TEMPEST Emissions Security: What Your LCD Could Be Saying About You
Cybersecurity is both an everyday necessity and a developing mystery. We’ll often think of anti-virus software for our personal computers or employee training on the job to protect company information. But one area that typically flies under the radar is TEMPEST emissions security. Although it might sound like something out of a spy movie, it actually can involve one of the most common technologies we use on a daily basis – LCD screens.
Behind the Screen: Exploring LCD Emissions
What if we tell you that this specific cyber threat is not preventable by passwords or encryption alone? LCD emissions are an unfortunate side effect of connectivity that is invisible to the naked eye. Whenever our device is operating, electromagnetic waves are emanating into the open. While these emissions aren’t harmful to us physically, they can be harmful in the wrong hands.
How it works is that your LCD engages in silent back-and-forth conversation with the environment it’s in. If someone has sophisticated enough equipment, they can “listen in” on that conversation and interpret those emissions – and that means having our digital privacy on the line.
What is TEMPEST in cybersecurity?
TEMPEST (Telecommunications Electronics Material Protected from Emanating Spurious Transmissions) is an official acronym created by the United States National Security Agency. It refers to a cybersecurity protocol that safeguards people and organizations from electromagnetic information leakages.
Interestingly, TEMPEST has a long history that dates back to World War II. At the time, telecommunications company Bell Telephone informed Signal Corps that electromagnetic spikes were detected from a mixer device that was made to encrypt teleprinter signals. Just like many of our modern-day devices, teleprinters were used to send and receive important typed messages. If signals were tampered with, it could result in a dangerous and compromising scenario.
TEMPEST was born to refer to spying on information systems, particularly through unintentional signals that devices might give off. In the context of LCDs, there are several TEMPEST rules to help minimize these security breaches, including appropriate shielding and bonding, designing circuits to minimize emissions, and other methods, such as using radiation screening.
Certain devices are more at risk than others, depending on a variety of factors. Devices that have signals that can be conducted over signal lines, those with amplified signals, and those that produce acoustics (meaning sounds from mechanical devices like keyboards) are all more likely to be intercepted and interpreted.
There are also two types of system classifications related to compromising signals, including RED systems and BLACK systems. Most, if not all, readers of this article won’t likely have to worry about exposing national security information (NSI). This leaves RED systems out of the equation. BLACK systems, however, are all devices that process encrypted data or non-NSI data.
How to Prevent Unauthorized Information Leak Through LCD Screens
TEMPEST testing equipment or surveillance systems might sound like a great device to have. However, these are strict requirements and often only needed for applications used in defense, security and other similar industries. They aren’t something that you’d see in an everyday office or home. If you are developing a product that will for use in an environment that requires protection from data eavesdropping, it will be good to work with a manufacturer that has expertise in creating custom LCDs with designs that reduce electromagnetic emanations.
Of course, your concerns about information leakage should really depend on your situation. Most companies, and especially individuals, shouldn’t have to worry too much about this type of attack. Since devices used to intercept signals don’t produce crisp images or sharp results, these attacks won’t affect the average person. There are often many more tried-and-true ways that criminals can try and access someone’s private information. Connecting to unsecured networks or phishing scams, for instance.
Conclusion
While it’s true that you shouldn’t lose sleep over this sort of information leakage, knowledge is power when it comes to cybersecurity. The more we know, the better we can protect ourselves and our companies proactively. Although the likelihood of becoming victims of these highly specialized attacks is low compared to mainstream cyber attacks, it can play a big role in shaping the way we conduct our digital activities and approach security.