Is it time for enterprises to start thinking about TEMPEST?

Truly innovative attacks are hard to come by. Every so often an old trick implemented in a new way may be counted as innovative.

In 2011 the issue of using mobile phones to collect the vibrations from keyboards was discussed (http://dl.acm.org/citation.cfm?doid=2046707.2046771). In 2009 even t-shirts and teacups were discussed as possible surfaces on which a signal could be bounced and recovered (http://dl.acm.org/citation.cfm?id=1608141).

A TEMPEST-related article was released under the FOIA in 2007. It is a short but recommended read.

The latest item supporting this line of thinking is AirHopper. The DTRF Recognizer in the video is an application that uses the FM radio that goes unused on most mobile phones as a reception method for the signals that keyboards give off during normal usage.

TEMPEST-related standards are still classified. If you have ever been inside a TEMPEST-compliant facility you will know that it is not streamlined, fluid or convenient to work at one of these places.

We are security advocates tempered by risk. Our suggestion is to examine the value of the conversation or computing transaction that might possibly be exposed and act accordingly. A proper risk assessment and a well-executed security awareness plan are integral components of any strategy looking to mitigate the risk of exposure of sensitive information.
