Screaming Channels When Electromagnetic Side Channels Meet Radio Transceivers Giovanni Camurati, Sebastian Poeplau, Marius Muench, Tom Hayes, Aurélien Francillon RESSI 15-05-2019
Welcome message from author
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
Screaming Channels
When Electromagnetic Side Channels Meet Radio Transceivers
Giovanni Camurati, Sebastian Poeplau, Marius Muench,
Tom Hayes, Aurélien Francillon
RESSI
15-05-2019
Who are we?
3
System and Software Security Group at EURECOMs3.eurecom.fr
I am a PhD student“on radio side channels”
Side Channels, The Idea
4
TheorySecure lock is impossible to open
Side Channels, The Idea
4
TheorySecure lock is impossible to open
Side Channels, The Idea
4
TheorySecure lock is impossible to open
ImplementationDifferent sound if we make a partial correct guess
Side Channels, The Idea
4
TheorySecure lock is impossible to open
ImplementationDifferent sound if we make a partial correct guess
AttackOpen it with a few attempts
Embedded Devices and Side Channels
5
Secure systems:E-Passport, Smartcard, …
Embedded Devices and Side Channels
5
Secure systems:E-Passport, Smartcard, …
Crypto againststealing, cloning, tampering, …
Embedded Devices and Side Channels
5
Secure systems:E-Passport, Smartcard, …
Crypto againststealing, cloning, tampering, …
Generally protected against attacks which require physical access
Conventional Side Channels
6
Physical activity depends on logic
data
Conventional Side Channels
6
A
Physical activity depends on logic
data
Power (current)
Conventional Side Channels
6
A
B E
Physical activity depends on logic
data
Power (current)
Direct EM
Conventional Side Channels
6
A
B E
CLK
P(f)
𝟔𝟒𝑴𝑯𝒛
Physical activity depends on logic
data
Power (current)
Direct EM
Clock harmonics as carriers
𝟔𝟒𝑴𝑯𝒛
In Practice
7
AES
High correlation (strong leak)
Many Analyses/AttacksSPA, CPA, TPA, …SEMA, CEMA, TEMA, …
CollectionE.g. loop probe + oscilloscope
Many Side Channels Involving EM
8
𝒎𝒎𝒄𝒎
15 cmwall
30 cm1 m
>10 m
Many Side Channels Involving EM
8
𝒎𝒎𝒄𝒎
15 cmwall
30 cm1 m
>10 m
Many Side Channels Involving EM
8
𝒎𝒎𝒄𝒎
15 cmwall
30 cm1 m
>10 m
Many Side Channels Involving EM
8
𝒎𝒎𝒄𝒎
15 cmwall
30 cm1 m
>10 m
Many Side Channels Involving EM
8
𝒎𝒎𝒄𝒎
15 cmwall
30 cm1 m
>10 m
Many Side Channels Involving EM
8
𝒎𝒎𝒄𝒎
15 cmwall
30 cm1 m
>10 m
Many Side Channels Involving EM
8
𝒎𝒎𝒄𝒎
15 cmwall
30 cm1 m
>10 m
Embedded Devices and Side Channels
9
Secure systems:E-Passport, Smartcard, …
Crypto againststealing, cloning, tampering, …
Generally protected against attacks which require physical access
Embedded Devices and Side Channels
9
Secure systems:E-Passport, Smartcard, …
Crypto againststealing, cloning, tampering, …
Generally protected against attacks which require physical access
Connected devices:Smart watch,camera, …
Embedded Devices and Side Channels
9
Secure systems:E-Passport, Smartcard, …
Crypto againststealing, cloning, tampering, …
Generally protected against attacks which require physical access
Connected devices:Smart watch,camera, …
Crypto protects the communication channel
Embedded Devices and Side Channels
9
Secure systems:E-Passport, Smartcard, …
Crypto againststealing, cloning, tampering, …
Generally protected against attacks which require physical access
Connected devices:Smart watch,camera, …
Crypto protects the communication channel
Only remote attacks are considered
Remote Side Channels
10
Remote TimingNon constant time Caches
AES, TLS, …WPA3 (Dragonblood)
EM?Physical accessLocal
11
Problems When Adding Wireless
Capabilities
Implementation: Mixed-signal Chips
Idea:CPU + Crypto + RadioSame chip
12
Implementation: Mixed-signal Chips
Idea:CPU + Crypto + RadioSame chip
Benefits:Low Power, Cheap, SmallEasy to integrate
12
Implementation: Mixed-signal Chips
Idea:CPU + Crypto + RadioSame chip
Benefits:Low Power, Cheap, SmallEasy to integrate
Examples:BT, BLE, WiFi, GPS, etc
12
Issues
13
ReminderTime vs. FrequencyUp-conversion
Issues
13
ReminderTime vs. FrequencyUp-conversion
A(f)
f
a(t)
t
Issues
13
ReminderTime vs. FrequencyUp-conversion
A(f)
f
a(t)
tC(f)
f
c(t)
t
Issues
13
ReminderTime vs. FrequencyUp-conversion
A(f)
f
a(t)
t
R(f)
f
r(t)
t
C(f)
f
c(t)
t
Issues
14
Issues
14
Analog/RFNoise Sensitive
R(f)
f
r(t)
t
Issues
14
Analog/RFNoise Sensitive
R(f)
f
r(t)
t
DigitalNoise resilientNoise Source ft
Issues
14
Analog/RFNoise Sensitive
R(f)
f
r(t)
t
DigitalNoise resilientNoise Source ft
Same ChipNoise Coupling
ft
Issues
14
Analog/RFNoise Sensitive
R(f)
f
r(t)
t
DigitalNoise resilientNoise Source ft
Same ChipNoise Coupling
ft
Careful DesignRadio Still Works
Problems, the global view
15
Mixed-signal chip
Noise sensitivetransmitter
Problems, the global view
15
Mixed-signal chip
Strongnoise
source
Noise sensitivetransmitter
Problems, the global view
15
Mixed-signal chip
Strongnoise
source
Noise sensitivetransmitter
Problems, the global view
15
Mixed-signal chip
Strongnoise
source
Noise sensitivetransmitter
Easy propagation
Screaming Channels
The Idea
16
Screaming Channels Idea
17
Mixed-signal chip
Strongnoise
source
Noise sensitivetransmitter
Easy propagation
𝟔𝟒𝑴𝑯𝒛 𝟐. 𝟒 𝑮𝑯𝒛
P(f)
Screaming Channels Idea
17
Mixed-signal chip
Strongnoise
source
Noise sensitivetransmitter
Easy propagation
𝟔𝟒𝑴𝑯𝒛 𝟐. 𝟒 𝑮𝑯𝒛
P(f)
Screaming Channels Idea
17
Mixed-signal chip
Strongnoise
source
Noise sensitivetransmitter
Easy propagationLeak Propagation
𝟔𝟒𝑴𝑯𝒛 𝟐. 𝟒 𝑮𝑯𝒛
P(f)
Screaming Channels Idea
17
Mixed-signal chip
Strongnoise
source
Noise sensitivetransmitter
Easy propagationLeak Propagation
𝟔𝟒𝑴𝑯𝒛 𝟐. 𝟒 𝑮𝑯𝒛
P(f)
Screaming Channels in Action
Cortex-M4 + BT TX
Antenna + SDR RX
𝟐𝒎
19
Screaming Channels in Action
Cortex-M4 + BT TX
Antenna + SDR RX
𝟐𝒎
Radio Off
Noise
19
Screaming Channels in Action
Cortex-M4 + BT TX
Antenna + SDR RX
𝟐𝒎
Radio Off Radio TX
Noise
19
Packet
Screaming Channels in Action
Cortex-M4 + BT TX
Antenna + SDR RX
𝟐𝒎
Radio Off Radio TX
Noise
19
Packet
Screaming Channels in Action
Cortex-M4 + BT TX
Antenna + SDR RX
𝟐𝒎
Radio Off Radio TX AES On
Noise
19
Packet
Screaming Channels in Action
Cortex-M4 + BT TX
Antenna + SDR RX
𝟐𝒎
Radio Off Radio TX AES On
Noise
AES Starts
19
Packet
Screaming Channels in Action
Cortex-M4 + BT TX
Antenna + SDR RX
𝟐𝒎
Radio Off Radio TX AES On
Noise
AES Starts
Time domain
19
Packet
Quick Demo
FFT
Spectrogram
Demodulated
Center frequency
Quick Demo
Transmit continuous wave
FFT
Spectrogram
Demodulated
Center frequency
Quick Demo
Transmit continuous wave
FFT
Spectrogram
Demodulated
AESCenter frequency
Screaming Channels: Leak Broadcast
22
Alice
Bob
Other remote attacks
Screaming Channels: Leak Broadcast
22
Alice
Bob
Other remote attacks
Screaming Channels: Leak Broadcast
22
Alice
Bob
Other remote attacks
Screaming Channels: Leak Broadcast
22
Alice
Bob
Eve
Other remote attacks
$400 - $3000
Screaming Channels: Leak Broadcast
22
Alice
Bob
Eve
Other remote attacks
$400 - $3000
Screaming Channels: Leak Broadcast
22
Alice
Bob
Eve
Other remote attacks
$400 - $3000
From Digital Noise
To Noise On The Radio Signal
23
Possible Impact on Radio Transmission
Digital:Inherently noisy
Analog:Noise sensitive
Propagation:Substrate couplingPower supply/Gnd
24
Substrate
Digital Analog
Practical Case We Observed
VCO𝟎°
𝟗𝟎°
cos(ω𝑡)
sin(ω𝑡)
𝐺
𝑉𝑠𝑢𝑝𝑝𝑙𝑦
I = 𝐴𝑘cos(𝝋𝒌)
Q = 𝐴𝑘sin(𝝋𝒌)
𝐺𝐴𝑘cos(ω𝑡 + 𝝋𝒌)
26
Practical Case We Observed
VCO𝟎°
𝟗𝟎°
cos(ω𝑡)
sin(ω𝑡)
𝐺
𝑉𝑠𝑢𝑝𝑝𝑙𝑦
I = 𝐴𝑘cos(𝝋𝒌)
Q = 𝐴𝑘sin(𝝋𝒌)
BT (GFSK modulation)
𝐺𝐴𝑘cos(ω𝑡 + 𝝋𝒌)
26
Practical Case We Observed
VCO𝟎°
𝟗𝟎°
cos(ω𝑡)
sin(ω𝑡)
𝐺
𝒏 𝒕 = 𝑨𝑬𝑺 𝒕 𝒄𝒐𝒔(𝝎𝒄𝒍𝒌𝒕)
𝑉𝑠𝑢𝑝𝑝𝑙𝑦
I = 𝐴𝑘cos(𝝋𝒌)
Q = 𝐴𝑘sin(𝝋𝒌)
BT (GFSK modulation)
𝐺𝐴𝑘cos(ω𝑡 + 𝝋𝒌)
26
Practical Case We Observed
VCO𝟎°
𝟗𝟎°
cos(ω𝑡)
sin(ω𝑡)
𝐺
𝒏 𝒕 = 𝑨𝑬𝑺 𝒕 𝒄𝒐𝒔(𝝎𝒄𝒍𝒌𝒕)
𝑉𝑠𝑢𝑝𝑝𝑙𝑦
I = 𝐴𝑘cos(𝝋𝒌)
Q = 𝐴𝑘sin(𝝋𝒌)
BT (GFSK modulation)
𝐺𝐴𝑘cos(ω𝑡 + 𝝋𝒌)
Amplitudemodulation
[1+n(t)]
26
Extraction
27
Quadrature Amplitude Demodulation
𝐺𝐴𝑘2
𝐴ES(t)cos((𝜔+𝜔𝑐𝑙𝑘)t+𝜑𝑘)
28
cos((𝜔+𝜔𝑐𝑙𝑘)𝑡)
−sin((𝜔+𝜔𝑐𝑙𝑘)𝑡)
Quadrature Amplitude Demodulation
𝐺𝐴𝑘2
𝐴ES(t)cos((𝜔+𝜔𝑐𝑙𝑘)t+𝜑𝑘)
28
cos((𝜔+𝜔𝑐𝑙𝑘)𝑡)
−sin((𝜔+𝜔𝑐𝑙𝑘)𝑡)
Quadrature Amplitude Demodulation
𝐼𝑅𝑋2 + 𝑄𝑅𝑋
2𝐺𝐴𝑘4
𝐴𝐸𝑆 𝑡
𝐺𝐴𝑘2
𝐴ES(t)cos((𝜔+𝜔𝑐𝑙𝑘)t+𝜑𝑘)
28
𝒇𝒓𝒆𝒒(𝒕)
𝒕
𝒏𝒐𝒓𝒎𝒂𝒍𝒊𝒛𝒆𝒅𝒂𝒎𝒑𝒍𝒊𝒕𝒖𝒅𝒆(𝒕)
𝒕
Extract(trigger)
𝒇𝒕𝒓𝒊𝒈
Extraction
𝐺𝐴𝑘4
𝐴𝐸𝑆 𝑡
29
𝒇𝒓𝒆𝒒(𝒕)
𝒕
𝒏𝒐𝒓𝒎𝒂𝒍𝒊𝒛𝒆𝒅𝒂𝒎𝒑𝒍𝒊𝒕𝒖𝒅𝒆(𝒕)
𝒕
Extract(trigger)
𝒇𝒕𝒓𝒊𝒈
Extraction
𝐺𝐴𝑘4
𝐴𝐸𝑆 𝑡
29
𝒇𝒓𝒆𝒒(𝒕)
𝒕
𝒏𝒐𝒓𝒎𝒂𝒍𝒊𝒛𝒆𝒅𝒂𝒎𝒑𝒍𝒊𝒕𝒖𝒅𝒆(𝒕)
𝒕
Extract(trigger)
𝒇𝒕𝒓𝒊𝒈
Extraction
𝐺𝐴𝑘4
𝐴𝐸𝑆 𝑡
29
𝒇𝒓𝒆𝒒(𝒕)
𝒕
𝒏𝒐𝒓𝒎𝒂𝒍𝒊𝒛𝒆𝒅𝒂𝒎𝒑𝒍𝒊𝒕𝒖𝒅𝒆(𝒕)
𝒕
Extract(trigger)
𝒇𝒕𝒓𝒊𝒈
𝒕
Align N(cross-corr.)
Extraction
𝐺𝐴𝑘4
𝐴𝐸𝑆 𝑡
29
𝒇𝒓𝒆𝒒(𝒕)
𝒕
𝒏𝒐𝒓𝒎𝒂𝒍𝒊𝒛𝒆𝒅𝒂𝒎𝒑𝒍𝒊𝒕𝒖𝒅𝒆(𝒕)
𝒕
Extract(trigger)
𝒇𝒕𝒓𝒊𝒈
𝒕
Align N(cross-corr.)
Extraction
𝐺𝐴𝑘4
𝐴𝐸𝑆 𝑡
Average N𝒕
29
Attack
30
Attacking
31
Targets:Cortex-M4 + BT TX TinyAES, mbedTLS
Attacking
31
Targets:Cortex-M4 + BT TX TinyAES, mbedTLS
Extraction: Automated via radioKnown plaintext
Attacking
31
Targets:Cortex-M4 + BT TX TinyAES, mbedTLS
Extraction: Automated via radioKnown plaintext
Attacks:Correlation, Template Code based on ChipWhisperer
Attacking
31
Targets:Cortex-M4 + BT TX TinyAES, mbedTLS
Extraction: Automated via radioKnown plaintext
Attacks:Correlation, Template Code based on ChipWhisperer
Much moreadvanced attacksexist
Correlation @ 10m
Radio leak @ 2.528GHz Strong even @ 10m!!
Quick Demo
33
TemplateAttack Traces
Quick Demo
33
TemplateAttack Traces
Attack one byte at a time
Quick Demo
33
TemplateAttack Traces
Attack one byte at a time
SUCCESS!
Evolution of the attack
36
Evolution of the attack
𝑪𝒂𝒃𝒍𝒆
36
Evolution of the attack
𝟏𝟓 𝒄𝒎
𝑪𝒂𝒃𝒍𝒆
36
Evolution of the attack
𝟏𝟓 𝒄𝒎
𝟐𝒎
𝑪𝒂𝒃𝒍𝒆
36
Evolution of the attack
𝟏𝟓 𝒄𝒎
𝟐𝒎
𝟑𝒎𝑪𝒂𝒃𝒍𝒆
36
Evolution of the attack
𝟏𝟓 𝒄𝒎
𝟐𝒎
𝟑𝒎
𝟓𝒎
𝑪𝒂𝒃𝒍𝒆
36
Evolution of the attack
𝟏𝟓 𝒄𝒎
𝟐𝒎
𝟑𝒎
𝟓𝒎
𝟏𝟎𝒎𝑪𝒂𝒃𝒍𝒆
36
Protection
37
Countermeasures
38
Resource constraint devices:Cost, power, time to market, etc.
Countermeasures
38
Resource constraint devices:Cost, power, time to market, etc.
Classic HW/SW:Masking, noise, key refresh (expensive, not complete)
Countermeasures
38
Resource constraint devices:Cost, power, time to market, etc.
Classic HW/SW:Masking, noise, key refresh (expensive, not complete)
Specific (SW):Radio off during sensitive computations (real time constraints)
Countermeasures
38
Resource constraint devices:Cost, power, time to market, etc.
Classic HW/SW:Masking, noise, key refresh (expensive, not complete)
Specific (SW):Radio off during sensitive computations (real time constraints)
Specific (HW):Consider impact of coupling on security during design and test(hard, expensive)
Final remarks
39
Reference to a Similar Effect
40
Tempest Fundamentals [5]From ‘80sDeclassified 2000
Propagation of leaks:
Reference to a Similar Effect
40
Tempest Fundamentals [5]From ‘80sDeclassified 2000
Propagation of leaks:1. Radiation
Reference to a Similar Effect
40
Tempest Fundamentals [5]From ‘80sDeclassified 2000
Propagation of leaks:1. Radiation2. Conduction
Reference to a Similar Effect
40
Tempest Fundamentals [5]From ‘80sDeclassified 2000
Propagation of leaks:1. Radiation2. Conduction
1. Acoustic
Reference to a Similar Effect
40
Tempest Fundamentals [5]From ‘80sDeclassified 2000
Propagation of leaks:1. Radiation2. Conduction3. Modulation of an
intended signal (redacted)
4. Acoustic
Responsible Disclosure
41
Major vendors & multiple CERTS
2 vendors are reproducing our results1 vendor is actively looking at short/long-term countermeasures
Multiple acknowledgements of the relevance and generality of the problem
Conclusion
42
General problem if sensitive processing and wireless tx• HW AES, WiFi, other chips• any device with radio?
Conclusion
42
General problem if sensitive processing and wireless tx• HW AES, WiFi, other chips• any device with radio?
A new point in the threat model space• Remote EM attacks
Conclusion
42
General problem if sensitive processing and wireless tx• HW AES, WiFi, other chips• any device with radio?
A new point in the threat model space• Remote EM attacks
Must be considered• Design and test of new devices• Smart countermeasures (specific)
Conclusion
42
General problem if sensitive processing and wireless tx• HW AES, WiFi, other chips• any device with radio?
A new point in the threat model space• Remote EM attacks
Must be considered• Design and test of new devices• Smart countermeasures (specific)
Many open directions for future research• More distant, less traces• Different crypto and wireless technologies• Attack the protocol
Codehttps://www.github.com/eurecom-s3/screaming_channels
More Info https://s3.eurecom.fr/tools/screaming_channels
Giovanni Camurati
@GioCamurati
43
Acknowledgements
• The authors acknowledge the support of SeCiF project within the
French-German Academy for the Industry of the future, as well as the
support by the DAPCODS/IOTics ANR 2016 project (ANR-16-CE25-
0015).
• We would like to thank the FIT R2lab team from Inria, Sophia
Antipolis, for their help in using the R2lab testbed.
44
References
• [1] Agrawal, Dakshi, et al. “The EM Side-Channel(s)” CHES '02
• [2] Genkin, Daniel, et al. "ECDH key-extraction via low-bandwidth
electromagnetic attacks on PCs." Cryptographers’ Track at the RSA
Conference. Springer, Cham, 2016.
• [3]Tempest attacks against AES: https://www.fox-it.com/en/wp-
content/uploads/sites/11/Tempest_attacks_against_AES.pdf
• [4] Van Eck Phreaking
https://en.wikipedia.org/wiki/Van_Eck_phreaking
• [5] NSA. “NACSIM 5000, Tempest fundamentals.” Technical Report.
1982. Document declassified in 2000 and available at
https://cryptome.org/jya/nacsim-5000/nacsim-5000.htm
45
Third-Party Images
• "nRF51822 - Bluetooth LE SoC : weekend die-shot" - CC-BY–
Modified with annotations. Original by zeptobars
https://zeptobars.com/en/read/nRF51822-Bluetooth-LE-SoC-Cortex-
M0
46
47
Related Documents
![Understanding Screaming Channels - EURECOM · 2021. 1. 8. · 362 UnderstandingScreamingChannels havebeenproposedandusedinliterature(e.g.,[GGJR+11,BCD+13,MOBW13]) forthechoiceofthetwosetstoanalyze.](https://static.cupdf.com/doc/110x72/60aff45028c90b2f0c1b1acd/understanding-screaming-channels-eurecom-2021-1-8-362-understandingscreamingchannels.jpg)
