24 comments

[ 4.3 ms ] story [ 59.7 ms ] thread
900 bits/hour. Slow, but if you're after some crypto keys, useful.
> We demonstrated the effective transmission of encryption keys and passwords from a distance of zero to eight meters, with bit rate of up to 900 bits/hour.
Very inventive method of breaching the air and audio gaps.

I wonder if exploits like this might encourage the use of fanless computers in these ultra-secure locations? There are quite a few processors on the market now which give decent performance without the need for a fan.

Or hardware-lock the fans at maximum speed, if you need more power.
At which point they'd find out how to manipulate specific capacitors on the board to emit noise. Did you ever hold a cheap backlit wristwatch up to your ear as a kid? That sound.

Perhaps a cheaper way to solve this is to hide the physical case inside a locked cabinet, with a ventilation fan? Most users of secure systems don't need physical access to the case, and the ventilator should drown out any signal noise from such malware.

Fair point. I suppose it's about eliminating as many vulnerabilities and exploit vectors as possible, then deploying countermeasures and controls to mitigate the ones you can't remove. Putting a fanless machine inside a closed cabinet with a relatively noisy fan, or at least one with a large frequency spread, would go some way towards accomplishing that.
The "adding noise" method is not, in general, effective.

You can always do something like spread-spectrum modulation of the transmitted signal to recover it from below the noise floor.

I saw a similar article where temperature was used to transmit information. Of course, it was very low bitrate, but it worked.

Perhaps a solution would be to design a CPU where every instruction consumes exactly the same ammount of power.

seems to be something of a waste of time.

even if you could transmit anything usefull at 900 bits per hour.

you still cant install it on the machine in the first place.

and even if you can get equipment close enough to listen.

its not going to be as effective as pulling it from the rf emissions.

and any device that is rf isolated is also going to be audio isolated.

Yes

At 900 bits per hour it should be easier to convert to something printable or just use pen and paper

(112 8-bit characters, I'm sure you could find a way of memorizing it if needed)

Paper? I think you are missing the threat model. Eve does not have physical or network access to machine.
Then how did eve install malware on it to control the system fans?
Think stuxnet
> even if you could transmit anything usefull at 900 bits per hour.

Well, that works out to 7 AES-128 keys per hours. That could be pretty useful.

Skylake motherboards make high pitch noise, when switching between CPU power saving states. States change at ms scale and could carry kbps
Makes you wonder what else can be used.

How about power draw? If you can load and unload the CPU at will, it could send detectable waves all the way out of the facility.

Many designers going after EMI shielding and standard compliance completely miss the concept of conducted emissions - the rf-range noise that goes out of the wires connected to the device, i.e. power, rather than RF.

Then, think of the laptop charge adaptors - most of them whine when plugged, and the pitch of the whine changes with the state of charge of the laptop. The computer might be secured, but a power supply on the other side of the air gap is easy to forget about.

This is why TEMPEST certification is a thing.
I seem to recall some work from late 90s early 00s about researchers measuring signals in a regular wall outlet - but right now all I could find was: http://www.pcworld.com/article/161166/article.html (from 2009, which seems way too recent for what I'm thinking of).
Cool, sure. Practical, no. It would be trivial to add some monitoring to detect this sort of thing. Lots of data centers already monitor fan speeds anyway.
This is why Clive Robinson on Schneier's blog has been saying for close to a decade you need to think in terms of physics. Any way of moving matter or energy in any form to a receiver is a potential side channel. He inventee the term energy gapping to describe systems isolated from all forms of stray energy. Needless to say, it's difficult.

He and I worked out some detsils on the blog years ago. We saw acoustic attacks coming since they were used with lasers in Cold War. So, were emanation and light-based attacks. Even toilets, plumbing, and air ducts can leak things out. So, you start with a SCIF style design with power filters, EMSwC masking, audio masking, careful attention to anything coming/going, and no wireless anything allowed. Then you have to work on endpoint security ground up isolating and deprivileging everything. He also liked decomposing everything into resource-isolated functions with a hypervisor inspecting them on occasion.

Not much attack surface left at that point.

There is precedent for these types of acoustic attacks. One interesting paper from 2014 that comes to mind is this: https://www.tau.ac.il/~tromer/acoustic/

Basically, the idea is that even though clocks run at GHz (which in acoustics, would be impractical ultrasound), modular arithmetic (exponentiation) takes ~milliseconds to run, which means they produce acoustic signatures in the kHz range, which travels easily (and omnidirectionally from the kind of small aperture that the motherboard represents) in air and can be acquired with cheap microphones.