gaurav vijay - 123seminarsonly.com · 2012-03-17 · gaurav vijay (2008ucp405) under the guidance...


MALAVIYA NATIONAL INSTITUTE OF TECHNOLOGY JAIPUR

Department of Computer Engineering

A Seminar Report on

TEMPEST and ECHELON

Submitted by:

GAURAV VIJAY (2008UCP405)

Under the guidance of:

Dr. Girdhari Singh (Associate Professor)


Acknowledgement

I express my sincere gratitude to my seminar mentor Dr. Girdhari Singh (Associate Professor, Department of Computer Engineering, MNIT Jaipur) for his constant support and valuable suggestions without which the successful completion of this seminar would not have been possible.

I express my immense pleasure and thanks to all the teachers and staff of the Department of Computer Engineering, MNIT for their co-operation and support.

Last but not the least, I thank all others, and especially my classmates who in one way or another helped me in the successful completion of this work.

Gaurav Vijay


Certificate

This is to certify that the seminar report entitled TEMPEST and ECHELON is being submitted by Gaurav Vijay in partial fulfillment of the degree of Bachelor of Technology in Computer Engineering from Malaviya National Institute of Technology, Jaipur.

This seminar report has been found to be quite satisfactory and is approved for submission.

Dr. Girdhari Singh

Associate Professor

DATE :


Preface

TEMPEST and ECHELON are methods of spying in a sophisticated manner; both were developed by the National Security Agency (NSA) for monitoring people. These technologies were originally developed for pure military espionage, but hackers now use them to spy on other people's activities.

TEMPEST is the technology that can reproduce what you are seeing on your monitor and what you are typing on your keyboard from a couple of kilometers away. It traces all electromagnetic radiation from the victim's monitor, keyboard, even PC memory and hard disk, and then reproduces the signals. Using this technology it is possible to intrude (listening only) into a person's computer from a couple of kilometers away, even if it is a computer that is not networked, which enables the intruder to hack without any connection to the victim's computer.

ECHELON is spying on a large network by sniffing through the words. It is an ongoing secret project of the NSA and its counterparts in the UK, Canada, Australia and New Zealand. It can intercept as many as 2 million communications per hour through phone calls, faxes, e-mails, downloads, microwave, cellular, satellite communication, etc.

As stated above, it was developed for military purposes, but it is now used for spying on organizations, businesses and individuals.

This seminar describes the various methods employed in spying with the help of TEMPEST and ECHELON.


Contents

1 Introduction

2 The need for an interception system

3 Inside ECHELON
  3.1 Espionage, what does it mean?
  3.2 Espionage targets
  3.3 Espionage methods
  3.4 Processing of electromagnetic signals
  3.5 Processing of intercepted communications
  3.6 Technical conditions governing the interception of telecommunications
    3.6.1 The interceptibility of various communication media
    3.6.2 The interception on the spot
    3.6.3 The worldwide interception system
    3.6.4 Access to communication media
    3.6.5 Scope for interception from aircraft and ships
    3.6.6 The scope for interception by spy satellites (The Backbone of ECHELON)
    3.6.7 The automatic analysis of intercepted communications (The Backbone of ECHELON)
    3.6.8 Technical annexe
  3.7 The problems of ECHELON
  3.8 Is ECHELON suitable for industrial espionage?
    3.8.1 Published cases
  3.9 Cryptography as a means of self-protection
    3.9.1 "Workfactor reduction": The subversion of cryptographic systems
  3.10 List of ECHELON sites

4 Inside TEMPEST
  4.1 Sources of TEMPEST signals
  4.2 Technology behind the TEMPEST
    4.2.1 TEMPEST equipment
    4.2.2 How does TEMPEST work?
  4.3 Protection from TEMPEST attacks
    4.3.1 TEMPEST testing and device shielding
    4.3.2 TEMPEST proof walls
    4.3.3 TEMPEST fonts

5 Conclusion and future scope

6 References


List of Figures

4.1 Different broadband antenna types
4.2 R-1250 Superheterodyne receiver
4.3 Eavesdropping set-up
4.4 Pixel frequency and deflection frequencies
4.5 AM signal
4.6 Radiated TEMPEST scenario
4.7 An EUT (equipment under test)
4.8 TEMPEST fonts
4.9 Reproduced image at attacker side


Chapter 1

Introduction

The notion of spying has been a very sensitive topic since the September 11 terrorist attack in New York. In the novel 1984, George Orwell foretold a future where individuals had no expectation of privacy because the state monopolized the technology of spying. Now the National Security Agency of the USA has developed a secret project, named ECHELON, to spy on people by tracing their messages, using technology-enabled interception to find terrorist activities across the globe, leaving the technology ahead of any traditional method of interception.

The secret project developed by the NSA (National Security Agency of the USA) and its allies traces every single transmission, even a single keystroke on a keyboard. The allies of the USA in this project are the UK, Australia, New Zealand and Canada. ECHELON was developed with the highest computing power, with computers connected through satellites all over the world. In this project the NSA left the wonderful methods of TEMPEST and Carnivore behind.

ECHELON is the technology for sniffing through messages sent over a network or any transmission medium, even wireless messages. TEMPEST is the technology for intercepting electromagnetic waves over the air. It simply sniffs the electromagnetic waves propagated from any device, even from the monitor of a computer. TEMPEST can capture the signals of computer screens and of keyboard keystrokes through walls, even when the computer is not connected to a network. Thus the traditional way of hacking has little advantage in spying.

For ordinary people it is hard to believe that their monitor can be reproduced from anywhere within a one-kilometer range without any transmission medium between the equipment and their computer. So we have to accept that the technology enables us to reproduce anything, from the monitor of a computer to the hard disks and the memory (RAM) of a distant computer, without any physical or visual contact. It is done with the electromagnetic waves propagated from that device.

The main theory behind TEMPEST (Transient Electromagnetic Pulse Emanation Standard) is that any electronic or electrical device emits electromagnetic radiation of a specific key when it is operated. For example, the picture tube of a computer monitor emits radiation when it is scanned in the vertical or horizontal range beyond the screen. This radiation is very small and does not cause any harm to a human, but it has a specific frequency range. You can reproduce those electromagnetic waves by tracing them with powerful equipment and powerful filtering methods that correct the errors introduced during transmission from the equipment.

For the project named ECHELON, the NSA uses supercomputers to sniff through the packets and messages sent through any transmission medium. They use the advantage of distributed computing for this. Every packet is sniffed for the USA's NSA for security reasons.

Interception of communications is a method of spying commonly employed by intelligence services to spy for the secret services to provide security to the government and the people. So they can use any method to ensure the security of people, including spying. It depends on the target we are aiming at. To capture terrorists before they can do any harm to people, we must keep the technology ahead. We engineers are behind that project of the NSA, and so we have to be aware of that technology to enable our INDIA in this field as well, because it is used mainly by security agencies and spies all over the world, even though there is a lack of equipment for this purpose. Equipment for TEMPEST spying is available in the USA and its export from there is prohibited. Some smuggled equipment may be here. But we have to develop the systems for our military and intelligence agencies to ensure the best security for our people.

When considering the limitations of the surveillance system, the issue depends in particular on the worldwide interception of satellite communications. In areas characterised by a high volume of communications, only a very small proportion of those communications is transmitted by satellite. This means that the majority of communications cannot be intercepted by earth stations, but only by tapping cables and intercepting radio signals, something which is possible only to a limited extent. The number of personnel required for the final analysis of intercepted communications imposes further restrictions. Therefore, the UKUSA states have access to only a very limited proportion of cable and radio communications and can analyze an even more limited proportion of those communications. Further, however extensive the resources and capabilities for the interception of communications may be, the extremely high volume of traffic makes exhaustive, detailed monitoring of all communications impossible in practice.


Chapter 2

The need for an interception system

Interception of communications is a method of spying commonly employed by intelligence services. There can now be no doubt that the purpose of the system is to intercept, at the very least, private and commercial communications, and not military communications, although the analysis carried out in the report has revealed that the technical capabilities of the system are probably not nearly as extensive as some sections of the media had assumed.

Interception of messages is the major work of intelligence agencies all over the world, to keep track of spies and terrorists and to preserve the security of the country against the leaking of sensitive documents and terrorist attacks. Through the work of the intelligence agencies the government ensures the security of the state. For that we have to equip our intelligence agencies with modern technologies, like the USA. For that we must set up an interception system. While developing this we have to consider the privacy of ordinary people and industrial organizations.

Apart from directing their ears towards terrorists and rogue states, the ECHELON system developed by the NSA is also being used for purposes well outside its original mission. In America, the regular discovery of domestic surveillance targeted at American civilians for reasons of unpopular political affiliation, or for no probable cause at all, in violation of the First, Fourth and Fifth Amendments of the Constitution of America, is consistently impeded by very elaborate and complex legal arguments and privilege claims by the intelligence agencies and the US government. The guardians and caretakers of their liberties, their duly elected political representatives, give scarce attention to these activities, let alone the abuses that occur under their watch. The other ECHELON targets are political spying and industrial espionage.

The existence and expansion of ECHELON is a foreboding omen regarding the future of our Constitutional liberties. If a government agency can willingly violate the most basic components of the Bill of Rights without so much as Congressional oversight and approval, we have reverted from a republican form of government to tyranny.

When considering political spying we have to consider many legal issues. It consists of spying on other parties and the messages sent by them. Since the close of World War II, the US intelligence agencies have developed a consistent record of trampling the rights and liberties of the American people. Even after the investigations into the domestic and political surveillance activities of the agencies that followed in the wake of the Watergate fiasco, the NSA continues to target the political activity of unpopular political groups and the duly elected representatives.

When considering industrial espionage we have to discuss and redefine the notion of national security to include economic, commercial and corporate concerns. Many of the major companies helped the NSA to develop the ECHELON system, to tackle the mammoth task of setting up the largest computing power in the world.

ECHELON is actually a vast network of electronic spy stations located around the world and maintained by five countries: the US, England, Canada, Australia, and New Zealand. These countries, bound together in a still-secret agreement called UKUSA, spy on each other's citizens by intercepting and gathering electronic signals of almost every telephone call, fax transmission and email message transmitted around the world daily. These signals are fed to the massive supercomputers of the NSA to look for certain keywords called the ECHELON dictionaries.

For the above reasons our country INDIA must be enabled to cope with the new interception system. For that we engineers must do the work, otherwise our country will also become vulnerable to attacks from other states. For that reason I am presenting this seminar.


Chapter 3

Inside ECHELON

ECHELON stands for the NSA's (National Security Agency of America) secret global surveillance system developed for intercepting messages all over the world. As said in the media, NSA is "No Such Agency", but that is not the truth. This massive surveillance system apparently operates without the oversight of either Congress or the courts. Shockingly, the NSA has failed to adequately disclose to Congress and the public the legal guidelines for the project. Without those legal guidelines and an explanation of what they allow and forbid, there is no way of knowing if the NSA is using ECHELON to spy on Americans in violation of federal law. In April 2000, the House Intelligence Committee held a hearing to deal with credible reports that suggest ECHELON is capturing satellite, microwave, cellular and fiber-optic communications worldwide. The House Intelligence Committee intended the hearing to help ensure that ECHELON does not circumvent any requirement in federal law and that the government obtains a warrant from a court before it eavesdrops on a conversation to, from, or within the United States.

3.1 Espionage, what does it mean?

Governments have a need for systematic collection and evaluation of information about certain situations in other states. This serves as a basis for decisions concerning the armed forces, foreign policy and so on. They therefore maintain foreign intelligence services, part of whose task is to systematically assess information available from public sources. The rapporteur has been informed that on average this accounts for at least 80 percent of the work of the intelligence services. However, particularly significant information in the fields concerned is kept secret by governments or businesses and is therefore not publicly accessible. Anyone who nonetheless wishes to obtain it has to steal it. Espionage is simply the organised theft of information.

3.2 Espionage targets

The classic targets of espionage are military secrets, other government secrets or information concerning the stability of or dangers to the government. These may for example comprise new weapons systems, military strategies or information about the stationing of troops. No less important is information about forthcoming decisions in the fields of foreign policy, monetary decisions or inside information about tensions within a government. In addition there is also interest in economically significant information. This may include not only information about sectors of the economy but also details of new technologies or foreign transactions.

3.3 Espionage methods

Espionage involves gaining access to information which the holder would rather protect from being accessed by outsiders. This means that the protection needs to be overcome and penetrated. This is the case with both political and industrial espionage. Thus the same problems arise with espionage in both fields, and the same techniques are accordingly used in both of them. Logically speaking there is no difference; only the level of protection is generally lower in the economic sphere, which sometimes makes it easier to carry out industrial espionage. In particular, businessmen tend to be less aware of risks when using interceptible communication media than does the state when employing them in fields where security is a concern.


3.4 Processing of electromagnetic signals

The form of espionage by technical means with which the public is most familiar is that which uses satellite photography. In addition, however, electromagnetic signals of any kind are intercepted and analysed (signal intelligence or SIGINT). In the military field, certain electromagnetic signals, e.g. those from radar stations, may provide valuable information about the organisation of the enemy's air defence (electronic intelligence or ELINT). In addition, electromagnetic radiation which could reveal details of the position of troops, aircraft, ships or submarines is a valuable source of information for an intelligence service. Monitoring other states' spy satellites which take photographs, and recording and decoding signals from such satellites, is also useful. The signals are recorded by ground stations, from low-orbit satellites or from quasi-geostationary SIGINT satellites. This aspect of intelligence operations using electromagnetic means consumes a large part of the services' interception capacity. This, however, is not the only use made of technology.

3.5 Processing of intercepted communications

The foreign intelligence services of many states intercept the military and diplomatic communications of other states. Many of these services also monitor the civil communications of other states if they have access to them. In some states, services are also authorised to monitor incoming or outgoing communications in their own country. In democracies, intelligence services' monitoring of the communications of the country's own citizens is subject to certain triggering conditions and controls. However, domestic law in general only protects nationals within the territory of their own country and other residents of the country concerned.


3.6 Technical conditions governing the interception of telecommunications

3.6.1 The interceptibility of various communication media

If people wish to communicate with one another over a given distance, they need a medium. This medium may be:
- air (sound waves)
- light (morse lamp, fibreoptic cable)
- electric current (telegraph, telephone)
- an electromagnetic wave (all forms of radio)

Any third party who succeeds in accessing the medium can intercept the communications. This process may be easy or difficult, feasible anywhere or only from certain locations. Two extreme cases are discussed below: the technical possibilities available to a spy working on the spot, on the one hand, and the scope for a worldwide interception system, on the other.

3.6.2 The interception on the spot

On the spot, any form of communication can be intercepted if the eavesdropper is prepared to break the law and the target does not take protective measures.

Conversations in rooms can be intercepted by means of planted microphones (bugs) or laser equipment which picks up vibrations in window panes.

Screens emit radiation which can be picked up at a distance of up to 30 metres, revealing the information on the screen.

Telephone, fax, and e-mail messages can be intercepted if the eavesdropper taps into a cable leaving the relevant building.

Although the infrastructure required is costly and complex, communications from a mobile phone can be intercepted if the interception station is situated in the same radio cell (diameter 300 m in urban areas, 30 km in the countryside).

Closed-circuit communications can be intercepted within the USW-radio range.

3.6.3 The worldwide interception system

Nowadays various media are available for all forms of intercontinental communication (voice, fax and data). The scope for a worldwide interception system is restricted by two factors:

(i) Restricted access to the communication medium.

(ii) The need to filter out the relevant communication from a huge mass of communications taking place at the same time.

3.6.4 Access to communication media

Cable communications

All forms of communication (voice, fax, e-mail, data) are transmitted by cable. Access to the cable is a prerequisite for the interception of communications of this kind. Access is certainly possible if the terminal of a cable connection is situated on the territory of a state which allows interception. In technical terms, therefore, within an individual state all communications carried by cable can be intercepted, provided this is permissible under the law. However, foreign intelligence services generally have no legal access to cables situated on the territory of other states. At best, they can gain illegal access to a specific cable, although the risk of detection is high.

From the telegraph age onwards, intercontinental cable connections have been achieved by means of underwater cables. Access to these cables is always possible at those points where they emerge from the water. Electric cables may also be tapped between the terminals of a connection, by means of induction (i.e. electromagnetically, by attaching a coil to the cable), without creating a direct, conductive connection. Underwater electric cables can also be tapped in this way from submarines, albeit at very high cost.

In the case of the older-generation fibreoptic cables used today, inductive tapping is only possible at the regenerators. These regenerators transform the optical signal into an electrical signal, strengthen it and then transform it back into an optical signal. However, this raises the issue of how the enormous volumes of data carried on a cable of this kind can be transmitted from the point of interception to the point of evaluation without the laying of a separate fibreoptic cable.

These conditions apply to communications transmitted over the Internet via cable. The situation can be summarised as follows:

1. Internet communications are carried out using data packets, and different packets addressed to the same recipient may take different routes through the network.

2. In internet communication, the routes followed by individual data packets were completely unpredictable and arbitrary.

3. The commercialisation of the internet and the establishment of internet providers also resulted in a commercialisation of the network. Today, the route taken through the network by a data packet is not solely determined by the capacity available on the network, but also hinges on cost considerations.

4. Routers, computers situated at network junctions which determine the route by which data packets will be transmitted, organise the transition to other networks at points known as switches. Previously, the switches for the routing of global internet communications were situated in the USA. For that reason, at that time intelligence services could intercept a substantial proportion of global internet communications.


Radio communications

The interceptibility of radio communications depends on the range of the electromagnetic waves employed. If the radio waves run along the surface of the earth (so-called ground waves), their range is restricted and is determined by the topography of the earth's surface, the degree to which it is built up and the amount of vegetation. If the radio waves are transmitted towards space (so-called space waves), two points a substantial distance apart can be linked by means of the reflection of the sky wave from layers of the ionosphere. Multiple reflections substantially increase the range. The global communications interception system can only intercept short-wave radio transmissions. In the case of all other types of radio transmission, the interception station must be situated within a 100 km radius (e.g. on a ship, in an embassy). The practical implication for interception with terrestrial listening stations is that they can intercept only a very limited proportion of radio communications.

Communications transmitted by geostationary telecommunications satellites

If a microwave radio link is set up transmitting to a telecommunications satellite in a high, geostationary orbit and the satellite receives the microwave signals, converts them and transmits them back to earth, large distances can be covered without the use of cables. The range of such a link is essentially restricted only by the fact that the satellite can receive and transmit only in a straight line. For that reason, several satellites are employed to provide worldwide coverage. Listening stations operated in the relevant regions of the earth can intercept all telephone, fax and data traffic transmitted via such satellites.

3.6.5 Scope for interception from aircraft and ships

It has long been known that special aircraft are used for the purpose of locating other aircraft over long distances. The radar equipment in these aircraft works in conjunction with a detection system, designed to identify specific objectives, which can locate forms of electronic radiation, classify them and correlate them with radar sightings. They have no separate SIGINT capability. In contrast, the slow-flying EP-3 spy plane used by the US Navy has the capability to intercept microwave, USW and short-wave transmissions. The signals are analysed directly on board and the aircraft is used solely for military purposes. In addition, surface ships and, in coastal regions, submarines are used to intercept military radio transmissions.

3.6.6 The scope for interception by spy satellites (The Backbone of ECHELON)

Provided they are not focused through the use of appropriate antennae, radio waves radiate in all directions, i.e. also into space. Low-orbit signal intelligence satellites can only lock on to the target transmitter for a few minutes in each orbit. In densely populated, highly industrialised areas interception is hampered to such a degree by the high density of transmitters using similar frequencies that it is virtually impossible to filter out individual signals. The satellites cannot be used for the continuous monitoring of civilian radio communications.

Alongside these satellites, the USA operates so-called quasi-geostationary SIGINT satellites stationed in a high earth orbit (42,000 km). Unlike the geostationary telecommunications satellites, these satellites have an inclination of between 3 and 10 degrees, an apogee of between 39,000 and 42,000 km and a perigee of between 30,000 and 33,000 km. The satellites are thus not motionless in orbit, but move in a complex elliptical orbit, which enables them to cover a larger area of the earth in the course of one day and to locate sources of radio transmissions. This fact, and the other non-classified characteristics of the satellites, point to their use for purely military purposes. The signals received are transmitted to the receiving station by means of a strongly focused 24 GHz downlink.

3.6.7 The automatic analysis of intercepted communications (The Backbone of ECHELON)

When foreign communications are intercepted, no single telephone connection is monitored on a targeted basis. Instead, some or all of the communications transmitted via the satellite or cable in question are tapped and filtered by computers employing keywords; analysis of every single communication would be completely impossible.

It is easy to filter communications transmitted along a given connection. Specific faxes and e-mails can also be singled out through the use of keywords. If the system has been trained to recognise a particular voice, communications involving that voice can be singled out. However, according to the information available to the rapporteur, the automatic recognition to a sufficient degree of accuracy of words spoken by any voice is not yet possible. Moreover, the scope for filtering out is restricted by other factors: the ultimate capacity of the computers, the language problem and, above all, the limited number of analysts who can read and assess filtered messages.

When assessing the capabilities of filter systems, consideration must also be given to the fact that in the case of an interception system working on the basis of the vacuum-cleaner principle, those technical capabilities are spread across a range of topics. Some of the keywords relate to military security, some to drug trafficking and other forms of international crime, some to the trade in dual-use goods and some to compliance with embargoes. Some of the keywords also relate to economic activities. Any move to narrow down the range of keywords to economically interesting areas would simply run counter to the demands made on intelligence services by governments; what is more, even the end of the Cold War was not enough to prompt such a step.

The ECHELON system developed by NSA and its allies uses this type of message filtering, by means of Dictionaries and Keywords. The system filters the messages using modern, sophisticated searching algorithms. In this method the NSA uses sophisticated speech recognition software and OCR software for searching or sniffing through the packets. The search through the packets is driven by the specific keywords and dictionaries. These keywords and dictionaries are the power of an ECHELON system. It is said that an ECHELON system can intercept billions of messages every hour. This makes the ECHELON system the largest spying network in the world, using the largest computing power that humankind has ever experienced. The power of the ECHELON system is its Dictionaries containing Keywords.

Keywords

When sniffing through the packets and sending the information to the destination agencies, the computers that are part of the ECHELON system use certain “sensitive words” to find the messages which carry sensitive information. These words are known as the Keywords. The computers automatically search through millions of intercepted messages for the ones containing the pre-programmed keywords and then ship the selected messages off to the computers of the requesting agency.

Processing millions of messages every hour, the ECHELON systems churn away 24 hours a day, 7 days a week, looking for targeted keyword series, phone and fax numbers, and specified voiceprints. It is important to note that very few messages and phone calls are actually transcribed and recorded by the system. The vast majority are filtered out after they are read or listened to by the system. Only those messages that produce keyword hits are tagged for future analysis. Again, it is not just the ability to collect the electronic signals that gives ECHELON its power; it is the tools and technology that are able to whittle down the messages to only those that are important to the intelligence agencies.

The ECHELON system compares the intercepted messages with the keywords and when a ‘Hit’ occurs the system will forward the messages to the corresponding agencies.

The ECHELON dictionaries

The extraordinary ability of ECHELON to intercept most of the communications traffic in the world is breathtaking in its scope. And yet the power of ECHELON resides in its ability to decrypt, filter, examine and codify these messages into selective categories for further analysis by intelligence agents from the various UKUSA agencies. As the electronic signals are brought into the station, they are fed through the massive computer systems, such as Menwith Hill's SILKWORTH, where voice recognition, optical character recognition (OCR) and data information engines get to work on the messages.

The database containing the keywords may be huge; these huge databases are called the Dictionaries. Each station maintains a list of keywords (the Dictionary) designated by each of the participating intelligence agencies. A Dictionary Manager from each of the respective agencies is responsible for adding, deleting or changing the keyword search criteria for their dictionaries at each of the stations. Each of these station dictionaries is given a codeword, such as COWBOY for the Yakima facility and FLINTLOCK for the Waihopai facility. These codewords play a crucial identification role for the analysts who eventually look at the intercepted messages. With the rise of post-modern warfare, terrorism gave the establishment all the justification it needed to develop an even greater ability to spy on our enemies.

3.6.8 Technical annexe

Project ECHELON made heavy use of NSA's global Internet-like communication network to enable remote intelligence customers to task computers at each collection site, and receive the results automatically. The key components of the system are local “Dictionary” computers, which store an extensive database on specified targets, including names, topics of interest, addresses, telephone numbers and other selection criteria. Incoming messages are compared to these criteria; if a match is found, the raw intelligence is forwarded automatically.

Tasking and receiving intelligence from the Dictionaries involves processes familiar to anyone who has used the Internet. Dictionary sorting and selection can be compared to using search engines, which select web pages containing key words or terms and specifying relationships. The forwarding function of the Dictionary computers may be compared to e-mail. When requested, the system will provide lists of communications matching each criterion for review, analysis, “gisting” or forwarding. Not all, but a fraction, of the messages selected by Dictionary computers at remote sites are forwarded to NSA without being read locally.

This technical annexe describes the main systems used to extract and process communications intelligence used by ECHELON.

Fax messages and computer data (from modems) are given priority in processing because of the ease with which they are understood and analysed. The main method of filtering and analysing non-verbal traffic, the Dictionary computers, utilise traditional information retrieval techniques, including keywords. Fast special purpose chips enable vast quantities of data to be processed in this way. The newest technique is “topic spotting”. The processing of telephone calls is mainly limited to identifying call-related information, and traffic analysis. Effective voice “wordspotting” systems do not exist or are not in use, despite reports to the contrary. But “voiceprint” type speaker identification systems have been in use.

The conclusions drawn in the annexe are that ECHELON equipment currently available has the capability, as tasked, to intercept, process and analyse every modern type of high capacity communications system to which access is obtained, including the highest levels of the internet. There are few gaps in coverage. The scale, capacity and speed of some systems are difficult to comprehend fully. Special purpose systems have been built to process pager messages, cellular mobile radio and new satellites.

Digital communications have almost universally taken over from analogue methods. The basic system of digital multi-channel communications is time division multiplexing (TDM). In a TDM telephony system, the individual conversational channels are first digitised. Information concerning each channel is then transmitted sequentially rather than simultaneously, with each link occupying successive time “slots”.

Wideband Extraction

The first step in processing such signals for intercepting purposes is “wideband extraction”. An extensive range of SIGINT equipment is manufactured for this purpose, enabling newly intercepted systems to be surveyed and analysed. These include transponder survey equipment which identifies and classifies satellite downlinks, including demodulators, decoders, demultiplexers, microwave radio link analysers, link survey units, carrier analysis systems, and many other forms of hardware and software.

COMINT processing products are generally supplied by two specialist NSA niche suppliers: Applied Signal Technology Inc (AST), of Sunnyvale, California, and The IDEAS Operation of Columbia, Maryland (part of Science Applications International Corporation (SAIC)).

A newly intercepted communications satellite or data link can be analysed using the AST Model 196 “Transponder characterisation system”. Once its basic communications structure has been analysed, the Model 195 “Wideband snapshot analyser”, also known as SNAPPER, can record sample data from even the highest capacity systems, sufficient to analyse communications in minute detail. The Model 990 “Flexible Data Acquisition Unit” systems can record, play back and analyse at data rates up to 2.488 Gbps (SONET OC-48). This is 16 times faster than the largest backbone links in general use on the Internet; larger than the telephony capacity of any current communications satellite; and equivalent to 40,000 simultaneous telephone calls. It can be fitted with 48 Gbyte of memory (500-1000 times larger than found in an average personal computer), enabling relatively lengthy recordings of high-speed data links. The 2.5 Gbps capacity of a single SNAPPER unit exceeds the current daily maximum data rate found on a typical large Internet exchange. Both AST and IDEAS offer a wide range of recorders, demultiplexers, scanners and processors, mostly designed to process signals at data rates of up to 160 Mbps. Signals may be recorded to banks of high-speed tape recorders, or into high capacity “RAID” hard disk networks. Intercepted optical signals can be examined with the AST Model 257E “SONET analyser”.

Once communication links have been analysed and broken down to their constituent parts, the next stage involves multi-channel processors which extract and filter messages and signals from the desired channels. There are three broad categories of interest: “voice grade channels”, normally carrying telephony; fax communications; and analog data modems. A wide selection of multi-channel processors is available. Almost all of them separate voice, fax and data messages into distinct “streams” for downstream processing and analysis.

The AST Model 120 multi-channel processor - used by NSA in different configurations known as STARQUAKE, COBRA and COPPERHEAD - can handle 1,000 simultaneous voice channels and automatically extract fax, data and voice traffic. Model 128, larger still, can process 16 global channels (a data rate of 500 Mbps) and extract 480 channels of interest. The giant of AST’s range, the Model 132 “Voice Channel Demultiplexer”, can scan up to 56,700 communications channels, extracting more than 3,000 voice channels of interest. AST also provides SIGINT equipment to intercept low capacity VSAT satellite services used by smaller businesses and domestic users. These systems can be intercepted by the AST Model 285 SCPS processor, which identifies and extracts up to 48 channels of interest, distinguishing between voice, fax and data.

Once communication channels have been identified and signals of interest are extracted, they are analysed further by sophisticated workstations using special purpose software. In the next stage, downstream intercepted signals are processed according to whether they are voice, fax or data.

AST’s ELVIRA Signals Analysis Workstation is typical of this type of SIGINT equipment. This system, which can be used on a laptop computer in covert locations, surveys incoming channels and extracts standard COMINT data, including technical specifications (STRUM) and information about call destinations (SRI, or signal related information). Selected communications are relayed to distant locations using NSA standard “Collected Signals Data Format” (CSDF). High-speed data systems can also be passed to AST’s TRAILMAPPER software system, which works at a data rate of up to 2.5 Gbps. It can interpret and analyse every type of telecommunications system, including European, American and optical standards. TRAILMAPPER appears to have been designed with a view to analysing ATM (asynchronous transfer mode) communications. ATM is a modern, high-capacity digital communications system. It is better suited than standard Internet connections to carrying multimedia traffic and to providing business with private networks (VPN, LAN or WAN). TRAILMAPPER will identify and characterise such business networks.

AST’s “Data Workstation” is designed to categorise all aspects of data communications, including systems for handling e-mail or sending files on the internet. The Data Workstation can store and automatically process 10,000 different recorded signals. Fax messages are processed by the “Fax Image Workstation”. This is done using a “user friendly”, interactive analysis tool for rapid examination of images stored on disk. Standard fax pre-processing for Dictionary computers involves automatic “optical character recognition” (OCR) software. This turns the typescript into computer readable (and processable) text. The effectiveness of these systems makes fax-derived COMINT an important collection subsystem. It has one drawback. OCR computer systems that can reliably recognise handwriting do not exist. No one knows how to design such a system. It follows that, perversely, hand-written fax messages may be a secure form of communication that can evade Dictionary surveillance criteria, provided always that the associated “signal related information” (calling and receiving fax numbers) has not been recognised as being of interest and directed to a Fax Image Workstation. A “Pager Identification and Message Extraction” system automatically collects and processes data from commercial paging systems. A Video Teleconferencing Processor can view or record many simultaneous teleconferencing sessions.

Traffic analysis, keyword recognition, text retrieval, and topic analysis

Traffic analysis is a method of obtaining intelligence from signal related information, such as the number dialled on a telephone call, or the Calling Line Identification Data (CLID) which identifies the person making the call. Traffic analysis can be used where message content is not available, for example when encryption is used. By analysing calling patterns, networks of personal associations may be analysed and studied. This is a principal method of examining voice communications.

Whenever machine readable communications are available, keyword recognition is fundamental to Dictionary computers, and to the ECHELON system. The Dictionary function is straightforward. Its basic mode of operation is akin to web search engines. Advanced systems have been developed to perform very high speed sorting of large volumes of intercepted information. For example, the Fast Data Finder (FDF) microchip is the fastest, most accurate adaptive filtering system in the world. The TextFinder chip implements the most comprehensive character-string comparison functions of any text retrieval system in the world. A lower capacity system, the PRP-9800 Pattern Recognition Processor, is manufactured by IDEAS. This is a computer card which can be fitted to a standard PC. It can analyse data streams at up to 34 Mbps, matching every single bit to more than 1000 pre-selected patterns.

Powerful though Dictionary methods and keyword search engines may be, however, they and their giant associated intelligence databases may soon seem archaic. Topic analysis is a more powerful and intuitive technique, and one that NSA is developing and promoting with confidence. Topic analysis enables COMINT customers to ask their computers to “find me documents about subject X”. X might be “Shakespeare in love” or “Arms to Iran”.

The main detectable thrust of NSA research on topic analysis centres on a method called N-gram analysis. Developed inside NSA’s Research group - responsible for SIGINT automation - N-gram analysis is a fast, general method of sorting and retrieving machine-readable text according to language and/or topic. The N-gram system is claimed to work independently of the language used or the topic studied. To use N-gram analysis, the operator ignores keywords and defines the enquiry by providing the system with selected written documents concerning the topic of interest. The system determines what the topic is from the seed group of documents, and then calculates the probability that other documents cover the same topic.
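The seed-document approach described above, sketched as an added example (not code from the report or from NSA). Character trigrams and cosine similarity are assumptions chosen for illustration, all sample documents are constructed, and the score is a similarity rather than the calibrated probability the text mentions.

```python
import math
import re
from collections import Counter


def ngram_profile(text, n=3):
    """Count overlapping character n-grams of the normalised text."""
    # Lowercase, collapse every run of non-letters/digits to one space and
    # pad both ends so that word boundaries become n-grams too.
    cleaned = " " + re.sub(r"[\W_]+", " ", text.lower()).strip() + " "
    return Counter(cleaned[i:i + n] for i in range(len(cleaned) - n + 1))


def cosine(a, b):
    """Cosine similarity between two sparse n-gram count vectors."""
    dot = sum(count * b.get(gram, 0) for gram, count in a.items())
    norm_a = math.sqrt(sum(c * c for c in a.values()))
    norm_b = math.sqrt(sum(c * c for c in b.values()))
    return dot / (norm_a * norm_b) if norm_a and norm_b else 0.0


def topic_profile(seed_docs, n=3):
    """The 'topic' is simply the summed profile of the seed documents."""
    total = Counter()
    for doc in seed_docs:
        total.update(ngram_profile(doc, n))
    return total


def rank_by_topic(seed_docs, candidates, n=3):
    """Return (score, document) pairs, most topic-like document first."""
    topic = topic_profile(seed_docs, n)
    scored = [(cosine(ngram_profile(doc, n), topic), doc) for doc in candidates]
    return sorted(scored, reverse=True)


def keyword_hit(doc, keywords):
    """Dictionary-style exact phrase match, for comparison."""
    lowered = doc.lower()
    return any(keyword.lower() in lowered for keyword in keywords)


# Constructed seed documents that define the topic of interest.
SEED_DOCS = [
    "The export licence for dual-use machine tools was refused because "
    "the end user could not be verified.",
    "Customs officers inspected the shipment of dual-use electronics and "
    "checked the export licences.",
]

# Constructed candidates: the first is on topic but uses different word
# forms, so the exact phrase "export licence" never appears in it.
CANDIDATES = [
    "Exporters licensing dual-use goods must verify end users before shipping.",
    "The football club signed a new striker before the weekend match.",
    "Heavy rain is expected across the coast with strong winds tonight.",
]

if __name__ == "__main__":
    for score, doc in rank_by_topic(SEED_DOCS, CANDIDATES):
        hit = keyword_hit(doc, ["export licence"])
        print(f"{score:.3f}  keyword_hit={hit!s:5}  {doc}")
```

The on-topic candidate ranks first even though a keyword Dictionary holding only the phrase "export licence" would miss it, which is the practical difference between the two retrieval methods.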

Speech recognition systems

The fundamental technique in many speech recognition applications is a statistical method called Hidden Markov Modelling (HMM). The IDEAS company supplied a “Voice Activity Detector and Analyser”, Model TE464375-1, to NSA’s offices which was a computer driven voice monitoring system. Research has provided systems which can automatically select telephone communications of intelligence interest based on the use of particular “key words” by a speaker. The problem is that for COMINT applications, unlike personal computer dictation products, speech recognition systems have to operate in a multi-speaker, multi-language environment where numerous previously never heard speakers may each feature physiological differences, dialect variations, and speech traits.

Continuous speech recognition

Continuous speech recognition software working in real time needs a powerful, fast processor. The key problem, which is familiar to human listeners, is that a single word heard on its own can easily be misinterpreted, whereas in continuous speech the meaning may be deduced from surrounding words. The most effective way of building a reliable wordspotter is to build a large vocabulary continuous speech recognition (CSR) system.

Speaker identification and other voice message selection techniques

Speech characteristics are used for speaker identification. The Dictionary, as currently used, can be programmed to search for or identify particular speakers on telephone channels. But speaker identification is still not a particularly reliable or effective COMINT technique.

In the absence of effective wordspotting or speaker identification techniques, NSA has sought alternative means of automatically analysing telephone communications. According to NSA’s classification guide, other techniques examined include speech detection - detecting the presence or absence of speech activity; speaker discrimination - techniques to distinguish between the speech of two or more speakers; and readability estimation - techniques to determine the quality of speech signals.

3.7 The problems of ECHELON

Even though the technology gives us access to sophisticated spying methods and the prevention of terrorist activities up to a certain extent, the ECHELON system has its drawbacks.

1. The ECHELON system will not provide any privacy for our own people at home and abroad. Everything is monitored by Big Brother. It will not provide any security for the data of corporate firms. It will result in the complete destruction of the industries and it will lead to 19th century colonialism. It will cause a threat to our modern culture.

2. Every military secret is public to NSA and its allies, even if we are hiding it from their eyes. They will hear and see with sixth-sense eyes - “the computers”. It will lead to the mass destruction of humankind. Even a single war can cause the complete destruction of mankind.

3. As stated above, the ECHELON systems can be developed to protect us from terrorist attacks, but we have to ensure that these systems are protected from intrusion, because if it occurs, the result will be hazardous. If the terrorists got the sensitive information about the military secrets and the intelligence secrets, the terrorists could cause a world war.

3.8 Is ECHELON suitable for industrial espionage?

The strategic monitoring of international telecommunications can produce useful information for industrial espionage purposes, but only by chance. In fact, sensitive industrial information is primarily to be found in the firms themselves, which means that industrial espionage is carried out primarily by attempting to obtain the information via employees or infiltrators or by breaking into internal computer networks. Only where sensitive data is sent outside via cable or radio (satellite) can a communications surveillance system be used for industrial espionage. This occurs systematically in the following three cases:

- in connection with firms which operate in three time zones, so that interim results are sent from Europe to America and then on to Asia;
- in the case of videoconferences in multinational companies conducted by VSAT or cable;
- when important contracts have to be negotiated locally (construction of facilities, telecommunications infrastructure, rebuilding of transport systems, etc.) and the firm's representatives have to consult their head office.

If firms fail to protect their communications in such cases, interception can provide competitors with valuable data.

3.8.1 Published cases

There are some cases of industrial espionage which have been described in the press. Among the allegations are that the NSA fed information to Boeing and McDonnell Douglas, enabling the companies to beat out European Airbus Industrie for a $6 billion contract; and that Raytheon received information that helped it win a $1.3 billion contract to provide radar to Brazil, edging out the French company Thomson-CSF. These claims follow previous allegations that the NSA supplied U.S. automakers with information that helped improve their competitiveness with the Japanese.

3.9 Cryptography as a means of self-protection

Every time a message is transmitted, there is a risk of its falling into unauthorised hands. To prevent outsiders ascertaining its content in such cases, the message must be made impossible for them to read or intercept, i.e. encrypted. The invention of electrical and electronic communications (telegraph, telephone, radio, telex, fax and Internet) greatly simplified the transmission of intelligence communications and made them immeasurably quicker. The downside was that there was no technical protection against interception or recording, so that anyone with the right equipment could read the communication if he could gain access to the means of communication. If done professionally, interception leaves little or no trace. This imparted a new significance to encryption. It was the banking sector which first regularly used encryption to protect communications in the new area of electronic money transfers. The growing internationalisation of the economy led to communications in this field, too, being at least partly protected by cryptography. The widespread introduction of completely unprotected communications through the Internet also increased the need for private individuals to protect their messages from interception.

The use of computers made it possible to generate coded texts, using powerful encryption algorithms, which offer practically no starting-points for codebreakers. Decryption now entails trying all possible keys. The longer the key, the more likely it is that this attempt will be thwarted, even using very powerful computers, by the time it would take. There are therefore usable methods which may be regarded as secure at the present state of technology.

3.9.1 “Workfactor reduction”: The subversion of cryptographic systems

Since the Cold War, NSA has undermined the effectiveness of cryptographic systems made or used in Europe. The most important target of NSA activity was a prominent Swiss manufacturing company, Crypto AG. Crypto AG established a strong position as a supplier of code and cypher systems after the second world war. Many governments would not trust products offered for sale by major powers. In contrast, Swiss companies in this sector benefited from Switzerland’s neutrality and image of integrity. NSA arranged to rig encryption systems sold by Crypto AG, enabling UKUSA agencies to read the coded diplomatic and military traffic of more than 130 countries.

The purpose of NSA’s interventions was to ensure that while Crypto AG's coding systems should appear secure to other cryptologists, they were not secure. Each time a machine was used, its users would select a long numerical key, changed periodically. Naturally users wished to select their own keys, unknown to NSA. If Crypto AG’s machines were to appear strong to outside testers, then its coding system should work, and actually be strong. NSA’s solution to this apparent conundrum was to design the machine so that it broadcast the key it was using to listeners. To prevent other listeners recognising what was happening, the key too had also to be sent in code - a different code, known only to NSA. Thus, every time NSA intercepted a message sent using these machines, they would first read their own coded part of the message, called the “hilfsinformationen” (help information field) and extract the key the target was using. They could then read the message itself as fast or even faster than the intended recipient.

The same technique was re-used when NSA became concerned about cryptographic security systems being built into Internet and e-mail software by Microsoft, Netscape and Lotus. The companies agreed to adapt their software to reduce the level of security provided to users outside the United States. In the case of Lotus Notes, which includes a secure e-mail system, the built-in cryptographic system uses a 64 bit encryption key. This provides a medium level of security, which might at present only be broken by NSA in months or years.

Lotus built in an NSA “help information” trapdoor to its Notes system, as the Swedish government discovered to its embarrassment in 1997. By then, the system was in daily use for confidential mail by Swedish MPs, 15,000 tax agency staff and 400,000 to 500,000 citizens. Lotus Notes incorporates a “workfactor reduction field” (WRF) into all e-mails sent by non-US users of the system. Like its predecessor, the Crypto AG “help information field”, this device reduces NSA’s difficulty in reading European and other e-mail from an almost intractable problem to a few seconds' work. The WRF broadcasts 24 of the 64 bits of the key used for each communication. The WRF is encoded, using a “public key” system which can only be read by NSA. Lotus, a subsidiary of IBM, admits this. The difference between the American Notes version and the export version lies in degrees of encryption. They deliver 64 bit keys to all customers, but 24 bits of those in the version that they deliver outside of the United States are deposited with the American government.

Similar arrangements are built into all export versions of the web “browsers” manufactured by Microsoft and Netscape. Each uses a standard 128 bit key. In the export version, this key is not reduced in length. Instead, 88 bits of the key are broadcast with each message; 40 bits remain secret. It follows that almost every computer in Europe has, as a built-in standard feature, an NSA workfactor reduction system to enable NSA (alone) to break the user’s code and read secure messages.
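What the disclosed key bits do to the search space, as an added example (not code from Lotus, Microsoft, Netscape or the report). It uses a toy SHA-256 keystream cipher with a 24-bit key, scaled down from the 64-bit case so the search finishes at once; the cipher, key value and message are constructed, and the public-key wrapping of the escrow field is left out, so the disclosed bits are handed straight to the escrow holder.

```python
import hashlib


def effective_bits(key_bits, disclosed_bits):
    """Key bits an escrow-field reader still has to guess."""
    return key_bits - disclosed_bits


def keystream_xor(key, key_bits, data):
    """Toy stream cipher (constructed): XOR with SHA-256(key || counter)."""
    key_bytes = key.to_bytes((key_bits + 7) // 8, "big")
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        block = hashlib.sha256(key_bytes + counter.to_bytes(4, "big")).digest()
        stream.extend(block)
        counter += 1
    return bytes(d ^ s for d, s in zip(data, stream))


def disclosed_part(key, key_bits, disclosed_bits):
    """High-order key bits placed in the workfactor reduction field."""
    return key >> (key_bits - disclosed_bits)


def recover_key(ciphertext, known_prefix, disclosed_high, key_bits, disclosed_bits):
    """Search only the undisclosed low bits, testing a known plaintext prefix.

    Returns (key, trials); key is None if no candidate matched.
    """
    secret_bits = key_bits - disclosed_bits
    base = disclosed_high << secret_bits
    head = ciphertext[:len(known_prefix)]
    for low in range(1 << secret_bits):
        candidate = base | low
        if keystream_xor(candidate, key_bits, head) == known_prefix:
            return candidate, low + 1
    return None, 1 << secret_bits


# Constructed demo values: 24-bit key with its top 8 bits disclosed.
DEMO_KEY_BITS = 24
DEMO_DISCLOSED_BITS = 8
DEMO_KEY = 0xABCDEF
DEMO_MESSAGE = b"From: alice@example.test\nQuarterly figures attached."
KNOWN_PREFIX = b"From: "  # predictable header that confirms a correct key

if __name__ == "__main__":
    ciphertext = keystream_xor(DEMO_KEY, DEMO_KEY_BITS, DEMO_MESSAGE)
    high = disclosed_part(DEMO_KEY, DEMO_KEY_BITS, DEMO_DISCLOSED_BITS)
    key, trials = recover_key(ciphertext, KNOWN_PREFIX, high,
                              DEMO_KEY_BITS, DEMO_DISCLOSED_BITS)
    print(f"escrow holder: key {key:#x} after {trials} trials")
    print(f"outsider search space: 2^{DEMO_KEY_BITS} = {2 ** DEMO_KEY_BITS}")
    # The page's figures: both export schemes leave 40 secret bits.
    print("Notes   64-bit key, 24 disclosed ->", effective_bits(64, 24), "bits")
    print("Browser 128-bit key, 88 disclosed ->", effective_bits(128, 88), "bits")
```

For a defender reviewing a product, the figure that matters is the number of undisclosed bits, not the advertised key length: by the page's numbers both export schemes protect traffic with 40 bits against whoever can read the field.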

3.10 List of ECHELON sites

The following are the ECHELON receiving stations all over the globe:

RAF, Menwith Hill, Yorkshire, UK.
GCHQ Bude, Cornwall, UK.
Sugar Grove, West Virginia, US.
Sabana Seca, Puerto Rico, Canada.
Yakima training centre, Washington, US.
Pine Gap, Northern Territory, AU.
Australian Defence Satellite Communication Station, Geraldton, West AU.
Chung Hom Kok, HK.
Misawa Air Base, JAPAN.
Ayios Nikolaos Cyprus, UK.
Bad Aibling Station, Germany.
Gander, Newfoundland, Canada.
CFS Leitrim, Ontario, Canada.
NSA HQ, Fort Gordon, Maryland, US.
Buckley Aurora, Colorado, US.
Lackland Airforce Base, San Antonio, Texas, US.
Kunia, Hawaii, US.
Guam, Pacific Ocean, US.

Chapter 4

Inside TEMPEST

TEMPEST is a short name referring to investigations and studies of compromising emanations (CE). Compromising emanations are defined as unintentional intelligence-bearing signals which, if intercepted and analyzed, disclose the national security information transmitted, received, handled or otherwise processed by any information-processing equipment. Compromising emanations consist of electrical or acoustical energy unintentionally emitted by any of a great number of sources within equipment/systems which process national security information. This energy may relate to the original message, or information being processed, in such a way that it can lead to recovery of the plaintext.

Laboratory and field tests have established that such CE can be propagated through space and along nearby conductors. The interception/propagation ranges and analysis of such emanations are affected by a variety of factors, e.g., the functional design of the information processing equipment; system/equipment installation; and environmental conditions related to physical security and ambient noise. “Compromising emanations” rather than “radiation” is used because the compromising signals can, and do, exist in several forms such as magnetic and/or electric field radiation, line conduction (signal and power), or acoustic emissions. More specifically, the emanations occur as:

1. Electromagnetic fields set free by elements of the plaintext processing equipment or its associated conductors.
2. Text-related signals coupled to cipher, power, signal, control or other BLACK lines through (a) common circuit elements such as grounds and power supplies or (b) inductive and capacitive coupling.
3. Propagation of sound waves from mechanical or electromechanical devices.
4. The TEMPEST problem is not one which is confined to cryptographic devices; it is a system problem and is of concern for all equipment which processes plaintext national security data.

The phenomenon behind compromising emanations lies within the circuits, where transistors tend to operate at much faster transitions, which cause electromagnetic emissions to be radiated from VHF up to the UHF range (300-3000 MHz). The intended signals often ride onto these emission frequencies, where they are re-propagated via an efficient radiator. The printed circuit board (PCB) would effectively become a radiating antenna if the frequency wavelength as compared to the length of the traces is small. Some of the intended signals may also couple onto power and signal line cables due to cross-talk.

It is well known that electronic equipment produces electromagnetic fields, which may cause interference to radio and television reception. However, interference is not the only problem caused by electromagnetic radiation. It is possible in some cases to obtain information on the signals used inside the equipment when the radiation is picked up and the received signals are decoded. Especially in the case of digital equipment this possibility constitutes a problem, because remote reconstruction of signals inside the equipment may enable reconstruction of the data that the equipment is processing.

A normal TV receiver made suitable for this purpose will in some cases be able to restore the information displayed on a video display unit or terminal on its own screen, when this field is picked up. Depending on the type of video display unit or terminal, this reconstruction may under optimum conditions be feasible from distances of up to 1 km.

4.1 Sources of TEMPEST signals

In practice, the most common type of compromising emanation (CE) is attenuated RED (a term applied to wire lines, components, equipment, and systems which handle national security signals, and to areas in which national security signals occur). The sources of CE or TEMPEST signals are of the following types:

1) Functional sources - Functional sources are those designed for the specific purpose of generating electromagnetic energy. Examples are switching transistors, oscillators, signal generators, synchronizers, line drivers, and line relays.

2) Incidental sources - Incidental sources are those which are not designed for the specific purpose of generating electromagnetic energy. Examples are electromechanical switches and brush-type motors.

4.2 Technology behind the TEMPEST

Every electronic, electro-optical or electromechanical device, whether or not it was designed as a transmitter, gives off signals, or “emanations.” An electric shaver, for example, may radiate some type of electromagnetic signal strongly enough to interfere with nearby radio or television reception. Transistor radios are banned from airlines because their unintentional signals can interfere with navigational equipment. Equipment may also give off unwanted signals in the form of sound.

Proper design minimizes the unintentional signals given off by a device, but some unintentional signals will always be present. When a device processes information such as printed text or voice, it may “leak” that information through unintentional signals. A common example is “crosstalk” on telephone lines. Signals “leak” from one line to another, and someone else’s voice intrudes on your phone call.

TEMPEST eavesdropping technology works by capturing and reconstructing the electromagnetic radiation given off by digital equipment. Computer monitors display information through the use of an electron gun to manipulate pixels on the screen. The electron gun shoots out pulses of electrons, which sweep across the screen striking pixels, left to right and up and down many times a second. The voltage level pushing the electrons out rises and falls depending on whether the pixel is to be made light or dark. This process generates electromagnetic pulses, which in turn emit electromagnetic radio waves or electromagnetic radiation (EMR), which emanates outward for a great distance. Hard disks are another source because data is stored in binary code, and is processed as 1s and 0s, ONs and OFFs, again causing pulses and EMR. These radio waves are as distinct as fingerprints, even in computers of the same make and model, due to minute differences in the manufacturing of the components.

Computer cables, phone lines and poorly grounded electrical systems can act as both a receiver and transmitter for EMR, thus allowing the waves to travel even further afield. These radio waves can then be captured with an ‘active directional antenna’, fed into a monitor, and zeroed in on and deciphered by using a horizontal and vertical sync generator.

Monitors, microchips and devices such as printers and PCs all emit EMR into space or into some conductive medium (such as power lines, communications wires or even water pipes). The EMR that is emitted contains the information that the device is displaying, creating, storing or transmitting. With the correct equipment and techniques, it is possible to reconstruct all or a substantial portion of that data.

We discussed that TEMPEST uses the electromagnetic waves propagated from electronic devices, intentionally or unintentionally. To receive the text or data at the other end, we have to tune to a specific frequency range and just listen to or replicate the data at the other end. TEMPEST is the technology which can reproduce what you are seeing on your monitor and what you are typing on your keyboard from a couple of kilometres away. It traces all electromagnetic radiation from the victim’s monitor, keyboard, even PC memory and hard disk, and then reproduces the signals. By using this technology it is possible to intrude (only listening) into a person’s computer from a couple of kilometres away, even if it is a computer which is not “networked”, which enables the intruder to hack without any connection to the victim’s computer.

There are techniques that enable the software on a computer to control the electromagnetic radiation it transmits. This can be used for both attack and defence. To attack a system, malicious code can encode stolen information in the machine’s RF emissions and optimize them for some combination of reception range, receiver cost and covertness. To defend a system, a trusted screen driver can display sensitive information using fonts which minimize the energy of these emissions.

When snooping on a computer’s video display unit (VDU), similar periodic averaging and cross-correlation techniques can be used if the signal is periodic or if its structure is understood. VDUs output their frame buffer content periodically to a monitor and are therefore a target, especially where the video signal is amplified to several hundred volts. Knowledge of the fonts used with video displays and printers allows maximum-likelihood character recognition techniques to give a better signal/noise ratio for whole characters than for individual pixels.

Similar techniques can be applied when snooping on CPUs that execute known algorithms. Even if signals caused by single instructions are lost in the noise, correlation techniques can be used to spot the execution of a known pattern of instructions. According to the reports, when a smartcard performs a DES encryption for identification, monitoring its power consumption shows that a pattern is repeated sixteen times. Several attacks become possible if one can detect in the power consumption that the smartcard processor is about to write into EEPROM. For example, one can try a PIN, deduce that it was incorrect from the power consumption, and issue a reset before the non-volatile PIN retry counter is updated. In this way, the PIN retry limit may be defeated.
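
The retry-counter weakness described above comes down to the order of the PIN comparison and the EEPROM write. The following added example is not from the original report: the Card class, its write hook and the audit harness are a constructed simulation (not real card firmware) that compares a card which writes the counter only after a failed comparison with one which charges the attempt before comparing.

```python
"""Constructed simulation of a PIN retry counter under reset-on-write."""
import hmac


class PowerCut(Exception):
    """The simulated reader removed power from the card."""


class Card:
    MAX_TRIES = 3

    def __init__(self, pin, hardened):
        self._pin = pin
        self.hardened = hardened
        self.tries_left = self.MAX_TRIES   # lives in EEPROM (non-volatile)
        self.compare_done = False          # has this attempt reached the compare?
        self.on_eeprom_write = None        # hook: fires when a write is about to start

    def _eeprom_write(self, value):
        # The start of an EEPROM write is visible in the power trace. The hook
        # models a reader reacting to it; if it raises, the write never lands.
        if self.on_eeprom_write is not None:
            self.on_eeprom_write()
        self.tries_left = value

    def _matches(self, guess):
        self.compare_done = True
        return hmac.compare_digest(guess, self._pin)

    def verify(self, guess):
        self.compare_done = False
        if self.tries_left <= 0:
            return "blocked"
        if self.hardened:
            return self._verify_hardened(guess)
        return self._verify_vulnerable(guess)

    def _verify_vulnerable(self, guess):
        # Compare first, write only on failure: the write is the verdict, and
        # a power cut before it lands leaves the counter untouched.
        if self._matches(guess):
            return "ok"
        self._eeprom_write(self.tries_left - 1)
        return "wrong"

    def _verify_hardened(self, guess):
        # Charge the attempt before comparing. A cut during this write happens
        # before the guess is examined, so it reveals nothing about the PIN.
        self._eeprom_write(self.tries_left - 1)
        if self._matches(guess):
            self._eeprom_write(self.MAX_TRIES)   # refund the attempt on success
            return "ok"
        return "wrong"


def audit(card, guesses, cut_on_write):
    """Drive the card with a reader that may cut power when a write starts.

    Returns (pin_found, verdicts_learned, tries_left).
    """
    def cut():
        raise PowerCut()

    card.on_eeprom_write = cut if cut_on_write else None
    learned = 0
    for guess in guesses:
        try:
            result = card.verify(guess)
        except PowerCut:
            # A write that starts after the compare can only mean "wrong PIN";
            # a write that starts before it says nothing about the guess.
            if card.compare_done:
                learned += 1
            continue
        if result == "blocked":
            break
        learned += 1
        if result == "ok":
            return guess, learned, card.tries_left
    return None, learned, card.tries_left


if __name__ == "__main__":
    all_pins = [f"{i:04d}" for i in range(10000)]
    for hardened in (False, True):
        for cut_power in (False, True):
            card = Card("0042", hardened)   # constructed PIN
            print(hardened, cut_power, audit(card, all_pins, cut_power))
```

With the compare-then-write order the counter never moves under reset-on-write, while the write-then-compare order either blocks after three tries or yields no verdict at all.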

Smulders showed that even shielded RS-232 cables can often be eavesdropped at a distance. Connection cables form resonant circuits consisting of the inductance of the cable and the capacitance between the device and ground; these are excited by the high-frequency components in the edges of the data signal, and the resulting short HF oscillations emit electromagnetic waves.

It has also been suggested that an eavesdropper standing near an automatic teller machine equipped with fairly simple radio equipment could pick up both magnetic stripe and PIN data, because card readers and keypads are typically connected to the CPU using serial links. A related risk is cross-talk between cables that run in parallel. For instance, the reconstruction of network data from telephone lines has been demonstrated where the phone cable ran parallel to the network cable for only two metres. Amateur radio operators in the neighbourhood of a 10BASE-T network are well aware of the radio interference that twisted-pair Ethernet traffic causes in the short-wave bands. Laptop owners frequently hear radio interference on nearby FM radio receivers, especially during operations such as window scrolling that cause bursts of system bus activity. A virus could use this effect to broadcast data.

Compromising emanations are not only caused directly by signal lines acting as parasitic antennas. Power and ground connections can also leak high frequency information. Data line drivers can cause low-frequency variations in the power supply voltage, which in turn cause frequency shifts in the clock; the data signal is thus frequency modulated in the emitted radio frequency interference (RFI). Yet another risk comes from ‘active’ attacks, in which parasitic modulators and data-dependent resonators affect externally applied electromagnetic radiation: an attacker who knows the resonant frequency of (say) a PC’s keyboard cable can irradiate it with this frequency and then detect key-press codes in the retransmitted signal. In general, transistors are non-linear and may modulate any signals that are picked up and retransmitted by a line to which they are connected. This effect is well known in the counter-intelligence community, where ‘nonlinear junction detectors’ are used to locate radio microphones and other unauthorised equipment.

4.2.1 TEMPEST equipment

TEMPEST monitoring equipment includes various kinds of sensitive receivers, which can monitor a wide range of frequencies, and a combination of hardware and software that is capable of processing the received signals into the original data. The data that is picked up is often corrupted by things such as external EMR interference, signal weakness over distances and partial transmission. Advanced algorithms can help provide a more complete picture of the original data. E.g., D.I.R.T. (Data Interception by Remote Transmission) is a powerful remote control monitoring tool that allows stealth monitoring of all activity on one or more target computers simultaneously from a remote command center. No physical access is necessary. The application also allows agents to remotely seize and secure digital evidence prior to physically entering suspect premises. Although the sale of TEMPEST monitoring devices to the general public is prohibited by the U.S. government, it is of course possible that non-approved organizations and individuals can acquire the technology, or even build it themselves, as the designs and equipment are relatively easy to acquire.

Broadband antennae and receiver

Most forms of compromising emanations are broadband signals, which means that the lower and upper frequency limit of information carrying emanations can differ by a factor of two or more. Several broadband antenna types have been developed, which offer a reasonably constant impedance over a wide frequency range.

Figure 4.1: Different broadband antenna types

The figure above shows examples of different broadband antenna types: log-periodic antenna (200-1000 MHz), discone (200-1300 MHz), active monopole (100 Hz-30 MHz), bi-conical antenna (30-300 MHz), and active ferrite loop (H-field, 100 Hz-30 MHz with four different ferrite rods).

Figure 4.2: R-1250 Super heterodyne receiver

The figure above shows, at bottom: Dynamic Sciences R-1250 wide-range receiver; at middle: R-1250-30 HF preselector for 15 passbands in the 0.25-20 MHz range (left) and R-1250-20A wide-band AM detector (right); at top: R-1160C calibrated impulse generator.

Figure 4.3: Eavesdropping set-up

The figure above shows an eavesdropping set-up using a variable oscillator and a frequency divider to restore synchronization. The picture on the TV is picked up from the radiation of the VDU in the background.

4.2.2 How does TEMPEST work?

It is feasible to reconstruct video display information on a CRT monitor with a receiver system comprising a TV aerial antenna, a TV receiver and synchronisation oscillators. The basic concept is to detect the compromised video information using a higher-gain antenna and a sensitive receiver to improve image quality and detection range, to perform signal conversion from analogue to digital and complex image processing, and to generate the required horizontal and vertical sync frequencies to stabilise the reconstructed video image.

The video timing information

In order to detect and reconstruct radiated radio frequency (RF) video information, we need to understand the video timing signal. In a typical CRT monitor, the pixels are scanned across the screen from left to right (usually starting at the top left-hand corner of the screen) all the way down to the bottom right of the screen to form a frame. The scan then repeats (it is a periodic signal) from where it started. The time in which the pixel flies back to the original starting point is called the vertical synchronisation pulse (about 16 msec or 60 Hz). The time taken for the pixel to scan one line is called the horizontal synchronisation pulse (about 20 usec or 48 kHz depending on the resolution setting). The video timing waveform fluctuates between a high amplitude level represented as WHITE and a low amplitude level represented as BLACK, and is dependent on the display screen. Every change in the step voltage changes the display tone. A BLACK image is represented by 0 V and a WHITE image by 0.7 V. In between these voltages the image is displayed in shades of grey.

Pixel clock and deflection frequencies

There is a total of xt horizontal and yt vertical pixels, as shown in the figure. To display an image on the screen, the number of pixels needed is smaller, as the time to bring the pixel back to the starting point has to be taken into account. The pixel clock frequency fp is the time taken for each pixel to scan from one point to another. The deflection frequency and the pixel refresh time can be calculated based on equations (1) and (2) respectively.

Figure 4.4: Pixel frequency and deflection frequencies

Where:

xt: horizontal pixels.
yt: vertical pixels.
fh: horizontal synchronisation frequencies.
fv: vertical synchronisation frequencies.
n: number of frames.

Recovering the video information

Recovering the video information means that the receiver has to tune to one of the multiple pixel clock frequencies that carry the video content. Thus the pixel clock is crucial for detection of the video image. It is important to note that for a CRT monitor the pixel clock will change according to the display resolution settings. However, for an LCD monitor, the pixel clock frequency is usually fixed based on the native resolution (total number of pixels) of the display.

When attempting to reconstruct the video image, the RF signal received by the receiver does not contain the horizontal and vertical synchronisation frequencies. This information is usually supplied separately by an external source generator to stabilise the video image. The video RF signal detected is AM, having a carrier frequency fc and an audio tone with a frequency ft, which is demodulated to give the baseband video.

Figure 4.5: AM signal

Passive attack via radiated RF

The amount of leaked compromising emanation signal depends largely on the design and layout of the electronics within the PCB. Electronics designers design their systems to ensure that emission levels are controlled to prevent interference with other systems. Despite the preventive measures, some degree of unintended weak compromising video information will leak through conducted and radiated means. Every PCB trace carries current, which produces an electromagnetic field that radiates the signal at its resonant frequency based on the length. This means that if the compromising signal has a wavelength much longer (that is, a low frequency) than the signal trace path(s), the RF signal cannot radiate effectively. However, as the frequency gets higher and the wavelength (about a quarter of it) approaches the length of the trace(s), the trace will radiate the signal effectively.

Conducted leakage is mainly caused by cross-coupling due to the tight design constraints within the PCB. Signals will cross-couple between traces if the design layout within the PCB is not done properly. If the signal of interest gets cross-coupled onto the external cables that are connected to the equipment, the cables will carry the signal across the lines. Thus it is important that the signal cables that exit a particular piece of equipment are properly treated and grounded, to prevent them from acting as stray antennas.

The detection frequencies of these compromising emanation signals can range from the VHF band all the way to the UHF region. The attack is non-intrusive and the operator has no means of knowing that someone is spying information out of his/her computer terminal. The figure below shows the typical attack scenario, where a user is processing classified information in a room.

If we assume that F1 is one of the compromising frequencies emitted from his/her laptop, this frequency will be intercepted by an adversary residing in another room by means of radiated leakage emissions.

Figure 4.6: Radiated TEMPEST scenario

Reception of monitor emanations with modified TV sets requires either exact knowledge of the horizontal and vertical deflection frequencies or a strong enough signal to adjust the sync pulse generators manually. With larger distances and low signal levels, the emitted information can only be separated from the noise by averaging the periodic signal over a period of time, and manual adjustment of the sync is difficult.

In a professional attack, one might use spread-spectrum techniques to increase the jamming margin and thus the available range. The attack software would dither one or more colours in several lines of the screen layout using a pseudorandom bit sequence. A cross-correlator in the receiver gets one input from an antenna and sees at its other input the same pseudorandom bit sequence presented with the guessed pixel clock rate of the monitor. It will generate an output peak that provides the phase difference between the receiver and the target. A phase-locked loop can then control the oscillator in the receiver such that stable long-term averaging of the screen content is possible. Information can be transmitted by inverting the sequence depending on whether a 0 or 1 bit is to be broadcast. Readers familiar with direct sequence spread-spectrum modulation will find the idea familiar, and many spread-spectrum engineering techniques are applicable.

The advantages of using spread-spectrum techniques are that higher data rates and reception ranges can be achieved, and that only the pixel clock frequency and (perhaps) the carrier frequency have to be selected. This enables fast lock-on and fully automatic operation.

4.3 Protection from TEMPEST attacks

Shielding of devices from EMR is achieved by a number of methods, ranging across both hardware and software, to safeguard the classified information that is being processed and protect our computers from TEMPEST attack. The following methods are commonly used today:

1) TEMPEST testing and device shielding
2) TEMPEST fonts
3) TEMPEST proof walls

Among these three protective measures, TEMPEST proof walls are the most effective (such a wall is not like a firewall but a physical wall which reflects the entire signal back into the room).

4.3.1 TEMPEST testing and device shielding

TEMPEST tests are performed to prove that all or a part of communications or information handling systems which are to process national security information do, in fact, provide emission security. An equipment or system being tested is called equipment under test (EUT). An EUT can be visualized as an input/output box which receives an input signal and produces an output signal. The figure shows this:

Figure 4.7: An EUT (equipment under test)

In most cases, only EUT input and/or output conductors carry the intentional RED signals; all other conductors usually carry signals devoid of classified data. Because of design weaknesses, poor component quality or location, improper wiring layout, and inadequate shielding by the chassis cabinet, some unintentional signals may be generated in an EUT and emitted through space or on external conductors. Such unintentional signals are the object of detection and measurement during TEMPEST tests, and of particular interest are those signals which may be similar to the RED signals because they are compromising emanations (CE).

Generally, shielding involves encompassing the device in a Faraday cage that does not permit stray emanations, along with special modifications to the power source. This usually involves a heavy metal case around an object.

4.3.2 TEMPEST proof walls

TEMPEST shielding also involves such issues as the design of a room and the placement of equipment within it, to ensure that no information can escape. TEMPEST proof walls are developed to prevent TEMPEST attacks. These walls are specially designed to reflect electromagnetic waves back into the same room. Many corporate firms have TEMPEST proof walls to protect their databases from hackers and spies; otherwise the secret data will leak and the eavesdropper will pose a threat to the firm.

4.3.3 TEMPEST fonts

TEMPEST fonts are used for protecting computers from the eavesdropper. There is specific software for this, which calculates the power dissipation of the normal fonts and, if a font is vulnerable to the TEMPEST attack, filters it and shows that font in the most convenient way. This is done by the principle of low pass filtering to remove the high frequency components, since the RF eavesdropper will only get to receive the upper portion of the baseband information spectrum.

The filtered text looks rather blurred and unpleasant in this magnified representation, but surprisingly, the loss in text quality is almost unnoticeable for the user at the computer screen, as the magnified photos in the lower half of the figure show. The limited focus of the electron beam, the limited resolution of the eye, as well as effects created by the mask and the monitor electronics filter the signal anyway.

Figure 4.8: TEMPEST fonts

The text on the left is displayed with a conventional font, while the text on the right has been filtered to remove the top 30 percent of the horizontal frequency spectrum. The graphics in the upper row show the pixel luminosities, while below there are magnified screen photographs of a 21 x 5 mm text area. While the user can see practically no difference between the fonts, the filtered text disappears from the eavesdropping monitor while the normal text can be received clearly.
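
The low-pass filtering described above can be reproduced on a small scale. The following is an added example, not code from the original report or from the font software it describes: a standard-library Python sketch that removes the top 30 percent of the horizontal spectrum from the scan lines of a constructed 5x5 bitmap font and measures the energy left in that band. The font, the 32-pixel line width and the final rescale into the displayable range are assumptions of the example.

```python
"""Low-pass filtering of text scan lines (the TEMPEST fonts idea), stdlib only."""
import cmath

# Constructed 5x5 glyphs; '#' is a lit pixel. This is not a real font.
FONT = {
    "H": ["#...#", "#...#", "#####", "#...#", "#...#"],
    "I": ["..#..", "..#..", "..#..", "..#..", "..#.."],
    "L": ["#....", "#....", "#....", "#....", "#####"],
}


def render(text, width=32):
    """Render text to scan lines of luminosities (0.0 = black, 1.0 = white)."""
    rows = []
    for r in range(5):
        line = "".join(FONT[ch][r] + "." for ch in text).ljust(width, ".")
        rows.append([1.0 if px == "#" else 0.0 for px in line])
    return rows


def dft(x, sign=-1):
    """Plain O(n^2) discrete Fourier transform; sign=+1 is the unscaled inverse."""
    n = len(x)
    w = sign * 2j * cmath.pi / n
    return [sum(x[t] * cmath.exp(w * k * t) for t in range(n)) for k in range(n)]


def is_high(k, n, cutoff):
    """True if bin k lies above `cutoff`, given as a fraction of Nyquist."""
    return min(k, n - k) > cutoff * (n / 2)


def high_band_energy(row, cutoff=0.7):
    """Energy of one scan line in the band above the cutoff (Parseval-scaled)."""
    n = len(row)
    spec = dft(row)
    return sum(abs(c) ** 2 for k, c in enumerate(spec) if is_high(k, n, cutoff)) / n


def lowpass_row(row, cutoff=0.7):
    """Zero the top (1 - cutoff) of the horizontal spectrum of one scan line."""
    n = len(row)
    spec = [0j if is_high(k, n, cutoff) else c for k, c in enumerate(dft(row))]
    # Bins are removed in conjugate pairs, so the inverse transform is real.
    return [v.real / n for v in dft(spec, sign=+1)]


def tempest_filter(rows, cutoff=0.7):
    """Filter every scan line, then map the result back into [0, 1].

    The affine rescale is an assumption of this sketch: filtering overshoots
    the displayable range, and a scale and offset add no high-band energy.
    """
    out = [lowpass_row(r, cutoff) for r in rows]
    lo = min(min(r) for r in out)
    hi = max(max(r) for r in out)
    return [[(v - lo) / (hi - lo) for v in r] for r in out]


def report(text="HILL", cutoff=0.7):
    """Return the high-band energy (before, after) summed over all scan lines."""
    rows = render(text)
    filtered = tempest_filter(rows, cutoff)
    before = sum(high_band_energy(r, cutoff) for r in rows)
    after = sum(high_band_energy(r, cutoff) for r in filtered)
    return before, after


if __name__ == "__main__":
    before, after = report()
    print(f"energy above 70% of Nyquist: before={before:.3f} after={after:.2e}")
    for row in tempest_filter(render("HILL")):
        print("".join(" .:-=+*#%@"[min(9, int(v * 10))] for v in row))
```

The printed rows show the blurred glyphs a user would still read, while the band an RF receiver relies on carries only rounding noise.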

Figure 4.9: Reproduced image at attacker side

On the left we see what the eavesdropping monitor shows when text is displayed with normal fonts. The small screen size and the modulo four separation of image lines render the text unreadable on our simple monitor, but the presence of the signal is clear. On the right, the screen content was low pass filtered as in Fig. 4.6 and the received Tempest signal has vanished except for the horizontal sync pulses.

Chapter 5

Conclusion and future scope

The interception of communication is the main function of intelligence agencies all over the world. The intelligence agencies are searching for sophisticated methods of surveillance and of spying on their own people and on their enemies. Here the scientists in the NSA developed modern techniques for the interception of messages, and they developed a network known as the ECHELON system. It made them leap one step ahead of the hackers.

The main topics discussed here are TEMPEST and ECHELON. TEMPEST is the technology for spying on electronic equipment without any physical contact. It is the most wonderful technology which people have ever experienced. It enables us to replicate the data on electronic equipment from a couple of kilometres away. We can replicate the computer monitor and hard disk (or even memory) of a computer system in this way.

ECHELON is the vast network formed by NSA and its allies all over the world to intercept the messages sent through any transmission media. It plays a major role in the intelligence-related work of the NSA and its allies. It uses the largest computing power of distributed systems. It uses search algorithms and sophisticated software such as speech recognition and OCR software.

Even though we discussed the advantages of ECHELON and TEMPEST, there are some major disadvantages to these systems. These systems are GOD-LIKE and nothing can be hidden from the ECHELON system. But the ECHELON system will not provide any secrecy for the common people. It will only preserve the state's policies. This will cause the leaking of sensitive industry data and will harm those companies. Again, TEMPEST equipment is available in the USA and its export from there is prohibited; thus if some terrorists got this TEMPEST equipment, it would harm our industries and society. But many corporate firms are protecting themselves from TEMPEST attacks by the use of software and equipment designed to prevent them.

Discussing the future scope of TEMPEST and ECHELON, we can say that these can be used to empower our intelligence agencies to do their job better than before. Unfortunately, India does not yet have TEMPEST equipment of its own. But we have to guard against foreign intelligence agencies stealing our military and diplomatic data. We have to take countermeasures to protect our secret data from them. And we are not a part of the ECHELON network developed by NSA, so we have to develop one of our own to empower our intelligence and military agencies.

Chapter 6

References

* www.nsa.gov/public-info/files/cryptologic-spectrum/nacsim-5000.pdf
  TEMPEST: A Signal Problem (TEMPEST Fundamentals)

* www.eskimo.com/joelm/complete-unofficial-TEMPEST-page.pdf

* www.cl.cam.ac.uk/mgk25/ih98-tempest.pdf
  Markus G. Kuhn and Ross J. Anderson, Soft Tempest: Hidden Data Transmission Using Electromagnetic Emanations

* www.europarl.eu.int/tempcom/ECHELON/rapport-ECHELON-en.pdf
  European Parliament, Session document, 11 July 2001

* www.fas.org/irp/program/process/docs/ic2000.pdf
  Working document for the STOA Panel, Interception Capabilities 2000
