How Vulnerable Are Computers to an 80-Year-Old Spy Technique? Congress Wants Answers

Computers divulge secrets. Not just through invasive ad tracking, data-stealing malware, and your misguided oversharing on social media, but also through physics. The movements of components on a hard drive, keystrokes on a keyboard, and even the electrical charge in the wires of a semiconductor produce radio waves, sounds, and vibrations that transmit in all directions and can, when picked up by someone with sensitive enough equipment and enough espionage to decipher these signals, reveal your private data and activities.

This category of espionage techniques, originally dubbed TEMPEST by the National Security Agency but now subsumed under the broader term “side-channel attacks,” has been a known problem in computer security for nearly eight decades, and it is one that the United States government carefully considers when securing its own classified information. Today, two U.S. lawmakers are launching an investigation into how vulnerable the rest of us are to TEMPEST-style surveillance and whether the U.S. government needs to push device makers to do more to protect Americans.

On Wednesday, Senator Ron Wyden and Representative Shontel Brown released a letter they sent to the Government Accountability Office (GAO) demanding an investigation into the vulnerability of modern computers to TEMPEST side-channel attacks, the monitoring and decryption of accidental emissions from PCs, phones and other computing devices to monitor their operations. In the letter, Wyden and Brown write that these forms of espionage “not only pose a counterintelligence threat to the U.S. government, but these methods can also be exploited by adversaries against the American public, including to steal strategically important technology from U.S. companies.”

Along with the letter, Wyden and Brown also commissioned a recently released report by the Congressional Research Service on the history of TEMPEST and the contemporary threat posed by similar side-channel attacks. It describes the U.S. government’s efforts to protect its devices from these espionage techniques, including the use of isolated, radio-shielded spaces to securely access secret information known as the Sensitive Compartmented Information Facility, or SCIF. Meanwhile, the government “neither warned the public about this threat nor required manufacturers of consumer electronic devices, such as smartphones, computers, and computer accessories, to incorporate technical countermeasures into their products,” Wyden and Brown point out in the letter. “As such, the government has left the American people vulnerable and in the dark. »

Wyden and Brown’s letter concludes by urging the GAO to consider a list of issues related to TEMPEST: the scale of the modern threat to privacy posed by side-channel attacks, the “cost and feasibility” of implementing protections against these attacks in modern devices, and “potential policy options for mitigating this threat to the public, including requiring device manufacturers to add countermeasures to their products,” suggesting that Congress could pressure tech companies to that they add more defenses to the devices they sell.

The effectiveness of side-channel attacks like TEMPEST against modern computing devices, and how often they are actually used by hackers and spies, remains far from clear. But the possibility of such attacks was taken seriously by the U.S. government as early as the 1940s, when Bell Labs discovered that the machines it sold to the U.S. military to encrypt messages produced signals readable on an oscilloscope on the other side of the lab.

Bell Labs machines transmitted clues to the inner workings of military cryptography in radio waves created by the electromagnetic charge of their components. A declassified NSA report from 1972 later described the problem of the agency’s classified computers transmitting “radio frequency or acoustic energy.” The report adds: “These emissions, like tiny radio emissions, can radiate through free space over considerable distances” of half a mile or more if the signal is routed through nearby materials like power lines or water pipes.