Ethernet Goes To The Ether

Since the ether is an old term for the fictitious space where radio waves propagate, we always thought it was strange that the term ethernet refers to wired communication. Sure, there are wireless devices, but that’s not really ethernet. [Jacek] had the same thought, but decided to do something about it.

What he did is use two different techniques to alter the electromagnetic emission from an ethernet adapter on a Raspberry Pi. The different conditions send Morse code that you can receive at 125 MHz with a suitable receiver.

Practical? Hardly, unless you are looking to exfiltrate data from an air-gapped machine, perhaps. But it does have a certain cool factor. The first method switches the adapter between 10 Mbps and 100 Mbps. The second technique uses a stream of data to accomplish the modulation. The switching method had a range of around 100 meters while the data-based method topped out at about 30 meters. The code is on GitHub if you want to replicate the experiment.

There is plenty of precedent for this sort of thing. In 1976 Dr. Dobb’s Journal published an article about playing music on an Altair 8800 by running code while an AM radio was nearby. We’ve seen VGA adapters forced to transmit data, too.

Continue reading “Ethernet Goes To The Ether”

Listening To An IPhone With AM Radio

Electronic devices can be surprisingly leaky, often spraying out information for anyone close by to receive. [Docter Cube] has found another such leak, this time with the speakers in iPhones. While repairing an old AM radio and listening to a podcast on his iPhone, he discovered that the radio was receiving audio the from his iPhone when tuned to 950-970kHz.

[Docter Cube] states that he was able to receive the audio signal up to 20 feet away. A number of people responded to the tweet with video and test results from different phones. It appears that iPhones 7 to 10 are affected, and there is at least one report for a Motorola Android phone. The amplifier circuit of the speaker appears to be the most likely culprit, with some reports saying that the volume setting had a big impact. With the short range the security risk should be minor, although we would be interested to see the results of testing with higher gain antennas. It is also likely that the emission levels still fall within FCC Part 15 limits.

Continue reading “Listening To An IPhone With AM Radio”

TEMPEST Comes To GNU Radio

As we use our computers, to watch YouTube videos of trucks hitting bridges, to have a Zoom call with our mothers, or even for some of us to write Hackaday articles, we’re unknowingly sharing a lot of what we are doing with the world. The RF emissions from our monitors, keyboards, and other peripherals can be harvested and reconstructed to give a third party a view into your work, and potentially have access to all your darkest secrets.  It’s a technique with origins in Government agencies that would no doubt prefer to remain anonymous, but for a while now it has been available to all through the magic of software defined radio. Now it has reached the popular GNU Radio platform, with [Federico La Rocca]’s gr-tempest package.

He describes it as a re-implementation of [Martin Marinov]’s TempestSDR, which has a reputation as not being for the faint-hearted. The current version requires GNU Radio 3.7, but he promises a 3.8-compatible version in the works. A YouTube video that we’ve placed below the break has a range of examples running, though there seems to be little information on the type of antenna employed. Perhaps a log-periodic design would be most appropriate.

Continue reading “TEMPEST Comes To GNU Radio”

Screaming Channels Attack RF Security

As long as there has been radio, people have wanted to eavesdrop on radio transmissions. In many cases, it is just a hobby activity like listening to a scanner or monitoring a local repeater. But in some cases, it is spy agencies or cyberhackers. [Giovanni Camurati] and his colleagues have been working on a slightly different way to attack Bluetooth radio communications using a technique that could apply to other radio types, too. The attack relies on the ubiquitous use of mixed-signal ICs to make cheap radios like Bluetooth dongles. They call it “Screaming Channels” and — in a nutshell — it is relying on digital information leaking out on the device’s radio signal.

Does it work? The team claims to have recovered an AES-128 key from 10 meters away. The technique reminds us a bit of TEMPEST in that unintended radio transmissions provide insight into the algorithm the device applies to encrypt or decrypt data. Most (if not all) encryption techniques assume you can’t see inside the “black box.” If you can, then it’s because it is relatively easy to break the code.

Continue reading “Screaming Channels Attack RF Security”

TEMPEST In A Software Defined Radio

In 1985, [Wim van Eck] published several technical reports on obtaining information the electromagnetic emissions of computer systems. In one analysis, [van Eck] reliably obtained data from a computer system over hundreds of meters using just a handful of components and a TV set. There were obvious security implications, and now computer systems handling highly classified data are TEMPEST shielded – an NSA specification for protection from this van Eck phreaking.

Methods of van Eck phreaking are as numerous as they are awesome. [Craig Ramsay] at Fox It has demonstrated a new method of this interesting side-channel analysis using readily available hardware (PDF warning) that includes the ubiquitous RTL-SDR USB dongle.

The experimental setup for this research involved implementing AES encryption on two FPGA boards, a SmartFusion 2 SOC and a Xilinx Pynq board. After signaling the board to run its encryption routine, analog measurement was performed on various SDRs, recorded, processed, and each byte of the key recovered.

The results from different tests show the AES key can be extracted reliably in any environment, provided the antenna is in direct contact with the device under test. Using an improvised Faraday cage constructed out of mylar space blankets, the key can be reliably extracted at a distance of 30 centimeters. In an anechoic chamber, the key can be extracted over a distance of one meter. While this is a proof of concept, if this attack requires direct, physical access to the device, the attacker is an idiot for using this method; physical access is root access.

However, this is a novel use of software defined radio. As far as the experiment itself is concerned, the same result could be obtained much more quickly with a more relevant side-channel analysis device. The ChipWhisperer, for example, can extract AES keys using power signal analysis. The ChipWhisperer does require a direct, physical access to a device, but if the alternative doesn’t work beyond one meter that shouldn’t be a problem.

Hacking The Aether: How Data Crosses The Air-Gap

It is incredibly interesting how many parts of a computer system are capable of leaking data in ways that is hard to imagine. Part of securing highly sensitive locations involves securing the computers and networks used in those facilities in order to prevent this. These IT security policies and practices have been evolving and tightening through the years, as malicious actors increasingly target vital infrastructure.

Sometimes, when implementing strong security measures on a vital computer system, a technique called air-gapping is used. Air-gapping is a measure or set of measures to ensure a secure computer is physically isolated from unsecured networks, such as the public Internet or an unsecured local area network. Sometimes it’s just ensuring the computer is off the Internet. But it may mean completely isolating for the computer: removing WiFi cards, cameras, microphones, speakers, CD-ROM drives, USB ports, or whatever can be used to exchange data. In this article I will dive into air-gapped computers, air-gap covert channels, and how attackers might be able to exfiltrate information from such isolated systems.

Continue reading “Hacking The Aether: How Data Crosses The Air-Gap”

Data Exfiltration With Broadcast Radio And CD-ROM Drives

The first music played on personal computers didn’t come out of fancy audio cards, or even a DAC. the first audio system in a personal computer was simply holding an AM radio up to the case and blinking address pins furiously. This worked wonderfully for homebrew computers where EMC compliance hadn’t even become an afterthought, but the technique still works today. [Chris] is playing music on the radio by sending bits over the system bus without using any wires at all.

[Chris]’ code is based on the earlier work of [fulldecent], and works pretty much the same. To play a sound over the radio, the code simply writes to a location in memory when the waveform should be high, and doesn’t when the waveform is low.

Of course the ability to exfiltrate information over an airgap has a few more nefarious purposes, but [Chris] also has another way of doing just that which is undefeatable by a TEMPEST shielded computer. He can send one bit at a time by opening and closing a CD-ROM drive, capturing these bits with a webcam. Is it useful? It’s hard to imagine how this setup could ever capture any valuable data, but it is a proof of concept.