
Finding Radio Frequency Side Channels - fanf2
https://duo.com/labs/research/finding-radio-sidechannels
======
smaddox
That first link
([https://www.win.tue.nl/~aeb/linux/hh/tempest.pdf](https://www.win.tue.nl/~aeb/linux/hh/tempest.pdf))
is absolutely fascinating.

~~~
anfractuosity
Oona Räisänen has an awesome video of Van Eck phreaking against HDMI:
[https://www.youtube.com/watch?v=BpNP9b3aIfY](https://www.youtube.com/watch?v=BpNP9b3aIfY)

Also I think this paper is amazing -
[http://s3.eurecom.fr/docs/ccs18_camurati_preprint.pdf](http://s3.eurecom.fr/docs/ccs18_camurati_preprint.pdf)

"The well-known electromagnetic (EM) leakage from digital logic is
inadvertently mixed with the radio carrier, which is amplified and then
transmitted by the antenna. We call the resulting leak “screaming channels”"

You might find this interesting too, leaking AM emissions from a computer by
twiddling the memory bus -
[https://github.com/fulldecent/system-bus-radio](https://github.com/fulldecent/system-bus-radio)

I made a silly program to play .wav files based on that.

~~~
segfaultbuserr
> _leaking AM emissions from a computer by twiddling the memory bus_

This technique is as old as computers themselves; it was well known back in the
mainframe and minicomputer era. For example, here's a video of a DEC PDP-8
(LAB-8/e) minicomputer (1971) playing music using the same technique [0]. The
software was Richard Wilson's "Music Compiler", written back in 1975; you
should watch it. Later it was also rediscovered by the microcomputer hackers:
members of the Homebrew Computer Club played the Beatles on the Altair 8800.

Acoustic leakage is also possible. Here [1] is a program that runs on a
Thinkpad, and here's the video [2]. It changes the Intel CPU P-state to induce
a coil whine at a specific frequency, and it plays PC Speaker music via the
inductor coil on the switched-mode power supply of the CPU.

On one hand, we can say it's a time-honored tradition in computing and
hacking; on the other hand, it means the same huge side-channel exploit is
still here even though it has been half a century already...

[0]
[https://www.youtube.com/watch?v=akvSE5Z474c](https://www.youtube.com/watch?v=akvSE5Z474c)

[1] [https://rkapl.cz/thinkpad-coilwhine/](https://rkapl.cz/thinkpad-coilwhine/)

[2]
[https://www.youtube.com/watch?v=1xYZHdhYfSE](https://www.youtube.com/watch?v=1xYZHdhYfSE)

~~~
anfractuosity
Cheers, I like the coil whine video and the DEC one too, I'd not seen them
before :)

On a related note, that's what Genkin et al. exploited, along with capacitors
changing size too, to extract RSA keys:

[https://www.tau.ac.il/~tromer/acoustic/](https://www.tau.ac.il/~tromer/acoustic/)

~~~
segfaultbuserr
> _Cheers, I like the coil whine video :)_

I have personally tried it on my Thinkpad, I even modified the program to play
different tunes. Although my Thinkpad is a different model, it works!

> _Genkin et al. exploited, along with capacitors changing size too, to extract
> RSA keys:_

In my opinion, the most fascinating work of side-channel attacks by Genkin et
al. is the chassis ground potential side channel [0]. Apparently, the
conducted electromagnetic emission also induces a small voltage on the
computer chassis ground (earthing/grounding is only for 50 Hz/60 Hz AC; it
doesn't do anything at RF). A direct attack by probing the chassis is not the
only way to attack: anything connected to the chassis ground, such as a CAT-5
cable, can be used. The most mind-blowing thing is, it even works across a
human body! So basically, someone can steal your private key by touching your
computer.

[0]
[https://www.tau.ac.il/~tromer/handsoff/](https://www.tau.ac.il/~tromer/handsoff/)

~~~
anfractuosity
Neat, I don't think I've seen that paper before, sounds very cool!

I will have to read that properly, but would I be right in thinking they would
be able to see their leakage on the earth wire too?

I saw this where they captured PS/2 keystrokes from the earth wire:
[http://dev.inversepath.com/download/tempest/tempest_2009.pdf](http://dev.inversepath.com/download/tempest/tempest_2009.pdf)

But I'm wondering if using a high sample rate ADC would pick up other
emissions like Genkin et al. are doing?

~~~
segfaultbuserr
> _but would I be right in thinking they would be able to see their leakage on
> the earth wire too?_

Yes, I think it should work. As you said, the main difference appears to be
just the ADC. The PS/2 research only used a 1 Msps ADC on a microcontroller;
it's a laughably simple setup, but already productive (it's literally a
10-dollar instrument today, an ideal spy gadget if your victim is still using
PS/2, I guess).

> _But I'm wondering if using a high sample rate ADC would pick up other
> emissions like Genkin et al. are doing?_

Someone should try again using the latest USRP SDR receiver [0] and see what
they are able to get. RTL-SDR can be used but the sampling depth (8-bit) is
not ideal for hunting weak signals near a strong signal.

Probing the power earth wiring instead of the chassis or data cable will be
noisier, as there are a lot of appliances connected. And at higher frequencies,
the SNR will be worse due to attenuation, but I think nothing stops one from
performing a successful attack.

To my knowledge, using a power line filter is mandatory in many high-security
facilities.

[0] [https://www.ettus.com/](https://www.ettus.com/)

------
paddlesteamer
I also like this approach:
[https://www.wired.com/2017/02/malware-sends-stolen-data-dron...](https://www.wired.com/2017/02/malware-sends-stolen-data-drone-just-pcs-blinking-led/)

~~~
squarefoot
This approach can work; however, increasing the time constant of the LEDs would
make it so slow as to be unusable in practice. It can be done via firmware, but
also by adding a very cheap external circuit, which would be impossible to
disable via malware. The idea is that if any pulse sent to the LED would light
it for, say, at least one second, the attacker would be forced to have their
malware modulate the LED much more slowly, to the point that transmitting a
small file could require way more time than the drone can fly.
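
The throttling effect of that pulse-stretching circuit, modelled as an added example (this is not code from the thread, the Wired article, or the original research): the malware drives the LED with on/off keying, a retriggerable one-shot keeps the LED lit for a minimum hold time after every drive pulse, and a camera reads each symbol once, mid-symbol. The 1 kHz drive rate, the 1 s hold time and the 1 KiB file are assumed figures for illustration.

```python
"""Model of an LED pulse-stretching (minimum on-time) mitigation against
blinking-LED exfiltration. Sample rate, hold time and file size below are
assumptions for illustration, not figures from the discussion."""


def ook_modulate(bits, symbol_samples):
    """On-off keying: each bit becomes symbol_samples LED drive samples (0 = dark)."""
    return [b for b in bits for _ in range(symbol_samples)]


def pulse_stretch(drive, hold_samples):
    """Retriggerable one-shot: output stays lit for hold_samples after any 1 input."""
    out, last_on = [], None
    for i, d in enumerate(drive):
        if d:
            last_on = i
        out.append(1 if last_on is not None and i - last_on < hold_samples else 0)
    return out


def ook_demodulate(led, symbol_samples):
    """Receiver (e.g. a drone camera) reads the LED once per symbol, mid-symbol."""
    n = len(led) // symbol_samples
    return [led[s * symbol_samples + symbol_samples // 2] for s in range(n)]


def recoverable(bits, symbol_samples, hold_samples):
    """True if the receiver gets the original bits back through the one-shot."""
    led = pulse_stretch(ook_modulate(bits, symbol_samples), hold_samples)
    return ook_demodulate(led, symbol_samples) == list(bits)


def min_symbol_samples(hold_samples):
    """Shortest symbol the sender can use and still get bits through the one-shot.
    A 1-then-0 pattern is the worst case (the stretch only delays turn-off), and
    recoverability is monotone in symbol length, so a binary search suffices."""
    lo, hi = 1, 4 * hold_samples + 4  # hi is always long enough to recover
    while lo < hi:
        mid = (lo + hi) // 2
        if recoverable([1, 0, 1, 0], mid, hold_samples):
            hi = mid
        else:
            lo = mid + 1
    return lo


def exfil_seconds(nbytes, hold_samples, sample_rate):
    """Time to blink nbytes out at the slowest symbol rate the one-shot forces."""
    return nbytes * 8 * min_symbol_samples(hold_samples) / sample_rate


if __name__ == "__main__":
    RATE = 1000  # assumed: LED driven and sampled with 1 ms resolution
    print(f"no one-shot (hold 1 ms): 1 KiB in {exfil_seconds(1024, 1, RATE):.1f} s")
    print(f"1 s one-shot           : 1 KiB in {exfil_seconds(1024, RATE, RATE) / 3600:.1f} h")
```

With a 1 s hold the forced symbol period is about 2 s, so the same 1 KiB that takes roughly 8 s to blink out unthrottled takes about 4.5 hours.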

------
motohagiography
ML vs. emanations security of popular devices is just one blackhat POC talk
and some sample code away from a total interception vortex.

