Identify Your Devices By Their Unintentional Radiation

RFID was supposed to revolutionize asset tracking, replacing the barcode everywhere. Or at least that was the prediction once tags got under five cents apiece. They still cost seven to fifteen cents, even in bulk, and the barcode is still sitting pretty. [Chouchang (Jack) Yang] and [Alanson Sample] of Disney Research hope to change that.

Instead of tagging every electronic device, they use whatever electromagnetic emissions the device currently produces when it’s powered up. What’s surprising is not that they can tell an iPhone from a toy lightsaber, but that they can tell the toy lightsabers apart. But apparently there are enough manufacturing and tolerance differences from piece to piece that they appear unique most of the time.

The paper (PDF) goes through the details and procedure. The coolest bit? The sensor they use is an RTL-SDR unit with the radio-mixer front end removed and replaced with a simple transformer. This lets them feed baseband (tuning from 0 to 28.8 MHz) straight into the ADC and on to the computer, which does the heavy math. Sawing off the frontend of a TV tuner is a hack, for those of you out there with empty bingo cards.

If you like statistics, you’ll want to read the paper for details about exactly how they classify objects, but the overview is that they first figure out what type of device they’re “hearing” and then focus on which particular one it is. The measure that they use ends up being essentially a normalized correlation.

While we’re not sure how well this will scale to thousands of devices, they get remarkably good results (around 95%) for picking one device out of five. The method won’t be robust to overclocking or underclocking of the device’s CPU, so we’re concerned about temperature and battery-voltage effects. But it’s a novel idea, and one that’s ripe for the hacker-rebuild. And for the price of an RTL-SDR, and with no additional per-tag outlay as with an RFID system, it’s pretty neat.
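The two-stage match and the clock-sensitivity concern can be seen in a small sketch. This is an added example, not code from the paper or from Disney Research: the spectra are constructed Gaussian peaks rather than measured data, and the per-type averaged template, the `LIBRARY` contents and all function names are assumptions of the sketch.

```python
import math
import random

def normalized_correlation(a, b):
    """Zero-mean normalized correlation of two equal-length spectra (-1..1)."""
    ma, mb = sum(a) / len(a), sum(b) / len(b)
    da, db = [x - ma for x in a], [y - mb for y in b]
    den = math.sqrt(sum(x * x for x in da) * sum(y * y for y in db))
    return sum(x * y for x, y in zip(da, db)) / den if den else 0.0

def spectrum(peaks, clock_scale=1.0, noise=0.0, seed=0, bins=256, width=1.5):
    """Constructed magnitude spectrum: Gaussian peaks given as (bin, amplitude).
    clock_scale moves every peak proportionally, as a clock change would."""
    rng = random.Random(seed)
    return [sum(amp * math.exp(-((i - c * clock_scale) / width) ** 2)
                for c, amp in peaks) + abs(rng.gauss(0, noise))
            for i in range(bins)]

# Constructed reference library (not measured data): type -> unit -> peaks.
# Units of one type share a peak pattern but differ by small tolerances.
LIBRARY = {
    "lightsaber": {"saber-A": [(40, 1.0), (80, 0.60), (120, 0.30)],
                   "saber-B": [(42, 1.0), (84, 0.55), (126, 0.35)]},
    "phone":      {"phone-A": [(30, 0.4), (150, 1.0), (200, 0.7)],
                   "phone-B": [(30, 0.5), (153, 1.0), (204, 0.6)]},
}

def identify(observed):
    """Stage 1 picks the device type, stage 2 the unit within that type."""
    refs = {t: {u: spectrum(p) for u, p in units.items()}
            for t, units in LIBRARY.items()}

    def template(units):
        # Assumed type template: the average of the type's unit spectra.
        return [sum(col) / len(col) for col in zip(*units.values())]

    dev_type = max(refs, key=lambda t: normalized_correlation(
        observed, template(refs[t])))
    scores = {u: normalized_correlation(observed, s)
              for u, s in refs[dev_type].items()}
    unit = max(scores, key=scores.get)
    return dev_type, unit, round(scores[unit], 3)

if __name__ == "__main__":
    saber_a = LIBRARY["lightsaber"]["saber-A"]
    print(identify(spectrum(saber_a, noise=0.02, seed=1)))
    # Same unit with its clock running 5% fast: every peak moves up.
    print(identify(spectrum(saber_a, clock_scale=1.05, noise=0.02, seed=1)))
```

With these constructed values, the 5% clock shift moves saber-A's peaks onto saber-B's, so the matcher returns the wrong unit with a high score rather than a low-confidence miss.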

Thanks [Static] for the tip! Via Engadget.

46 thoughts on “Identify Your Devices By Their Unintentional Radiation”

  1. Am I the only one getting weirded out at the term “Disney Research”?
    … Disney?? I’m almost waiting for the press release “We’ve created a real Mickey Mouse!”
    Although that would be kinda neat, too, I guess. ;)

      1. They recently announced they’re sunsetting that program, though they’ve got a couple movies worth of characters in the pipeline which will be sold this spring & summer. Apparently it’s one of those things where, in grand Disney fashion, despite the fact that the program was profitable, it just wasn’t profitable *enough*. Just not enough extra millions to make it worth continuing. Meanwhile, back in the salt mines…

    1. Short to very short, but I would never use it for anything serious: overclocking aside, the electronic noise generated by devices is highly dependent on what load they are under at that moment, so on a PC or any device with a complete OS you can modify that noise just by rearranging times and priorities of what is running in the background.

      And… yes, by the same principle you can push data out of a machine just by modulating its CPU load and read it without physical contact.

        1. I knew somebody who did it the other way round. Using a full duplex 70cm amateur radio set with a very small (in the last version) self-built adapter in the Austrian “B-Netz” mobile phone system. Which was already nearly obsolete at the time of these experiments and was shut down completely a short time later.

  2. Might want to reread the paper and proofread your article. DAC is “digital to analog converter”. Not likely to help someone receive. And the paper is using baseband from 0 – 500 kHz, not 0-28.8 MHz. The paper is OK, but the HaD article is a poor description.

    1. re: DAC / ADC. Thanks for the catch. Fixed.

      The paper only samples at 1 MHz, so they’re looking at the bottom 500 kHz. But the ADC/mixer on the RTL-SDR _is_ capable of sampling at ~3 MHz anywhere between the 0-28 MHz. They could look around elsewhere too, with the same hardware, if they wanted.


      1. We all make mistakes. Good thing I’m not an editor, they would rip me a new one! Thank you for correcting/replying to us.
        I can proofread 5 times and still miss something blatantly obvious. I am such a grammar nazi, but Android is trying to kill me with crappy speel Czech.

  3. Isn’t this how smart meters are supposed to determine what is running so they can invade your privacy by, for example, seeing that you are using a porn toy and even what porn toy to be exact?

  4. “Captain, I’m picking up some strange EM emissions; it might be an active handheld device.”

    Yet another gadget any tricorder worth its salt should have! I swear the real world becomes more and more like Star Trek every day. We already have Uhura’s ear piece (bluetooth headset), the Taser was no doubt inspired by the “stun setting”, the iPad concept was clearly designed by the prop makers of ST:TNG and don’t forget transparent aluminum (aluminum oxynitride)!

  5. You can pick up a surprising amount of stuff from your computer with an RTL-SDR, a while ago someone was able to make out their laptop’s screen from all the emissions- extremely distorted, but still there.

    1. Wow! You are right! That should be trivial to accomplish. I bet some three-letter-agency has had that for at least a decade. And most new models have Wifi, Bluetooth, keyless remotes.
      They are practically yelling out their VINs.

      1. Well, it is a method that does not require a warrant; they just need a device that stakes out a given location and listens for one or more signatures, then phones home if they are detected. Add two or more devices separated by a block and you also have direction of travel. I am just talking about what would even work with an old car with its alternator noise etc., so as you say new cars would be even easier.

        1. I think older cars would be easy. If I (and I assume anyone reading this) can detect by sound when the neighbors or the spouse… etc.… have driven nearby, then certainly EMF noise should be a beacon as pertaining to identity. Each cylinder fires differently. The crappy alternator is so noisy in my dad’s truck that it cuts into the radio.
          Who needs a tachometer when I can hear brrrrrrrrrrrrr through the radio. But on the other hand some brands must be better at this. I wonder what a Tesla or a Prius emits.
          I am curious about diesels; no spark, glow plugs. Maybe they would be harder to ‘hear’. Sorry about talking about Wifi and Bluetooth. That doesn’t count as ‘unintentional radiation’ at all.

          1. I believe that old mechanical diesel is required for working vehicles at a certain proximity to the dishes in the US national radio quiet zone in West Virginia. Other than an alternator for charging the starter battery and to run lights, signals, wipers, and blowers what would emit RF?

          2. Anything with switch contacts or electric motor brushes, so even the indicator lights? I’m sure you could make a radio quiet vehicle, but I doubt if any stock models are.

          3. Haha. Just my radio blaring Metallica. I think we’re right, diesels might be a dead zone. Most have fuel pumps, but that can’t be a very stable source. Maybe the radiator fan will give it away!
            That’s all I can think of. Old bare-bones dump truck will be safe from Skynet. : )

  6. Earlier today I happened to see how they checked the time trial bikes in the Giro d’Italia bicycle race for hidden electric motors. They simply used an app on a tablet; I assume it must work in a similar way with an RFID reader looking for electric emissions.

  7. I saw a popup in my news feed on facebook about a device that does something similar but attaches to the lines in your breaker box and uses the “noise signature” to assign power usage to different devices in your house.
