Tagged: rfi

Using an RTL-SDR and TEMPEST to attack AES

All electronic devices emit some sort of unintentional RF signals which can be received by an eavesdropping radio. These unintentional signals are sometimes referred to as TEMPEST, after the NSA and NATO specification which aims to ensure that electronic devices containing sensitive information cannot be spied upon through unintentional radio emissions, sounds or vibrations. TEMPEST can also refer to the opposite, which is spying on unsecured electronic devices by these means.

Recently the team at Fox-IT, a cybersecurity specialist company, has released a paper showing how an RTL-SDR can be used as a TEMPEST attack device to help recover AES-256 encryption keys (pdf) from a distance by utilizing unintentional RF emissions. AES is an encryption standard commonly used in computing with protocols like HTTPS (e.g. with online banking) and for securing WiFi networks.

In their experiments they set up an AES implementation on an FPGA, and used a simple wire loop antenna and RTL-SDR to measure and record the RF emissions. By then doing some analysis on the recorded signal they were able to fairly easily extract the AES encryption key, thus defeating the encryption.

Further testing in an anechoic chamber showed that with a discone antenna they were able to recover the keys from up to a meter away. A directional antenna could probably reach even further distances.

In the past we’ve seen a similar attack using a Funcube dongle, which is an SDR similar to the RTL-SDR. In that attack they were able to remotely recover encryption keys from a laptop running GnuPG. Also, somewhat related is Disney’s EM Sense which uses an RTL-SDR to identify electronic devices by their RF emissions.

[Also seen on Hackaday]

Fictional scenario involving a hacker recording RFI from a remote PC.

HamRadioScience: Why Apple’s iMac May be the Best PC for SDR Applications

Over on the HamRadioScience blog, the author has uploaded an article that makes the case for why Apple iMac PCs may be the best choice for SDR receivers (at least for HF frequencies). In the testing he uses an SDRplay and Elad FDM-DUO to show that the plastic case of the SDRplay does not affect the picked up RFI. He shows that when the SDRs are connected to an iMac the interference from RFI on HF frequencies is minimal. However, when they are connected to a Core i5 PC, significant amounts of CPU and monitor noise are generated.

The differences in generated noise probably come from the fact that the iMac is much better shielded with an aluminum case and that Apple has high build quality standards for its monitors. The author suggests that an alternative to using an iMac could be to build your own PC with a dual chamber metal enclosure, which ensures that the power supply is isolated in its own separate steel compartment.

RFI is visible with the SDRplay in SDRuno when using the PC. But no RFI is seen with the iMac.

Demonstrating Radio Frequency Interference with an Airspy

Over on YouTube user Ejo Schrama has uploaded a short video showing a demonstration of radio frequency interference (RFI) from various Arduino based devices he’s built. The interference comes from the local oscillators within the devices which are common to many electronic devices. He writes in the video description:

RFI simply means that there is a part in the radio spectrum that we wouldn’t like to see, it is usually unintentionally caused by devices around us (computers, televisions, radios, clocks, watches, etc etc) that carry local oscillators which are low power transmitters. Sometimes it is caused by illegal transmissions, so a deliberate action.

The oscillators of devices around us oftentimes feed digital circuits, sine waves become block waves, and as a result higher order harmonics of the block wave pollute the spectrum. If your receiver is sensitive enough then you will pick up the RFI at some point.

In this video I’m two meters away from an antenna and I tuned the receiver to 48 MHz which is the 3rd harmonic of the 16 MHz oscillator used by all nearby Arduino experiments. Let’s see what the spectrum does by turning on and off some Arduinos. The worst RFI generator was a 16 MHz Atmel 328p multiplexing four 7-segment LEDs displaying the value of an IR temperature sensor. But also a nearby clock experiment clearly caused some RFI.

The receiver that I used was an Airspy, and I’ve put the decimation factor high enough to get some resolution in the spectrum. The frequency offset between the different Arduinos is clearly visible. This is caused by the fact that cheap quartz oscillators are used, their accuracy is usually around 100 ppm, and this mostly determines a frequency bias.

Nowadays it is very difficult to clean up your local shortwave spectrum. For this reason reception conditions under 30 MHz and even 2 meter nowadays face the RFI problem. Only when we go to UHF frequencies like 430 MHz, better known as the 70 cm amateur band, the RFI problem sort of disappears, apparently because higher harmonics have become insignificant.

I do not think that a lot of effort is put into keeping LW, HF but also VHF spectra clean, the worst violators are usually tracked down but only when many listeners start to complain.

Demonstration of radio frequency interference
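
The harmonic arithmetic in the description above can be checked numerically. This is an added example, not code from the video or the original post: it samples an ideal 50% duty square wave, measures each harmonic with a single-bin DFT, and computes how far a crystal at its tolerance limit shifts that harmonic. The function names and the ideal-waveform assumption are illustrative.

```python
import math

def square_wave_harmonic(n, samples_per_period=1024):
    """Amplitude of harmonic n of an ideal +/-1, 50% duty square wave,
    measured with a single-bin DFT over exactly one period."""
    re = im = 0.0
    for k in range(samples_per_period):
        t = (k + 0.5) / samples_per_period      # mid-sample phase in [0, 1)
        x = 1.0 if t < 0.5 else -1.0            # the "block wave"
        re += x * math.cos(2 * math.pi * n * t)
        im += x * math.sin(2 * math.pi * n * t)
    return 2.0 * math.hypot(re, im) / samples_per_period

def harmonic_report(f0_hz, tolerance_ppm, harmonics=(1, 2, 3, 5, 7)):
    """For each harmonic: nominal frequency, level relative to the
    fundamental, and how far a crystal at the tolerance limit moves it."""
    fundamental = square_wave_harmonic(1)
    rows = []
    for n in harmonics:
        amp = square_wave_harmonic(n)
        rel_db = 20 * math.log10(amp / fundamental) if amp > 1e-9 else float("-inf")
        rows.append({
            "n": n,
            "freq_hz": n * f0_hz,
            "rel_db": rel_db,
            # A crystal error of p ppm shifts harmonic n by n * f0 * p * 1e-6 Hz.
            "max_offset_hz": n * f0_hz * tolerance_ppm * 1e-6,
        })
    return rows

if __name__ == "__main__":
    # Values from the description: 16 MHz oscillator, about 100 ppm accuracy.
    for row in harmonic_report(16e6, 100):
        print("n=%d  %6.1f MHz  %7.2f dB  +/- %6.0f Hz" % (
            row["n"], row["freq_hz"] / 1e6, row["rel_db"], row["max_offset_hz"]))
```

Two boards whose crystals sit at opposite ends of the tolerance can therefore appear up to twice the listed offset apart at 48 MHz, which is why they show up as separate lines in a high-resolution spectrum.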

Tip to Reduce Radio Interference on the RTL-SDR

A few months back we posted about a tip to reduce RFI (Radio Frequency Interference) on the RTL-SDR. Now Akos from the SDR for mariners blog has tried this tip for himself and written about his experience with it, after being inspired by a post on the rtl-sdr.com/forum.

To reduce RFI, the tip recommends disconnecting the shield connection of the USB cable from the ground connection of the RTL-SDR dongle. This overcomes a design flaw in the RTL-SDR which allows the shield of the USB extension cable to act as an antenna, causing unwanted RFI.

What Akos did was to remove the metal part of the USB extension cable’s connector to prevent any ground connection. This already reduced an interfering signal by 10 dB. He also found that wrapping the connection point in foil further reduced the noise. Connecting coax to the ground then coiling it up and putting the RTL-SDR in the center of the coil also appears to significantly reduce RFI.

Update: Akos has also tried using ferrite chokes on the USB cable, and also found they significantly reduce interference.

Check out the full post by Akos for more information here

RFI noise reduction in the RTL-SDR