Fingerprinting Electronic Devices via their RF Emissions with an RTL-SDR and ImageMagick
Thank you to José Carlos Rueda for submitting his simple shell script that he uses for fingerprinting spurious RF emissions with an RTL-SDR, rtl_power, heatmap.py and imagemagick. The result is something like Disney's EM sense created with much simpler code.
It is well known that almost all electronic devices unintentionally emit unique spurious RF signals when in operation. By using an SDR like an RTL-SDR to record the spectra from electronic devices, it's possible to build up a database of known emissions. We can then detect when an electronic device is active by comparing the live spectrum to spectra stored in the database.
In a previous post we covered Disney's EM sense which is an experimental smart watch that automatically detects what electronic device the wearer is touching. With EM Sense they use an RTL-SDR and a database of raw pre-recorded spectrum data. To detect what the wearer is touching the live signal from the RTL-SDR is correlated against the database, and the closest match is returned.
José's script does something very similar, however instead of correlating with raw spectrum data he instead uses the waterfall image that is generated by rtl_power and heatmap.py. The rtl_power program allows an RTL-SDR to scan the frequency spectrum over a wider bandwidth by rapidly scanning ~2.4 MHz chunks of bandwidth at different frequencies. Heatmap.py is a program that turns the scanned data from rtl_power into a heatmap image of the spectrum.
To add an entry to the database, the electronic device is placed 7-8 centimeters away from the RTL-SDR, and a heatmap image recorded between 24 - 921 MHz is saved to disk. This can be repeated for multiple electronic devices. Each image will record the spurious signals from the electronic device, resulting in a unique heatmap image per electronic device.
Once the database has been created, you can then place any of the devices found in the database next to the RTL-SDR, and record a heatmap for 20-30s. That heatmap will then be compared against the images in the database using imagemagick which is an image analysis and manipulation library. The electronic device associated with the closest matching image in the database will be returned.
In his experiments he tested various electronic devices like an iPhone and was able to successfully determine when it was nearby.
How does this system deal with RF noise and interference? I imagine my neighbour mowing his lawn on the day I am trying to identify a device could make it difficult to find a match.
I suppose that the device has to be in a static place. I’m testing the script while generating intentioned EMIs and still working fine… probably because the “distortion” argument on imagemagick doesn’t mean “equal images”.
Anyone have a reference to the script and procedure not behind a cookie and legal agreement terms?
Just press OK…