Computers reveal secrets not only through their software but also through physical interactions. Devices like hard drives and keyboards generate electromagnetic signals, sounds, and vibrations that can inadvertently leak sensitive information. This vulnerability, known as side-channel attacks, has been a security concern for nearly 80 years and was initially addressed by the NSA under the code name TEMPEST.
Recently, U.S. lawmakers, Senator Ron Wyden and Representative Shontel Brown, called for an investigation into how susceptible modern devices are to these spying techniques. They pointed out that such vulnerabilities could not only harm national security but also put American citizens at risk, as adversaries might exploit these leaks to steal critical technologies.
In a letter to the Government Accountability Office (GAO), the lawmakers emphasized the need for scrutiny regarding side-channel attacks on common devices like computers and smartphones. They noted that while the government has implemented protective measures for classified information, there has been little done to safeguard the general public or mandate better security practices among device manufacturers.
In tandem with their letter, Wyden and Brown released a report from the Congressional Research Service detailing the history of TEMPEST and the ongoing threats of side-channel attacks. The report illustrated how the U.S. government has used secure environments, such as Sensitive Compartmented Information Facilities (SCIFs), to prevent information leaks, yet consumers remain unprotected.
The letter underscored various issues the GAO should investigate, including the scope of modern threats from side-channel attacks, the feasibility of implementing protection measures in devices, and potential policy approaches to enhance public security. This could involve pressure on manufacturers to include countermeasures in their products.
While the practicality of side-channel attacks against contemporary devices remains uncertain, the potential for such espionage has been recognized by the U.S. government since World War II. Historical instances, such as those involving Bell Labs, revealed that military technology could unintentionally transmit sensitive information through electromagnetic emissions.
Recent studies have confirmed that attackers can utilize low-cost devices to steal information based on these emissions, yet executing such attacks typically requires specific technical knowledge and proximity to the target device.
Wyden’s urgency in highlighting these vulnerabilities suggests he may possess classified information that informs his concerns, though he did not elaborate on this. He views the investigation as a proactive measure against rising surveillance capabilities that may increasingly threaten private citizens and businesses, particularly in sensitive technological sectors.
Experts in cybersecurity, however, caution that while side-channel attacks pose a legitimate threat, they are complex and should not majorly concern the average person. Instead, individuals working in national security or sectors subject to espionage are more likely to be affected.
Advancements in technology, including improvements in energy efficiency, have made devices less prone to unintentional emissions. Nevertheless, the rise of AI tools could enhance the feasibility of executing these attacks, and devices that are less secure, like industrial control systems or smart home gadgets, may still pose risks.
The Congressional Research Service report concluded with suggestions for how the U.S. government could push tech companies to improve device security against these attacks. Regulatory bodies like the FCC and FTC could impose security standards and ensure companies that claim to be secure genuinely protect against such vulnerabilities.
In the absence of clear guidelines and public awareness, the risk remains that sensitive information could be unwittingly broadcast from personal devices, leaving individuals and businesses somewhat exposed to potential threats.
