Photos: SM-9312 Spectrum Monitor; UHF Tuner SUT-1000C-1; VHF Tuner SVT-30C-1; LF Receiver S302-1; Control Panel Front; Control Panel Rear.
To learn what Tempest is see The Complete, Unofficial TEMPEST Information Page or do a Google search on Tempest (Wiki: TEMPEST, Van Eck phreaking, RINT, Markus Kuhn). Since the 1950s it has been known that it is possible to gather information by means of the electromagnetic emanations from some electrical devices. An example is that early teletype machines using 20 or 60 mA current loop circuits to feed on-line encryption equipment sent signals down the wire, in addition to the encrypted information, that would allow someone to read the plain text message directly (i.e. without even looking at the encrypted signal). There was a major U.S. project during the Cold War where we tunneled under the West German border and tapped a trunk line to get these signals. This is described in the book Wilderness of Mirrors by David C. Martin, Ballantine Books, as part of their Espionage/Intelligence Library, 1981, ISBN 0-345-29636-2.
Other examples of Tempest attacks are using radio equipment in a van outside someone's office to see what is being displayed on their computer monitor. A newer way to do this is to use a telescope and photomultiplier tube to look at light reflected from the wall or ceiling that's coming from a CRT or LCD and reconstruct the image. Another modern Tempest attack is based on looking at the modulation on the "power on" LED and recovering information, or on processing the signals from a cell phone that's near some encryption equipment.
Optical Time-Domain Eavesdropping Risks of CRT Displays by Markus Günther Kuhn.
TEMPEST is an acronym for "Telecommunications Electronics Material Protected from Emanating Spurious Transmissions"
CEI and WJ RS-111 receivers - the RS-111 receiver used by Nixon's Watergate team to listen to the bugs is in the same product family as these CEI receivers.
The NSA has recently (9-27-2007) declassified a paper "TEMPEST: A Signal Problem". Bell Labs discovered a problem with the SIGTOT 131-B mixer used to encrypt teletype messages.
These receivers were typically used in conjunction with a screen room (Wiki) and were used to look for radiated emissions and, using power line couplers, conducted emissions coming from the equipment under test. The signals they were looking for would be strong, so these receivers are not at all good for use with an antenna to hear weak radio signals going over the air.
When looking for weak signals that are continuous wave (Wiki CW) the sensitivity of a receiver depends on how narrow the true bandwidth is. For example the HP 4395A when used as a spectrum analyzer has a true RMS bandwidth of 1 Hz. But for receiving modulated signals the receiver is most sensitive when its demodulator is matched to the transmitted signal. For example the signal from GPS satellites is below thermal noise on the surface of the Earth, but a GPS receiver can take the wide band signal and pull it out of the noise.
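As an added illustration (not from the original page), the Python sketch below computes the thermal noise floor for a given bandwidth and shows a signal 20 dB below the noise being recovered by correlating it against its known code. The -174 dBm/Hz figure assumes 290 K; the 10 kHz and 2 MHz bandwidths, the random 1023-chip code and the function names are constructed for the example.

```python
import math
import random

def noise_floor_dbm(bandwidth_hz, noise_figure_db=0.0):
    """Thermal noise power in a bandwidth: -174 dBm/Hz (290 K) + 10*log10(B) + NF."""
    return -174.0 + 10.0 * math.log10(bandwidth_hz) + noise_figure_db

def despread_snr_db(chips=1023, symbols=200, chip_snr_db=-20.0, seed=1):
    """SNR after correlating a below-noise spread signal with its known code.

    The code is a constructed random +/-1 sequence (not a real GPS code);
    1023 chips is used because that is the GPS C/A code length.
    """
    rng = random.Random(seed)
    code = [rng.choice((-1, 1)) for _ in range(chips)]
    amp = 10 ** (chip_snr_db / 20.0)        # signal amplitude; noise sigma is 1
    outputs = []
    for _ in range(symbols):
        bit = rng.choice((-1, 1))           # data bit carried by this code period
        corr = sum(c * (amp * bit * c + rng.gauss(0.0, 1.0)) for c in code)
        outputs.append(corr * bit)          # strip the data sign before averaging
    mean = sum(outputs) / symbols
    var = sum((o - mean) ** 2 for o in outputs) / (symbols - 1)
    return 10.0 * math.log10(mean * mean / var)

if __name__ == "__main__":
    for bw in (1.0, 10e3, 2e6):
        print(f"{bw:>10.0f} Hz bandwidth -> noise floor {noise_floor_dbm(bw):7.1f} dBm")
    print(f"per-chip SNR -20.0 dB -> after correlation {despread_snr_db():.1f} dB")
```

The correlation adds about 10*log10(1023), roughly 30 dB, which is why a matched receiver sees a usable signal where a wide-band power measurement sees only noise.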
Communications Electronics Inc. (CEI), later bought by Watkins Johnson (WJ), made a test system primarily designed for testing equipment that was to be certified as not having any emanations that could be used to recover any useful data.
From W-J Application Note 1307.50 "RS-125-17 Tempest Receiving System" Introduction:
"The Watkins-Johnson RS-125-17 TEMPEST Receiving System represents a highly versatile arrangement of equipments designed primarily to meet the TEMPEST measurements requirements of NACSEM-5100. The system is also well suited for spectrum surveillance, electromagnetic surveys, range monitoring, propagation studies, electromagnetic pulse (EMP), and analysis of electromagnetic emanations. The RS-125-17 is a manual wide band receiving system providing continuous coverage from 1 kHz to 1 GHz. The system is extendable on the high end of the tuning range for ultimate coverage to 18 GHz."
The mention of "manual" indicates to me that there was work on systems that were under computer control or they already existed.
The system consisted of 3 sloping face rack panels (holding maybe two dozen rack boxes like these) that were above table height with:
- VLF Receiver and Converter
- HF, VHF and UHF tuners
- IF Demodulators
- Switching hardware
- Display and Monitor Hardware
I think the equipment on this page with the CEI brand is slightly older than that used in the W-J RS-125-17 TEMPEST Receiving System. Both these CEI boxes and the W-J boxes shown in the app. note have almost identical appearance and function but with minor differences. Note that these CEI boxes use MC (Mega Cycles) and the WJ App note uses MHz (Mega Hertz).
The Spectrum Monitor is a 2 rack unit (3.5") high box that takes in the 21.4 MHz IF outputs from the tuners and displays a frequency spectrum. If you know the frequency range the tuner is scanning you can recognize the modulation type. For example, TV signals look different from FM radio, which looks different from narrow band FM communications signals. Having a spectrum display makes finding signals much easier since you can see where there's activity.
In addition to using this Spectrum Monitor you can also feed the 21.4 MHz IF tuner outputs into a communications receiver that can then demodulate wide and/or narrow FM as is used in most VHF and UHF communications and for TV sound.
Golden age construction, i.e. transistors and mostly Nuvistors.
Controls
- Gain - When full CCW it takes a +8 dBm signal for full scale deflection, when max CW it takes a -100 dBm signal for full scale
- Sweep Width - the widest setting (CW) provides (left to right) 22.5 MHz to 20.5 MHz, at about 9 o'clock it's 21.51 to 21.64, and when fully CCW the top of the peak fills the screen.
- Center Freq - allows centering the frequency (different from horizontal position). The center of the range is a little off from 21.4 MHz, but I don't have a manual for this box that tells how to make the centering adjustment.
There are two separate tuners in this 2 rack unit (3.5") high UHF tuner box, one for 225 to 500 MC and another for 490 to 1000 MC. The SUT-1000B and SUT-1000C each have Slo-Syn motors so that either the front panel multiturn knob or the motor can tune the radio. The motors are designed to scan up and down between two limits. You might call this an early scanner radio. Some say real radios have motors.
The output is a signal at 21.4 MHz that is fed to the Spectrum Display and to Demodulator boxes (which I don't have).
Construction is "Golden Age", that is to say discrete components, transistors and Nuvistors (6CW4, 7077, 7486, 7587 in the front end) on printed circuit boards.
Instruction Manual for Type SUT-1000C Tuner is about 1/2" thick and includes alignment, maintenance, schematics, parts list and the remote modification information.
The front panel band switch was removed when I got these tuners. This was done as part of the motorization option so that the band selection could be remotely controlled from pin "P" (green wire) on the rear panel. Open is low band, -24 VDC for high band.
I replaced the 19 pin MS series connector with barrier strip screw terminals.
There are two separate tuners in this 2 rack unit (3.5") high VHF tuner box, one for 30 to 60 MC and another for 54 to 260 MC. The B and C versions have Slo-Syn motors like the UHF tuner.
The output is a signal at 21.4 MHz that is fed to the Spectrum Display and to Demodulator boxes.
Instruction Manual for Type VT-30C Tuner (and SVT-30C Tuner) is about 1/2" thick and includes alignment, maintenance, schematics, parts list and the remote modification information.
Construction is "Golden Age", that is to say discrete components, transistors and Nuvistors (6CW4s and 7587s in the front end) on printed circuit boards.
The control panel is a 3 rack unit high (5.25") panel, made mainly to control the CEI tuners but also to do some other useful control functions.
The band switch also sends DC to the relays in the dual band tuners to select which band they operate on. It also routes the common output from the SP10T antenna switch to the correct Antenna input so the antenna is switched to the band in use.
- On the left is a home brew SP10T coax switch that was used to allow multiple antennas to be routed to one of the instruments in this system.
- There is a military 600 Ohm speaker to provide a front mount speaker.
- I did not have the LF Receiver at the time I was using this system, so I included a Palomar Engineers low frequency converter to translate 10 kHz to 500 kHz up into the HF band. So the band switch has the following positions:
  - 10 kHz to 500 kHz
  - 50 kHz to 30 MHz (feeds the DR-33C HF receiver)
  - 30 to 62 MHz
  - 54 to 260 MHz
  - 225 to 500 MHz
  - 490 to 1000 MHz
- The ON-OFF switch feeds both a wall wart to power the Palomar Engineers converter (instead of a 9 Volt battery) and the DC supply to drive the band switching relays in the dual band tuners.
The LF receiver is a 2 rack unit (3.5") high receiver that has a single tuning knob and a single large Slo-Syn motor. There are three bands: 30 to 60 kC, 60 to 140 kC and 140 to 300 kC. There is a front panel 1/4" phone jack and rear panel audio out terminals. I have no manual for this receiver.
Terryo: Data Sheet -
While bugs are a different subject, they are related to TEMPEST.
YouTube: The Spying Game - "Walls Have Ears" (Complete)
5:57: The Thing (Wiki) passive cavity resonator
8:04: Using mikes that already are in the room
9:45: Berlin Cable Tap (in Wilderness of Mirrors, see Background above)
13:33: Transistors (Wiki) allow small battery powered RF bugs
18:39: Vietnam outdoor intrusion sensors: TRC-3, ADSID & PSR-1
20:26: Sweeper (bug hunter) CryptoMuseum: Lee Tracey, "Scanlock", Audiotel
22:09: Remote turn-on -> Broom Non Linear Junction detector, Charles Bovill
- The Spying Game - "Spies in the Skies" (Complete)
- Secrets of Spies Documentary on the Tricks Used by Spies
A non-linear junction detector (Wiki) excites the target area and looks for harmonics of the excitation signal.
The thing that makes this difficult is the excitation signal source may not be a pure signal, but rather contains some second and third harmonic distortion. These signals ideally would be nonexistent.
History: "By looking at the ratio between the 2nd and the 3rd harmonic of the base frequency, the operator can tell the difference between a semiconductor (i.e. an electronic part) and a natural structure."
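A numerical sketch of the harmonic-ratio test and of the source-purity problem described above, added here as an example (not from the original page or any commercial detector). The two junction curves, the -20 dBc source distortion and the -120 dB floor are simplified assumptions: a diode-like junction returns a stronger 2nd harmonic, a corroded metal contact a stronger 3rd.

```python
import math

N = 256            # samples spanning exactly one excitation cycle
FLOOR = 1e-6       # assumed receiver floor, -120 dB relative to the drive

def harmonic_db(signal, k):
    """Level of harmonic k in dB relative to a unit-amplitude drive (one DFT bin)."""
    re = sum(s * math.cos(2 * math.pi * k * n / N) for n, s in enumerate(signal))
    im = sum(s * math.sin(2 * math.pi * k * n / N) for n, s in enumerate(signal))
    return 20.0 * math.log10(max(2.0 * math.hypot(re, im) / N, FLOOR))

def excitation(h2_dbc=None):
    """One cycle of drive; h2_dbc adds second-harmonic distortion from the source."""
    d2 = 0.0 if h2_dbc is None else 10 ** (h2_dbc / 20.0)
    return [math.cos(2 * math.pi * n / N) + d2 * math.cos(4 * math.pi * n / N)
            for n in range(N)]

def semiconductor(v):
    """Asymmetric diode-like curve (assumed model): 2nd harmonic exceeds the 3rd."""
    return math.exp(v) - 1.0

def corroded_contact(v):
    """Odd-symmetric curve of a metal-to-metal contact (assumed model): odd harmonics only."""
    return v + 0.2 * v ** 3

def classify(junction, drive):
    """Return (verdict, 2nd-minus-3rd harmonic level in dB) for the re-radiated signal."""
    ret = [junction(v) for v in drive]
    margin = harmonic_db(ret, 2) - harmonic_db(ret, 3)
    return ("semiconductor" if margin > 0 else "natural junction"), round(margin, 1)

if __name__ == "__main__":
    print(classify(semiconductor, excitation()))                  # clean drive, diode
    print(classify(corroded_contact, excitation()))               # clean drive, corrosion
    print(classify(corroded_contact, excitation(h2_dbc=-20.0)))   # distorted drive
```

The third case shows the same corroded contact being read as a semiconductor once the drive itself carries second-harmonic energy, which is why the excitation source has to be as pure as possible.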
2773253 Method of detecting discontinuities in the reflective properties of surfaces, David E Sunstein, Space Systems Loral (Philco Ford), 1956-12-04, - RADAR set with added discriminator in receiver
3518546 Harmonic communication and navigation system, Harry A Augenblick, John G Vogler, Microlab FXR, 1970-06-30
3631484 Harmonic detection system, Harry A Augenblick, Microlab FXR, 1971-12-28
3798642 Recognition system, H Augenblick, W Engle, Microlab FXR, 1974-03-19, - uses multiple tank circuits to control reflected harmonics.
4053891 Radar object detector using non-linearities, Charles L. Opitz, Lockheed, 1977-10-11, - RADAR that looks for harmonics rather than the fundamental.
5191343 Radar target signature detector, Paul M. Danzer, Michael J. Brienza, Norden Systems, 1993-03-02, - RADAR uses two transmitters to look for nonlinear aspects of the target.
6057765 Non-linear junction detector, Thomas H. Jones, Bruce R. Barsumian, Research Electronics International, 2000-05-02
6897777 Non-linear junction detector, Steven John Holmes, Andrew Barry Stephen, Audiotel International, 2005-05-24
20040095243 Non-linear junction detector, Steven Holmes, Andrew Stephen, Audiotel International, 2005-05-24, - about controlling drive power level to improve sensitivity.
9209856 Spread spectrum non-linear junction detector, Bruce R. Barsumian, Thomas H. Jones, Darrell L. Harmon, Research Electronics International, 2015-12-08, - REI NLJD - 900 MHz or 2.4 GHz excitation frequency.
Crypto Museum: Charles Bovill, (S-Phone, Scanlock Broom ECM, Rebecca/Eureka (Wiki)) TSCM\NLJD,
GBPRR Non-Linear Junction Detector - DIY + information on commercial units. - DIY Projects: GPS Jammer, Cell Bug, Trunked radio jammer, Laser Warning Receiver, Night Vision Jammer, & many more. STANAG 3733: Laser Pulse Repetition Frequencies Used for Target Designation and Weapons Guidance
Martin L. Kaiser: Nostalgia - FBI Vendetta Against Martin Luther Kaiser III - Manufacturer of Bomb Detection and Disposal Equipment specializing in Improvised Explosive Device (IED) Detection -
A SCIF (Wiki) is a space that needs to meet several requirements that are aimed at stopping an adversary from learning what's going on in the room. This would include TEMPEST as well as acoustic and probably other types of shielding.
While working at Aertech we had a screen room that came broken down and was assembled where we wanted it. It was solid metal and about 8 to 10 feet on a side.
Not a place to be if you're claustrophobic. I think there were fancy power line filters so that we could use line powered test equipment in the room.
TRW, who purchased Aertech, had many SCIFs built into their buildings and for some programs we would meet in them. The door might be used on a bank vault including high quality locks. But these were much larger than the small shielded room at Aertech so were not as claustrophobic, but the lack of a window was noticeable and once the door closes you know the room is sealed.
---- RF Only-----
2674644 Shielding and sealing gasket for electronic equipment, Alfred M Goodloe, Metal Textiles Corp, 1954-04-06, - for a few decades prior they made kitchen scouring pads. This is the same woven material they used to make high power resistors. They also make flame barriers as used on airplanes and in miner's lamps.
2765362 Screen rooms, Erik A Lindgren, 1956-10-02, - 10 to 43 MHz with >120 dB attenuation (common screen rooms of that time were more like 40 - 50 dB)
2853541 Door for screen room, Erik A Lindgren, 1958-09-23, - these were rooms made of metal window screen mesh attached to a wood frame. RF shielding only for some frequencies.
3009984 Door for a shielded enclosure, Erik A Lindgren, 1961-11-21, - RF only
----- RF & Acoustic ----
4794206 RF shielded and acoustic room, Jonathan Weinstein, Industrial Acoustics Co, 1988-12-27, - SCIF
4395 - In the Spectrum Analyzer mode covers 0 to 500 MHz with a true 1 Hz Resolution Bandwidth, so extremely sensitive.
Agilent E4404B ESA-E 9kHz - 6.7 GHz Spectrum Analyzer - Portable and can run on 12 VDC or 120 VAC.
Cryptography & Cryptographic Machines & Cryptographic Patents
FasTrak Vehicle ID Transponder - is an active transponder, not an RF ID tag.
Gamewell - Pen Registers (Wiki) - these were used to capture outgoing phone call numbers in the time of dial phones.
HP 71100A 2.9 GHz Spectrum Analyzer - a modular system
Key, Object & Pet Location Tags - the Apple tag is a real problem
Orion Electronics Ltd. Cellular Base Station ST616-CBS - fake cell tower
Phones & Cell Phones
Probability of Intercept -
Shielding Integrity Monitoring System II RP98G & RP98D - to test RF integrity of shielding
Spying on Cell (Mobile) Phones
Telephone Patents
Telephone Poles & what's on them
page created 16 May 2003.