Physical Address
304 North Cardinal St.
Dorchester Center, MA 02124
Computers leak secrets. Not just through Invasive advertising tracking, Data stealing malwareand your Unwise oversharing on social mediaBut through physics. Movements of hard drive components, keystrokes on a keyboard, and even the electrical charge in semiconductor wires produce radio waves, sound, and vibrations that travel in all directions and can — when picked up by someone with sensitive enough equipment and enough spy tools to decipher those signals — reveal your private data and activities.
This class of espionage techniques, originally called TEMPEST by the National Security Agency but now included in the more general term “side-channel attacks,” has been a known problem in computer security for nearly eight decades, and is a problem that the United States government takes into account when securing its classified information. Now, two US lawmakers are launching an investigation into how vulnerable the rest of us are to TEMPEST-style surveillance, and whether the US government needs to push device manufacturers to do more to protect Americans.
On Wednesday, Senator Ron Wyden and Representative Shontell Brown released a letter to the Government Accountability Office (GAO) requesting an investigation into the vulnerability of modern computers to TEMPEST-style side-channel attacks, monitoring and decoding accidental emissions from PCs, phones, and other computers to monitor their operations. In the letter, Wyden and Brown wrote that these forms of espionage “not only pose a counterintelligence threat to the U.S. government, but these methods can also be exploited by adversaries against the American public, including stealing strategically important technologies from U.S. companies.”
In addition to the letter, Wyden and Brown also commissioned a newly released Congressional Research Service report on the history of TEMPEST and the contemporary threat posed by similar side-channel attacks. It describes the US government’s efforts to protect its devices from spy technologies, including the use of isolated, radio-shielded spaces to securely access classified information known as a Sensitive Compartmented Information Facility, or SCIF. Meanwhile, the government “did not warn the public about this threat, nor did it impose requirements on manufacturers of consumer electronics, such as smartphones, computers, and computer accessories, to build technical countermeasures into their products,” Wyden and Brown noted in the letter. “As such, the government has left the American people vulnerable and in the dark.”
Wyden and Brown’s letter ends by urging the GAO to review a list of issues related to TEMPEST: the scale of the modern privacy threat of side-channel attacks, the “cost and feasibility” of implementing protections against them in modern devices, and “potential policy options to mitigate this threat to the public, including mandating device manufacturers to add countermeasures to their products,” suggesting that Congress could put pressure on tech companies to add more defenses to the devices they sell.
How effective side-channel attacks like TEMPEST are against modern computing devices — and how often they are actually used by hackers and spies — remains unclear. But the possibility of such attacks has been taken seriously by the US government as early as the 1940s, when Bell Labs discovered that devices it sold to the US military for encrypting messages produced clear signals on an oscilloscope on the other side of the laboratory.
Bell Labs machines were transmitting clues about the inner workings of military cryptography in the radio waves generated by the electromagnetic charge of their components. A declassified NSA report from 1972 later described the problem of the agency’s secret computers transmitting “radio frequency or acoustic energy.” “These emissions, like small radio broadcasts, may radiate through free space over large distances” of up to half a mile or more if the signal is delivered through nearby materials such as power lines or water pipes, the report added.