Tagged: funcube dongle pro+

Leif Compares various SDRs including the RSP1, Airspy with SpyVerter, Airspy HF+, FDM-S1, IC706, Perseus

Over on YouTube Leif 'sm5bsz' has uploaded a video that does a lab comparison of various SDRs on the market now including the new Airspy HF+. Leif is known for providing excellent lab based technical reviews of various SDR products on his YouTube channel.

The first video compares the Airspy HF+ with the Perseus SDR. The Airspy HF+ is a new high performance yet low cost ($199 USD) HF/VHF specialty SDR. The Perseus is an older high performance direct sampling HF only SDR, although it comes at the high price of about $1000 USD.

In his tests Leif tests both units at 14 MHz and finds that the HF+ has about 15 dB better sensitivity compared to the Perseus (NF = 7dB vs 22dB). On the other hand the Perseus has about 23 dB better dynamic range compared to the HF+ (Dynamic Range = 127 dBc/Hz vs 150 dBc/Hz), although he notes that a blocking transmitter needs to have a very clean signal to be able to notice this difference which would be unlikely from Amateur transmitters. 

hfplus vs perseus

In the next two videos Leif compares multiple SDRs including the SDRplay RSP1, FUNcube Pro+, Airspy with Spyverter, Airspy HF+, Afedri SDR-Net, ELAD FDM-S1, ICOM IC-706MKIIG and Microtelecom Perseus at 7 MHz.

In the RX4 video Leif compares each SDR on dynamic range at 7 MHz. If you want to skip the testing parts, then the discussion of the results in the RX4 tests start at 1:03:00. A screenshot of the results is also shown below. The SDRs are ranked based on their average results over multiple measurements at different times which is shown in the last column. A lower value is better, and the value represents how much attenuation needed to be added to prevent the SDR from overloading and causing interference in his setup.

Dynamic Range Test Rankings
Dynamic Range Test Rankings

rx4compare

In the RX5 video the results start at 54:20:00. In this video he compares the SDRs with real signals coming in from his antenna at 7 MHz. He tests with the antenna signal wide open, with a 4.5 MHz LPF (to test out of band blocking performance), and with a bandpass filter at 7 MHz. Again lower values are better and the values indicate the amount of attenuation required to prevent overload. The Perseus is used as the reference benchmark. He also tests reciprocal mixing later in the video.

RX5 Results
RX5 Results

rx5compare

Stealing Encryption Keys from PCs using Software Defined Radio and Unintentional Electromagnetic Emissions

Tel Alviv University researchers D. Genkin, L. Pachmanox, I. Pipman and E. Tromer have released a paper this year detailing their research on extracting encryption keys from PCs via their unintentional radio emissions. They say that they have been able to demonstrate their work by extracting encryption keys from GnuPG on laptops within seconds by using their non-intrusive wireless methods. GnuPG is software which allows you to encrypt and sign your data.

They write about the performance of their results:

Using GnuPG as our study case, we can, on some machines:

  • distinguish between the spectral signatures of different RSA secret keys (signing or decryption), and
  • fully extract decryption keys, by measuring the laptop’s electromagnetic emanations during decryption of a chosen ciphertext.

In their experiments they used a Funcube Dongle Pro+ to measure the unintentional RF emissions coming out of a laptop computer at around 1.6-1.75 MHz, but they also mention that a low cost RTL-SDR with upconverter could also work.

Every time the CPU on a target PC performs a new operation the unintentional frequency signature that is emitted changes. From these emissions they are able to use the unique RF signature to determine what operations are being performed by the CPU, and from that they can work out the operations GnuPG is performing when decrypting data. They write:

Different CPU operations have different power requirements. As different computations are performed during the decryption process, different electrical loads are placed on the voltage regulator that provides the processor with power. The regulator reacts to these varying loads, inadvertently producing electromagnetic radiation that propagates away from the laptop and can be picked up by a nearby observer. This radiation contains information regarding the CPU operations used in the decryption, which we use in our attack.

Recovering CPU assembly operations from its RF emissions.
Recovering CPU assembly code operations from its unintentional RF emissions.

In addition to the above they were also able to create portable attack hardware by connecting the Funcube Dongle Pro+ with a small Android based embedded computer called the Rikomagic MK802 IV. They also show that they were even able to perform the portable attack with a standard AM radio with the output audio being recorded with a smart phone.

A portable version of their attack set up with the Funcube Dongle Pro+ and microcontroller.
A portable version of their attack set up with the Funcube Dongle Pro+ and microcontroller.

The researchers write that they will present their work at the CHES 2015 conference in September 2015.

Previously we also posted about Melissa Elliots talk on unintentional RF emissions, Milos Prvulovic’s work on spying on keyboard presses from unintentional RF emissions and also a security flaw discovered with some HP laptops which caused them to unintentionally convert audio picked up from the microphone into RF signals.