Electromagnetic Threats for Information Security
This is a modal window.
The media could not be loaded, either because the server or network failed or because the format is not supported.
Formal Metadata
| Title |
| |
| Subtitle |
| |
| Title of Series | ||
| Number of Parts | 167 | |
| Author | ||
| License | CC Attribution 4.0 International: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor. | |
| Identifiers | 10.5446/34808 (DOI) | |
| Publisher | ||
| Release Date | ||
| Language |
Content Metadata
| Subject Area | ||
| Genre | ||
| Abstract |
| |
| Keywords |
34th Chaos Communication Congress146 / 167
1
2
3
4
5
6
7
10
11
12
14
15
25
26
29
30
31
33
34
39
40
42
43
45
46
49
50
53
58
59
61
63
65
68
69
71
73
77
78
79
81
82
83
85
86
87
88
91
92
94
99
100
101
102
108
109
110
113
114
115
116
118
119
122
124
125
126
127
129
130
131
132
133
134
136
138
139
140
141
145
147
148
150
151
152
153
154
157
159
160
161
163
164
165
166
167
00:00
Information securityForceType theoryGoodness of fitSpektrum <Mathematik>Vulnerability (computing)Level (video gaming)Lattice (order)Stress (mechanics)Extension (kinesiology)Computer animationLecture/Conference
00:56
System programmingComputer hardwareDigital signal processingPresentation of a groupInternet service providerComputer virusInformation securityInferenceChaos (cosmogony)Food energySource codeExpert systemTelecommunicationContent (media)Physical systemSpektrum <Mathematik>Computer hardwareSignal processingLecture/ConferenceComputer animation
02:04
Presentation of a groupInternet service providerModel theoryKinetic energySpektrum <Mathematik>Information securityWaveGroup actionVulnerability (computing)Lecture/ConferenceComputer animation
02:42
Matrix (mathematics)Arrow of timeSource codePerspective (visual)Information securityText editorMetropolitan area networkLecture/ConferenceComputer animation
03:22
Software developerSystem programmingPulse (signal processing)Food energyMathematical analysisLogicTraffic reportingOrder (biology)Perturbation theorySource codeOcean currentGroup actionWavePortable communications deviceDigital signalSpektrum <Mathematik>Pulse (signal processing)Link (knot theory)Field (computer science)Electromagnetic radiationLevel (video gaming)Lecture/ConferenceComputer animation
04:20
Group actionSource codePoint (geometry)Error messageSoftwareComputer hardwareLecture/Conference
05:07
Software developerSystem programmingPulse (signal processing)Food energyMathematical analysisLogicKeilförmige AnordnungInternetworkingDensity of statesInformation securityPhysical systemComputer networkVirtual machinePhysical systemGame theoryEvent horizonGroup actionVirtual machineInformation securityLatent heatError messagePersonal area networkData managementAuthorizationSource codeSource codeComputer animation
06:04
Event horizonMobile WebTable (information)Source codeOrder (biology)Term (mathematics)Lecture/Conference
06:49
Density of statesInformation securityPhysical systemInternetworkingComputer networkInformationIntegrated development environmentIntegrated development environmentStandard deviationSource codeSpektrum <Mathematik>Nominal numberInformationInternetworkingSoftware testingBit rateComputer animation
07:47
Side channel attackPlastikkartePhysical systemSource codeProcess (computing)Information securityStress (mechanics)InjektivitätLaptopCross-correlationMultiplication signInteractive televisionKey (cryptography)Lecture/Conference
08:51
InformationIntegrated development environmentInformation securitySystem programmingData integritySoftware testingInformation securityInformation systemsKey (cryptography)AreaPhysical lawSlide ruleCross-correlationSheaf (mathematics)Level (video gaming)WordStandard deviationInformationComputer animation
10:07
InformationInformation securitySystem programmingData integritySoftware testingSound effectScale (map)Model theoryDifferent (Kate Ryan album)Computer wormParameter (computer programming)Field (computer science)Fitness functionInformation1 (number)Complete metric spaceINTEGRALField (computer science)Vulnerability (computing)Information securityStatistical hypothesis testingComplex (psychology)Complex systemData managementWireless LANInteractive televisionSoftware testingMultiplication signParameter (computer programming)Bit rateLink (knot theory)Different (Kate Ryan album)Connected spaceTelecommunicationExecution unitWeightScaling (geometry)BuildingRandomizationComputer animation
11:57
WaveParameter (computer programming)Reduction of orderDifferent (Kate Ryan album)ResultantLatent heatModel theoryVulnerability (computing)Configuration spaceSoftware testingField (computer science)Order (biology)Set (mathematics)Group actionInformation securityRandomizationBuildingComputer wormNumberComplex systemDevolution (biology)Lecture/Conference
13:34
Latent heatHausdorff dimensionSource codeLatent heatInformation securitySpektrum <Mathematik>Right angleDimensional analysisBit rateFrequencyMobile WebParameter (computer programming)Variable (mathematics)Computer animation
14:41
BitSource codeRange (statistics)Parameter (computer programming)InformationInternetworkingLatent heat
15:40
Software testingChainInterface (computing)MereologyPhysical systemLink (knot theory)ChainThermal radiationParameter (computer programming)PropagatorWaveGroup actionLatent heatAsynchronous Transfer ModeSource codeIntegrated development environmentAdditionInjektivitätComputer animation
16:44
Field (computer science)Group actionParameter (computer programming)Mathematical analysisStrategy gameLatent heatAxiom of choiceAddress spaceDecision theoryLecture/Conference
17:26
Game theoryVariety (linguistics)Sound effectGroup actionRoundness (object)MathematicsField (computer science)Spektrum <Mathematik>Game theoryDifferent (Kate Ryan album)Complex (psychology)AdditionComputer animation
18:30
Sound effectGame theoryVariety (linguistics)System identificationMetric systemRoboticsVirtuelles privates NetzwerkSource codeEntropie <Informationstheorie>Game theoryGroup actionSocial classPhysical systemComputer simulationMetric systemFunctional (mathematics)Parameter (computer programming)State observerLecture/ConferenceComputer animation
19:32
Error messageVulnerability (computing)Group actionSoftware testingMetric systemOrder (biology)Physical systemPosition operatorMatrix (mathematics)Lecture/Conference
20:30
Interface (computing)Physical systemSound effectGroup actionDifferent (Kate Ryan album)Interface (computing)Operating systemType theoryContext awarenessComputer animation
21:13
InformationComputer hardwareSoftwareSound effectInterface (computing)Group actionSoftwareOperating systemInformationLevel (video gaming)Variety (linguistics)Different (Kate Ryan album)Strategy gamePropagatorProfil (magazine)Software-defined radioPulse (signal processing)State observerBand matrixFlow separationElectromagnetic radiationSoftware testingSource codeAreaBoundary value problemRule of inferenceLecture/ConferenceComputer animation
22:55
Personal identification numberPerturbation theoryPosition operatorInformationRight angleSoftwareCASE <Informatik>PropagatorError messageSet (mathematics)NeuroinformatikConfiguration spaceSoftware testingSource codeEquivalence relationGroup actionLecture/Conference
23:59
Error messageString (computer science)Address spaceCodePrice indexConfiguration spaceSerial portCrash (computing)outputKeyboard shortcutInterface (computing)Software testingComputerTelecommunicationEnumerated typeInjektivitätGroup actionElectromagnetic radiationPhysical lawNeuroinformatikSoftware testingKeyboard shortcutLoginLink (knot theory)CASE <Informatik>Validity (statistics)Computer animation
25:01
TelecommunicationInterface (computing)Control flowPhysical systemSoftware testingRotationGame controllerPosition operatorMathematical optimizationBlock (periodic table)AlgorithmNeuroinformatikGroup actionBackdoor (computing)PeripheralFood energyLink (knot theory)Scalar fieldAlgorithmPhysical systemMereologyAreaNonlinear systemPosition operatorState of matterNormal (geometry)Error messageWordGreen's functionDistortion (mathematics)Power (physics)Speech synthesisTorusServer (computing)Pulse (signal processing)Control systemLecture/ConferenceComputer animation
26:56
Block (periodic table)PlastikkarteBit error rateDistortion (mathematics)Parameter (computer programming)Computer virusPower (physics)Pulse (signal processing)FrequencyWorkstation <Musikinstrument>Right angleAlgorithmNeuroinformatikSource codeError messageTelecommunicationLevel (video gaming)CurveCellular automatonBitLecture/ConferenceComputer animationEngineering drawing
28:31
Block (periodic table)PlastikkarteAnalogyInterface (computing)WärmestrahlungInformationSoftware testingBefehlsprozessorOrder of magnitudeDivisorScaling (geometry)Point (geometry)NeuroinformatikGroup actionLevel (video gaming)Telecommunication2 (number)Front and back endsMusical ensembleSoftware testingBefehlsprozessorData managementOrder of magnitudeTerm (mathematics)AnalogyField (computer science)Electric fieldResultantCASE <Informatik>Data conversionCycle (graph theory)Presentation of a groupDebuggerHomothetieVulnerability (computing)Lecture/ConferenceComputer animation
31:35
BefehlsprozessorSoftware testingDensity of statesPhysical systemSample (statistics)InformationReading (process)CASE <Informatik>Flow separationInformation systemsStrategy gameOrder (biology)Process (computing)Lecture/ConferenceComputer animation
32:13
Software testingAnalogyAuthorizationBefehlsprozessorInterface (computing)Order (biology)Right anglePhysical systemField (computer science)Personal digital assistantFlow separationInformation securityProof theoryUser interfaceSoftware testingPosition operatorState observerGroup actionDebuggerSound cardAnalogyLecture/ConferenceComputer animation
34:15
AnalogyAuthorizationSoftware testingHypermediaComputerVideoconferencingMotion captureSoftwareSoftware testingInterface (computing)CASE <Informatik>PropagatorPower (physics)InjektivitätVideoconferencingHacker (term)Lecture/ConferenceComputer animation
35:08
HypermediaDirected graphDebuggerWebsiteTouchscreenFeedbackSmartphoneVideoconferencingRight angleInteractive televisionFront and back endsDot productRevision controlSoftware testingCycle (graph theory)Lecture/Conference
36:14
Cartesian coordinate systemSource codeInjektivitätFrequencyNeuroinformatikCASE <Informatik>Computer animation
37:00
SimulationCloud computingThumbnailAnalogyAuthorizationSoftware testingSource codeMobile WebPower (physics)BefehlsprozessorSoftware-defined radioSoftware testingWaveformInterface (computing)Observational studyInformationPower (physics)Proof theoryProfil (magazine)Vulnerability (computing)Mathematical analysisVapor barrierComputer virusDiallyl disulfideComputer animation
38:29
InformationMathematical analysisSoftwarePower (physics)Latent heatNeuroinformatikInjektivitätLecture/ConferenceComputer animation
39:13
Group actionInformation securitySummierbarkeitInformationPoint (geometry)View (database)Software testingCartesian coordinate systemDigital divideInterface (computing)Observational studyAdditionMathematical analysisLecture/Conference
40:41
User profilePoint (geometry)Denial-of-service attackContext awarenessWordProfil (magazine)InternetworkingSource codeEvoluteSpektrum <Mathematik>Power (physics)Computer animation
41:49
Multiplication signPoint (geometry)Shared memoryDifferent (Kate Ryan album)Information securityObject (grammar)PhysicalismWordView (database)Side channel attackDigital photographyCryptanalysisLecture/Conference
42:37
Software testingComputerCommercial Orbital Transportation ServicesSound effectAdaptive behaviorSystem programmingAnalog-to-digital converterDigital signal processorComputer hardwareControl flowProxy serverInformationHacker (term)Operations researchSystementwurfPhysical systemExplosionAlgorithmPlastikkarteDatabase transactionAddress spaceCellular automatonTouchscreenNumbering schemeCommitment schemeComputer animationLecture/Conference
43:26
FrequencyCuboidFlow separationSoftware testingCurvatureGroup actionDifferent (Kate Ryan album)Frequency responseComputer clusterNumberLecture/Conference
44:28
Source codeCondition numberRange (statistics)Power (physics)TelecommunicationSoftware testingLevel (video gaming)Characteristic polynomialGroup actionPropagatorBefehlsprozessorNichtlineares GleichungssystemIntegrated development environmentOcean currentUnit testingLatent heatReading (process)Office suiteSphereOperator (mathematics)Euler anglesCASE <Informatik>Lecture/Conference
46:25
Term (mathematics)BefehlsprozessorMotherboardInjektivitätFlow separationNeuroinformatikLine (geometry)Variety (linguistics)Dimensional analysisCoprocessorState observerWellenwiderstand <Strömungsmechanik>Function (mathematics)
47:14
Latent heatGroup actionPixelMereologySheaf (mathematics)Different (Kate Ryan album)1 (number)Dependent and independent variablesTouchscreenTouch typingSide channel attackSpektrum <Mathematik>Lecture/Conference
47:57
Point (geometry)Goodness of fitSheaf (mathematics)Pointer (computer programming)Numerical taxonomyRoundness (object)Lecture/Conference
Transcript: English(auto-generated)
00:17
Hello, all, and welcome. The following talk focuses on the vulnerability of electronic devices to electromagnetic interference
00:25
with regard to IT security. With the subject of VMP threats getting more and more traction nowadays, security specialists Shoki Kasmi and Jose Lopez Estevez will explain and classify the types of attacks that we are exposed to. They both have extensive experience in security research, having worked at the French National
00:44
Cybersecurity Agency, Shoki has a PhD in electronics and has recently joined the TV labs at Dark Matter LLC. Join me in welcoming them on stage.
01:02
Good afternoon, everybody. Hello. Thank you for joining us. So we are Shoki Kasmi and Jose Lopez Estevez here. We are very happy to be here today to talk about EM threats for information security and how we may find ways to induce chaos in digital and analog electronic devices.
01:21
Thanks to directed energy weapons. So we are both electromagnetic security experts. We do also radio communication security analysis, some hardware and embedded system security research, as well as signal processing.
01:44
A quick disclaimer, because I recently joined Dark Matter LLC in UAE, so the research was done during my research activities at the French Network Information Security Agency and all the content that will be presented today was done during those research activities.
02:03
I'm grateful for the support and encouragement provided by Dark Matter in allowing me to present this research today with my colleague Jose Lopez Estevez. So the agenda for today, we will introduce you the topic of electromagnetic security.
02:20
Then, to present you why we are looking for effects induced by EM waves, then we will have a look at EM vulnerability of some devices and how we may involve those effects and turning them into information security issues.
02:43
And at the end of the talk, we will draw some conclusions and perspective concerning our research. So let's start with electromagnetic security. So you may have all seen those nice movies, the Hollywood movies, where they are using some EMP weapons to disable electronic and electric devices like or any facilities using
03:09
those EMP weapons. So even Batman has an EMP weapon in movies. So basically, it's for common people, EMP weapons are a fantasy weapon.
03:24
But since the 90s, many countries have developed capabilities in order to involve EMP weapons, in order to induce perturbation into targeted devices, as well as to try to damage them thanks to high power sources.
03:43
So those sources are involving the same effect as high altitude electromagnetic waves generated by nuclear pulses. And those high intensity fields induce parasitic currents and voltages into targeted
04:00
devices. And all those parasitic currents and voltages induce perturbations on communication devices as well as any digital data link. So VFX vary from very low level effects, so basic disturbances, and can reach also
04:24
permanent damages on devices. So what we are looking for basically is to be able to detect and analyze VFX induced by the sources during parasitic exposure, so that we are able to design appropriate
04:42
protections and to harden critical facilities. One important point is basically to link the hardware errors to software failures, so that we are able to understand how electronic devices react during parasitic
05:01
exposure, as well as the whole infrastructures in which we will place them. And from that we are also able to understand if there are any cascading effects. So basically if we target one system, what kind of effect we may induce on over-connected devices.
05:24
So as we said, it's not fantasy weapons, a couple of events occurred in Europe, and Frank Sabat presented a brief summary of what happens in Europe and other countries. So it starts from very simple RF sources, so RF guns used by some malicious,
05:46
during malicious activities to trigger winning at a game machine in Japan. Then we have some use of EM disruptor to neutralize security systems of critical
06:02
infrastructures and specific places like jewelry, some recent security systems that were disabled during parasitic exposure, as well as some bank in UK and Netherlands. So this summary is interesting because it defines a couple of events in which some
06:24
sources with high mobility or low mobility have been used in order to disrupt some targeted devices. In the same way, we are able to understand that those devices does not require
06:41
very high knowledge or skills to be able to design them. This is the last column of this table. And we can see that basically if someone is interested by building some sources, a couple of information are readily available on internet. So the use of electromagnetic interference to disable or disturb electronic devices
07:08
is directly linked to the topic of electromagnetic compatibility, in which we defined some general standards to test equipment and check that they will not experience
07:22
any abnormal behavior when they are exposed in the normal electromagnetic environment. So this is the topic of immunity testing. In the same way, we try to limit the emanations of any electric and electronic device in the environment by reducing the EM nodes generated by those devices.
07:44
So as you may imagine, as we apply basic standards, it's a world of trust and compliance. We test those devices as the laptop here, and we try to have the best compliance of this device so that it can be used in any place where it should be used.
08:07
In the same way, some information security guys have been working on those topics and have seen that basically we can find some correlation between the process data and the emanation of those devices.
08:21
This topic is called Tempest, and there is also the side channel area, in which we correlate the activity of a chip or a system with the data processed by this device. In the same way, some researchers are working on fault injection on the smart cards
08:42
and FPGAs, so it's using basically the near-field interaction between the source and the target so that we are able to extract some keys or any interesting secrets on the device. So in this way, we see that basically we go beyond the standards applied in the EMC area.
09:08
We don't comply with the standards because we are looking at very small correlations or susceptibility level that may be used to reduce the security of those devices.
09:26
So it's a word of deception. As a risk for information security, it's basically a phenomena that originated from the EMC.
09:43
So it's a physical phenomena. And in the same way, targeting information systems based on electronic devices is highly useful when we are looking at the security of these devices. So the threats are as defined in the previous slide.
10:05
So we have the emanation threats, which introduce a threat for the confidentiality of the information as we are able to recover data from the emanations of the electronic devices. And in the same way, the integrity and availability of the device
10:25
is directly linked to the immunity of this device to parasitic fields. So our challenges are these two ones. The first is how can we assess the vulnerability of any electronic device to parasitic exposure?
10:43
And if we want to do some risk management, we need to be able to rate any EM attack again on any device. So concerning the vulnerability testing of electronic devices, let's have a look at the complexity on how we would like to be able to test devices.
11:06
So we have complex systems with a lot of different kinds of material and communication links. We have wired or wireless connections between devices.
11:23
And we have a lot of undeterministic interaction between the devices. As we are using some specific protocols and at the time we are injecting waves, we need to be able to reproduce this test setup.
11:41
We have a problem of scales because we may want to analyze the security of a chip as well as to be able to analyze the security of a whole building. And this makes a lot of random parameters appearing to analyze the different attack scenarios with different payloads.
12:05
The issue of modeling, as we cannot model the full infrastructures of a huge building with very small electronic devices in there due to modeling issues. And it requires a lot of scientific fields to be used in order to be able to model
12:27
and to analyze the coupling of waves into those buildings. So as we just said, there are a lot of random parameters. And if we want to understand and to be able to predict any vulnerability of the device,
12:43
we need to do some exhaustive testing. But the problem with exhaustivity is that it requires a lot of random configuration so that for specific parameters we are able to reproduce any configuration we would like to work on.
13:01
And this makes some issues with the reproducibility and the generalization of the results. So from a reduced number of configurations, we would like to be able to understand the behavioral device for the whole set of possible configurations.
13:22
And in the same way, when we want to analyze the effect on a complex system, the detection of the effect is complex itself. So as information security researchers, what we would like to be able is to have the ability
13:44
to rate any kind of EM attack against a specific device. So the electromagnetic instrumentation, like the used source to disturb or to induce failure on any electronic devices, can be characterized by those three parameters.
14:05
The variability of the device and its cost. Is it possible to find it on internet or do I have to have a look at specific tutorials to be able to design it?
14:21
The dimension of the source. Can I put it in my bag or in a car? So this defines the mobility of the source. And the capabilities. So do I have the possibility to tune the source for specific frequencies? Can I modify the amplitude of my source?
14:41
And those parameters are very important to understand how they can be used to defeat specific electronic devices. So for that, it requires a lot of technical knowledge. Maybe, maybe not. After looking at the internet, we have seen that there are a lot of resources for that.
15:03
The effective range of the source. Do I have to be close to my target or can I stay a bit far from it? Do I need some information about my target? Do I have to test it before being able to do it in real scenarios?
15:22
Can I industrialize my source? So once I have designed my source, can I set it? And is it target specific? Do I have to design a source for each target I may have to work on?
15:40
So for looking at this problem, there are two ways. The first is starting from the source itself. So I have my source. It can be connected to an antenna or an injection probe. So then we are in propagation mode. The radiation in the free space. Or do I inject my waves in cables?
16:02
Then I am in the conductive one. We have also the link between both of them. We have the coupling to the target. Is it a front door coupling? So am I targeting a wireless interface of my target? Or is it a back door coupling phenomena? I am inducing my waves into some conductive part in the system.
16:21
And I have my effect, which is the last part of my propagation chain. If I start from the source, then I will define specific scenarios for specific devices. But if I start from my target and I check effects in a very general environment,
16:43
then I might be able to check all the parameters that I may experience when I want to harden a critical infrastructure. So we have chosen the second way of having a look at this problem. And we have been working on the effects induced by parasitic field-owned electronic devices.
17:08
Okay, so now I am going to introduce our strategy for the analysis of effects on specific targets. So we will see that it's not a trivial problem. And I will present the decisions, the choices that we have made to address this issue.
17:28
So here we are trying to observe the effects of the presence of electromagnetic, parasitic signals around the target.
17:44
And for that, the game generally is always the same. Whatever the field, the scientific field, you send the stimuli. So it's our parasitic field. And you want to observe changes on the target that will respond to your stimuli. And you want to correlate the stimuli and the changes.
18:04
And the challenges here are that, as Shauke introduced, because of the complexity of the problem, there are a lot of different kinds of stimuli that we can send to the target.
18:20
We can also use additions of different stimulations. And the second problem is that we have to determine what to look at to decide that there is an effect on the target or not.
18:43
So in fact, one of the main challenges in that game is to design the right classes to see the effects of the electromagnetic stimulations. So that's what we proposed. That's what we did.
19:01
And we proposed, well, usually you want to identify the critical functions of the system you want to monitor. So it's kind of the health parameters of your system. And then you have to find a way to monitor those critical functions
19:21
and maybe define some metrics to then compare or classify the different effects that you observed on those observables. So sometimes it can be easy. If you think about a rotating robotic arm, maybe you can just say,
19:40
okay, it still works or it doesn't work anymore. And when it doesn't work anymore, you say, I have an effect. But you also sometimes need to have more finer granularity in your metrics. So for the rotating robotic arm, you can think about the positioning error of your arm
20:05
so you will have to find a way to measure that and then monitor that during the tests to determine then if there was an effect, if that effect was really correlated to your stimuli
20:21
in order to analyze the vulnerability of your system. So we adopted a generic approach. We thought, okay, instead of adapting our approach to the specific context,
20:43
we thought about a generic approach which is system-centric. So our idea was to try to analyze the effect as the operating system can see them. And it's interface-based.
21:01
So as introduced by Xiaoke, there are different types of coupling on the device and we enumerated the interfaces for the physical coupling that are available on the device. And we found a way to have access to some information coming from those interfaces
21:25
at the operating system level. And in the end, we have a software that is running on the operating system and that is monitoring the different interfaces, looking for effects, in fact.
21:45
And what's interesting with that strategy is that we don't really need to understand the propagation of the physical effects to the software effects. In fact, we try to have an observation of the software layer level effects during the tests.
22:13
And as for the vast variety of different stimuli that an attacker could use, we decided to consider the lowest attacker profile, so low-cost source, low bandwidth source.
22:29
So we basically use a software-defined radio with several amplifiers. And the physical electromagnetic waves that we send to the target are what we call RF pulses.
22:50
So it's a low profile, low attacker profile. And we have two setups that are depicted here. On the left, we have our radiated propagation setup.
23:03
So it's in a Faraday cage. We have our targets running the monitoring software that we design. And we have an antenna inside the Faraday cage which will send the stimuli. And outside the cage, we have a monitoring computer which will gather the information
23:22
collected by the monitoring software and our RF sources instrumentation. And on the right, we have the equivalent setup for the conducted propagation.
23:42
So once we define the test scenario and test configuration, we put a couple of devices in the Faraday cage. And now we will show you some effects induced during parasitic exposure. And by understanding how we were able to correlate the effects to the parasitic field,
24:04
we have found a way to involve EM wave as a new technique to inject data into devices or to interact with devices. And we will show you how we did it. So at the beginning, we use some general computers.
24:22
And we monitor some common APIs and even logs on the computer. And we send our parasitic signal to the target. So here we have a couple of logs. You don't need to read them because we summarize them for you.
24:40
And we have seen here, for example, the two keyboard links we were testing, so the PS2 and the USB. And we have seen some, so we were able to get those effects. So we were able to corrupt data that was received by the computer and to randomly inject valid case struct on the computer.
25:05
On the USB, we have been able to disable the hub, disconnect devices, peripherals that were connected to the computer, and also to corrupt descriptors. So this is backdoor coupling effect because we were targeting data links which are not intended to collect energy.
25:27
Then we wanted to test some SCADA systems, so like industrial control system. We put the server motor in Faraday cage. And we tested the behavior of the server motor
25:40
when it was running a specific path. So the normal behavior of the device is the blue one. Here you see the blue, which is the normal behavior device.
26:02
And in green and orange, we send our pulses. And we can see here that we have been able to modify the position of the server motor as well as the speed of it. So we were able to randomly manipulate the server motor using our RF pulses.
26:27
Then we worked on some digital processing algorithm. Here it is the pre-distortion algorithm running on an FPGA.
26:42
The pre-distortion algorithm is used to compensate the power amplifier distortion where we are using it in the non-linear region. So we predict the non-linearities of the power amplifier, which is T minus one. And the actual distortion induced by the power amplifier is two.
27:03
So if you do T minus one by T, you have one. But in the same way, if you're injecting some RF pulses during the computation of the distortion induced by the amplifier, so here it's the G for jamming,
27:21
we were able to modify the behavior of the pre-distortion algorithm. And by modifying this behavior here, this curve here in black, we see here that we have some elevation of the side lobe of the source.
27:44
So it means that we are jamming all devices that are co-located to the radio frequency, for example the mobile station around the targeted one. So we were able to modify the packets emitted by the mobile station.
28:05
Then it sends data with a high bit error rate. So any device that receives those signals receives corrupted data. And on the right, in the same way as we increase the side lobes, all the devices that communicate around this cell with other cells,
28:24
if they are using the frequency band near the targeted one, then we are able to stop the communication on this level. So this is the cascading effect we have been talking about. Yeah, another interesting point in that example is that
28:41
the computation of the pre-distortion factors is not performed usually every second. I mean it's more at the scale of the minute. So in fact with just one malicious intervention, you can make the radio front end self-jam itself
29:04
during several minutes until the recomputation of the pre-distortion factors. We also instrumented analog interfaces, and we are going here to present the results we had on thermal transducer
29:23
and also on acoustic transducers, microphones. So there is some literature from the EMC community about the susceptibility of analog circuits. And it's admitted now that some analog circuits do some envelope detection.
29:44
So it's a kind of amplitude demodulation of the parasitic signal. And especially for operational amplifiers, there is also an offset that is added to the signal
30:04
when a parasitic field is present on the target. And also, as we are talking about analog interfaces, they usually end up on ADCs. So all the work that has been made about the vulnerability of analog to digital converters
30:26
can also be used in that case. So during our tests, we have been monitoring the behavior of the thermistor, the thermal diode of the CPU of our target.
30:42
And we noticed that when our parasitic field was on, we saw that the temperature that was reported by the diode was kind of erratic. So how can it be used by an attacker?
31:00
We tried to derive a scenario exploiting that factor. And we ran additional tests. And we noticed that the temperature that was reported by the thermal diode was kind of homothetic to the parasitic electric field magnitude.
31:29
So that means that the attacker is able to finally control the behavior of the temperature reading on the target.
31:43
So we imagine the scenario where an attacker uses that to send information to a malicious process that is monitoring continuously the temperature on the target. And in some cases, I mean, in cases where you have, for example,
32:06
put an air gap strategy in place in order to separate several information systems of heterogeneous criticality, this kind of threat can be serious.
32:21
And also, of course, if an attacker is able to control the temperature that is transmitted from the diode to the CPU or a reader of the temperature, one can easily think about sabotage scenarios.
32:43
During our tests, we also monitored the audio front end. So we basically just recorded the audio coming from the audio card. And we made that with a microphone on, with a wired microphone plugged in,
33:04
or without microphone. And we always have been able to notice that there were some effects of the presence of the parasitic field.
33:21
And again, we tried to imagine scenarios where this could be a threat for information security on a system. And from that observation, several works were derived. And we considered that the analog microphone is usually a user interface
33:43
that gives access to the voice assistance interfaces. And we designed several proofs of concept exploiting this way to interact with the system in order to execute arbitrary voice commands on the target.
34:12
We did two proofs of concepts. On the right, you see the radiated one. So in that case, the coupling interface was the headphones cable.
34:26
And we also performed additional tests and designed tests to test the conducted propagation path. And we were able to inject voice commands by injecting the parasitic signal
34:45
inside the power network when the phone was charging. So this research has been published at Hack in Paris. But we have still the two quick videos about those tests.
35:06
So I need to recover my mouse. Okay. So in this video is the radiated test setup. We are in the Faraday cage. Our target is the smartphone.
35:21
And we can see the headphone cable on the left side of the screen. And of course, our antenna that is sending the parasitic signal. And we can notice that there is some activity on the audio front end because the red dot on the upper right corner of the phone screen.
35:47
And in that example, we sent a long voice command asking to open a website. And at that time, on that Android version, there was no real feedback to the user.
36:06
And the website was open without any other interaction with the target. And the conducted case, so here you see how our setup. So we have the power supply with the computer plugged in.
36:25
And here we have an injection probe with this cable going to our radio frequency source. And our target is here on the desk and is plugged to the power socket with a genuine charger.
36:42
And in that case, we just asked to open an application.
37:12
So if you need more information about technical details on those proofs of concepts, you can refer to the talks we made in HAC in Paris.
37:21
And we also released IEEE papers. And here we just tried to imagine to perform a quick risk analysis about those kind of vulnerabilities. And of course, anything you can do by using the voice command interface
37:41
can be done using those techniques. What's also interesting is that we completed the study by trying both front door and back door coupling scenarios. We also did the radiated testing and the conducted testing.
38:01
And we tried to estimate the attacker profile and the power and the equipment that is required to perform those kinds of attacks. And of course, these attacks are highly targeted attacks
38:20
because the attacker needs to change at least the waveform, the parasitic waveform to adapt himself to the situation, the target, the phone for example, or the power network specificities.
38:45
Okay, so just some additional details about the voice command injection techniques. Concerning the second one, we have seen that it's a USB cable that is targeted. We have connected this USB cable to the computer also.
39:04
And we have seen that the signal was going through the power network and the grounding of the computer and was reaching through the USB shield, the microphone IC. So this is interesting because it is some known issues from the EMC community.
39:23
So the crosstalk between the USB port and the microphone IC. But from the information security point of view, we didn't have seen any study that was showing that we were able to inject defined signals on this voice command interface.
39:45
Thanks to all those tests, we have been able to detect and analyze the effects induced by IMI, so Intentional Electromagnetic Interference, during parasitic exposure. We have been able to classify the effects,
40:02
so defining the criticality of each effect with regards of the application. We have been able to estimate the impact for the security of the tested devices. And all those informations contribute to the information security risk analysis.
40:21
And to help us to put some additional protective devices, so that IMI cannot be involved to perform those kind of attacks against electronic devices. And more generally, we observed that the electromagnetic attacks are a kind of a realistic threat.
40:49
Even if, generally, if you want to perform more than a denial of service attack, it will be a targeted attack because you will need to adapt your attack setup to your target
41:05
and to the context around the target. We also wanted to emphasize that the attacker profile for these kind of attacks is getting lower and lower because of technological evolutions.
41:23
The devices that are needed to create some of the required sources is more and more affordable and freely available to anyone on the internet. And we can say the same on the power amplifiers, for example.
41:46
And one last word to try to join people to this kind of research. We noticed that the AMC community, the information security community,
42:01
and the specific physical cryptanalysis and the side channel and photo attacks communities worked on their own path. But in reality, we are looking at the same problem, and just we have different points of view and different objectives.
42:22
So maybe it's time to join together and try to share the resources and the knowledge about these issues. So we thank you very much for your attention.
42:45
As usual, you have all the references that we used to create this talk. And our email addresses, if you have any questions or if you want to interact about those topics, we will be happy to do so. Thank you.
43:04
So step up to the microphones. And we also take questions online. We have a signal angel monitoring the question feed. Anybody? Microphone 2. Go ahead. Thank you very much for the interesting topic.
43:20
I saw your lab equipment and you didn't screen the charge or any cables. Why? Or maybe another question. Did you test the screening of the cables and how much is affected the cable in the results?
43:44
On those research topics, we tested several USB cables and several genuine chargers, I mean cuts out of the box chargers. And we observed that we were able to, on the audio frequency band,
44:06
we were able to recover our signal. The frequency response was kind of flat. So it didn't really affect the effect on the target. Thank you. Microphone number 1.
44:23
Thank you for the talk. This was all very new to me, so I'm very, very scared right now. Because I am learning how to fly small aircraft and a lot of it is, there's a lot of communication that happens via radio. And I'm wondering, when you talked about the effective range,
44:40
what kind of threats are we looking at for something say, at an altitude of say even 2,000 feet and a moving target? Does that make it very, very difficult? I'm knowing that I don't know much about what you just said, but it was really quite scary.
45:01
Concerning the range, so as we presented, we did not work on the sewer side. We directly assessed the effects on the target. If you have any kind of device you would like to work on, basically you put it in a test environment,
45:23
you check what kind of effect you may expect, depending on the characteristics of the source you have defined. And then defining the range is just using some general theoretical equations that define the amount of power you need to generate
45:42
to reach the signal level you need to disrupt your device. For small drones or any kind of those devices, we did not specific tests, but it's an open question and we would be really happy to work on that.
46:00
If I can add something. In your case, I guess you have to estimate the propagation path that we described in the specific conditions that you described, in fact. Thank you. Thank you very much. Microphone 2, go ahead.
46:20
Thanks for the talk. I have a very small question about the CPU thermistor that you set up and you can, with RF energy, increase the temperature or observe temperature of the processor. Was it actually a separate sensor and how long was the cable and what's the output impedance of the sensor? Did you check those parameters?
46:41
Yeah, I think it was on an old motherboard on a computer. The thermistor was interrogated by a SuperIO chip and I guess the dimensions of the PCB line between the CPU diode and the SuperIO chip was something like 10 centimetres, I guess.
47:05
Thank you very much. I think we have a question from online. You showed us some example of data injection, so this was an active attack. What about passive ones, like getting the data from the device, for example, pixels of the screen or touch typing of the keyboard?
47:27
The talk was focused on the effects of intentional electromagnetic interfaces, so that's why we didn't talk about the other specific parts of tempest attacks or side-channel attacks.
47:41
I don't know if that answers the question. Well, thank you for your response and I think that's all for questions. Oh, no, there's one more from the online feed. I know that this isn't really a topic of your research,
48:01
but could you give some pointers to recent research on EM emancipation like tempest attacks? There was something on AES last year, I guess. Craig Smith's talk, tempest attacks on AES, it was a side-channel attack but with a several feet range, for example.
48:23
I think it can be a good pointer. Marcus Kohn's research at Cambridge University is also a very good resource to understand the topic of tempest. Thank you very much.
48:40
I think that's it. Let's give a round of applause for our speakers. Thank you.