Screaming Channels: When Electromagnetic Side Channels Meet Radio Transceivers (Black Hat Conference 2018)

The drive for ever smaller and cheaper components in microelectronics has popularized so-called "mixed-signal circuits," in which analog and digital circuitry reside on the same silicon die. A typical example is a WiFi chip that includes a microcontroller (digital logic), where crypto and protocols are implemented, together with the radio transceiver (analog logic). The special challenge of such designs is to separate the "noisy" digital circuits from the sensitive analog side of the system.

In this talk, we show that although the isolation of digital and analog components is sufficient for those chips to work, it is often insufficient for them to be used securely. This leads to novel side-channel attacks that can break cryptography implemented in mixed-design chips over potentially large distances. This matters because the encryption of wireless communications is essential to widely used wireless technologies, such as WiFi or Bluetooth, in which mixed-design circuits are prevalent on consumer devices.

The key observation is that in mixed-design radio chips the processor's activity leaks into the analog portion of the chip, where it is amplified, up-converted and broadcast as part of the regular radio output. While this resembles electromagnetic (EM) side-channel attacks, which can be mounted only in close proximity (millimeters, and in a few cases a few meters), we show that it is possible to recover the original leaked signal over large distances on the radio. As a result, variations of known side-channel analysis techniques can be applied, effectively allowing us to retrieve the encryption key by just listening on the air with a software-defined radio (SDR).
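The following is an added example, not code from the talk or its authors: a toy model of the leakage path described above (digital switching activity amplitude-modulating the transmitted carrier), together with a known-key leakage assessment a chip or firmware team could run on captured radio bursts. The intermediate value (input XOR key byte), the key byte 0x2B, the modulation depth and the noise level are all constructed assumptions; `leak_gain = 0.0` models a design whose digital and analog sides are actually isolated.

```python
import math
import random

def hamming_weight(x):
    """Number of set bits in a byte: a common model of digital switching activity."""
    return bin(x & 0xFF).count("1")

def radio_trace(activity, leak_gain, n=64, carrier=8.0, noise=0.5):
    """Constructed leakage model: the processor's switching activity couples into
    the analog front end and amplitude-modulates the carrier that is broadcast.
    leak_gain = 0.0 stands for a chip whose digital and analog parts are isolated."""
    amplitude = 1.0 + leak_gain * activity
    return [amplitude * math.cos(2 * math.pi * carrier * t / n) + random.gauss(0, noise)
            for t in range(n)]

def envelope(samples):
    """Non-coherent demodulation of the received burst: mean absolute amplitude."""
    return sum(abs(s) for s in samples) / len(samples)

def pearson(xs, ys):
    """Pearson correlation coefficient of two equal-length sequences."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = math.sqrt(sum((x - mx) ** 2 for x in xs))
    vy = math.sqrt(sum((y - my) ** 2 for y in ys))
    return cov / (vx * vy) if vx and vy else 0.0

def leakage_assessment(key_byte, leak_gain=0.1, n_traces=300, seed=1):
    """Known-key leakage test on the radio output. Records one burst per random
    input, demodulates it, and correlates the envelope with the Hamming weight of
    the intermediate (input XOR key) the firmware processes. Returns (r, threshold);
    |r| above the threshold means processor activity is visible on the air."""
    random.seed(seed)  # constructed, deterministic data set
    inputs = [random.randrange(256) for _ in range(n_traces)]
    predicted = [hamming_weight(p ^ key_byte) for p in inputs]
    observed = [envelope(radio_trace(hw, leak_gain)) for hw in predicted]
    # roughly a 4-sigma bound on the correlation of n_traces uncorrelated samples
    threshold = 4.0 / math.sqrt(n_traces)
    return pearson(predicted, observed), threshold

if __name__ == "__main__":
    for gain in (0.1, 0.0):
        r, thr = leakage_assessment(0x2B, leak_gain=gain)
        verdict = "LEAKS" if abs(r) > thr else "no leak detected"
        print(f"leak_gain={gain}: |r|={abs(r):.3f} threshold={thr:.3f} -> {verdict}")
```

On real hardware the bursts would come from an SDR capture aligned to the crypto operation, and the same correlation against a known intermediate tells you whether the transmitter needs better isolation before the key-recovery variants the talk describes become practical.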


Aurélien Francillon

Aurélien Francillon is an assistant professor in the Networking and Security department at EURECOM in the System and Software Security group. Before this he received a PhD degree in 2009 from INRIA and Grenoble INP, then he was a postdoctoral researcher in the System Security Group at ETH Zurich. He is mainly interested in practical aspects of the security of embedded devices. In this context he has worked on topics such as software security, wireless security, hardware support for software security and bug-finding techniques, as well as on broader security and privacy topics. He has served on many program committees, was program co-chair of CARDIS 2013 and is part of the steering committees of WOOT and CARDIS.

Giovanni Camurati

Giovanni Camurati is currently a PhD student in the Software and Systems Security group of EURECOM. He likes to work on interdisciplinary projects involving electronics, computer science and security. Lately he has focused on symbolic execution of firmware and on electromagnetic side-channel attacks. He has been at EURECOM for his double degree in Electronic Engineering with Télécom-ParisTech (Diplôme d'ingénieur) and Politecnico di Torino (Laurea Magistrale with Honors). In 2014, he obtained his Bachelor's degree with Honors from Politecnico di Torino. Giovanni worked for six months at ARM as an intern in the CPU design team in Sophia-Antipolis. His research there aimed at investigating and implementing hardware support for an innovative programming technique in a next-generation multi-core application processor, a wide topic requiring multi-disciplinary and multi-layer knowledge and skills. His master's thesis is based on this work.

Marius Muench

Marius Muench is a PhD student at the Software and Systems Security group of EURECOM in Sophia-Antipolis (France). His main research interest is dynamic binary analysis techniques for binary firmware, in order to ease vulnerability detection for embedded devices. To ease this task, he created and maintains the avatar² framework. Besides this, he is interested in any kind of low-level hardware and embedded system and greatly enjoys capturing flags in his spare time.

Sebastian Poeplau

Sebastian Poeplau is a PhD student at EURECOM in Sophia Antipolis, France, working on the security of embedded devices. He received his BSc and MSc degrees in computer science from the University of Bonn, Germany. Before joining the PhD program at EURECOM he was employed at Lastline, a US-based security company, developing their malware analysis system, and at Zalando, a German e-commerce business.

Tom Hayes

Tom Hayes is a researcher interested in wireless networks and embedded systems.

(Source: Black Hat USA 2018, Las Vegas)
