TEMPEST Comes To GNU Radio

As we use our computers, to watch YouTube videos of trucks hitting bridges, to have a Zoom call with our mothers, or even for some of us to write Hackaday articles, we’re unknowingly sharing a lot of what we are doing with the world. The RF emissions from our monitors, keyboards, and other peripherals can be harvested and reconstructed to give a third party a view into our work, and potentially access to all our darkest secrets. It’s a technique with origins in government agencies that would no doubt prefer to remain anonymous, but for a while now it has been available to all through the magic of software defined radio. Now it has reached the popular GNU Radio platform, with [Federico La Rocca]’s gr-tempest package.

He describes it as a re-implementation of [Martin Marinov]’s TempestSDR, which has a reputation for not being for the faint-hearted. The current version requires GNU Radio 3.7, but he promises that a 3.8-compatible version is in the works. A YouTube video that we’ve placed below the break shows a range of examples running, though there seems to be little information on the type of antenna employed. Perhaps a log-periodic design would be most appropriate.
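The reconstruction step glossed over above deserves a closer look, so here is an added toy example of the frame-averaging principle that video TEMPEST tools rely on. It is not code from gr-tempest or TempestSDR: the leaked stream is synthesised in software under an assumed emission model (only pixel-to-pixel transitions radiate), the 16x8 video mode and binary test pattern are constructed, and the attacker is assumed to know the nominal frame length to within 30%. Folding the stream at the frame period and averaging pulls the picture out of noise that drowns any single frame; fold at the wrong period and it smears away, which is why getting the refresh rate exactly right matters so much in practice.

```python
"""Toy demonstration of the frame-averaging idea behind video TEMPEST tools.

This is an added example, not code from gr-tempest or TempestSDR. The
emission model (only pixel-to-pixel transitions leak), the 16x8 toy video
mode and the random test pattern are constructed assumptions; no radio is
involved, the "capture" is synthesised in software.
"""
import random

WIDTH, HEIGHT = 16, 8          # constructed toy video mode
FRAME = WIDTH * HEIGHT         # samples per frame, one sample per pixel


def make_test_pattern(seed=1):
    """Random binary raster (constructed input); random so that no two lines
    repeat and the only strong periodicity in the stream is the frame rate."""
    rng = random.Random(seed)
    return [[rng.randint(0, 1) for _ in range(WIDTH)] for _ in range(HEIGHT)]


def emission(pattern):
    """Hypothetical emission model: what radiates is the high-frequency
    content of the video signal, so the leaked sample follows the pixel-to-
    pixel transition (edge), not the absolute brightness of the pixel."""
    raster = [p for line in pattern for p in line]
    return [abs(raster[i] - raster[i - 1]) for i in range(len(raster))]


def capture(edges, n_frames, snr_db, seed=0):
    """Synthesised capture: the per-frame emission repeats n_frames times,
    buried in Gaussian noise at the requested per-sample SNR."""
    rng = random.Random(seed)
    sig_power = sum(e * e for e in edges) / len(edges)
    sigma = (sig_power / 10 ** (snr_db / 10)) ** 0.5
    return [e + rng.gauss(0.0, sigma) for _ in range(n_frames) for e in edges]


def estimate_frame_period(x, lo, hi):
    """Return the lag in [lo, hi] with the largest autocorrelation.

    The window comes from the video mode the attacker assumes (here 30% either
    side of the nominal frame length); without such a window every multiple of
    the true period is an equally good peak."""
    mean = sum(x) / len(x)
    c = [v - mean for v in x]
    best_lag, best_val = lo, float("-inf")
    for lag in range(lo, hi + 1):
        val = sum(c[i] * c[i + lag] for i in range(len(c) - lag))
        if val > best_val:
            best_lag, best_val = lag, val
    return best_lag


def fold(x, period):
    """Average consecutive period-long chunks of the stream. The picture adds
    coherently while the noise averages down by sqrt(number of frames)."""
    n = len(x) // period
    acc = [0.0] * period
    for f in range(n):
        base = f * period
        for i in range(period):
            acc[i] += x[base + i]
    return [a / n for a in acc]


def correlation(a, b):
    """Pearson correlation, used to score a fold against the true emission."""
    ma, mb = sum(a) / len(a), sum(b) / len(b)
    num = sum((u - ma) * (v - mb) for u, v in zip(a, b))
    da = sum((u - ma) ** 2 for u in a) ** 0.5
    db = sum((v - mb) ** 2 for v in b) ** 0.5
    return num / (da * db)


def demo(n_frames=200, snr_db=-5.0):
    """Run the whole chain and report how each stage scores against the truth."""
    edges = emission(make_test_pattern())
    x = capture(edges, n_frames, snr_db)
    period = estimate_frame_period(x, int(FRAME * 0.7), int(FRAME * 1.3))
    good = fold(x, period)
    bad = fold(x, period + 1)      # one sample late per frame: the image smears
    return {
        "period": period,
        "single_frame_corr": correlation(x[:FRAME], edges),
        "folded_corr": correlation(good[:FRAME], edges),
        "misfolded_corr": correlation(bad[:FRAME], edges),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value:.3f}" if isinstance(value, float) else f"{key}: {value}")
```

At -5 dB per-sample SNR a single raw frame correlates poorly with the true pattern (well under 0.7), while the 200-frame fold at the correctly estimated period scores above 0.95; folding one sample off per frame drops the score below 0.5. Real captures add the complications the toy skips: the sample clock is not locked to the pixel clock, so the period is fractional and drifts, and the line rate has to be found as well as the frame rate.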

Via RTL-SDR.com.

Thanks [Lazy Mad Scientist] for the tip.

10 thoughts on “TEMPEST Comes To GNU Radio”

  1. My monitors have Soviet Union high power vacuum tubes on the HV EHT stage. Try harvesting RF from my 9-track tape drive (Pertec), punch card loader (RS232), punched tape reader (RS232) or ferrite memory (parallel). HDDs are ESDI and SCSI.

  2. Sometimes I wonder if having 4 monitors surrounding one makes things better or worse…
    They sure all refresh at their own frequencies, but they likely make it a mess to discern one from the other.

    Though, from a sufficiently far distance, even my neighbor’s screens would start to be a problem of a similar fashion.

    Tempest is after all rather easy if one has 1 target surrounded by true noise.
    Same thing goes for timing level attacks.

    One can make exceptions when there is interference of a known type. But add sufficiently many devices that all have their own behavior, and it quickly becomes a mess to just work out what potential device a signal might belong to, even if one knows the behavior of said devices.

    I remember doing a project back when I was in school; I read a study about TEMPEST mitigation in keyboards. Some keyboards scan the keys in a fixed order, while others randomize the order. This means that an attacker can’t know where the scan currently is. Though, each column of keys is its own antenna with its own RF properties, so it has a fingerprint in that regard…. I.e., the paper came to the conclusion that randomizing scan order did make it a bit harder, but it was still relatively easy to figure it out, it only needed a little better SNR.

  3. “It’s a technique with origins in Government agencies that would no doubt prefer to remain anonymous”

    That’s true, but only in the sense that TEMPEST was invented by a Dutch civilian.

    EDS used to supply the military with “Red Seats”, TEMPEST-hardened laptops.

    1. Cough. Van Eck was the first (known) unclassified publication, ’85. The danger of that happening was known long before. That’s why we call it van Eck Phreaking.

      The name Tempest comes from an NSA paper from 1982. So, we call the attack TEMPEST after the classified NSA discovery, and we call it Van Eck for the hacker.
