TEMPEST and Emanation Security
All TEMPEST exercises use your own equipment only. Capturing emanations from equipment you do not own may violate federal law.
| Regulation | Scope | Key Point |
|---|---|---|
| 47 CFR 15.9 | FCC Part 15 | Receive-only devices are generally permitted |
| 18 U.S.C. 2511 (ECPA) | Wiretap Act | Intentional interception of others' communications is prohibited |
| FCC Part 15 | Unintentional radiators | Devices must accept interference, including from emanations |
When in doubt: own equipment only, own premises only.
Learning Objectives
- Explain what electromagnetic emanations are and how they leak information
- Use PortaPack Looking Glass for wideband spectrum survey
- Reconstruct a VGA display signal using TempestSDR and HackRF
- Understand HDMI emanation capture and CNN-enhanced recovery
- Identify keyboard emanation signatures
- Apply countermeasures and assess mesh network implications
Part 1: Emanation Theory (25 min)
Every electronic device radiates electromagnetic energy as a side effect of normal operation. Displays, cables, and keyboards all produce unintentional emissions that can be captured and reconstructed at a distance.
Van Eck phreaking (1985): Wim van Eck demonstrated that CRT display contents could be reconstructed from electromagnetic emanations at a distance, using inexpensive equipment.
| Year | Development | Significance |
|---|---|---|
| 1985 | Van Eck, "Electromagnetic Radiation from Video Display Units" | First public demonstration of display emanation capture |
| 2004 | Kuhn, "Electromagnetic Eavesdropping Risks of Flat-Panel Displays" | Extended to LCD/flat-panel displays |
| 2009 | Vuagnoux and Pasini, "Compromising Electromagnetic Emanations of Wired and Wireless Keyboards" | Keyboard emanations at 20 meters |
| 2020 | gr-tempest (GNU Radio OOT module) | Open-source SDR-based TEMPEST receiver |
| 2024 | Correa-Londono et al., "Deep-TEMPEST" (LADC 2024) | CNN-enhanced HDMI emanation recovery |
How video emanations work: Display cables carry high-frequency signals (pixel clocks of 25-600 MHz). These signals radiate from unshielded or poorly shielded cables and can be received with a wideband SDR, then demodulated by synchronizing to the pixel clock, horizontal sync, and vertical sync.
Lab 1: Spectrum Survey (30 min)
Use the PortaPack H4M in Looking Glass mode for a wideband spectrum survey to identify emanation peaks from lab equipment.
- Power on the HackRF H4M with PortaPack (Mayhem firmware from SD card)
- Navigate to Looking Glass (wideband spectrum view)
- Set range: 50 MHz - 500 MHz (covers VGA pixel clocks)
- Turn on a VGA monitor connected to a test laptop
- Identify the emanation peak -- note center frequency and bandwidth
- Change the display content (white screen vs. text) and observe signal changes
Expected result: Visible peaks near the monitor's pixel clock frequency (typically 25-165 MHz for VGA).
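Added example, not part of the original lab material: one way to separate your own monitor's emanation peaks from broadcast and other signals seen in the Lab 1 survey, by matching each peak against harmonics of candidate pixel clocks. The VESA timing table, the 0.1 MHz tolerance, the function names and the sample peak list are assumptions made for illustration; substitute the readings taken from your own equipment.

```python
import math

# Added example: survey span from Lab 1; everything else is an assumption.
SURVEY_MHZ = (50.0, 500.0)

# Standard VESA DMT timings: mode -> (h_total, v_total, pixel_clock_mhz).
# Totals include blanking, so the clock exceeds width * height * refresh.
VESA_MODES = {
    "640x480@60": (800, 525, 25.175),
    "800x600@60": (1056, 628, 40.000),
    "1024x768@60": (1344, 806, 65.000),
    "1280x1024@60": (1688, 1066, 108.000),
}

def refresh_hz(mode):
    """Exact frame rate implied by the timing (nominal 60 Hz is approximate)."""
    h_total, v_total, clk = VESA_MODES[mode]
    return clk * 1e6 / (h_total * v_total)

def harmonics_in_range(clk_mhz, lo=SURVEY_MHZ[0], hi=SURVEY_MHZ[1]):
    """Pixel-clock harmonics that fall inside the surveyed span."""
    first, last = math.ceil(lo / clk_mhz), math.floor(hi / clk_mhz)
    return [n * clk_mhz for n in range(first, last + 1)]

def match_peaks(peaks_mhz, clk_mhz, tol_mhz=0.1):
    """Peaks lying within tol_mhz of an integer multiple of the pixel clock."""
    hits = []
    for p in peaks_mhz:
        n = round(p / clk_mhz)
        if n >= 1 and abs(p - n * clk_mhz) <= tol_mhz:
            hits.append(p)
    return hits

def attribute(peaks_mhz, tol_mhz=0.1):
    """Return (best_mode, display_peaks, unexplained_peaks)."""
    scored = {m: match_peaks(peaks_mhz, t[2], tol_mhz) for m, t in VESA_MODES.items()}
    best = max(scored, key=lambda m: len(scored[m]))
    if not scored[best]:
        return None, [], list(peaks_mhz)
    rest = [p for p in peaks_mhz if p not in scored[best]]
    return best, scored[best], rest

# Constructed survey readings (MHz): display harmonics plus FM broadcast and ISM.
SAMPLE_PEAKS = [65.0, 98.1, 130.02, 195.0, 260.05, 433.92]

if __name__ == "__main__":
    mode, display, other = attribute(SAMPLE_PEAKS)
    print(f"{mode}: {refresh_hz(mode):.3f} Hz, display peaks {display}")
    print(f"not display-related: {other}")
```

Peaks that track the display (they change between the white screen and text in the last step) should land in the matched list; a peak that stays unexplained is more likely a broadcast or ISM signal than an emanation from the monitor.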
Lab 2: VGA Reconstruction (35 min)
Reconstruct a VGA display signal using TempestSDR with HackRF tethered to a laptop.
- Connect HackRF H4M to laptop via USB (tethered mode, not standalone)
- Start TempestSDR:
```bash
# Clone and build TempestSDR
git clone https://github.com/martinmarinov/TempestSDR.git
cd TempestSDR/JavaGUI
make

# Launch with HackRF backend
java -jar JTempestSDR.jar
```
- Set the target resolution (e.g., 1024x768 @ 60 Hz for VGA)
- Tune to the emanation frequency identified in Lab 1
- Adjust frame rate and resolution until the image locks
- Move the HackRF antenna to find optimal reception angle and distance
Expected result: Recognizable (noisy) image of the target VGA display at 1-3 meters.
Lab 3: HDMI and deep-tempest (35 min)
| Interface | Pixel Clock | Shielding | Emanation Difficulty |
|---|---|---|---|
| VGA (analog) | 25-165 MHz | Minimal | Easiest |
| DVI (digital) | 25-165 MHz (single-link) | Moderate | Medium |
| HDMI (digital) | 25-600 MHz (TMDS) | Good | Harder, but possible |
| DisplayPort | 162-810 MHz | Good | Hardest |
deep-tempest (Correa-Londono et al., LADC 2024) uses a convolutional neural network to enhance noisy HDMI emanation captures. The CNN is trained on pairs of (noisy capture, clean original) to denoise and sharpen the reconstructed image.
```bash
# deep-tempest setup (requires Python 3.10+, CUDA recommended)
git clone https://github.com/emidan19/deep-tempest.git
cd deep-tempest
pip install -r requirements.txt

# gr-tempest for raw capture
# Build the GNU Radio OOT module for TEMPEST reception
git clone https://github.com/nash-pillai/gr-tempest.git
cd gr-tempest && mkdir build && cd build
cmake .. && make && sudo make install
```
Workflow: Capture raw IQ with gr-tempest, feed into deep-tempest CNN for enhanced reconstruction.
Keyboard Emanations (20 min)
Vuagnoux and Pasini (2009) demonstrated that wired and wireless keyboards emit detectable electromagnetic signatures for individual keystrokes, recoverable at distances up to 20 meters.
| Keyboard Type | Emanation Range | Recovery Method |
|---|---|---|
| PS/2 wired | Up to 20 m | Clock/data line emanation capture |
| USB wired | Up to 5 m | Differential signaling reduces range |
| Wireless (2.4 GHz) | Up to 30 m | Direct RF interception (KeySweeper-style) |
| Bluetooth LE | Up to 10 m | BLE sniffing (paired, encrypted) |
Key insight: Even encrypted wireless keyboards leak timing metadata. Emanation capture is a physical-layer attack that bypasses encryption entirely.
Countermeasures (20 min)
| Countermeasure | Effectiveness | Cost |
|---|---|---|
| Ferrite cores on cables | Low -- reduces some high-frequency emissions | $2-5 |
| Shielded cables (STP) | Moderate -- reduces cable emanations | $10-30 |
| Display filters / privacy screens | Low -- optical only, no RF effect | $20-50 |
| Distance (inverse square law) | Moderate -- signal drops 6 dB per doubling | Free |
| RF noise generators | Moderate -- raises noise floor | $50-200 |
| TEMPEST-rated equipment (NSTISSAM/1-92) | High -- military-grade shielding | $5,000+ |
| Faraday cage / shielded room | Very high -- blocks all RF | $500-10,000+ |
For most community mesh operators, distance and awareness are the practical countermeasures. Full TEMPEST protection is primarily relevant for high-security environments.
Mesh Implications (15 min)
TEMPEST attacks are relevant to mesh operators because:
- Encryption does not protect screen content -- AES-256 encrypts radio traffic, but what you display on screen radiates in the clear
- Air-gapped workflows are not immune -- a TAILS session on a laptop still emits video emanations
- Operational security must include physical-layer awareness -- where you read sensitive messages matters
Cross-references:
- Mesh Network Security -- encryption layers, threat modeling
- TAILS and Secure Communications -- 5-layer OpSec model
- Stealth Mode Guide -- reducing device RF signature
Equipment
| Item | Purpose | Provided |
|---|---|---|
| HackRF H4M + PortaPack | Standalone spectrum survey (Looking Glass) and tethered SDR capture | Yes |
| Laptop with USB port | TempestSDR host, gr-tempest, deep-tempest | Bring your own |
| VGA monitor + cable | Target for emanation reconstruction | Yes |
| HDMI monitor + cable | Target for HDMI emanation lab | Yes |
| Directional antenna (optional) | Improved reception at distance | Available |
Software
| Tool | Source | Purpose |
|---|---|---|
| TempestSDR | GitHub | Real-time video emanation reconstruction (Java) |
| gr-tempest | GitHub | GNU Radio OOT module for TEMPEST reception |
| deep-tempest | GitHub | CNN-enhanced HDMI emanation recovery |
| Mayhem firmware | GitHub | PortaPack firmware with Looking Glass, spectrum analysis |
References
- Van Eck, W. (1985). "Electromagnetic Radiation from Video Display Units: An Eavesdropping Risk?" Computers & Security, 4(4), 269-286.
- Kuhn, M.G. (2004). "Electromagnetic Eavesdropping Risks of Flat-Panel Displays." 4th Workshop on Privacy Enhancing Technologies.
- Vuagnoux, M. and Pasini, S. (2009). "Compromising Electromagnetic Emanations of Wired and Wireless Keyboards." USENIX Security Symposium.
- Correa-Londono, S. et al. (2024). "Deep-TEMPEST: Using Deep Learning to Eavesdrop on HDMI from its Unintentional Electromagnetic Emanations." LADC 2024.