Not too long ago we posted about Jacek Lipkowski (SQ5BPF)'s project called "Etherify" which seeks to use unintentional RF radiation from Ethernet hardware/cables to transmit arbitrary signals such as morse code and FSK. During his earlier experiments he noted how he felt that the Raspberry Pi 4 had an unusually strong radiated Ethernet signal. In his recent post Jacek investigates this further.
Indeed his new tests seem to confirm that the Pi 4 has excessive RF leakage from the Ethernet hardware. His latest results have shown that he was able to receive the Ethernet leakage strongly from 50 meters away without any cable connected to the Ethernet port to act as a radiator. Jacek's post contains a number of demonstration videos such as the one below.
He admits that his particular Pi 4 unit might be unique in this regard. If anyone else tests this and can confirm excessive leakage, please let us know in the comments.
Ethernet RF leakage received strongly from 50m away without any antenna on the Pi 4
Over on his blog SQ5BPF has been documenting a TEMPEST experiment where he's been able to transmit data via RF being leaked from a Raspberry Pi's Ethernet connection. The idea was born when he found that his Raspberry Pi 4 was leaking a strong RF signal at 125 MHz from the Ethernet cable. He went on to find that it was easy to turn a tone on and off simply changing the Ethernet link speed with the "ethtool" command line tool. Once this was known it is a simple matter of creating a bash script to generate some morse code.
Quite amazingly the Ethernet RF leakage is very strong. With the Raspberry Pi 10 meters away, and a steel reinforced concrete wall in between, SQ5BPF was able to receive the generated morse code via an RTL-SDR connected to a PC. Further experiments show that with a Yagi antenna he was able to receive the signal from 100 meters away.
His post explains some further experiments with data bursting, and provides links to the scripts he created, so you can try this at home.
Update - SQ5BPF also notes the following:
The leakage differs a lot with the hardware used. The Raspberry Pi 4 is exceptional and also allows to switch the link speed quickly, so was a nice candidate for a demo, but other hardware works as well.
The first tests were done on some old laptops I had laying around, and they leak as well. Maybe someday I will publish this, but everyone of them behaves differently.
Etherify 1 demo receiving via SDR and decoding via fldigi
Over on his latest video Tech Minds' explores the use of TempestSDR to eavesdrop on video monitors with his Airspy Mini. TempestSDR is a program that we've posted about several times in the past. With an RTL-SDR or other compatible SDR like a HackRF it allows you to reconstruct an image from a computer monitor or TV just from the radio waves unintentionally emitted by the screen or cable. SDRs with larger bandwidths like the HackRF or Airspy are better at reconstructing the image as they can collect more information.
In his video Tech Minds shows how to download and setup one of the newer branches of TempestSDR which unlike older versions doesn't require much installation work. Using an Airspy Mini he shows that he is able to view what is on his screen via the emitted RF waves.
Eavesdropping Video Monitors With TempestSDR RTL-SDR
TempestSDR is an open source tool made by Martin Marinov which allows you to use any SDR that has a supporting ExtIO (such as RTL-SDR, Airspy, SDRplay, HackRF) to receive the unintentional signals radiated from a screen, and turn that signal back into a live image. This can let you view what is on a screen through a wall without using any physical cables.
We first posted a demonstration of TempestSDR back in 2017 when we were finally able to get it to compile. Compiling the software took a fair amount of work for those without experience, and even running it was a chore. However, getting it to work is worth it as you can do some really interesting demonstrations.
However these problems are over and recently Erwin Ried @eried has made a self-executable version of TempestSDR. This means that no compilation, java installs, mingw or extra dlls are required to get the program to work as now it's just an exe that you can run. You will still need the appropriate ExtIO dlls for your SDR. The video in his twitter post shows it working with a HackRF.
TEMPEST refers to a technique that is used to eavesdrop on electronic equipment via their unintentional radio emissions (as well as via sounds and vibrations). All electronics emit some sort of unintentional RF signals, and by capturing and processing those signals some data can be recovered. For example the unintentional signals from a computer screen can be captured, and converted back into a live image of what the screen is displaying.
Until recently we have relied on an open source program by Martin Marinov called TempestSDR which has allowed RTL-SDR and other SDR owners perform interesting TEMPEST experiments with computer and TV monitors. We have a tutorial and demo on TempestSDR available on a previous post of ours. However, TempestSDR has always been a little difficult to set up and use.
The GNU Radio implementation is a good starting point for further experimentation, and we hope to see more developments in the future. They request that the GitHub repo be starred as it will help them get funding for future work on the project.
The creators have also released a video shown below that demonstrates the code with some recorded data. They have also released the recorded data, with links available on the GitHub. It's not clear which SDR they used, but we assume they used a wide bandwidth SDR as the recovered image is quite clear.
TEMPEST refers to a technique that is used to eavesdrop on electronic equipment via their unintentional radio emissions (as well as via sounds and vibrations). All electronics emit some sort of unintentional RF signals, and by capturing and processing those signals some data can be recovered. For example the unintentional signals from a computer screen could be captured, and converted back into a live image of what the screen is displaying. We have tutorials on how to do this with a program called TempestSDR available on a previous post of ours.
Recently Mikhail Davidov and Baron Oldenburg from duo.com have uploaded a write up about their TEMPEST experiments. The write up introduces the science behind TEMPEST eavesdropping first, then moves on to topics like software defined radios and antennas.
At the end of their post they perform some experiments like constantly writing data to memory on a PC, and putting the PCs GPU under varying load states. These experiments result in clear RFI bursts and pulsing carriers being visible in the spectrum, indicating that the PC is indeed unintentionally transmitting RF. They note that machine learning could be used to gather some information from these signals.
Over on YouTube SignalsEverywhere (aka Corrosive) has uploaded a tutorial video showing how to use TempestSDR with an Airspy SDR. Back in November 2017 we posted about how we were able to get TempestSDR to run with an RTL-SDR, Airspy and SDRplay, and showed some results. Since then several people have managed to repeat our results, but many have also had trouble understanding how to make TempestSDR work and what all the settings are for.
TempestSDR is an open source tool that allows you to use any SDR that has a supporting ExtIO (such as RTL-SDR, Airspy, SDRplay, HackRF) to receive the unintentional signal radiation from a screen, and turn that signal back into a live image. This can let you view what is on a screen without any physical connections.
Corrosive's tutorial video shows us how to tune the signal in the TempestSDR software in order to receive a clear image as well as showing the software in action.
How to Spy on Computer Monitors | TempestSDR Tutorial (with an Airspy)
Recently we've come into knowledge of a program on GitHub called "System Bus Radio" which lets you transmit RF directly from your computer, laptop or phone without any transmitting hardware at all. It works on the principle of manipulating the unintentional RF radiation produced by a computers system bus by sending instructions that can produce different AM tones. An SDR like the RTL-SDR V3 or RTL-SDR with upconverter, or any portable AM radio that can tune down to 1580 kHz can be used to receive the tones. To run the software don't even need to download or compile anything, as there is now a web based app that you can instantly run which will play a simple song.
However, the RF emissions don't seem to occur on every PC, or are perhaps at another frequency. We tested a Windows desktop and Dell laptop and found that no were signals produced. A list of field reports indicates that it is mostly MacBook Pro and Air computers that produce the signal, with some transmitting signals strong enough to be received from a few centimeters to up to 2m away. This could obviously be a security risk if a sophisticated attacker was able to sniff these tones and recover data.
This program runs instructions on the computer that cause electromagnetic radiation. The emissions are of a broad frequency range. To be accepted by the radio, those frequencies must:
Be emitted by the computer processor and other subsystems
Escape the computer shielding
Pass through the air or other obstructions
Be accepted by the antenna
Be selected by the receiver
By trial and error, the above frequency was found to be ideal for that equipment. If somebody would like to send me a SDR that is capable of receiving 100 kHz and up then I could test other frequencies.
There is also an interesting related piece of software based on System Bus Radio called 'musicplayer', which takes a .wav file and allows you to transmit the modulated music directly via the system bus.
If you're interested in unintentionally emitted signals from PCs, have a look at this previous post showing how to recover images from the unintentional signals emitted by computer monitors. This is also similar to RPiTX which is a similar concept for Raspberry Pi's.
