Electromagnetic Waves
Venezuela recently experienced a series of power outages that left 11 states in the country without power. Since the beginning of this incident, the government of Nicolás Maduro has claimed that it was an act of sabotage, made possible by electromagnetic and cyber attacks on the national electricity company Corpoelec and its plants.
In contrast, the self-declared government of Juan Guaidó attributed the incident to “incompetence system failure”.
Without an impartial and in-depth analysis of the situation, it is very difficult to determine whether these outages were caused by sabotage or by poor maintenance.
However, the sabotage allegations raise a number of interesting questions about information security.
Many control systems in critical infrastructure, such as power stations, are isolated (air-gapped) and therefore have no external Internet connections.
Thus, the question arises: can cyber attackers gain access to closed IT systems without direct contact with their computers? The answer is yes. In this case, electromagnetic waves can be an attack vector.
How to “catch” Electromagnetic Waves / Radiation
All electronic devices generate radiation in the form of electromagnetic and acoustic signals.
Depending on various factors such as distance and obstacles, signals from these devices can be “picked up” by listening equipment using special antennas or highly sensitive microphones (in the case of acoustic signals) and processed to extract useful information. Emitting devices include monitors and keyboards, so these signals can also be exploited by cybercriminals.
Regarding monitors, in 1985 the researcher Wim van Eck published the first unclassified document on the security risks posed by the radiation from these devices. Recall that, at the time, monitors used cathode ray tubes (CRTs).
His research showed that the monitor’s radiation could be “read” from a distance and used to reconstruct the images displayed on the screen. This phenomenon is known as van Eck phreaking and is, in fact, one of the reasons why several countries, including Brazil and Canada, consider electronic voting systems too insecure for use in electoral processes.
Although today’s LCD monitors generate far less radiation than CRT monitors, a recent study shows that they are also at risk. Experts from Tel Aviv University (Israel) have clearly demonstrated this.
They were able to recover encrypted content from a laptop in the next room using very simple equipment costing about $3,000, consisting of an antenna, an amplifier and a laptop with special signal processing software.
Keyboards, for their part, are also susceptible to having their emissions intercepted. This means there is a real risk of cyber-attack, since attackers can recover login data and passwords by analyzing the emissions produced by keystrokes.
TEMPEST and EMSEC
The use of emissions to extract information dates back to World War I, when it involved telephone wires. These techniques were widely used during the Cold War with more advanced devices.
For example, a declassified NSA document from 1973 explains how, in 1962, a security officer at the US Embassy in Japan discovered that a dipole antenna installed at a nearby hospital was pointed at the embassy building to intercept its signals.
The concept of TEMPEST as such emerged in the 1970s, when the first emissions-security directives appeared in the US.
This codename refers to the study of unintentional (spurious) emissions from electronic devices that could lead to the leakage of confidential information.
The TEMPEST standard was created by the United States National Security Agency (NSA) and gave rise to security standards that were also adopted by NATO.
This term is often used interchangeably with EMSEC (Emissions Security), which is part of the COMSEC (Communications Security) standards.
First, TEMPEST protection builds on a basic cryptographic concept known as the red/black architecture.
This concept divides systems into “red” equipment, which processes confidential (plaintext) information, and “black” equipment, which carries data that does not require confidentiality, such as data that has already been encrypted.
One of the purposes of TEMPEST protection is to enforce this separation: all components are isolated, and “red” and “black” equipment are kept apart with special filters.
Secondly, it is important to take into account that every device emits at some level.
This means that the highest possible level of protection would be to shield the entire space, including computers, systems and components.
However, this would be too expensive and impractical for most organizations. For this reason, more targeted techniques are used:
Zone Assessment: Used to verify the TEMPEST security level of spaces, facilities and computers.
After this assessment, resources can be directed to the components and computers that hold the most sensitive information or unencrypted data.
Many official communications security authorities, such as the NSA in the United States or the CCN in Spain, certify these technologies.
Protected Areas: A zone assessment may show that some areas containing computers do not fully meet all security requirements. In these cases, one option is to shield the entire space or to use protected enclosures for these computers. These cabinets are made of special materials that block the propagation of emissions.
TEMPEST-certified computers: Sometimes a computer may be in a secure location but still lack an adequate level of protection. To raise the existing security level, there are computers and communication systems that carry their own TEMPEST certificate, which attests to the security of their devices and other components.
TEMPEST shows that even if corporate systems sit in physically secure spaces, or are not even connected to external networks, there is still no guarantee that they are completely secure.
In any case, most vulnerabilities in critical infrastructure are likely to be related to traditional attacks (e.g. ransomware), as we recently reported. In such cases, these attacks can be prevented with appropriate measures and advanced information security solutions with advanced protection options.
The combination of all these protections is the only way to guarantee the security of critical systems, on which the future of a company or even an entire country depends.