Etherify: Transmitting Morse Code via Raspberry Pi Ethernet RF Leakage
Over on his blog, SQ5BPF has been documenting a TEMPEST experiment in which he was able to transmit data via RF leaked from a Raspberry Pi's Ethernet connection. The idea was born when he found that his Raspberry Pi 4 was leaking a strong RF signal at 125 MHz from the Ethernet cable. He went on to find that it was easy to turn a tone on and off simply by changing the Ethernet link speed with the "ethtool" command line tool. Once this was known, it was a simple matter of creating a bash script to generate some Morse code.
Quite amazingly, the Ethernet RF leakage is very strong. With the Raspberry Pi 10 meters away, and a steel reinforced concrete wall in between, SQ5BPF was able to receive the generated Morse code via an RTL-SDR connected to a PC. Further experiments show that with a Yagi antenna he was able to receive the signal from 100 meters away.
His post explains some further experiments with data bursting, and provides links to the scripts he created, so you can try this at home.
Update - SQ5BPF also notes the following:
The leakage differs a lot with the hardware used. The Raspberry Pi 4 is exceptional and also allows the link speed to be switched quickly, so it was a nice candidate for a demo, but other hardware works as well.
The first tests were done on some old laptops I had lying around, and they leak as well. Maybe someday I will publish this, but every one of them behaves differently.
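Seen from the monitoring side, keying a carrier by changing link speed means the interface renegotiates between speeds far more often than a normal host ever does. The following is an added example, not SQ5BPF's code: it scans kernel log lines in the phylib "Link is Up - <speed>" format and flags interfaces whose negotiated speed keeps changing inside a short window. The sample log lines, the 60-second window and the threshold of 4 changes are constructed assumptions, as is the premise that every speed change is logged as a new link-up message.

```python
import re
from collections import defaultdict, deque

# Matches phylib-style kernel messages, e.g.
# "[  303.200000] bcmgenet fd580000.ethernet eth0: Link is Up - 100Mbps/Full - flow control rx/tx"
LINK_UP = re.compile(
    r"^\[\s*(?P<ts>\d+\.\d+)\]\s.*?\b(?P<iface>[\w.-]+): Link is Up - (?P<speed>\d+[MG]bps)/"
)

def find_speed_flapping(lines, window=60.0, threshold=4):
    """Return {iface: [(first_ts, last_ts, changes), ...]}, one entry each time
    an interface has changed negotiated speed at least `threshold` times
    within `window` seconds. Defaults are assumed values; tune per site."""
    last_speed = {}
    recent = defaultdict(deque)   # iface -> timestamps of recent speed changes
    alerts = defaultdict(list)
    for line in lines:
        m = LINK_UP.match(line)
        if not m:
            continue              # link-down and unrelated messages are ignored
        ts, iface, speed = float(m["ts"]), m["iface"], m["speed"]
        prev = last_speed.get(iface)
        last_speed[iface] = speed
        if prev is None or prev == speed:
            continue              # first sighting, or a re-link at the same speed
        q = recent[iface]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()           # drop changes that fell out of the window
        if len(q) >= threshold:
            alerts[iface].append((q[0], ts, len(q)))
    return dict(alerts)

# Constructed sample: a normal boot and cable re-plug, then rapid speed toggling.
SAMPLE = """\
[    8.100000] bcmgenet fd580000.ethernet eth0: Link is Up - 1Gbps/Full - flow control rx/tx
[  120.000000] bcmgenet fd580000.ethernet eth0: Link is Down
[  123.400000] bcmgenet fd580000.ethernet eth0: Link is Up - 1Gbps/Full - flow control rx/tx
[  303.200000] bcmgenet fd580000.ethernet eth0: Link is Up - 100Mbps/Full - flow control rx/tx
[  306.000000] bcmgenet fd580000.ethernet eth0: Link is Down
[  308.100000] bcmgenet fd580000.ethernet eth0: Link is Up - 1Gbps/Full - flow control rx/tx
[  313.300000] bcmgenet fd580000.ethernet eth0: Link is Up - 100Mbps/Full - flow control rx/tx
[  318.000000] bcmgenet fd580000.ethernet eth0: Link is Up - 1Gbps/Full - flow control rx/tx
""".splitlines()

if __name__ == "__main__":
    print(find_speed_flapping(SAMPLE))
```

Drivers that do not use phylib log link state in a different format and need their own pattern.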
Strictly speaking, this is not a TEMPEST experiment. This is using ethernet EMI switching characteristics as a way of conveying low-rate information. Now if he was able to RF sniff the data going across the Ethernet lines, then that would be TEMPEST.
While I’m sure that the Raspberry PI 4 is not the cleanest of devices RF-wise, this is really an EMI radiated emissions issue coming from the unshielded twisted pair (UTP) Ethernet cable which effectively acts as a transmit antenna for whatever is being coupled on the Ethernet cable. You can run this same experiment with almost any other Ethernet device with UTP Ethernet cable and you would see the same kind of results (maybe not at the same frequency).
The real solution is to use Shielded Twisted Pair (STP) ethernet cable if you’re concerned about EMI.
Here’s a couple of articles that address EMI issues with UTP Ethernet:
(TI Application Report: AN-1862 Reducing Radiated Emissions in Ethernet 10/100 LAN applications)
This is not tempest (picking up some unintentional emissions, and trying to get some information out of it), but soft tempest (putting some code on the device that will let you exfiltrate data from an air-gapped machine via some side channel).
Non-electromagnetic examples are acoustic, optical (everything that emits light, from LEDs to the monitor), thermal (can be observed via an IR camera), powerline (varying the electrical load) etc.
Thanks bpf! I had never heard the phrase “Soft TEMPEST” before. It does appear to be the same kind of concept as side channels (unintentional) or covert channel (intentional). I think we’re talking about the same thing.
I always knew these were dirty little boxes…I think an immediate and final BAN on them in the USofA is needed.
Fun, sure; bad idea to do it in the middle of the VHF AIR BAND.
In the USA, this is one of the few (really, very few) things that will cause the FCC to allow one of the last few field agents to leave the office to investigate.