Computers leak secrets. Not just through invasive ad tracking, data-stealing malware, and your ill-advised oversharing on social media, but through physics. The movements of a hard drive’s components, keystrokes on a keyboard, even the electric charge in a semiconductor’s wires produce radio waves, sound, and vibrations that transmit in all directions and can—when picked up by someone with sufficiently sensitive equipment and enough spycraft to decipher those signals—reveal your private data and activities.
This category of spying techniques, originally codenamed TEMPEST by the National Security Agency but now encompassed in the more general term “side-channel attacks,” has been a known problem in computer security for close to eight decades, and it’s one that the United States government carefully considers in securing its own classified information. Now a pair of US lawmakers are launching an investigation into how vulnerable the rest of us are to TEMPEST-style surveillance—and whether the US government needs to push device manufacturers to do more to protect Americans.
On Wednesday, Senator Ron Wyden and Representative Shontel Brown released a letter they sent to the Government Accountability Office (GAO) demanding an investigation into the vulnerability of modern computers to TEMPEST-style side-channel attacks, the monitoring and deciphering of accidental emanations from PCs, phones, and other computing devices to surveil their operations. In the letter, Wyden and Brown write that these forms of spying “do not just pose a counterintelligence threat to the US government, but these methods can also be exploited by adversaries against the American public, including to steal strategically important technologies from US companies.”
Along with the letter, Wyden and Brown also commissioned a newly released Congressional Research Service report about the history of TEMPEST and the contemporary threat posed by similar side-channel attacks. It describes the US government’s efforts to protect its devices from those spy techniques, including the use of isolated, radio-shielded spaces for securely accessing secret information known as a Sensitive Compartmented Information Facility, or SCIF. Meanwhile, the government has “neither warned the public about this threat, nor imposed requirements on the manufacturers of consumer electronics, such as smartphones, computers and computer accessories, to build technical countermeasures into their products,” Wyden and Brown point out in the letter. “As such, the government has left the American people vulnerable and in the dark.”
Wyden and Brown’s letter ends by urging GAO to review a list of TEMPEST-related issues: the scale of the modern privacy threat of side-channel attacks, the “cost and feasibility” of implementing protections against them in modern devices, and “potential policy options to mitigate this threat against the public, including mandating device manufacturers add countermeasures to their products,” suggesting that Congress could apply pressure to tech companies to add more defenses to the devices they sell.
Just how practical side-channel attacks like TEMPEST are against modern computing devices—and how often they’re actually used in the wild by hackers and spies—remains far from clear. But the possibility of such attacks has been taken seriously by the US government since as early as the 1940s, when Bell Labs discovered that machines it sold to the US military for encrypting messages produced legible signals on an oscilloscope on the other side of the lab.
The Bell Labs machines were transmitting clues about the inner workings of military cryptography in the radio waves created by their components’ electromagnetic charge. A declassified NSA report from from 1972 later described the problem of the agency’s classified computers transmitting “radio frequency or acoustic energy.” The report added: “These emissions, like tiny radio broadcasts, may radiate through free space for considerable distances” of a half mile or more if the signal is conducted through nearby materials like power lines or water pipes.
“Thus, conceivably, the machine could be radiating information which could lead to the reconstruction of our daily changing keying variables—and from a Comsec viewpoint, that is absolutely the worst thing that can happen to us,” the report read, referring to secret cryptographic keys for deciphering encrypted information and using the term “comsec” to mean communications security. “This problem of compromising radiation we have given the covername TEMPEST.”
In more recent years, researchers have demonstrated a seemingly endless array of side-channel attacks to pull information out of unsuspecting users’ machines. In 2015, for instance, Tel Aviv University researchers demonstrated a radio spying device that could steal information from a computer based on the electromagnetic emanations of its processor from a couple of feet away. The device cost less than $300 and fit inside a pita bread. The same group of researchers also found that they could listen to the high-pitched sounds created by a computer’s operation—even with a normal mobile phone sitting nearby—to extract cryptographic keys that could be used to decipher secret data.
It’s not entirely clear, however, whether Wyden and Brown have some more pressing reason to highlight the risks of side-channel attacks now. Wyden in particular has a history of voicing public concerns in sometime-cryptic terms that are spurred by his knowledge of classified information. In an email exchange with WIRED, the senator declined to say whether there was any classified information that inspired his letter.
Instead, he described his call for an investigation into side-channel attacks as an attempt to head off a threat that will only become more practical as the surveillance methods improve and become more accessible to hackers. “While the average American does not need to worry about Russian or Chinese spies parked outside their home or office, US businesses that have developed technologies in strategically important areas are obviously a target for espionage,” Wyden wrote in an email.
“Surveillance technologies eventually trickle down from the most sophisticated intelligence agencies, to intelligence agencies in less advanced countries via surveillance mercenaries, to law enforcement, and finally to private investigators and criminals,” Wyden’s email continues. “Since protecting the public against this method of surveillance will likely require phone and computer manufacturers to change the design of their products, fixes are going to take years. Researchers have already demonstrated that this surveillance is possible with easily available equipment and software.”
Security researchers nonetheless say that side-channel attacks likely shouldn’t be on the top of any normal person’s list of privacy concerns. “The takeaway from this letter should not be that every activist needs to build a SCIF and start worrying about side-channel attacks, because I don’t think that’s the case,” says Cooper Quintin, a security researchers at the Electronic Frontier Foundation’s Threat Lab who focuses on digital threats to civil society. “These attacks are possible, but they’re also technically very difficult. The people that need to worry about this are people in national security or who work in fields where international state-backed industrial espionage is a concern.”
In some ways, side-channel attacks are already harder to carry out than in years past: The push to preserve battery life in phones and laptops, for instance, has already led to more efficient computer components that use less electricity and thus transmit less accidental radiation, says Samy Kamkar, a well-known hacker who has focused on side-channel attacks in research like a laser microphone he built to detect computer keystrokes. “The major manufacturers, [companies] like Apple and Google, generally are aren’t super leaky when it comes to electromagnetic emanations or acoustics,” Kamkar says. The new Congressional Research Service report on side-channel attacks itself points out, too, that more computing than ever takes place in the cloud, inside data centers where a would-be spy would likely have a harder time picking up and deciphering emanations.
Yet at the same time, the increasing power and accessibility of AI tools that can find meaningful signals in noisy data may help make side-channel attacks easier to pull off, says Kamkar. And even if phones and laptops are less prone to those spying techniques, industrial control system computing devices or the ever-growing number of “smart” household devices from smart speakers to TVs may still leak secrets, he says.
The Congressional Research Service report commissioned by Wyden and Brown ends with a consideration of how the US government could pressure tech companies to leave their products less prone to side-channel attacks. The Federal Communications Commission, for instance, could use its regulation of radio equipment to impose security requirements. The Federal Trade Commission could also determine that a tech company that makes security claims but doesn’t protect users against TEMPEST-style attacks is engaged in “unfair or deceptive acts or practices,” the report notes.
The US government could also simply share more of what it knows about the threat of side-channel attacks, as Wyden and Brown’s letter calls for. Until then, the rest of us may be left to guess just how many of our secrets are silently broadcast from our machines to any spy with the skills and resources to listen.
The post How Vulnerable Are Computers to an 80-Year-Old Spy Technique? Congress Wants Answers appeared first on Wired.
