
I wonder why certification (common criteria and stuff like that) of security critical hardware that is meant to be used in datacenters (e.g. link encryptors) includes some tests related to TEMPEST attacks.

It seems to me that the actual test procedures and requirements for TEMPEST in these certifications are not publicly known. But I wonder: do people really care about that for a device that's in a datacenter? Can't you just say "we trust the server room, nothing will leak out anyway"?

Basically: Is TEMPEST an actual concern for such systems or is any talk of it in that context just marketing, or just in order to be able to say "we looked at everything" in case anyone asks "but did you also think about attack X", even though looking at it is obviously a waste of time? Or is it that the equipment is also supposed to be used in other settings? Or something else I'm missing?

  • have you looked up practical TEMPEST attacks? – schroeder Jul 26 '22 at 13:56
  • It sounds like you are asking about a risk-informed approach to TEMPEST, which is beyond the scope of a ***certification***. Certification standards tend not to modify themselves based on a risk-informed context, since it would be too easy to game that approach. – schroeder Jul 26 '22 at 13:58
  • Please limit posts to one question. – schroeder Jul 26 '22 at 13:59
  • I looked up TEMPEST attacks but the closest I found to a real-life attack was a report of an antenna being found pointed at some small military outpost in Asia, with no indication of any data being actually stolen. There is of course all the work about snooping monitors and keyboards and whatnot but there again all I saw was academic and also that's not what I'm asking about. – Adomas Baliuka Jul 26 '22 at 14:39
  • "Certification standards tend not to modify themselves based on a risk-informed context, since it would be too easy to game that approach. " --- that sounds very interesting but I don't understand what you mean – Adomas Baliuka Jul 26 '22 at 14:41
  • "all I saw was academic " -- what are you looking for? It's a proven risk with all that "academic" demonstration. Are you rejecting evidence because it came from a university? What are you looking for? The top article on this topic demonstrated the extraction of data using cheap equipment. – schroeder Jul 26 '22 at 14:48
  • "not academic" would be an example where some system was attacked in the real world. Of course, no such cases being known does not mean there is no danger. My question is about datacenters though and I found absolutely nothing indicating dangers there. Your comment about certification sounds very interesting. Could you perhaps explain it more? – Adomas Baliuka Jul 26 '22 at 14:51
  • The context for this question is that you don't think that TEMPEST is a risk to *you* in this particular *context*. That's fine, but *standards* need to take the general case into account. They don't modify themselves because a particular context isn't at risk for the threat that the standard is meant to counter. If that was allowed, then you could say that any control in a standard isn't a risk, in your opinion, and that you don't need to comply with any of the standard, thereby making the standard meaningless. – schroeder Jul 26 '22 at 14:51
  • Let us [continue this discussion in chat](https://chat.stackexchange.com/rooms/138041/discussion-between-adomas-baliuka-and-schroeder). – Adomas Baliuka Jul 26 '22 at 14:51

0 Answers