this position in the first place. During our second contact we spoke to a Miss or Mrs. Anderson. She stated that such requests were not in the senator's purview and they could not assist in this matter. When asked why it was not in the senator's purview, we were informed that they do not have to give a response. When asked for an official response, we were informed that no official response would be given. But as a side note, Senator Heinz's office said that they would forward the requests to Specter's office in Washington.

One other thought on this matter: I am sure that if the good senator wants to get some information, his staff jumps through hoops to get him all he wants and then some! A pre-publish copy of this article will be delivered so that even he (or his office staff, who were of no help at all due to a tough question placed to them by a citizen) may learn of what may be going on in his own country. So much for gaining assistance from a senator who sits on a judicial panel.

We visited next the office of John Heinz. Again, funny looks about the Freedom of Information Act, and they hemmed and hawed at the questions presented. They took the requests and said they would try and see what could be done. Our final visit was to our local congressman, Tom Foglietta, whose office still stated the 1974 Privacy law, but took the requests when presented in person. It pays to visit your elected representatives' working areas. So much to do (if you work there!) in a government office.

Other federal agencies, including the FBI, were most helpful in complying with the requests. Of course we found this most interesting. Is it so they could possibly reclassify the information to a "Secret" status instead of what it may be now?
Other agencies contacted in reference to FOIA requests include the CIA, NSA, NRO, Customs, State Dept., Army Automated Intelligence and Military Police, FBI, and FCC.

Such basic interceptions are now commonplace, with horrific results to those who do not believe that such things can happen. For a simplistic view of such emitted signals, take a standard "Walkman" type of radio, visit one of the many locations of ATMs, better known as "money machines", and tune through the FM band. (This exercise may also be performed near any standard personal computer if such machines are not available.) With careful tuning, one will be able to "hear" machine functions occurring. With basic, simple electronics, one may have the ability to receive and reconstruct such impulses to a readable form.

Interception
--------------------------------------

Think about possible interception points pertaining to logical security methods. Communications may be encrypted, data may be stored in an inactive form, and access is only a matter of time while the interceptee is waiting for the dispersal. The next security concern would be the encryption of the information in its stored and transmitted form. Encryption is all wonderful and good for transmission and storage, but does nothing for the information as it is in its final stage to the human eyes! And you only have two ways to get it to the eyes: in hard copy or by a video screen. You may think that interception is not possible since the information is encrypted, but the data must be decrypted so that the human connection may use the information. The human connection allows for the reception of said information by the aforementioned devices and lets interception happen through the clear or decryption points of the attacked devices.
One other point to mention: other possible effects of reception / transmission on security in general could affect other controls, ranging from building energy management to security access and monitoring controls.

To give a better understanding of such equipment, we will discuss some of the devices known. One such device is known as the Van Eck device and the other is called the Re-Process Sync Amplifier. Some may feel that there are two different systems involved in this discussion, but the author finds no major difference between the two, with the exception that the Van Eck device is built for operation on European voltages and has a built-in digital frequency meter. The one major difference found is with the dates of copyrights for the two devices. The Don Britton device is dated 1979, while the Van Eck unit is dated October, 1985.

We will begin with a basic understanding of the inner workings of the device. The one other major basic difference between the two reader boxes is that the Van Eck box is designed for use with TVs and VDTs used in Europe, as compared with the Britton box built for use in the United States. This device in general is designed to restore and regenerate the sync and colorburst signals, and ignores all information appearing during either the vertical or horizontal blanking. Its basic function is to supply artificial external signals, input directly to any video monitor through a simple 10-50 dollar modification of the TV or video monitor; in simple English, it takes a weak video signal, tries to shape or match it, and then boosts its output to a normal television screen.

One other interesting thought comes to mind with the use of video tape copy protection methods. Since these methods make it tough for the VCR, not the TV, to generate signals for tape duplication, there have been a number of devices that assist in the restoring and restructuring of the picture and sound.
One device is known as the "Line Zapper". The device helps to adjust the brightness changes, vertical jumping and jittering, and video noise. It is available in kit or complete form. Pricing starts at $69.95 and complete tested units cost $124.95. If this unit can assist in the filtering and structuring of commercially induced weak signals, then it should be able to take a boosted signal presented to it and clean the picture to something of usable form. Some may see this only as a filter for video processing with a focal point on the actual copy-guard techniques, but such a device incorporated into the Van Eck type of gear should assist in the overall signal restructuring.

One other interesting point about possible video signal reconstruction methods was addressed in a multi-part series published in Radio-Electronics, based on the methodology used for the construction of video signals scrambled by different vendors of cable and over-the-air pay television. The series dealt with all aspects and methods of video and audio (complete with discussions on the DES methods used for the VideoCipher units and the like) used in commercial systems.

One other thought of an experimental nature comes to mind. Since the screen of a computer is not always changing and is for the most part stable in its display, why not take the received signal and digitize it! You could filter out signal noise and clean up any true video signal present. This is no great techno-wonder; the basic gear could be put together with Radio Shack or similar types of equipment. And the cost is still most reasonable. If not available there, costs for home-brew gear would not be that high. The simple electronics blocks would consist of comparators, video detectors, data separator gates, A-to-D and D-to-A converters, a data amp and a signal level converter. Or the better version might be a modified slow scan television system with error correction and clean-up circuits.
Such units work over normal phone lines or standard radio channels, and since the units can take signals from these two different types of inputs, there should be no problem in adapting the unit to accept a cleaned up analog signal from a digitizer.

Away from the world of the experimental thoughts, we return to the point at hand....

There are two types of monitors used today: the first is called composite, and the second uses TTL logic to control the screen and its pattern. The composite screen is nothing more than a television set or Apple computer type of monitor. The construction of the picture is performed by a beam of electrons that is scanned across the screen at a rate of 525 lines per second. Since the majority of screens are of a composite nature (this is even true in most IBM environments), receiving the signal is very possible from a radio emission standpoint. The reception of such signals is not a fairytale, but comes with reality attached through the use of simple electronics.

The first part of the reception project is to have a method of signal acquisition and amplification. Such gathering may be performed by the use of standard electronics store technology. For this example, we will use common Radio Shack electronics. The reason is the common variety of electronics that are available to most persons needing such science to accomplish the required gathering.

To start, a base station is out of the question due to the weak signals one would have to receive, so transportable equipment is a must. Antenna, amplifier, sync process unit and display medium must be powered in the transit unit. Depending on budget and Basic Equipment List (BEL) requirements, a fully battery operated set-up can be constructed for a modest amount of money. Our two systems described here will differ only in basic construction and budgetary BELs.

The "Radio Shack" Reader
------------------------

1. The directional antenna could consist of a Radio Shack TV/FM # 15-1611 for 49.95
2. If needed, Radio Shack in-line signal amplifier, 10 dB gain, # 15-1117 for 15.95
3. Radio Shack RF Video Modulator # 15-1273 for 26.95
4. The Britton or Van Eck type unit:
   a. A horizontal/vertical video sync generator that is modified according to the above description of Van Eck equipment.
   b. A multi-scan computer video monitor, preferably Apple compatible.
5. The tuning unit may consist of different available FM, TV, UHF tuners for the tuning of TV sound & picture reception and possible recording. Costs for such units range from 319.95 to 119.95. The 319.95 unit can operate on AC / DC, has audio / video input jacks and can operate on 9 "D" batteries. Other possible usable units would be either # 16-109 or # 16-111. One unit costs 219.95 and the other 159.95. Both are able to tune in the full commercial AM / FM and VHF/UHF television signals. The low end of the cost spectrum would be the RS # 16-113 at 119.95. This unit also has the same spectrum tuning abilities.

The Gold Plated Unit
--------------------

1. The antenna could consist of a Radio Shack TV/FM # 15-1611 for 49.95. (Better reception electronics may have built-in antennas, but due to the need for amplified signals being input to the receiver, we will still possibly use the RS amplified antennas.)
   a. It is also possible to use any number of amateur radio antennas. For the purpose of maintaining a low profile, we will use one of the standard active receiving antennas that has a reception spectrum from 50 MHz to 1 GHz. Such units are available from mail order supply houses.
2. If still needed, Radio Shack in-line signal amplifier, 10 dB gain, # 15-1117 for 15.95. It is also possible to use # 15-1105 Indoor FM Signal Booster with switchable 0, 10 or 20 dB gain at a cost of 24.95.
3. Radio Shack RF Video Modulator # 15-1273 for 26.95
4. The Britton or Van Eck type unit:
   a. A horizontal/vertical video sync generator that is modified according to the above description of Van Eck equipment.
   b. A multi-scan computer video monitor, preferably Apple compatible.
5. Tuning units: The tuning units would consist of 2 separate radio units. The units, both ICOMs, have a combined tuning range of 100 kHz to 2 GHz.
   a. Unit 1 (R-71a) tunes from 100 kHz to 30 MHz. This unit is nothing more than a shortwave receiver with excellent signal reception and frequency stability that offers far better overall signal interception quality. The unit offers 1 Hz tuning and has digital frequency readout. As an option, this unit may be controlled by an IBM or compatible PC. Cost for this unit is $949.00
   b. Unit 2 (R7000) covers 30 MHz to 2 GHz. This unit is a general coverage receiver with excellent signal reception and frequency stability that offers far better overall signal tuning and interception quality. This unit can also be computer controlled through an IBM or compatible. The unit offers .01 Hz tuning and has digital frequency readout. Additional abilities of the unit include signal output and an IF output of 10.7 MHz, with other frequencies available. The cost for the unit is $1099.99. This particular unit also has an option for the output of the video signal and connection of any standard video monitor for 130 dollars. For an additional 160 dollars the unit can receive signals from 20 kHz all the way to the specified 2 GHz. The unit needed is called a Kuranishi FC-7000 frequency converter. With additional commercial television MDS tuning equipment, ranges can exceed 2.7 GHz. Costs for this will range between 79 and 109 dollars.

Since we will be mostly dealing in the lower ranges of frequencies, an added piece of gear may be used to gain the best signal reception points available. This is through the use of a Radio Direction Finder, available from American Electronics for 100 dollars.
Now, beyond all this equipment for both systems, another basic system with minimum cost is readily available to many for under 100.00 dollars. This is the common Black & White television set, available in mass quantities from any number of sources. It has been reported that such interception capabilities are possible and have occurred without the interceptee knowing until the Communications Commission contacted the source of the emitted signals. For example, some personal computers and their respective screens have been known to be picked up on the TV screens of their neighbors through nothing more than rough or fine tuning of the reception. The reason is that the TV has the ability to automatically adjust the sync signals to those close to the intercepted computer screen's sync frequency. This "ability" is available through the use of a common manual type tuner on a standard Black & White set with a normal directional antenna and a standard antenna amplifier. All three devices are in common life and attached to your own television receivers! You have such devices if you have an antenna on your roof or attached to your set. Most have attached signal amplification due to the ever growing background noise generated by normal commercial stations and reception characteristics. In simple terms, the guy next door can read your screen and you don't know it.

Now take the number of personal type computers in a standard corporate environment, calculate the possible dollar figures of the combined information contained in these machines, and substantial sums become more evident than ever before.
If business plans, formulas or patent-trade information, client lists, or any other type of valuable information is wanted in a surveillance gathering operation, then, since that information will be called up at some time or worked on, there is a completely wide open way of monitoring the daily practices and transactional actions with complete impunity, and the security of such areas is completely unguarded due to the lack of knowledge.

For experimental purposes, we will use very simplistic computer systems to give an idea of what may be possible. The equipment shall be basic, over the counter, cheap electronic systems to gather and produce the signals we wish to collect. The equipment list is as follows:

1. Apple Computer with Modem
2. Video Monitor (40 or 80 characters display) 18 MHz (Standard IBM monitors radiate at 15 to 16 MHz)
3. Epson Printer

Our basic reception / interception equipment consists of:

1. Bearcat 250 (50 Channel) Scanner (Coverage from 32-50, 146-148, 148-174, 420-450, 450-470, 470-512 MHz)
2. Soundesign FM Stereo Tuner (86.5 MHz to 109.5 MHz)
3. Electrobrand AM-FM-SW-CB-TV-PB-AIR-Weather
   The AM and FM are standard commercial band receivers.
   SW is short-wave from 4 MHz to 12 MHz
   TV coverage is from audio channels 2 through 13
   AIR band from 108 through 135 MHz
   Public Band is 145 through 175 MHz
4. A Gould OS 1100 A Oscilloscope, 25 MHz range

Since we will not try to reconstruct the actual video signal generated, as this has already been done, we will not have to explain what we receive as a picture. What we will cover is the gross signal output of standard population computerized logical systems.

In our observations, we have seen a wide spectrum of emitted signals with a strong signal between 9.0 and 9.250 MHz for the display of standard text scrolling by. Better signal display was found at the lower frequencies of 9 MHz. Monitor frequencies were found in the area of 11 through 19.5 - 20 MHz.
Printer frequencies are in the range of 140 to 200 MHz. Disk operations were detected in the ranges of 88 to 250 MHz. Overall frequency generation was from 4 through 500 MHz. The modem was found between 28 and 300 MHz.

So, in closing, the capability of these units is well within the range of any person with the intent, and comes closer to home than ever before. The equipment is nothing of major technical wonderment, just a few simple block circuits put together so that they work together to produce the final requested product.

In closing, to steal a phrase from someone else, "The truth shall set you free (or may keep you from being over exposed from free form energy)!"
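
The frequency ranges reported in the observations above can be put to defensive use in an emissions survey of one's own equipment. The following is an added example, not part of the original paper: it compares a sweep taken with the equipment off against one with it on, and labels each band of excess emission with the article's reported source ranges. The sweep values, the 6 dB margin, the 1 MHz grouping gap and all function names are assumptions made for illustration.

```python
"""Added example: attribute excess emissions in a before/after spectrum sweep."""

# Source ranges in MHz, taken from the article's own observations of its
# Apple test setup (monitor upper bound uses the article's "19.5 - 20").
REPORTED_RANGES_MHZ = {
    "text display": (9.0, 9.25),
    "monitor": (11.0, 20.0),
    "modem": (28.0, 300.0),
    "disk": (88.0, 250.0),
    "printer": (140.0, 200.0),
}

# Constructed sample sweeps: (frequency MHz, level dB). Not measured data.
# 98.1 MHz stands in for a strong broadcast station present in both sweeps.
SWEEP_EQUIPMENT_OFF = [(9.0, 20.0), (9.25, 21.0), (15.0, 18.0), (16.0, 18.0),
                       (98.1, 55.0), (150.0, 15.0), (151.0, 15.0), (460.0, 12.0)]
SWEEP_EQUIPMENT_ON = [(9.0, 34.0), (9.25, 30.0), (15.0, 31.0), (16.0, 27.0),
                      (98.1, 56.0), (150.0, 24.0), (151.0, 17.0), (460.0, 20.0)]


def excess_bins(baseline, powered, margin_db=6.0):
    """Return sorted (freq, rise_db) bins where 'on' exceeds 'off' by the margin."""
    ambient = dict(baseline)
    hits = []
    for freq, level in powered:
        if freq not in ambient:
            continue  # no ambient reference for this bin, so it cannot be judged
        rise = level - ambient[freq]
        if rise >= margin_db:
            hits.append((freq, rise))
    return sorted(hits)


def group_bands(hits, max_gap_mhz=1.0):
    """Merge neighbouring excess bins into (low, high, peak_rise_db) bands."""
    bands = []
    for freq, rise in hits:
        if bands and freq - bands[-1][1] <= max_gap_mhz:
            low, _, peak = bands[-1]
            bands[-1] = (low, freq, max(peak, rise))
        else:
            bands.append((freq, freq, rise))
    return bands


def candidate_sources(low, high):
    """Names of every reported range that overlaps the band [low, high]."""
    return sorted(name for name, (lo, hi) in REPORTED_RANGES_MHZ.items()
                  if low <= hi and high >= lo)


def survey(baseline, powered, margin_db=6.0, max_gap_mhz=1.0):
    """Build a report of excess-emission bands and their possible sources."""
    report = []
    hits = excess_bins(baseline, powered, margin_db)
    for low, high, peak in group_bands(hits, max_gap_mhz):
        report.append({
            "band_mhz": (low, high),
            "peak_rise_db": peak,
            # The reported ranges overlap heavily above 88 MHz, so a band may
            # have several candidates; none at all means "unattributed".
            "candidates": candidate_sources(low, high) or ["unattributed"],
        })
    return report


if __name__ == "__main__":
    for entry in survey(SWEEP_EQUIPMENT_OFF, SWEEP_EQUIPMENT_ON):
        print(entry)
```

Because the printer, disk and modem ranges overlap, a band near 150 MHz can only be narrowed down by switching peripherals off one at a time and repeating the sweep.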