
The TEMPEST Method of Computer Data Interception!

by Al Muick OCT 86

Let me begin with a brief history of myself. I spent the better part of six years in Uncle Sam's Country Club (better known as the US Army) working in the Intelligence and Security Command (better known as the ASA--Army Security Agency). During that time, my primary duties were Cryptology, Cryptologic Intercept, Counterintelligence, and Field First Sergeant (whatta drag!).

What I'm about to tell you comes under the heading of Cryptologic Intercept. Incidentally, for those of you in the know, I was stationed at Field Station Augsburg in West Germany (if you're not in the know, read the book, THE PUZZLE PALACE).

The interception of radiated data from computers and computer terminals is known in the world of the ASA as "TEMPEST." TEMPEST intercept may be accomplished in several ways. One is via a mobile van with the commo equipment on board, two is via strategically stationed intercept sites (Field Station Augsburg), and the third, rarely used, is relay from one site to another.

To run a TEMPEST operation, you will need a good communications receiver, both high frequency and very high frequency, with adjustable bandwidths and a VFO. If you plan to just intercept and leave the exploitation of the collected intelligence for later, you will need a HIGH-QUALITY tape deck; not one of those cheap-assed portables, but a high quality deck. If you plan to do the exploitation now or later, you will still need to convert the IF of your communications receiver to a recordable frequency. To do this, simply patch the output of your 1 MHz or below IF to the input plug on your tape deck. If your IF is something above 1 MHz you're S.O.L. unless you have an IF downconverter around or have the ability to construct one. You will, in effect, be recording an RF frequency on your tape deck vice an audio frequency.

Your tape deck MUST run at either 7 1/2 or 15 i.p.s. in order for it to record this signal. You will later play that signal back into your IF for exploitation.

As soon as you have your intercept station (it is best to use a van) set up with receiver, antenna and recorder, you are ready to engage your intercept target. Most computers are RF shielded these days, so your receiver had better be damn sensitive and have a very selective bandwidth. If you are planning to intercept such a computer, you will need to be outside its building location (if possible). Since we know most microprocessors operate at frequencies between 2-12 MHz, we will look for the radiated data in that frequency range. It is here that a spectrum analyzer, connected to your IF output, will aid in discerning the signals and binary emissions of your target computer. If you know how to use a spectrum analyzer, it will prove invaluable, but since they are so complicated, I will not attempt to explain their proper use here.

You will simply scan the bands between 2-12 MHz until you find the radiated signal (if you must, look for the 2nd, 3rd, 4th, etc. harmonics if local interference on the primary frequency is too high) and then tune to the spot where it comes in best. Next adjust your bandwidth until you can just hear the signal as pure as day, with very little to no outside interference.

Once you have your target tuned in, you may want to drive around the block or further away, to avoid detection. Remember not to go too far or you will lose the signal. Mainframe computers (when unprotected) sometimes radiate a signal for 3 to four miles! A typical PC computer will radiate a signal for at least 1/2 mile if unprotected!

You should, by now, have picked your intercept site, have parked the van, and have made sure that you still have your signal coming in at good strength. The next step is easy! Simply connect the output of your low frequency IF to the input of your deck and let 'er rip! I find that 10" reels suit this purpose just fine, and you should be able to get at least one or two UIDs or PWs in the amount of time you will have at 7 1/2 or 15 i.p.s. After the tape is done (you may want to record both sides), pack up your gear and head for home!

Once home, you will need another piece of equipment, possibly two. In various surplus magazines, you will see a machine called a "visi-corder" advertised. This is a machine that burns a copy of binary code onto light-sensitive paper. They cost some money, but are basically invaluable. You are now ready for signal exploitation.

You now need to play your recorded tape into the IF input of your communications receiver. The output of your IF will be connected to the IF input on the visi-corder. This will give you the truest binary representation on the paper. If you so desire, you may connect the audio out of your communications receiver to the audio input of the visi-corder. The audio is rectified into DC and then you get a crisp, clear presentation on the paper. But remember this....DC LIES!!! While the representation may be clear, the binary spacing will be off slightly, increasing in error as you continue, until you finally wind up with continuous error.

Assuming you have made the proper connections, get some beer for your relaxation (or them funny little pills, or whatever makes you relax....here comes the hair-pulling part). Begin playback of the deck into your receiver and initiate the visi-corder's print mode. I recommend a medium-fast speed, because if you use slow speed to conserve paper (you cheap fucker!), the bauds will be so close together as to render the paper useless and you wind up wasting the paper anyway!

At this point, print out about 2 minutes worth of paper. Once the paper is printed, expose it to light so it develops and have several 3x5" cards handy. As soon as it develops, scan the paper and the binary stream on it for a section that has three or four of the smallest (closest together) bits. This is ASCII. Once you have found the section, place one 3x5" card at the base of the section and mark off tick marks where each bit stops and ends (on the smallest bits only!!). You are now ready to do what we in the ASA call "bustin' bauds."

As you know, one ASCII byte consists of 8 bits. Simply start at a reasonable point at the beginning of your interception and begin to mark off tick marks along the binary stream. Even if you come across 1s and 0s that are very wide, mark as many thin ticks from your 3x5" card on them. This is necessary to break the ASCII code.

The complete 8 bit ASCII code is at the end of this tutorial for your convenience.

Once you have marked off the paper, count off the first eight bits, e.g. 10011101, and refer to the ASCII chart to find a character that fits it. If you can't find one immediately, don't despair! Try using the complement of the 8-bit code in front of you (i.e. the reverse of what you've decoded. Instead of 10011101, try 01100010.). If you still have not found anything, slide your card over one bit and try to get another byte of ASCII. This time you may come up with 00111010 (complement 11000101). Check it with the table. Remember, you may have to do this eight times (that is, shift a bit over eight times) before you make any sense out of it. It is long and tedious, but it will pay off in the end.

Note: this is illegal and is punishable under federal law. I assume no responsibility for your actions, and neither does the operator of P-80. This is presented for your information only. If you have any questions, please leave me mail!......happy hacking!....Al Muick.

ASA LIVES FOREVER!!

The 8 bit ASCII code:

(for 7 bit ASCII, simply delete the last bit...it's not always there...something to keep in mind....)

BINARY MEANING

00000000 Null
10000000 Start of message
01000000 End of address
11000000 End of message
00100000 End of transmission
10100000 WRU (Who are you?)
01100000 RU (Are you...?)
11100000 Bell (audible signal)
00010000 Format effector
10010000 Horizontal tabulation or skip (for card puncher)
01010000 Line feed
11010000 Vertical tabulation
00110000 Form feed
10110000 Carriage return
01110000 Shift out
11110000 Shift in
00001000 Device control reserved for data link escape
10001000 Device control
01001000 Device Control
11001000 Device Control
00101000 Device control (stop)
10101000 Error
01101000 Synchronous idle
11101000 Logical end of media
10001000 Information separator
10011000 Information separator
01011000 Information separator
11011000 Information separator
11001000 Information separator
11011000 Information separator
11101000 Information separator
11111000 Information separator
00000100 Word separator (space, normally non-printing)
10000100 !
01000100 "
11000100 #
00100100 $
10100100 %
01100100 &
01110100 '
00010100 (
10010100 )
01010100 *
11010100 +
00110100 ,
10110100 -
01110100 .
11110100 /
00001100 0
10001100 1
01001100 2
11001100 3
00101100 4
10101100 5
01101100 6
11101100 7
00011100 8
10011100 9
01011100 :
11011100 ;
00111100 <
10111100 =
01111100 >
11111100 ?
00000010 @
10000010 A
01000010 B
11000010 C
00100010 D
10100010 E
01100010 F
11100010 G
00010010 H
10010010 I
01010010 J
11010010 K
00110010 L
10110010 M
01110010 N
11110010 O
00001010 P
10001010 Q
01001010 R
11001010 S
00101010 T
10101010 U
01101010 V
11101010 W
00011010 X
10011010 Y
01011010 Z
11011010 Left bracket
00111010 Reverse slash bar
10111010 Right bracket
01111010 Up arrow
11111010 Left arrow
00000110 Unassigned
10000110 Unassigned
01000110 Unassigned
11000110 Unassigned
00100110 Unassigned
10100110 Unassigned
01100110 Unassigned
11100110 Unassigned
00010110 Unassigned
10010110 Unassigned
01010110 Unassigned
11010110 Unassigned
00110110 Unassigned
10110110 Unassigned
01110110 Unassigned
11110110 Unassigned
00001110 Unassigned
10001110 Unassigned
01001110 Unassigned
11001110 Unassigned
00101110 Unassigned
10101110 Unassigned
01101110 Unassigned
11101110 Unassigned
00011110 Unassigned
10011110 Unassigned
01011110 Unassigned
11011110 Unassigned
00111110 Acknowledge
10111110 Unassigned control
01111110 Escape
11111110 Delete/Idle
