What is TEMPEST
TEMPEST is an acronym for Telecommunications Electronics Material Protected from Emanating Spurious Transmissions. It pertains to technical security countermeasures, standards, and instrumentation that prevent or minimize the exploitation of vulnerable data communications equipment by technical surveillance or eavesdropping.
Any device with a microchip generates an electromagnetic field, often called a “compromising emanation” by security experts. With the proper surveillance equipment, these emanations can be intercepted and the signal reconstructed and analyzed. Unprotected equipment can, in fact, emit a signal into the air like a radio station—and nobody wants to risk his or her job and a whole lot more by broadcasting national security or trade secrets to the wrong people.
Vulnerable devices
Some of the most vulnerable devices are speakerphones, printers, fax machines, scanners, external disc drives, and other high-speed, high-bandwidth peripherals. If the snoop is using a high-quality interception device, your equipment’s signals can be acquired up to several hundred feet away.
For example
Arguably one of the most vulnerable pieces of equipment is an analog VGA monitor. If a spy were to introduce a Trojan into your system, he or she could monitor and store key presses and passwords used during the day. When the system’s not in use at night, the spy could pulse the VGA screen with grayscale images that have a strong signal at particular frequencies. VGA uses single-ended signaling that has a high common-mode emission level not protected by cable shielding, and it’s possible to monitor these signals outside the secure zone using a radio receiver. Even without a Trojan, a sophisticated receiver located nearby can pick up what’s on the VGA monitor and let an eavesdropper view it.
National Security Agency
In the last 40 years, the (American) National Security Agency (NSA) has taken several industry measurement standards and greatly beefed them up. These enhanced criteria are commonly referred to as the TEMPEST standards (although the NSA also calls them EMSEC standards, short for “emissions security”). TEMPEST disciplines involve designing circuits to minimize emanations and the application of appropriate shielding, grounding, and bonding.
Common Criteria
Common Criteria is an international standardized process for information technology security evaluation, validation, and certification. The Common Criteria scheme is supported by the (North American) National Security Agency through the National Information Assurance Program (P).
EAL4+: secure from design to distribution
EAL4+ is a common set of tests to evaluate the security of an IT product relating to its supply chain, from design and engineering to manufacturing to distribution. This evaluation tests the process of the design, testing, verification, and shipping of new security products. Customers, in turn, can have a level of trust in how a product has been designed, tested, built, and shipped. What this means is that the low radiated emissions profile of these switches meets the appropriate requirements for conducted/radiated electromagnetic emissions.
The TEMPEST designation is required by military organizations. As a security standard, it pertains to technical security countermeasures, standards, and instrumentation that prevent or minimize the exploitation of vulnerable data communications equipment by technical surveillance or eavesdropping.