Tagged: tempest

Etherify Talk from The rC3 Online Conference

The "Chaos Computer Club (CCC)" have recently been uploading videos to YouTube from their "Remote Chaos Experience rC3" online conference. One talk is by Jacek Lipkowski (SQ5BPF) who presents his Etherify project which we have posted about a few times on this blog already. Etherify is a program that allows users to exploit unintentional RF leakage from Ethernet hardware in order to transmit data over the air, essentially creating a primitive software defined radio. In particular the Raspberry Pi 4 was found to have extreme unintentional leakage, with the signal being receivable from over 50m away.

Primitive soft tempest demos: exfiltrating data via leakage from ethernet and more :)

In this talk i will describe shortly the concept of soft tempest, and show a demo of etherify and sonify. Etherify uses radio frequency leakage from ethernet to exfiltrate data. Sonify uses ultrasound.
Both demos by design use very primitive tools and hardware, and are easy to replicate.

#rC3 Etherify - bringing the ether back to ethernet

Etherify 4: Using PC Ethernet RF Leakage to Transmit QRSS CW

Recently we've posted about Etherify a few times, mostly about how the unintentional RF leakage from the Raspberry Pi 4 Ethernet hardware is really strong and can be modulated to transmit data. In one of his latest posts Jacek Lipkowski (SQ5BPF) explores if Ethernet ports on PC's exhibit any sort of RF leakage too, and if it can be modulated into a data signal.

The answer is yes, there is some RF leakage, however unlike the Pi 4 the speed at which the leakage can be modulated is much slower, and also the signal strength is much lower. Despite the slow modulation speed, Jacek was still able to transmit data by using QRSS CW, which is essentially just very slow morse code. Using this idea he was able to transmit, and receive the CW signal with an RTL-SDR over a distance of 3 meters at 375 MHz, 625 MHz and 250 MHz. The signal strength is nothing like the Pi 4's Ethernet RF leakage which can be received strongly from over 50 meters away however.

Etherify: Transmitting QRSS CW via Ethernet RF leakage from PC to PC

Etherify: Pi 4 Exhibits Very Strong Ethernet RF Leakage

Not too long ago we posted about Jacek Lipkowski (SQ5BPF)'s project called "Etherify" which seeks to use unintentional RF radiation from Ethernet hardware/cables to transmit arbitrary signals such as morse code and FSK. During his earlier experiments he noted how he felt that the Raspberry Pi 4 had an unusually strong radiated Ethernet signal. In his recent post Jacek investigates this further.

Indeed his new tests seem to confirm that the Pi 4 has excessive RF leakage from the Ethernet hardware. His latest results have shown that he was able to receive the Ethernet leakage strongly from 50 meters away without any cable connected to the Ethernet port to act as a radiator. Jacek's post contains a number of demonstration videos such as the one below.

He admits that his particular Pi 4 unit might be unique in this regard. If anyone else tests this and can confirm excessive leakage, please let us know in the comments.

Ethernet RF leakage received strongly from 50m away without any antenna on the Pi 4

Etherify 3 demo

Etherify: Transmitting Morse Code via Raspberry Pi Ethernet RF Leakage

Over on his blog SQ5BPF has been documenting a TEMPEST experiment where he's been able to transmit data via RF being leaked from a Raspberry Pi's Ethernet connection. The idea was born when he found that his Raspberry Pi 4 was leaking a strong RF signal at 125 MHz from the Ethernet cable. He went on to find that it was easy to turn a tone on and off simply changing the Ethernet link speed with the "ethtool" command line tool. Once this was known it is a simple matter of creating a bash script to generate some morse code.

Quite amazingly the Ethernet RF leakage is very strong. With the Raspberry Pi 10 meters away, and a steel reinforced concrete wall in between, SQ5BPF was able to receive the generated morse code via an RTL-SDR connected to a PC. Further experiments show that with a Yagi antenna he was able to receive the signal from 100 meters away.

His post explains some further experiments with data bursting, and provides links to the scripts he created, so you can try this at home.

Update - SQ5BPF also notes the following:

The leakage differs a lot with the hardware used. The Raspberry Pi 4 is exceptional and also allows to switch the link speed quickly, so was a nice candidate for a demo, but other hardware works as well.

The first tests were done on some old laptops I had laying around, and they leak as well. Maybe someday I will publish this, but everyone of them behaves differently.

Etherify 1 demo receiving via SDR and decoding via fldigi

Tech Minds: Eavesdropping on Video Monitors with TempestSDR

Over on his latest video Tech Minds' explores the use of TempestSDR to eavesdrop on video monitors with his Airspy Mini. TempestSDR is a program that we've posted about several times in the past. With an RTL-SDR or other compatible SDR like a HackRF it allows you to reconstruct an image from a computer monitor or TV just from the radio waves unintentionally emitted by the screen or cable. SDRs with larger bandwidths like the HackRF or Airspy are better at reconstructing the image as they can collect more information.

In his video Tech Minds shows how to download and setup one of the newer branches of TempestSDR which unlike older versions doesn't require much installation work. Using an Airspy Mini he shows that he is able to view what is on his screen via the emitted RF waves.

Eavesdropping Video Monitors With TempestSDR RTL-SDR

A Self-Executable version of TempestSDR is now Available

TempestSDR is an open source tool made by Martin Marinov which allows you to use any SDR that has a supporting ExtIO (such as RTL-SDR, Airspy, SDRplay, HackRF) to receive the unintentional signals radiated from a screen, and turn that signal back into a live image. This can let you view what is on a screen through a wall without using any physical cables.

We first posted a demonstration of TempestSDR back in 2017 when we were finally able to get it to compile. Compiling the software took a fair amount of work for those without experience, and even running it was a chore. However, getting it to work is worth it as you can do some really interesting demonstrations.

However these problems are over and recently Erwin Ried @eried has made a self-executable version of TempestSDR. This means that no compilation, java installs, mingw or extra dlls are required to get the program to work as now it's just an exe that you can run. You will still need the appropriate ExtIO dlls for your SDR. The video in his twitter post shows it working with a HackRF.

GNU Radio TEMPEST Implementation Now Available

TEMPEST refers to a technique that is used to eavesdrop on electronic equipment via their unintentional radio emissions (as well as via sounds and vibrations). All electronics emit some sort of unintentional RF signals, and by capturing and processing those signals some data can be recovered. For example the unintentional signals from a computer screen can be captured, and converted back into a live image of what the screen is displaying.

Until recently we have relied on an open source program by Martin Marinov called TempestSDR which has allowed RTL-SDR and other SDR owners perform interesting TEMPEST experiments with computer and TV monitors. We have a tutorial and demo on  TempestSDR available on a previous post of ours. However, TempestSDR has always been a little difficult to set up and use.

More recently a GNU Radio re-implementation of TempestSDR called gr-tempest has been released. Currently the implementation requires the older GNU Radio 3.7, but they note that a 3.8 compatible version is on the way.

The GNU Radio implementation is a good starting point for further experimentation, and we hope to see more developments in the future. They request that the GitHub repo be starred as it will help them get funding for future work on the project.

The creators have also released a video shown below that demonstrates the code with some recorded data. They have also released the recorded data, with links available on the GitHub. It's not clear which SDR they used, but we assume they used a wide bandwidth SDR as the recovered image is quite clear.

Examples using gr-tempest

GR-TEMPEST: GNU Radio TEMPEST Implementation
GR-TEMPEST: GNU Radio TEMPEST Implementation

Performing a Side Channel TEMPEST Attack on a PC

TEMPEST refers to a technique that is used to eavesdrop on electronic equipment via their unintentional radio emissions (as well as via sounds and vibrations). All electronics emit some sort of unintentional RF signals, and by capturing and processing those signals some data can be recovered. For example the unintentional signals from a computer screen could be captured, and converted back into a live image of what the screen is displaying. We have tutorials on how to do this with a program called TempestSDR available on a previous post of ours.

Recently Mikhail Davidov and Baron Oldenburg from duo.com have uploaded a write up about their TEMPEST experiments. The write up introduces the science behind TEMPEST eavesdropping first, then moves on to topics like software defined radios and antennas.

At the end of their post they perform some experiments like constantly writing data to memory on a PC, and putting the PCs GPU under varying load states. These experiments result in clear RFI bursts and pulsing carriers being visible in the spectrum, indicating that the PC is indeed unintentionally transmitting RF. They note that machine learning could be used to gather some information from these signals.

Their write up reminds us of previous TEMPEST related posts that we've uploaded in the past. One example is where an RTL-SDR was used to successfully attack AES encryption wirelessly via the unintentional RF emitted by an FPGA performing an encryption algorithm. Another interesting post was where we saw how a HackRF was used to obtain the PIN of a cyprocurrency hardware wallet via TEMPEST. Search TEMPEST on our blog for more posts like that.

TEMPEST PC Side Channel Setup: RF pulses from writing to memory and a GPU.
TEMPEST PC Side Channel Setup: RF pulses from writing to memory and a GPU.