Over on the Hackaday YouTube channel, a video by Alex Whittemore has been uploaded showing how to do some basic RF emissions debugging. When creating electronic products it's important to ensure that there is no unintentional RF leakage in excess of emissions standards, and there is often a need to debug a circuit board to determine exactly which parts or areas are generating excessive RF noise. To do this, expensive EMC analyzers and near-field probes are typically used.
Alex's tutorial video shows how to create a low-cost homemade EMC probe using an RTL-SDR, an LNA and a homemade near-field probe made out of magnet wire. The video starts by explaining RF compliance and demonstrating some higher-end equipment, then moves on to showing how to build a probe yourself, before finally demonstrating it being used on some circuit boards. For software, he uses SDRAngel and QSpectrumAnalyzer, which are preinstalled on a DragonOS image.
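As an added example (not from the video or from this post), the sketch below shows one way to turn probe sweeps into a ranked list of noisy board areas: it compares each probe position against an ambient sweep taken away from the board. It assumes the sweeps were saved in the CSV layout written by `rtl_power`; the position names and all dB values are constructed, and the readings are uncalibrated relative levels, not compliance measurements.

```python
import csv
import io
import math

# Constructed sample sweeps in rtl_power CSV layout:
# date, time, Hz low, Hz high, Hz step, samples, dB per bin ...
HDR = "2024-01-01, 12:00:00, 24000000, 24400000, 100000.00, 1024, "
AMBIENT = HDR + "-60.0, -61.0, -60.5, -59.5, -60.0"
POSITIONS = {  # hypothetical probe positions on a board
    "crystal_Y1":    HDR + "-58.0, -60.0, -35.5, -59.0, -59.5",
    "usb_connector": HDR + "-59.0, -60.5, -52.0, -58.0, -44.0",
    "regulator_U3":  HDR + "-60.0, -61.0, -60.0, -59.0, -60.5",
}

def parse_sweep(text):
    """Return {freq_hz: mean dB}; repeated rows are averaged in linear power."""
    acc = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 7:
            continue  # skip blank or truncated rows
        low, step = float(row[2]), float(row[4])
        for i, db in enumerate(row[6:]):
            freq = round(low + i * step)
            acc.setdefault(freq, []).append(10 ** (float(db) / 10))
    return {f: 10 * math.log10(sum(p) / len(p)) for f, p in acc.items()}

def hot_spots(ambient, positions, margin_db=10.0):
    """List (freq_hz, loudest position, excess dB) for every bin that rises
    at least margin_db above the ambient sweep, strongest first."""
    found = []
    for freq, base in ambient.items():
        excess = [(sweep[freq] - base, name)
                  for name, sweep in positions.items() if freq in sweep]
        if excess and max(excess)[0] >= margin_db:
            gain, name = max(excess)
            found.append((freq, name, round(gain, 1)))
    return sorted(found, key=lambda hit: -hit[2])

def analyse():
    ambient = parse_sweep(AMBIENT)
    probes = {name: parse_sweep(text) for name, text in POSITIONS.items()}
    return hot_spots(ambient, probes)

if __name__ == "__main__":
    for freq, name, gain in analyse():
        print(f"{freq / 1e6:.1f} MHz: +{gain} dB over ambient at {name}")
```

Subtracting the ambient sweep first keeps strong broadcast or Wi-Fi signals in the room from being mistaken for emissions from the board.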
Over on YouTube SignalsEverywhere (aka Corrosive) has uploaded a tutorial video showing how to use TempestSDR with an Airspy SDR. Back in November 2017 we posted about how we were able to get TempestSDR to run with an RTL-SDR, Airspy and SDRplay, and showed some results. Since then several people have managed to repeat our results, but many have also had trouble understanding how to make TempestSDR work and what all the settings are for.
TempestSDR is an open source tool that allows you to use any SDR that has a supporting ExtIO (such as RTL-SDR, Airspy, SDRplay, HackRF) to receive the unintentional signal radiation from a screen, and turn that signal back into a live image. This can let you view what is on a screen without any physical connections.
Corrosive's tutorial video shows us how to tune the signal in the TempestSDR software in order to receive a clear image as well as showing the software in action.
How to Spy on Computer Monitors | TempestSDR Tutorial (with an Airspy)
All electronic devices emit some sort of unintentional RF signals which can be received by an eavesdropping radio. These unintentional signals are sometimes referred to as TEMPEST, after the NSA and NATO specification which aims to ensure that electronic devices containing sensitive information cannot be spied upon through unintentional radio emissions, sounds or vibrations. TEMPEST can also refer to the opposite, which is spying on unsecured electronic devices by these means.
In their experiments they set up an AES implementation on an FPGA, and used a simple wire loop antenna and RTL-SDR to measure and record the RF emissions. By then doing some analysis on the recorded signal they are able to fairly easily extract the AES encryption key, thus defeating the encryption.
Further testing in an anechoic chamber showed that with a discone antenna they were able to recover the keys from up to a meter away. A directional antenna could probably reach even further distances.
In the past we’ve seen a similar attack using a Funcube dongle, which is an SDR similar to the RTL-SDR. In that attack they were able to remotely recover encryption keys from a laptop running GnuPG. Also somewhat related is Disney’s EM Sense, which uses an RTL-SDR to identify electronic devices by their RF emissions.
The attack works by first infecting a computer with their malware. The malware then utilizes the USB data bus to create electromagnetic emissions on a connected USB device. In these tests they use a USB flash drive and write a file to the device in such a way that the emissions produced are transmitting decodable data. They write that any binary data can be modulated and transmitted to a nearby receiver, such as an RTL-SDR dongle. Data rates can reach up to 80 bytes/s. The data is modulated with binary frequency shift keying, and their receiver code is implemented in GNU Radio.
This story has also been featured on Ars Technica and Threatpost. The video below demonstrates the attack.