Computers leak secrets. Not just through invasive ad tracking, data-stealing malware, and your ill-advised oversharing on social media, but through physics. The movements of a hard drive’s components, keystrokes on a keyboard, even the electric charge in a semiconductor’s wires produce radio waves, sound, and vibrations that transmit in all directions and can—when picked up by someone with sufficiently sensitive equipment and enough spycraft to decipher those signals—reveal your private data and activities.
This category of spying techniques, originally codenamed TEMPEST by the National Security Agency but now encompassed in the more general term “side-channel attacks,” has been a known problem in computer security for close to eight decades, and it’s one that the United States government carefully considers in securing its own classified information. Now a pair of US lawmakers are launching an investigation into how vulnerable the rest of us are to TEMPEST-style surveillance—and whether the US government needs to push device manufacturers to do more to protect Americans.
On Wednesday, Senator Ron Wyden and Representative Shontel Brown released a letter they sent to the Government Accountability Office (GAO) demanding an investigation into the vulnerability of modern computers to TEMPEST-style side-channel attacks, the monitoring and deciphering of accidental emanations from PCs, phones, and other computing devices to surveil their operations. In the letter, Wyden and Brown write that these forms of spying “do not just pose a counterintelligence threat to the US government, but these methods can also be exploited by adversaries against the American public, including to steal strategically important technologies from US companies.”
Along with the letter, Wyden and Brown also commissioned a newly released Congressional Research Service report about the history of TEMPEST and the contemporary threat posed by similar side-channel attacks. It describes the US government’s efforts to protect its devices from those spy techniques, including the use of isolated, radio-shielded spaces for securely accessing secret information known as a Sensitive Compartmented Information Facility, or SCIF. Meanwhile, the government has “neither warned the public about this threat, nor imposed requirements on the manufacturers of consumer electronics, such as smartphones, computers and computer accessories, to build technical countermeasures into their products,” Wyden and Brown point out in the letter. “As such, the government has left the American people vulnerable and in the dark.”
Wyden and Brown’s letter ends by urging GAO to review a list of TEMPEST-related issues: the scale of the modern privacy threat of side-channel attacks, the “cost and feasibility” of implementing protections against them in modern devices, and “potential policy options to mitigate this threat against the public, including mandating device manufacturers add countermeasures to their products,” suggesting that Congress could apply pressure to tech companies to add more defenses to the devices they sell.
Just how practical side-channel attacks like TEMPEST are against modern computing devices—and how often they’re actually used in the wild by hackers and spies—remains far from clear. But the possibility of such attacks has been taken seriously by the US government since as early as the 1940s, when Bell Labs discovered that machines it sold to the US military for encrypting messages produced legible signals on an oscilloscope on the other side of the lab.
The Bell Labs machines were transmitting clues about the inner workings of military cryptography in the radio waves created by their components’ electromagnetic charge. A declassified NSA report from from 1972 later described the problem of the agency’s classified computers transmitting “radio frequency or acoustic energy.” The report added: “These emissions, like tiny radio broadcasts, may radiate through free space for considerable distances” of a half mile or more if the signal is conducted through nearby materials like power lines or water pipes.
