The "Chaos Computer Club (CCC)" have recently been uploading videos to YouTube from their "Remote Chaos Experience rC3" online conference. One talk is by Jacek Lipkowski (SQ5BPF) who presents his Etherify project which we have posted about a few times on this blog already. Etherify is a program that allows users to exploit unintentional RF leakage from Ethernet hardware in order to transmit data over the air, essentially creating a primitive software defined radio. In particular the Raspberry Pi 4 was found to have extreme unintentional leakage, with the signal being receivable from over 50m away.
Primitive soft tempest demos: exfiltrating data via leakage from ethernet and more :)
In this talk i will describe shortly the concept of soft tempest, and show a demo of etherify and sonify. Etherify uses radio frequency leakage from ethernet to exfiltrate data. Sonify uses ultrasound. Both demos by design use very primitive tools and hardware, and are easy to replicate.
#rC3 Etherify - bringing the ether back to ethernet
The answer is yes, there is some RF leakage, however unlike the Pi 4 the speed at which the leakage can be modulated is much slower, and also the signal strength is much lower. Despite the slow modulation speed, Jacek was still able to transmit data by using QRSS CW, which is essentially just very slow morse code. Using this idea he was able to transmit, and receive the CW signal with an RTL-SDR over a distance of 3 meters at 375 MHz, 625 MHz and 250 MHz. The signal strength is nothing like the Pi 4's Ethernet RF leakage which can be received strongly from over 50 meters away however.
Not too long ago we posted about Jacek Lipkowski (SQ5BPF)'s project called "Etherify" which seeks to use unintentional RF radiation from Ethernet hardware/cables to transmit arbitrary signals such as morse code and FSK. During his earlier experiments he noted how he felt that the Raspberry Pi 4 had an unusually strong radiated Ethernet signal. In his recent post Jacek investigates this further.
Over on his blog SQ5BPF has been documenting a TEMPEST experiment where he's been able to transmit data via RF being leaked from a Raspberry Pi's Ethernet connection. The idea was born when he found that his Raspberry Pi 4 was leaking a strong RF signal at 125 MHz from the Ethernet cable. He went on to find that it was easy to turn a tone on and off simply changing the Ethernet link speed with the "ethtool" command line tool. Once this was known it is a simple matter of creating a bash script to generate some morse code.
Quite amazingly the Ethernet RF leakage is very strong. With the Raspberry Pi 10 meters away, and a steel reinforced concrete wall in between, SQ5BPF was able to receive the generated morse code via an RTL-SDR connected to a PC. Further experiments show that with a Yagi antenna he was able to receive the signal from 100 meters away.
His post explains some further experiments with data bursting, and provides links to the scripts he created, so you can try this at home.
Update - SQ5BPF also notes the following:
The leakage differs a lot with the hardware used. The Raspberry Pi 4 is exceptional and also allows to switch the link speed quickly, so was a nice candidate for a demo, but other hardware works as well.
The first tests were done on some old laptops I had laying around, and they leak as well. Maybe someday I will publish this, but everyone of them behaves differently.
Etherify 1 demo receiving via SDR and decoding via fldigi
The idea behind the attack is that ethernet cables can act as an antenna, leaking signals at frequencies which can easily be sniffed by a SDR. The specific technique in the paper does not decode normal network traffic, instead it requires that malicious code which modulates a custom signal over the ethernet cable be installed on the PC first. The technique used appears to be similar to what the Etherify software by SQ5BPF uses, which modulates data in morse code by turning the network card on and off.