TEMPEST radio station

Presented at DEF CON 29 (2021), Aug. 7, 2021, 1 p.m. (45 minutes)

TEMPEST is a cyber security term that refers to the use of electromagnetic energy emissions generated by electronic devices to leak data out of a target device. The attacks may be passive (where the attacker receives the emissions and recovers the data) or active (where the attacker uses dedicated malware to target and emit specific data). In this talk I present a new side channel attack that uses GPU memory transfers to emit electromagnetic waves which are then received and processed by the attacker. Software developed for this work encodes audio on one computer and transmits it to the reception equipment positioned fifty feet away. The signals are received and processed and the audio is decoded and played. The maximum bit rate achieved was 33 kbit/s and more than 99% of the packets were received. Frequency selection not only enables maximization of signal quality over distance, but also enables the attacker to receive signals from a specific computer when several computers in the area are active. The software developed demonstrates audio packet transfers, but other types of digital data may be transmitted using the same technique.

REFERENCES:

  • Eck W. "Electromagnetic radiation from video display units: an eavesdropping risk?" Computers and Security, 4, no. 4: 269-286, 1985.
  • Kuhn, M. G., and Anderson, R. J. "Soft Tempest: Hidden Data Transmission Using Electromagnetic Emanations." In Information Hiding (1998), ed. D. Aucsmith, vol. 1525 of Lecture Notes in Computer Science, (Springer): 124-142.
  • Thiele, E., "Tempest for Eliza." 2001. http://www.erikyyy.de/tempest/
  • Kania B., "VGASIG: FM radio transmitter using VGA graphics card." 2009. http://bk.gnarf.org/creativity/vgasig/vgasig.pdf
  • Guri M., Kedma G., Kachlon A., Elovici Y. "AirHopper: Bridging the air-gap between isolated networks and mobile phones using radio frequencies." In Malicious and Unwanted Software: The Americas (MALWARE), 2014 9th International Conference on IEEE, 2014: 58-67.
  • 2pkaqwtuqm2q7djg, "OVERCLOCKING TOOLS FOR NVIDIA GPUS SUCK, I MADE MY OWN". 2015. https://1vwjbxf1wko0yhnr.wordpress.com/2015/08/10/overclocking-tools-for-nvidia-gpus-suck-i-made-my-own/
  • nvapioc project: https://github.com/Demion/nvapioc
  • SDRplay API Specification v3, https://www.sdrplay.com/docs/SDRplay_API_Specification_v3.pdf
  • Simon Rockliff's Reed-Solomon encoding-decoding code at http://www.eccpage.com/rs.c

Presenters:

  • Paz Hameiri - Hacker
    Paz started his professional life 30 years ago, hacking games and developing tools in his teen years. Since then, he has worked in several companies, developing both hardware and software. Paz has six years of experience with telecommunication systems design and circuits. He explored GPU hardware and software design in his Master's thesis. For 12 years, Paz led multidisciplinary systems development as a systems engineer in an international homeland security company. At home, Paz explores ideas he finds interesting. In 2019 he published his work on a body-tracking device that records keystrokes on a safe's keypad. https://il.linkedin.com/in/paz-hameiri-251b11143