Most security focuses on networks and endpoints.
Very little attention is given to what devices emit into the physical environment.
This isn’t a dormant risk. It’s an unaddressed one.
In March 2026, U.S. lawmakers formally requested a renewed investigation into TEMPEST-related threats, citing:
• Lack of public awareness
• Absence of modern regulatory requirements for consumer devices
• Potential exploitation by criminals, private investigators, and non-state actors
Image 1: Extract from Congressional letter (March 4, 2026) describing TEMPEST as a “serious national security threat”.
The request highlights a critical point:
The U.S. government has not conducted a follow-up review of this threat since 1986, despite the risk being known for over 80 years.
The accompanying Congressional Research Service memorandum reinforces this, outlining:
• The ability to reconstruct data from electromagnetic, acoustic, and RF emissions
• That these techniques have been repeatedly rediscovered in academic research
• That the equipment required to observe these emissions is now easily obtainable
What TEMPEST is
TEMPEST refers to the unintentional electromagnetic emissions generated by electronic devices during operation.
These emissions are not just noise.
They can carry structured information.
Under the right conditions, it is sometimes possible to reconstruct elements of what a system is processing, including screen content, signals, or data flows, from emitted RF energy.
This is a physical side-channel. It exists whether it is monitored or not.
Image 2: Simulated TEMPEST reconstruction using GNU Radio (gr-tempest open-source implementation)
The setup
From a practical standpoint, observing these emissions does not require exotic infrastructure.
A typical research setup may include:
• Software-defined radio platforms (e.g. HackRF class devices)
• Near-field or directional antennas
• Signal processing via tools such as GNU Radio
With correct tuning and filtering, emissions from monitors, video cables, power lines, and internal components can be captured and analysed.
Importantly:
No network interaction is required.
No system access is required.
This is passive collection from the electromagnetic environment.
Beyond policy and classification, the underlying reality is simpler:
TEMPEST is often framed within classified programmes, hardened environments, and military-grade shielding.
What determines the risk are three factors:
• how detectable the emissions are
• how far they travel
• how much information they expose
This shifts TEMPEST from a classified concern to a physical reality with direct operational implications.
What the documents explicitly confirm
The CRS memo is very direct about how this works in practice:
• Acoustic — keystrokes can be derived from recorded typing sounds
• RF — emissions may be observable at distance under favourable conditions
• Electromagnetic — signals generated by internal currents can be measured and analysed
It also confirms something often missed:
These attacks rely on observing unintended signals generated during operation.
What has not changed
The same memorandum highlights a structural gap:
• No uniform TEMPEST mitigation policy across U.S. government systems
• No requirement for consumer device manufacturers to implement countermeasures
• Limited public guidance despite long-standing awareness
At the same time:
• Techniques have been publicly demonstrated (2009–2022 research examples)
• Methods now fall under what is broadly called side-channel attacks
• The barrier to entry is no longer restricted to state actors
Threat level — low, but specific
For most organisations, TEMPEST does not present an immediate or scalable risk.
Constraints remain significant:
• Effective range is limited
• Signal clarity degrades rapidly
• Environmental RF noise introduces distortion
• Skill and interpretation barriers are non-trivial
However, context matters.
In environments where:
• systems are air-gapped
• data sensitivity is high
• physical proximity can be achieved
TEMPEST becomes a relevant niche collection method.
Not widespread.
But not theoretical.
Closing note
Most organisations monitor networks, endpoints, and cloud environments.
Very few consider what their systems emit into the physical environment.
INTSPIRED®
OFFENSIVE BY DESIGN. INTELLIGENT BY NATURE.
Full references and further detail available in the article.
• U.S. Congressional letter (March 2026)
https://www.wyden.senate.gov/imo/media/doc/wyden_gao_tempest_letter.pdf
• Congressional Research Service memorandum
https://www.wyden.senate.gov/imo/media/doc/memo_-_tempest.pdf
• GNU Radio TEMPEST implementation (gr-tempest)
https://github.com/git-artes/gr-tempest
Top comments (0)