
Performing a Side Channel TEMPEST Attack on a PC

TEMPEST refers to a technique that is used to eavesdrop on electronic equipment via its unintentional radio emissions (as well as via sounds and vibrations). All electronics emit some sort of unintentional RF signals, and by capturing and processing those signals some data can be recovered. For example, the unintentional signals from a computer screen could be captured and converted back into a live image of what the screen is displaying. We have tutorials on how to do this with a program called TempestSDR available on a previous post of ours.

Recently Mikhail Davidov and Baron Oldenburg from duo.com have uploaded a write up about their TEMPEST experiments. The write up introduces the science behind TEMPEST eavesdropping first, then moves on to topics like software defined radios and antennas.

At the end of their post they perform some experiments like constantly writing data to memory on a PC, and putting the PC's GPU under varying load states. These experiments result in clear RFI bursts and pulsing carriers being visible in the spectrum, indicating that the PC is indeed unintentionally transmitting RF. They note that machine learning could be used to gather some information from these signals.

Their write up reminds us of previous TEMPEST related posts that we've uploaded in the past. One example is where an RTL-SDR was used to successfully attack AES encryption wirelessly via the unintentional RF emitted by an FPGA performing an encryption algorithm. Another interesting post was where we saw how a HackRF was used to obtain the PIN of a cryptocurrency hardware wallet via TEMPEST. Search TEMPEST on our blog for more posts like that.

TEMPEST PC Side Channel Setup: RF pulses from writing to memory and a GPU.

CygnusRFI: New RFI Analysis Tool for Ground Stations and Radio Telescopes

Thank you to Apostolos for submitting information about his new open source program called "CygnusRFI". CygnusRFI is a tool designed for analyzing radio frequency interference (RFI) with a focus on how it affects satellite ground stations and radio telescopes. We note that in the past we've posted several times about Apostolos' other project called PICTOR, which is an open source radio telescope platform that makes use of RTL-SDR dongles. 

Apostolos explains CygnusRFI in the following: 

CygnusRFI is an easy-to-use open-source Radio Frequency Interference (RFI) analysis tool, based on Python and GNU Radio Companion (GRC) that is conveniently applicable to any ground station/radio telescope working with a GRC-supported software-defined radio (SDR). In addition to data acquisition, CygnusRFI also carries out automated analysis of the recorded data, producing a series of averaged spectra covering a wide range of frequencies of interest. CygnusRFI is built for ground station operators, radio astronomers, amateur radio operators and anyone who wishes to get an idea of how "radio-quiet" their environment is, using inexpensive instruments like SDRs.

CygnusRFI Screenshots
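
The averaging step described above, as an added example that is not CygnusRFI's own code: power spectra from many FFT frames are averaged so that a weak, steady carrier stands clear of the noise floor. The synthetic IQ capture, the 64-point FFT and the 6 dB margin are assumptions chosen for illustration.

```python
import cmath, math, random

def fft(x):
    """Recursive radix-2 FFT; len(x) must be a power of two."""
    n = len(x)
    if n == 1:
        return list(x)
    even, odd = fft(x[0::2]), fft(x[1::2])
    out = [0j] * n
    for k in range(n // 2):
        t = cmath.exp(-2j * math.pi * k / n) * odd[k]
        out[k], out[k + n // 2] = even[k] + t, even[k] - t
    return out

def averaged_spectrum_db(iq, nfft=64):
    """Average |FFT|^2 over consecutive non-overlapping frames; dB per bin."""
    frames = [iq[i:i + nfft] for i in range(0, len(iq) - nfft + 1, nfft)]
    acc = [0.0] * nfft
    for frame in frames:
        for k, v in enumerate(fft(frame)):
            acc[k] += abs(v) ** 2
    return [10 * math.log10(p / len(frames) + 1e-12) for p in acc]

def flag_rfi(spec_db, margin_db=6.0):
    """Return bins more than margin_db above the median (noise floor estimate)."""
    floor = sorted(spec_db)[len(spec_db) // 2]
    return [k for k, p in enumerate(spec_db) if p > floor + margin_db]

def synth_capture(tone_bin, amp, nframes, nfft=64, seed=1):
    """Constructed IQ data: complex Gaussian noise plus one steady carrier."""
    rng = random.Random(seed)
    return [complex(rng.gauss(0, 1), rng.gauss(0, 1))
            + amp * cmath.exp(2j * math.pi * tone_bin * i / nfft)
            for i in range(nframes * nfft)]

def survey():
    """Compare flags from a single frame with flags from a 64-frame average."""
    iq = synth_capture(tone_bin=10, amp=0.5, nframes=64)
    single = flag_rfi(averaged_spectrum_db(iq[:64]))
    averaged = flag_rfi(averaged_spectrum_db(iq))
    return single, averaged

if __name__ == "__main__":
    single, averaged = survey()
    print("single frame flags:", single)
    print("64-frame average flags:", averaged)
```

A single frame is noisy enough that random bins can cross the margin, while the averaged spectrum flags only the carrier's bin.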

TechMinds: Detecting HF Interference from a VDSL Internet Connection

Over on YouTube user Tech Minds has uploaded a video showing how you can determine if you are getting HF interference from a VDSL internet connection going to your house or your neighbors' houses. VDSL, or Very High Speed Digital Subscriber Line, is an internet connection technology that runs over old copper phone wires, allowing for a fast broadband connection. The frequencies used by VDSL are between 25 kHz and 12 MHz, and for VDSL2 up to 30 MHz. Unfortunately, the frequencies used can result in high amounts of radio interference from RFI radiating from the copper phone lines, which is a major problem for HF amateurs and short wave listeners.

In his video Tech Minds uses an SDRplay RSPdx to record a short IQ file of the VDSL interference that he experiences in his home in the UK. He then opens the IQ file in a piece of software called Lelantos, which was developed by a member of the UK amateur radio organization RSGB. If a VDSL signal is present, this tool will determine various bits of information about the interference, and will give you enough information to make a complaint to OFCOM, the UK's radio communications regulator.

VDSL RFI Detection and how to report it to OFCOM

Using an RTL-SDR and TEMPEST to attack AES

All electronic devices emit some sort of unintentional RF signals which can be received by an eavesdropping radio. These unintentional signals are sometimes referred to as TEMPEST, after the NSA and NATO specification which aims to ensure that electronic devices containing sensitive information cannot be spied upon through unintentional radio emissions, sounds or vibrations. TEMPEST can also refer to the opposite, which is spying on unsecured electronic devices by these means.

Recently the team at Fox-IT, a cybersecurity specialist company, has released a paper showing how an RTL-SDR can be used as a TEMPEST attack device to help recover AES-256 encryption keys (pdf) from a distance by utilizing unintentional RF emissions. AES is an encryption standard commonly used in computing with protocols like HTTPS (e.g. with online banking) and for securing WiFi networks.

In their experiments they set up an AES implementation on an FPGA, and used a simple wire loop antenna and RTL-SDR to measure and record the RF emissions. By then doing some analysis on the recorded signal they are able to fairly easily extract the AES encryption key, thus defeating the encryption.

Further testing in an anechoic chamber showed that with a discone antenna they were able to recover the keys from up to a meter away. A directional antenna could probably reach even further distances.

In the past we’ve seen a similar attack using a Funcube dongle, which is an SDR similar to the RTL-SDR. In that attack they were able to remotely recover encryption keys from a laptop running GnuPG. Also, somewhat related is Disney’s EM Sense which uses an RTL-SDR to identify electronic devices by their RF emissions.

[Also seen on Hackaday]

Fictional scenario involving a hacker recording RFI from a remote PC.

HamRadioScience: Why Apple’s iMac May be the Best PC for SDR Applications

Over on the HamRadioScience blog, the author has uploaded an article that makes the case for why Apple iMac PCs may be the best choice for SDR receivers (at least for HF frequencies). In the testing he uses an SDRplay and Elad FM-Duo to show that the plastic case of the SDRplay does not affect the picked up RFI. He shows that when the SDRs are connected to an iMac the interference from RFI on HF frequencies is minimal. However, when connected to a Core i5 PC, there are significant amounts of CPU and monitor noise generated.

The differences in generated noise probably come from the fact that the iMac is probably much better shielded with an aluminum case and that they have high build quality standards for their monitors. The author suggests that an alternative to using an iMac could be to build your own PC, ensuring that dual chamber metal enclosures are used, which ensures that the power supply is isolated in its own separate steel compartment.

RFI is visible with the SDRplay in SDRuno when using the PC. But no RFI is seen with the iMac.

Demonstrating Radio Frequency Interference with an Airspy

Over on YouTube user Ejo Schrama has uploaded a short video showing a demonstration of radio frequency interference (RFI) from various Arduino based devices he’s built. The interference comes from the local oscillators within the devices which are common to many electronic devices. He writes in the video description:

RFI simply means that there is a part in the radio spectrum that we wouldn’t like to see, it is usually unintentionally caused by devices around us (computers, televisions, radios, clocks, watches, etc etc) that carry local oscillators which are low power transmitters. Sometimes it is caused by illegal transmissions, so a deliberate action.

The oscillators of devices around us oftentimes feed digital circuits, sine wave become block wave, as a result higher order harmonics of the block wave pollute the spectrum. If your receiver is sensitive enough then you will pick up the RFI at some point.

In this video I’m two meters away from an antenna and I tuned the receiver to 48 MHz which is the 3rd harmonic of the 16 MHz oscillator used by all nearby Arduino experiments. Let’s see what the spectrum does by turning on and off some Arduinos. The worst RFI generator was a 16 MHz Atmel 328p multiplexing four 7-segment LEDs displaying the value of an IR temperature sensor. But also a nearby clock experiment clearly caused some RFI.

The receiver that I used was an Airspy, and I’ve put the decimation factor high enough to get some resolution in the spectrum. The frequency offset between the different Arduinos is clearly visible. This is caused by the fact that cheap quartz oscillators are used, their accuracy is usually around 100 ppm, and this mostly determines a frequency bias.

Nowadays it is very difficult to clean up your local shortwave spectrum. For this reason reception conditions under 30 MHz and even 2 meter nowadays face the RFI problem. Only when we go to UHF frequencies like 430 MHz, better known as the 70 cm amateur band, the RFI problem sort of disappears, apparently because higher harmonics have become insignificant.

I do not think that a lot of effort is put into keeping LW, HF but also VHF spectra clean, the worst violators are usually tracked down but only when many listeners start to complain.

Demonstration of radio frequency interference

Tip to Reduce Radio Interference on the RTL-SDR

A few months back we posted about a tip to reduce RFI (Radio Frequency Interference) on the RTL-SDR. Now Akos from the SDR for mariners blog has tried this tip for himself and written about his experience with it, after being inspired by a post in the rtl-sdr.com/forum.

To reduce RFI, the tip recommends disconnecting the shield connection of the USB cable from the ground connection of the RTL-SDR dongle. This overcomes a design flaw in the RTL-SDR which allows the shield of the USB extension cable to act as an antenna, causing unwanted RFI.

What Akos did was to remove the metal part of the USB extension cable's connector to prevent any ground connection. This alone reduced an interfering signal by 10 dB. He also found that wrapping the connection point in foil further reduced the noise. Connecting coax to the ground, then coiling it up and putting the RTL-SDR in the center of the coil, also appears to significantly reduce RFI.

Update: Akos has also tried using ferrite chokes on the USB cable, and also found they significantly reduce interference.

Check out the full post by Akos for more information here

RFI noise reduction in the RTL-SDR