How does the fax device in the printer use eavesdropping?

• The NSA might have modified the device, but without installing additional electronics, in order to reduce the probability of discovery. They might have made some minor, purely mechanical changes, to strengthen an existing accidentally emitted signal. An easy way to achieve this is to manipulate the ground-return path. Good electronics designers ensure that any current returns to the source along the same path as it came, e.g. via a twisted-pair cable. By disconnecting a ground-return line and sending the current back on a detour via some other metal structure in the device, you can effectively build a transmitter coil, and substantially increase the signal leakage without leaving any obvious traces (such as additional circuit boards with transmitters). They could also remove shielding material, short-circuit or remove low-pass filters designed to suppress radio interference, basically do the opposite of anything an electromagnetic-compatibility textbook advises.
• They might have installed nearby (within a few meters, possibly on the same mains power circuit) a device that records any compromising emanations as described above, and then retransmits them over a much larger distance for further analysis.
• They might have installed something that “illuminates” the target device with microwave radiation, perhaps through a window, and then look at interesting data in the back-scatter signal. Every bit of wire acts as both a receive and transmit antenna, and reflects electromagnetic waves as a result. It will reflect some frequencies better than others, depending not only on its length, but also on how the ends are terminated (e.g., left open or grounded). If the termination of a wire changes in a data-dependent way, beaming RF energy at a suitable frequency at it and listening to what comes back may allow eavesdropping from a much larger distance than just passive listening.
• If a non-linear device (transistor, diode) is connected at the end of the wire, then the state of that (open, closed) will also affect what harmonics are being created. This can be exploited by an eavesdropper listing to backscatter radiation at an integer multiple of the frequency at which the device is being illuminated.

Many of these techniques have been speculated about or demonstrated in a laboratory setting in the open literature. But there is very little hard evidence of how widely they are used in practice to violate someone’s privacy or steal secrets, because the people who perform such eavesdropping attacks in real life (as opposed to academic laboratories) are not in the habit of publishing their work. Therefore, I am thankful for this little glimpse of a contemporary real-world TEMPEST-style attack!