Revealing the Secrets of Radio Embedded Systems: Extraction of Raw Information via RF

Erez Danieli, Menachem Goldzweig, Moshe Avital, Itamar Levi

Research output: Contribution to journal › Article › peer-review

Abstract

This article discusses the critical issue of remote extraction of information from radio-enabled embedded systems, and focuses on sources emanating at intermediate wavelengths: intra-chip or inter-device buses and board-level routing traces, located within tens of centimeters of the system's transmission antenna or front end (FE). Traditionally, side-channel analysis (SCA) attacks center on micrometer-level signals that emanate direct near-field information, detectable within centimeters; simple power analysis (SPA) attacks target the same sources but rely on stronger signals and fewer statistics. Here, however, we turn to typically larger elements, corresponding to larger wavelengths than previously reported. Recent discoveries reveal that radio-enabled systems can transmit data over far-field distances, which can then be analyzed via SCA-like methods. Other studies have described direct data extraction from centimeter- to tens-of-centimeters-scale sources such as SATA, USB, and similar interconnects, which act as substantial transmission antennas. This article differs considerably from these works, since it targets the intermediate wavelengths that find their way into the RF-FE. We document a significant security challenge: nearly all signals within embedded systems, including serial ports, DMA-controlled memory accesses, and others, leak what is practically raw information, with high SNR, over tens of centimeters into the RF-FE. This has strong implications for signal integrity, for security, and for standards related to electromagnetic compatibility (EMC), signal shielding, and interference (EMI, RFI). We show that onboard signals both with and without a galvanic connection to the RF-FE chip are coupled into it, amplified, and transmitted with high SNR, which enables quasi-raw extraction.
We further demonstrate how sophisticated adversaries can build code-injection gadgets that carry sensitive data and modulate the stream so that it is optimally extracted over the RF channel. Practical demonstrations using commercial, low-cost equipment reinforce our claims. Specifically, we show that without concrete interference and isolation standards designed with security in mind, mitigating these leakages remains a challenge.
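The abstract's "code-injection gadget that modulates the stream to be optimally extracted by the RF channel" is an exfiltration modulator: the gadget does not need the radio's software at all, it only needs to drive an onboard line at a rate the RF front end will pass. The following is an added, self-contained example (not the authors' code, and not their measured setup) that makes the idea concrete: the gadget toggles a GPIO/bus line at one of two rates (binary FSK, 40 kHz for a 1 bit, 20 kHz for a 0 bit), the coupling into the RF-FE is modelled as an attenuated, AC-coupled copy of the line plus Gaussian noise, and the receiver locates the frame with a known preamble and decides each bit by comparing Goertzel tone power at the two rates. The sample rate, tone rates, symbol length, preamble and fixed frame length are all assumptions chosen for the toy, and the "capture" is constructed in code rather than recorded.

```python
"""Leakage-modulation toy for the code-injection gadget described in the abstract.

Constructed example, not the authors' code.  A gadget that has stolen a few bytes
toggles a GPIO/bus line at one of two rates (binary FSK): F1 for a 1 bit, F0 for
a 0 bit.  The RF front end is modelled as an AC-coupled, attenuated, noisy copy
of that line.  The receiver finds the frame with a known preamble and decides
each bit by comparing Goertzel tone power at F1 against F0.  All rates, the
preamble and the fixed frame length are assumptions chosen for the toy.
"""
import math
import random

FS = 400_000                   # simulated capture sample rate (Hz), assumed
SYMBOL_S = 0.002               # seconds per transmitted bit, assumed
F0, F1 = 20_000, 40_000        # toggle rates for bit 0 / bit 1 (Hz), assumed
PREAMBLE = [1, 0, 1, 0, 1, 0, 1, 1]   # frame-sync pattern, assumed
SYMBOL_N = int(FS * SYMBOL_S)         # samples per bit (800)


def bits_of(data: bytes) -> list:
    """MSB-first bit list of a byte string."""
    return [(b >> i) & 1 for b in data for i in range(7, -1, -1)]


def bytes_of(bits: list) -> bytes:
    """Inverse of bits_of; a trailing partial byte is dropped."""
    return bytes(int("".join(map(str, bits[i:i + 8])), 2)
                 for i in range(0, len(bits) - 7, 8))


def gadget_waveform(secret: bytes) -> list:
    """Line voltage (0/1) the gadget produces: preamble + data, one tone per bit."""
    wave = []
    for bit in PREAMBLE + bits_of(secret):
        half_period = FS / (2 * (F1 if bit else F0))   # samples per half toggle
        wave.extend(1.0 if int(i // half_period) % 2 == 0 else 0.0
                    for i in range(SYMBOL_N))
    return wave


def rf_channel(wave: list, gain=0.1, noise_std=0.1, lead=330, tail=2400, seed=7) -> list:
    """Model of coupling into the RF-FE: AC-coupled, attenuated line signal plus
    additive Gaussian noise, with idle (noise-only) samples before and after."""
    rng = random.Random(seed)

    def noise() -> float:
        return rng.gauss(0.0, noise_std)

    return ([noise() for _ in range(lead)]
            + [gain * (v - 0.5) + noise() for v in wave]
            + [noise() for _ in range(tail)])


def goertzel_power(x: list, freq: float) -> float:
    """|X_k|^2 at the DFT bin nearest freq for segment x (Goertzel recurrence)."""
    n = len(x)
    k = int(0.5 + n * freq / FS)
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s1 = s2 = 0.0
    for v in x:
        s0 = v + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def recover(capture: list, nbytes: int) -> bytes:
    """Locate the frame via the preamble, then demodulate nbytes of payload."""
    step = SYMBOL_N // 4            # quarter-symbol search grid
    per_sym = 4                     # grid points per symbol
    # D[j]: tone discriminant (power at F1 minus power at F0) for the
    # symbol-length window starting at sample j*step.
    D = [goertzel_power(capture[j:j + SYMBOL_N], F1)
         - goertzel_power(capture[j:j + SYMBOL_N], F0)
         for j in range(0, len(capture) - SYMBOL_N + 1, step)]
    nsym = len(PREAMBLE) + 8 * nbytes
    best, best_score = 0, -math.inf
    for s in range(len(D) - per_sym * (nsym - 1)):
        # correlate the discriminant sequence with the expected preamble signs
        score = sum(D[s + per_sym * i] * (1 if b else -1)
                    for i, b in enumerate(PREAMBLE))
        if score > best_score:
            best, best_score = s, score
    bits = [1 if D[best + per_sym * i] > 0 else 0 for i in range(nsym)]
    return bytes_of(bits[len(PREAMBLE):])


def demo(secret: bytes = b"k3y!") -> bytes:
    """End to end: gadget toggles the line, RF-FE couples it, receiver recovers it."""
    return recover(rf_channel(gadget_waveform(secret)), len(secret))


if __name__ == "__main__":
    print(demo())
```

Two design points carry over to real hardware. First, the receiver never needs a threshold: comparing power at F1 against F0 in the same window is self-calibrating, so the unknown coupling gain of the board does not matter, which is why a leaked bus line can be read "quasi-raw" without characterising the channel. Second, the tone rates are chosen so that neither square wave's harmonics fall on the other tone (20 kHz has energy at 20, 60, 100 kHz; 40 kHz at 40, 120 kHz); a real gadget would instead pick toggle rates whose energy lands in the transceiver's passband, which is the "spectral modulation" the abstract refers to.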

Original language: English
Pages (from-to): 2066-2081
Number of pages: 16
Journal: IEEE Transactions on Information Forensics and Security
Volume: 19
DOIs
State: Published - 2024

Bibliographical note

Publisher Copyright:
© 2005-2012 IEEE.

Funding

The work of Itamar Levi was supported in part by the Israel Innovation Authority (IIA), in part by the Bio-Chip Consortium under Grant 75696, in part by the Israel Ministry of Defense Directorate of Defense Research and Development (IMOD DDR&D), in part by the Research Program under Grant 4441189902, and in part by the Israel Science Foundation (ISF) under Grant 2569/21.

Funders and funder numbers:
Israel Ministry of Defense Directorate of Defense Research and Development: 4441189902
Bio-Chip Consortium: 75696
Israel Science Foundation: 2569/21
Israel Innovation Authority

    Keywords

    • Code injection
    • FLASH
    • JTAG
    • NFC
    • RF
    • SCA
    • SPI
    • leakage modulation
    • memory
    • radio transceivers
    • serial
    • side-channel attacks
    • sniffing
    • spectral modulation
    • spectrum
