TEMPEST Attack

There's a new paper on a low-cost TEMPEST attack against PC cryptography:

We demonstrate the extraction of secret decryption keys from laptop computers, by nonintrusively measuring electromagnetic emanations for a few seconds from a distance of 50 cm. The attack can be executed using cheap and readily-available equipment: a consumer-grade radio receiver or a Software Defined Radio USB dongle. The setup is compact and can operate untethered; it can be easily concealed, e.g., inside pita bread. Common laptops, and popular implementations of RSA and ElGamal encryptions, are vulnerable to this attack, including those that implement the decryption using modern exponentiation algorithms such as sliding-window, or even its side-channel resistant variant, fixed-window (m-ary) exponentiation.

We successfully extracted keys from laptops of various models running GnuPG (popular open source encryption software, implementing the OpenPGP standard), within a few seconds. The attack sends a few carefully-crafted ciphertexts, and when these are decrypted by the target computer, they trigger the occurrence of specially-structured values inside the decryption software. These special values cause observable fluctuations in the electromagnetic field surrounding the laptop, in a way that depends on the pattern of key bits (specifically, the key-bits window in the exponentiation routine). The secret key can be deduced from these fluctuations, through signal processing and cryptanalysis.

From Wired:

Researchers at Tel Aviv University and Israel's Technion research institute have developed a new palm-sized device that can wirelessly steal data from a nearby laptop based on the radio waves leaked by its processor's power use. Their spy bug, built for less than $300, is designed to allow anyone to "listen" to the accidental radio emanations of a computer's electronics from 19 inches away and derive the user's secret decryption keys, enabling the attacker to read their encrypted communications. And that device, described in a paper they're presenting at the Workshop on Cryptographic Hardware and Embedded Systems in September, is both cheaper and more compact than similar attacks from the past -- so small, in fact, that the Israeli researchers demonstrated it can fit inside a piece of pita bread.

Another article. NSA article from 1972 on TEMPEST. Hacker News thread. Reddit thread.

Posted on June 29, 2015 at 1:38 PM • 34 Comments

Comments

CommentJune 29, 2015 2:35 PM

I remarked upon this in another thread when the story was first released. It seems an extremely practical attack although is somewhat stymied by the proximity required to extract the keys.

parrotJune 29, 2015 2:47 PM

@Comment

I presume that more money can buy you at least a few meters of distance. That might be interesting in a multi-tenant hosting environment or in a corporate cube farm.

orcmidJune 29, 2015 3:04 PM

Um, when the abstract gets to sending "carefully-crafted ciphertexts" to the target computer, I am left wondering exactly how does *that* happen in an unobserved way?

This would seem to require a highly-targeted attack and a few other conditions beside proximity.

BrotherChewJune 29, 2015 3:17 PM

@ orcmid


Um, when the abstract gets to sending "carefully-crafted ciphertexts" to the target computer, I am left wondering exactly how does *that* happen in an unobserved way?

From the article: "GnuPG is often invoked to decrypt externally-controlled inputs, fed into it by numerous frontends, via emails, files, chat and web pages. The list of GnuPG frontends contains dozens of such applications, each of them can be potentially used in order to make the target decrypt the chosen ciphertexts required by our attack. As a concrete example, Enigmail (a popular plugin to the Thunderbird e-mail client) automatically decrypts incoming e-mail (for notification purposes) using GnuPG. An attacker can e-mail suitably-crafted messages to the victims (using the OpenPGP and PGP/MIME protocols), wait until they reach the target computer, and observe the target's EM emanations during their decryption"

Looks like some basic knowledge of what's running on the system is required, although you'd probably have that requisite information anyway if you were to execute this targeted attack.

parrotJune 29, 2015 3:22 PM

@orcmid

Hmm. This was my thought at first, but after some though I wonder if this isn't all that hard to do.

One could imagine a state actor who has full view of the network could simply watch and wait for ciphertexts that match their needs (e.g. a large amount of ones). Then, through other means, they install their EM sniffing devices and just correlate what it sees on the network with what emissions the sniffer sees.

Of course, I'm assuming that this attack isn't just possible for low-bandwidth PGP, but potentially high bandwidth TLS applications where signatures are made constantly by a highly trafficked server.

And that being said, browsers control one-half of the channels with servers. They may have some power here to force a useful message to be signed during the TLS handshake.

parrotJune 29, 2015 3:41 PM

@Bob S.

I know, right? Pita bread is such a weird thing to compare it to. Maybe they're hackin' folks in Greek restaurants doing their online banking.....

CommentJune 29, 2015 4:05 PM

@parrot

The range can be extended *slightly* by the use of more powerful equipment but with it comes interference from other nearby devices.

It would have to be concealed under a desk or maybe in a wall to be effective. And even then it would need to pick up the keys at just the right time.

gordoJune 29, 2015 4:20 PM

@ parrot

Pita bread is such a weird thing to compare it to.

Portable Instrument for Trace Acquisition (Pita)

The idea to actually cloak the device in a pita—and name it as such—was a last minute addition, Tomer says. The researchers found a piece of the bread in their lab on the night before their deadline and discovered that all their electronics could fit inside it. (Wired article)

That also brings these to mind:

The Practice of Everyday Life

"Today's NSA secrets become tomorrow's PhD theses and the next day's hacker tools."

ThothJune 29, 2015 7:36 PM

@all
These are very common problems with cryptography on any electronic devices. @Clive Robinson have spoken a lot about this problem very widely and for a very long time. EMSEC is something hard to get right and even the "EMSEC-protected" machines may use fixed methodologies which one may be able to adapt and re-issue an adapted attack vector. It is kind of a cat and mouse game in the end.

The best protection is active offense which is to generate tonnes of noises with lots of redundancy (multi-core processors with huge amount of redundant and dynamically changing steps) which me and @Clive Robinson have suggested for active protection systems.

Nick PJune 29, 2015 8:39 PM

The Hacker News and Reddit threads seemed quite clueless. We've had a nice information page for a long time:

http://www.jammed.com/~jwa/tempest.html

Might be a good side project for someone to use Wayback Machine or ask people for cached copies to produce a nice zip file (or series of them) with all the relevant information. A number of those companies still exist. One that did classified training on TEMPEST said general TEMPEST info got unclassified and they can teach whoever. They have a book for sale on it. The Swedish shielding company's office enclosures were pretty nice. As are the descriptions of shielded PC cases people acquired in surplus.

Universities need to be working and publishing on this subject en masse. Especially trying to figure out what the "seismic" category is. Or pushing limits of active attacks that bounce a beam off the electronics. Also, remember that ultrasound is a more recent threat that government panicked on. I don't think they're looking into infrasound yet so get on that now to earn your black patent. ;)

Note: Even your water pipes are a threat. Someone needs to circulate a "Restrooms considered harmful" paper in ACM or IEEE. Mwahahahaha.

DoNotEnterJune 29, 2015 9:05 PM

"Note: Even your water pipes are a threat. Someone needs to circulate a "Restrooms considered harmful" paper in ACM or IEEE. Mwahahahaha."

I once worked on a project with a real paranoid client. We worked in the basement behind double sets of steel doors with 6 digit combo locks on each. One day the client visited and freaked out when he saw two copper pipes that went to the outside A/C compressor. No air ducts, just the cooling freon pipes. The air would get so stagnant that late at night we would momentarily hold all the doors open with fans blowing just to get some fresh air inside. We were told to remove the pipes because someone might use those as signal conduits. even though the building was buried deep in a campus of high security buildings.

Jack LJune 29, 2015 10:38 PM

Article quoted by Bruce:


The attack can be executed using cheap and readily-available equipment: a consumer-grade radio receiver or a Software Defined Radio USB dongle.

hmm so this could be pulled using the radio inside cell phones (the one that communicates with the cell towers)...

in other words, better not to have your cell phone close to your laptop when logging into secure sites...

Slime Mold with MustardJune 29, 2015 10:47 PM

You can build your own SENSITIVE COMPARTMENTED INFORMATION FACILITY (SCIF)
(If you have a 6 figure budget)
This from the Department of Homeland Security 2004

http://fas.org/irp/offdocs/dcid6-9.htm

There us a 2007 version out there somewhere.

Could some one save this link and post when this comes up on the Squid Thread - as it almost always does!

Slime Mold with MustardJune 29, 2015 11:05 PM

@ Jack L

You give your cell phone to the "attendant" (the guy with the gun) before you go in. I have seen magnetometers installed to help people remember. Also, they can't transmit from inside, although they can certainly record and photograph.

Oh, and turn it off. We don't want to drive the guy with the gun nuts.

It's MeeeJune 30, 2015 12:12 AM

> I wonder if this isn't all that hard to do.

Jack, if they want into your computer, they're gonna get in, by hook, nack, or cranny. If they don't get in it just means you're not that important.

WaelJune 30, 2015 12:36 AM

@Slime Mold with Mustard,

You can build your own [...] (If you have a 6 figure budget)

Or you can visit your military surplus store and keep an eye on a Security Tent. And if you convince the clerk that it's a camping tent, you may even get it for $20.00...

WaelJune 30, 2015 12:38 AM

@Jack L,

hmm so this could be pulled using the radio inside cell phones

Probably not without modifications.

MorePowerJune 30, 2015 12:38 AM

@comment
The range can be extended *slightly* by the use of more powerful equipment

Hamburger buns? Or perhaps a Bagel?

WaelJune 30, 2015 1:05 AM

@Nick P,

Even your water pipes are a threat. Someone needs to circulate a "Restrooms considered harmful" paper in ACM or IEEE. Mwahahahaha.

As a matter of fact, water pipes are a threat! Remember the toilet-bowl bug? (the last paragraph.) They could be used as antennas or transmission lines as well...

65535June 30, 2015 2:23 AM

@ parrot

“This was my thought at first, but after some though I wonder if this isn't all that hard to do. One could imagine a state actor who has full view of the network could simply watch and wait for ciphertexts that match their needs (e.g. a large amount of ones). Then, through other means, they install their EM sniffing devices and just correlate what it sees on the network with what emissions the sniffer sees… I'm assuming that this attack isn't just possible for low-bandwidth PGP, but potentially high bandwidth TLS applications where signatures are made constantly by a highly trafficked server…”

That’s a good possibility.

@ Thoth

“These are very common problems with cryptography on any electronic devices. @Clive Robinson have spoken a lot about this problem very widely and for a very long time. EMSEC is something hard to get right and even the "EMSEC-protected" machines may use fixed methodologies which one may be able to adapt and re-issue an adapted attack vector.”

I agree.

Here is Clive’s idea to solve the distance problem with a device to “call home” or to “store and forward” the stolen keys to out:

“…the application the researchers developed for the "smart phone connected to an AM band radio audio output" could be easily modified to "do an ET" and phone home or act as a "store and forward" so that it can be called up… You could also put the sensor in a laptop power supply addaptor, and just send out the information via "Home mains networking" or short hop HF through UHF bugging device to a couple of Km wih little or no difficulty as you have an inbuilt power source and antenna...

“It is when all is said and done just another "end run" attack, just like putting a miniture WiFi CCTV camera in the "smoke detector" in a hotel room where it can see what the weary business traveler types in on the keyboard when downloading their email etc… [1] Think of the bits inside of a "Mobile Broadband Dongle"(MBD), it would not take any kind of genius to "augment" one to act as an appropriate EM detector as an extra function, likewise the Near Field Conectivity(NFC) in dongles and now being built into mobile phones as standard would be ideal as sensing heads. It is something I've been thinking about off and on for a few years due to some work I was asked to do for an organisation that was contracting services to a state level organisation. Oh and as the Chinese make by far the majority of the MBDs NFCs and almost certainly the IoT devices as well, we might well not be talking "in the future tense" it might well have happened already...”

https://www.schneier.com/blog/archives/2015/06/friday_squid_bl_483.html#c6699014

There are probably a lot of ways to ex-filtrate the keys via some modified cell phone, hacked router, hidden device connected to a bot net’d box and so on.

65535June 30, 2015 2:37 AM

@ Nick P

“Note: Even your water pipes are a threat. Someone needs to circulate a "Restrooms considered harmful" paper in ACM or IEEE. Mwahahahaha.”

Ha!

A lot of things can serve as a “wire” to send data down. Even the AC power outlets in your home or office could be used.

“Barbed wire telephone lines were local networks created in rural America at the end of the 19th century and beginning of 20th century. In some isolated farmers' communities, it was not cost effective for corporations to invest on the telephone infrastructure. Instead, the existing extent of barbed wire fences could be use to transmit electric signals and connect phones in neighboring farms.” –Wikipedia

https://en.wikipedia.org/wiki/Barbed_wire_telephone_lines

Wesley ParishJune 30, 2015 2:46 AM

And there I was thinking that pita bread was only used for making felafel and the like ... boy, was I mistaken! What happens if someone actually tries to eat it? (It is a big bigger than I was led to believe. I was picturing something the size of a hearing-aid.)

One counterattack is to buy up big in pita bread whenever you suspect someone's going to scatter inedible pita around. Then feed the surplus to random beggars and sundry strangers. That way, if you were served up with a helping of eavesdropping pita, you can use your loaf and let some beggar curse you for giving him a lump of inedible electronics - though if said beggar has nous enough, he'll sell the electronics to some random recycler and $PROFIT$ from someone else's stupidity.

Clive RobinsonJune 30, 2015 8:10 AM

You could hide all of this not in a Pita but one of those nice leather bound writing pad holders.

That nice "welted" edge would be a realy nice place to put the magnetic loop antenna, and reasonable sized batteries and a micro memory card put under the sprung pad holder. The fact that most such holders have a stiff internal board and padding under the leather would mean that the board could be double sided FR4 PCB with all the electronics being surface mount. You could also have. Miniture "reed switch" in the pen holder such that a small magnet in a very expensive Monte Blanc etc pen could be used to turn it off and on.

Whilst putting a pita in range of the laptop might be odd and prone to discovery, putting an expensive pad holder down next to or close to the laptop to take notes most certainly would not.

Oh and the range of magnetic antennas goes up proportional to the area of the loop, so with around ten times the area the range is going to increase by between 10^-3 and 10^-2 which is pushing it up to the meter range. Also if you have two loops one in either cover and you hold them at around ninty degrees to each other you can feed this data into a few interesting computer algorithims such that you can "notch out" even quite strong interfering signals providing you don't hit the receivers end stops on dynamic range...

I could make it even more senitive using other tricks...

However if I was to manufacture such items how much would you think folks would be willing to pay? I recon 10,000 USD would not be unreasonable with the appropriate software. Oh and for say 5000 more I could add encryption to the data going onto the memory cards.

As for "copper pipes" remember they have insides as well as outsides, the inside will make a rather good 12Ghz and up waveguide. Further if you have two pipes run as a parallel pair they will act rather more efficiently as a high impedence "transmission line" than an antenna. Which means that they will carry the signal way way way further for any given power as well as dificult to find with most "bug hunter" receivers, and such low power would mean a long battery life or better still a couple of thermo couples using the heat differential between the pipes and other fixings...

Clive RobinsonJune 30, 2015 8:50 AM

@ Bob S,

Be wary of strangers carrying pita bread.

If I remember correctly the original was,

    Be wary of Greeks bearing gifts

Which might be sage advice currently if you are a senior official in Germany, the European Central Bank or International Monitary Fund.

And as for one senior European official saying "A slow death is better than suicide" to the Greeks, he realy should have his brains examined by a Dr, before a Greek comes along and does it with a hammer and chisel.... We realy do not need moronic EU officials trying to "pour oil on troubled waters" when the Greeks are standing on the shore "burning with anger", it's only going to cause a conflagration which may have world wide repercussions, the very least of which might be another recession.

Anonymous CowJune 30, 2015 12:52 PM

...Even the AC power outlets in your home or office could be used...

Does your home/office have a smart meter from the power co.? Some of them can transmit data back to the power co. over the service lines; they don't need to connect even with wi-fi to your internet gateway.

JesseJune 30, 2015 12:57 PM

@Meee

> If they don't get in it just means you're not that important.

All that you are doing here is restating the foundation of all security planning: there exists no perfect security, only a capacity to make a compromise *more expensive* for the attacker.

So, for every hook, nook, or cranny that you seal from intrusion you are increasing the value of "that" in the "you're not that important" equation.

Nick PJune 30, 2015 3:55 PM

@ Anonymous Cow

That's actually a clever brainstorm. I hadn't thought about it and don't know anyone else posting on it. The countermeasures remain the same whether it was considered or not: power filters, EMSEC safes, shielded rooms, etc. Yet, it might be fun research for someone to see what one could learn at that point in the electrical system.

Jake BrodskyJuly 1, 2015 8:12 AM

Grandpa called. He said something to effect that HE had done things like this once upon a time.

Look up TEMPEST. It was a concept that went back to the early 1980s at least, and probably even before that. You'd think by now that people would have heard of this and done something about it. But apparently this is one of the many things that they don't teach in undergraduate courses these days.

What's old is new again...

Jonathan WilsonJuly 1, 2015 9:01 AM

All this talk about TEMPEST and EM shielding and etc reminds me of the stuff in Cryptonomicon about "Van Eck Phreaking".

Clive RobinsonJuly 1, 2015 11:07 AM

@ Jake Brodsky,

Look up TEMPEST. It was a concept that went back to the early 1980s at least, and probably even before that.

You're joking?

It goes back a lot lot further than that to the trenches of WWI. There were listening post both in and under the trenches that used early transducers and amplifiers (some used magamps).

There were a number of types of listening post including acoustic for finding artillery and mining operation, "phantom circuit" to pick up the signals from field telephones and early spark transmitters. If you look up "barbedwire telephony" you will find the knowledge of how to do this was well known to mid west farmers, who set up their own "party phone" system because the likes of Bell and Westinghouse did not think there was profit to be made there.

But the early "telegraph" systems from then were known to Bell enginers to be detected and decoded from considerable distance using quite modest equipment.

By WWII things had progressed to the point that the difference between the "hold and release" times in the relays of One Time Tape super encryptors could be easily stripped off.

Have a look at the history of the UK Diplomatic Wireless Service and the Rockex super encryptor. It took a very long time to sort out both the electrical and acoustic side channels it suffered from. The work was carried out by a Canadian Prof of Electrical Engineering and it required the personall approval of Winston Churchill.

N45July 3, 2015 4:02 PM

Amazing, really good, but not for real life, the distance action is too short and the key extraction is noisy... thougth

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Resilient, an IBM Company.