How visible is your data? Security is an issue
How many people could be reading this blog, on your device, at the same time as you? Maybe someone could be looking over your shoulder if you are sitting in an open plan office or scrolling down on your laptop or smartphone while on the commute…but not many people right? Wrong! Data security on any computing device is an issue.
We are all familiar with the tricky espionage techniques we see in the Hollywood movies and how encryption can protect our data when it’s stored. But what about when that information is being read or worked on? Did you know that your PC, laptop, smartphone – and pretty much any other electrical device – could be leaking your data to anyone who knows how to pick it up?
Once unencrypted and visible on our screens, information on these devices is being emitted via leaking electrical transmissions/radio waves. Much like tuning in an old television set, if the listener has the right technology to hand they can tune in live to see what you see or record those emissions to review later. It is estimated that in the typical PC set-up - with a keyboard, monitor, mouse and a printer - there are around 80 vulnerabilities that could be exploited to view data. Vulnerable areas include elements such as the CPU, monitor, graphics card, power line, and network connections like USB ports.
Of course, the military, government departments and international organisations such as NATO are very aware of this threat and use a set of specifications called TEMPEST, originally created by the US National Security Agency (NSA), to protect their devices. I would love to be able to tell you that TEMPEST stands for “Tiny Electro Magnetic Particles Emitting Secret Things” – I’ve always thought it would be the perfect acronym, ever since I heard it for the first time many years ago - but it doesn’t.
However, this type of protection is now increasingly being used on a much wider basis. For example, in the public sector and in corporations to protect sensitive commercial information, such as bid information for large contracts, or personal information, such as private health data.
The good news is that any electrical device can be modified to protect against this type of threat. The TEMPEST level of protection required, depends on the proximity of the threat.
If the attackers could have immediate access, say in the next office or hotel room, then the highest level of protection (Level A) is required. If they could be some 20 metres away, in the building or in the car park outside, then Level B protection is required and if access could be within 100 metres then Level C protection will suffice.
As you would expect, the specifics about how to protect the devices are not divulged but certain components and levels of shielding are used to negate the threat and devices are certified in secure testing facilities.
Our institutions handling Top Secret data will no doubt continue to use Tempest and other techniques to encrypt data but in the future we see the biggest increase in requests for Tempest protected devices coming from the public sector and big business. As we increasingly digitise, personal data and commercially sensitive information has moved out of locked cabinets and onto mobile devices.
At my company, Eurotempest, we have certified expert testers and state-of-the-art laboratories in the Netherlands and Sweden to modify or enhance off-the-shelf IT products and networking solutions to meet these TEMPEST standards.
Some of the TEMPEST-Certified devices we regular provide are Panasonic TOUGHBOOK rugged notebooks and tablets. Historically our everyday customers have been defence and government agencies but I suspect that in the future, TEMPEST-Certified will be a phrase much more familiar to more mobile workers.