Screaming Channels: When Electromagnetic Side Channels Meet Radio Transceivers

Presented at Black Hat USA 2018, Aug. 8, 2018, 1:30 p.m. (50 minutes).

The drive for ever smaller and cheaper components in microelectronics has popularized so-called "mixed-signal circuits," in which analog and digital circuitry reside on the same silicon die. A typical example is a WiFi chip that includes a microcontroller (digital logic), on which cryptography and protocols are implemented, together with the radio transceiver (analog logic). The special challenge of such designs is to separate the "noisy" digital circuits from the sensitive analog side of the system.

In this talk, we show that although the isolation of digital and analog components is sufficient for those chips to work, it is often insufficient for them to be used securely. This leads to novel side-channel attacks that can break cryptography implemented in mixed-signal chips over potentially large distances. This matters because the encryption of wireless communications is essential to widely used wireless technologies, such as WiFi or Bluetooth, in which mixed-signal circuits are prevalent in consumer devices.

The key observation is that in mixed-signal radio chips the processor's activity leaks into the analog portion of the chip, where it is amplified, up-converted and broadcast as part of the regular radio output. This resembles electromagnetic (EM) side-channel attacks, which can normally be mounted only in close proximity (millimeters, and in a few cases a few meters); we show, however, that the original leaked signal can be recovered over large distances from the radio transmission itself. As a result, variations of known side-channel analysis techniques can be applied, allowing us to retrieve the encryption key by just listening on the air with a software-defined radio (SDR).
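As an added illustration of the last step above, the "known side-channel analysis technique" run over recovered traces, here is a correlation attack (CPA) on the first-round S-box output of AES-128. This is example code written for this page, not code from the talk or its authors. The AES target, the Hamming-weight leakage model and the constructed noisy traces are assumptions made here; the radio capture, demodulation and trace alignment that the attack described in the talk needs before this step are not shown, and each trace is reduced to a single aligned leakage sample.

```python
"""Correlation power analysis (CPA) on constructed side-channel traces.

Added example, not code from the talk. Assumptions not stated on the page:
the victim runs AES-128 and the observable leakage of the first-round S-box
output is proportional to its Hamming weight. Each "trace" is one constructed
sample standing in for the demodulated, aligned leakage value an SDR would
recover from the radio output.
"""
import random


def _gf_mul(a, b):
    """Multiply in GF(2^8) with the AES reduction polynomial x^8+x^4+x^3+x+1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        hi = a & 0x80
        a = (a << 1) & 0xFF
        if hi:
            a ^= 0x1B
        b >>= 1
    return p


def _build_sbox():
    """Derive the AES S-box: multiplicative inverse followed by the affine map."""
    sbox = [0] * 256
    for x in range(256):
        inv = 0
        if x:
            # x^254 == x^-1 in GF(2^8); square-and-multiply keeps this short
            inv, base, e = 1, x, 254
            while e:
                if e & 1:
                    inv = _gf_mul(inv, base)
                base = _gf_mul(base, base)
                e >>= 1
        s = inv
        for i in range(1, 5):  # s = inv ^ rotl(inv,1) ^ ... ^ rotl(inv,4)
            s ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
        sbox[x] = s ^ 0x63
    return sbox


SBOX = _build_sbox()


def hamming_weight(v):
    return bin(v).count("1")


def make_traces(key_byte, n, noise_sigma, seed=1):
    """Construct n (plaintext byte, leakage sample) pairs for one key byte.

    Constructed data: leakage = HW(SBOX[pt ^ key]) + Gaussian noise.
    """
    rng = random.Random(seed)
    traces = []
    for _ in range(n):
        pt = rng.randrange(256)
        leak = hamming_weight(SBOX[pt ^ key_byte]) + rng.gauss(0, noise_sigma)
        traces.append((pt, leak))
    return traces


def pearson(xs, ys):
    """Pearson correlation coefficient of two equal-length sequences."""
    n = len(xs)
    mx = sum(xs) / n
    my = sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    if vx == 0 or vy == 0:
        return 0.0
    return cov / (vx * vy) ** 0.5


def cpa_recover_key_byte(traces):
    """Rank all 256 key guesses by |corr(predicted HW, observed leakage)|.

    Returns (best_guess, ranking) with ranking sorted best first.
    """
    pts = [pt for pt, _ in traces]
    leaks = [leak for _, leak in traces]
    scores = []
    for guess in range(256):
        predicted = [hamming_weight(SBOX[pt ^ guess]) for pt in pts]
        scores.append((abs(pearson(predicted, leaks)), guess))
    scores.sort(reverse=True)
    return scores[0][1], scores


def demo(key_byte=0x2B, n_traces=500, noise_sigma=2.0):
    """Recover one hypothetical key byte from constructed noisy traces."""
    traces = make_traces(key_byte, n_traces, noise_sigma)
    best, ranking = cpa_recover_key_byte(traces)
    return best


if __name__ == "__main__":
    recovered = demo()
    print("recovered key byte: 0x%02X" % recovered)
```

The same loop is run once per key byte to recover the full 128-bit key; the only inputs are the plaintexts (or ciphertexts, with the model moved to the last round) and the aligned leakage samples, which is why trace alignment and demodulation quality dominate the effort in practice.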


Presenters:

  • Giovanni Camurati - PhD Student, EURECOM
    Giovanni Camurati is currently a PhD student in the Software and Systems Security group of EURECOM. He likes to work on interdisciplinary projects involving electronics, computer science and security. Lately he has focused on symbolic execution of firmware and on electromagnetic side-channel attacks. He came to EURECOM for his double degree in Electronic Engineering with Télécom ParisTech (Diplôme d'ingénieur) and Politecnico di Torino (Laurea Magistrale with Honors). In 2014, he obtained his Bachelor's degree with Honors from Politecnico di Torino. Giovanni worked for six months at ARM as an intern in the CPU design team in Sophia-Antipolis. His research there investigated and implemented hardware support for an innovative programming technique in a next-generation multi-core application processor, a wide topic that requires multi-disciplinary and multi-layer knowledge and skills; his master's thesis is based on this work.
  • Marius Muench - PhD Student, EURECOM
    Marius Muench is a PhD student at the Software and Systems Security group of EURECOM in Sophia-Antipolis (France). His main research interest is dynamic binary analysis of binary firmware, aimed at easing vulnerability detection for embedded devices; to this end, he created and maintains the avatar² framework. Besides this, he is interested in any kind of low-level hardware and embedded system and greatly enjoys capturing flags in his spare time.
  • Sebastian Poeplau - PhD Student, EURECOM
    Sebastian Poeplau is a PhD student at EURECOM in Sophia Antipolis, France, working on the security of embedded devices. He received his BSc and MSc degrees in computer science from the University of Bonn, Germany. Before joining the PhD program at EURECOM he was employed at Lastline, a US-based security company, developing their malware analysis system, and at Zalando, a German e-commerce business.
  • Tom Hayes - Researcher, EURECOM
    Tom Hayes is a researcher interested in wireless networks and embedded systems.
  • Aurélien Francillon - Assistant Professor, EURECOM
    Aurélien Francillon is an assistant professor in the Networking and Security department at EURECOM in the System and Software Security group (http://s3.eurecom.fr). Before this he received a PhD degree in 2009 from INRIA and Grenoble INP, then he was a postdoctoral researcher in the System Security Group at ETH Zurich. He is mainly interested in practical aspects of the security of embedded devices. In this context he has worked on topics such as software security, wireless security, hardware support for software security, bug finding techniques as well as on broader security and privacy topics. He has served on many program committees, was program co-chair of CARDIS 2013 and is part of the steering committees of WOOT and CARDIS.
