Today we have the long awaited article on shielding. Even if you have not followed this series, if you work in or with TEMPEST secure environments, this is a must read.
This is a bit of shocker.
The Initial Experiment
To gauge the effectiveness of shielding we began by constructing a home-made Faraday cage. This was a big enclosure about 2 meters in length, one meter in width and one meter in height. It was covered by an aluminum mesh with 1mm slots. As far as shielding goes, this was nothing special and in terms of aperture size alone it would have had an upper frequency of around 6Ghz (λ/50). In practice though, given that it was simple aluminum the shielding effectiveness would drop off rapidly as it approached 1Ghz.
Saying this, we got quite good performance out of it across 1Mhz-2.4Ghz. The effective shielding was a little unstable to say the least and values could vary by as much as 30dB for no apparent reason. From 1Mhz-500Mhz we got a loss of between 30-60dB and above this 15-30dB. We did notice intermittent spikes where the shield suddenly doubled its shielding effectiveness for a brief time, but we never had an adequate explanation for this. A 15-30dB loss at 2.4Ghz for this material is unbelievable. If you want a general idea of what the cage looked like, this picture would be similar only the dimensions are different:
We placed the target individual inside the cage and asked him to describe the sensation. The response was clear, there was a fading effect in all aspects of the signal by a significant amount, about 60%. Matching this against the theoretical work I had done, I took this to mean that we were eliminating or attenuating a large portion of the signal beyond the point of usability. After some time in the cage, the target reported that the effects were increasing but were focused on specific areas, rather than being densely distributed as they normally are. It seemed like the A.I. was probing the cage for effectiveness and focusing power on critical aspects, or where weaknesses existed. There also appeared to be a time delay on this on the order of hours.
We noted an increase in perspiration and surface body temperature of the target, indicating that the RF absorption rate had approach about 2.5W/Kg. Normally, this would not be considered dangerous, but given the delivery mechanism is to the nerves directly, rather than whole body absorption I was not comfortable leaving the target in the cage for too long. The A.I. appeared to have similar ideas and attempted to evoke a panic response to an enclosed environment. It appeared to alternate between heating the target and panic response to encourage the target to leave the cage.
Muscle contractions still seemed possible, at least to some degree. The direct inducement of pain appeared to be lost, but it had retained the ability to increase the sense of pressure around the head, chest and leg area. It also appeared that muscle movement had to be performed in large pulsating rhythms, rather than the normal fine manipulation of the smooth muscles. The voice was still present, but on initial introduction to the cage, it did fade instantaneously and did not recover for several hours.
Lastly, the system has the ability to induce what feels like direct current in localized areas of the body. This did appear to be reduced, but it was noted in limited areas of the target later during the experiment.
Given that there is an A.I. behind this, it occurred to me that it could be exploiting the use of a cage to hide its capabilities. I was therefore left with two clear possible conclusions. The first being that the cage did in fact reduce components of the signal forcing the A.I. to consolidate its power, or that the cage was transparent and the A.I. was playing games.
An analysis of the spectrum revealed nothing of interest, but the portability of the equipment used to conduct this as well as the flux in the shielding performance made this rather difficult.
Obviously, we had gone as far as we could with the current solution but the noted temperature increases and perspiration did reveal one very important aspect, that the RF signal was real.
It was time to bring in some serious artillery.
Military Grade Solution
We opted to bring in a custom military grade portable tent. These tents are used in military field operations, embassies, TEMPEST secure environments, jammer protection, etc. To get an idea of what such a tent would look like, you can have a look at this picture:
Our product was slightly different, but I'm sure you get the idea. The tent is dual layer with a frequency range from 1Mhz-24Ghz. The amount of reduction differs in various band. 60-80dB in 1Mhz-150Mhz, 80dB in 150Mhz-1Ghz, 80-90dB in 1Ghz-15Ghz and 70-80dB in 15Ghz-24Ghz.
This should be enough to put a serious dent in any transmission system. At least that was the theory.
We put the target behind both layers to assess the vocal component of the system. Unlike the last cage, there was no perceptible difference in the clarity of the audio and no impact on the ability of the system to listen to the inner monologue and register a wide variety of neural and body activity. As with the previous cage, there was a heat component and the target began sweating profusely, much more than in the previous cage.
This suggests that the RF gain had to be increased to compensate for the increased shielding. It must be remembered that this signal need to both enter and leave the tent. Thus, this signal would need to increase anywhere between 120-180dB to compensate for the loss. Obviously, this was not an issue at least in the case of a single target being in a tent.
This was concerning. Whilst this was occurring we had RF monitoring gear in place both inside and outside the tent. It showed no signs of this powerful signal between 50Mhz and 2Ghz. It did, however, reveal something far more interesting. We observed a wide-band cluster of signals passing through the tent without any loss whatsoever. It was intermittently spread across the entire band we were monitoring with a dense grouping under 450Mhz. This should not be possible.
Every other signal, from airports to FM radio and TV signals were completely gone, but this background cluster of signals was always present and suffered no signal loss as it transitioned the tent. The first reaction is always that this is local noise, but we switched all the hardware, antennas and even brought the antennas next to known sources of RFI within the tent. The signal showed no difference in its strength which it should as RFI loses strength as the antenna moves further from the source.
There were two different sources to this signal, the first showed Doppler effects indicating that the source was in motion and that frequency drift changed directions indicating a handover between two moving objects. In short, it was from a satellite network (this vanished shortly after, within a few hours). The second show no such effects and was coming from a ground-based network.
We cannot say for sure that this is the signal, or an active network that powers the receptions of biological information, only that it was observed. If it was, it would mean that this signal is, at ground level, normally around -190 - -250dB, however, this may be misleading as we will see in a moment. This means that tents based upon the following standards, or similar standards, should not be trusted in secure environments:
IEEE Std 299-1997
I suspect that Mr Computer is using a network of AESA-type radars which have the ability to pass through Faraday cages and jam electronics within this environment. From related patents in this area, it would appear that a complex wavefront can disrupt the charge distribution across the surface of a cage (it may even be ionizing under 2Ghz) and allow signals to pass through the cage. This effect may even be selective in terms of which frequencies can transition the boundary and/or reduce the effectiveness of the cage, but I have no further information on this at present.
Thus, RF shielding is no longer about how much you can attenuate a signal and any product that solely provides such a measurement should be avoided. A new approach to shielding must be adopted that deals with complex wavefronts. For an example of such a transmitter, follow these links:
This will probably turn out to be just one of numerous methods of breaching a Faraday cage and until this process is widely understood and commercial solutions made available, do not trust secure environments, no matter how thick the shielding is.