Tagged: unintentional radio emissions

EM Eye: Eavesdropping on Security Camera via Unintentional RF Emissions

Researchers from the University of Michigan and Zhejiang University have recently published their findings on how it's possible to eavesdrop and wirelessly recover images from security cameras via RF unintentionally leaking from the camera electronics.

EM side-channel attacks aka receiving and decoding data from the unintentional RF transmissions from electronics are nothing new.  In the past, we've posted how some laptops unintentionally broadcast audio from the microphone via RF, how a tool called TempestSDR can be used to spy on monitors/TV's via RF leakage, how encryption keys can be stolen from PCs via unintentional RF, and even how Disney is looking to use RF leakage for RF fingerprinting.

In their research, the team discovered that security cameras leak enough sensitive RF that an image can be recovered from the leakage over a distance. In their tests, they used a USRP B210 SDR as the receiver and tested twelve cameras including four smartphones, six smart home cameras, and two dash cams. They found that eight of the twelve leaked strongly enough for the reception of images through windows, doors, and walls. Cameras like the Xiaomi Dafang and Wyze Cam Pan 2 performed the worst, allowing for images to be recovered from distances of 500cm and 350cm respectively.

The team has not only released a paper on the topic but has also released the full code as open-source software on GitHub. The software is based on a modified version of TempestSDR, so it may also work for other supported SDRs, like the HackRF and RTL-SDR.

EM Eye: How Attackers Can Eavesdrop on Camera Videos

Receiving Unintentionally Radiated Signals from the Computer System Bus with an RTL-SDR

Back in 2018 we first posted about "System Bus Radio" which is code and a web based app that allows you to transmit RF directly from your computer without any transmitting hardware. It works on the principle of manipulating the unintentional RF radiation produced by a computers system bus by sending instructions that can produce different AM tones. The idea is to demonstrate how unintentional radiation from computers could be a security risk. 

Recently the creator of System Bus Radio has uploaded a guide on receiving the generated signals with an RTL-SDR. He recommends using an RTL-SDR with upconverter, balun and an AM loop antenna. He then shows how he was able to receive the signals from his  MacBook Pro M1, noting that he was able to receive audible signals from several inches away at frequencies between 63 kHz to 5.5 MHz.

System Bus Radio received with an RTL-SDR and upconverter.

Transmitting RF Music Directly From the System Bus on your PC

Recently we've come into knowledge of a program on GitHub called "System Bus Radio" which lets you transmit RF directly from your computer, laptop or phone without any transmitting hardware at all. It works on the principle of manipulating the unintentional RF radiation produced by a computers system bus by sending instructions that can produce different AM tones. An SDR like the RTL-SDR V3 or RTL-SDR with upconverter, or any portable AM radio that can tune down to 1580 kHz can be used to receive the tones. To run the software don't even need to download or compile anything, as there is now a web based app that you can instantly run which will play a simple song.

However, the RF emissions don't seem to occur on every PC, or are perhaps at another frequency. We tested a Windows desktop and Dell laptop and found that no were signals produced. A list of field reports indicates that it is mostly MacBook Pro and Air computers that produce the signal, with some transmitting signals strong enough to be received from a few centimeters to up to 2m away. This could obviously be a security risk if a sophisticated attacker was able to sniff these tones and recover data.

This program runs instructions on the computer that cause electromagnetic radiation. The emissions are of a broad frequency range. To be accepted by the radio, those frequencies must:

  • Be emitted by the computer processor and other subsystems
  • Escape the computer shielding
  • Pass through the air or other obstructions
  • Be accepted by the antenna
  • Be selected by the receiver

By trial and error, the above frequency was found to be ideal for that equipment. If somebody would like to send me a SDR that is capable of receiving 100 kHz and up then I could test other frequencies.

There is also an interesting related piece of software based on System Bus Radio called 'musicplayer', which takes a .wav file and allows you to transmit the modulated music directly via the system bus.

If you're interested in unintentionally emitted signals from PCs, have a look at this previous post showing how to recover images from the unintentional signals emitted by computer monitors. This is also similar to RPiTX which is a similar concept for Raspberry Pi's.

System Bus Radio web app
System Bus Radio web app

Stealing Encryption Keys from PCs using Software Defined Radio and Unintentional Electromagnetic Emissions

Tel Alviv University researchers D. Genkin, L. Pachmanox, I. Pipman and E. Tromer have released a paper this year detailing their research on extracting encryption keys from PCs via their unintentional radio emissions. They say that they have been able to demonstrate their work by extracting encryption keys from GnuPG on laptops within seconds by using their non-intrusive wireless methods. GnuPG is software which allows you to encrypt and sign your data.

They write about the performance of their results:

Using GnuPG as our study case, we can, on some machines:

  • distinguish between the spectral signatures of different RSA secret keys (signing or decryption), and
  • fully extract decryption keys, by measuring the laptop’s electromagnetic emanations during decryption of a chosen ciphertext.

In their experiments they used a Funcube Dongle Pro+ to measure the unintentional RF emissions coming out of a laptop computer at around 1.6-1.75 MHz, but they also mention that a low cost RTL-SDR with upconverter could also work.

Every time the CPU on a target PC performs a new operation the unintentional frequency signature that is emitted changes. From these emissions they are able to use the unique RF signature to determine what operations are being performed by the CPU, and from that they can work out the operations GnuPG is performing when decrypting data. They write:

Different CPU operations have different power requirements. As different computations are performed during the decryption process, different electrical loads are placed on the voltage regulator that provides the processor with power. The regulator reacts to these varying loads, inadvertently producing electromagnetic radiation that propagates away from the laptop and can be picked up by a nearby observer. This radiation contains information regarding the CPU operations used in the decryption, which we use in our attack.

Recovering CPU assembly operations from its RF emissions.
Recovering CPU assembly code operations from its unintentional RF emissions.

In addition to the above they were also able to create portable attack hardware by connecting the Funcube Dongle Pro+ with a small Android based embedded computer called the Rikomagic MK802 IV. They also show that they were even able to perform the portable attack with a standard AM radio with the output audio being recorded with a smart phone.

A portable version of their attack set up with the Funcube Dongle Pro+ and microcontroller.
A portable version of their attack set up with the Funcube Dongle Pro+ and microcontroller.

The researchers write that they will present their work at the CHES 2015 conference in September 2015.

Previously we also posted about Melissa Elliots talk on unintentional RF emissions, Milos Prvulovic’s work on spying on keyboard presses from unintentional RF emissions and also a security flaw discovered with some HP laptops which caused them to unintentionally convert audio picked up from the microphone into RF signals.

Potential Major Security Flaw on HP Laptop Discovered with RTL-SDR

Over on Reddit, user cronek discovered by using his RTL-SDR that the microphone on his HP EliteBook 8460p laptop computer was continuously and unintentionally transmitting the audio from the built in microphone at 24 MHz in FM modulation. He found that the only requirement needed for the microphone to transmit was that the laptop needed to be turned on – even muting the microphone did nothing to stop the transmission.

Click here to read the original post.

I accidentally stumbled upon a signal in the 24MHz range, appearing to be 4 carriers. I tuned to it and heard silence, then someone came into my office and started talking and I could hear them speak. The signal appeared to be coming from my other laptop (not the one running the SDR) and was pretty weak (my antenna, the crappy one that comes with the dongle, stuck to a metal stapler was right next to the HP laptop).

This is of potential concern as as the US Military is apparently transitioning to this particular laptop. However, this may be an isolated incident, as in the thread cronek explains that other laptops he tested did not display this behavior.

HP Laptop Microphone Leak at 24 MHz