noise floor
TRANSCRIPT
NOISE FLOORMelissa Elliott / 0xABAD1DEA
exploring the world of unintentional radio emissions
spoilers: every electronic device you own is screaming its name into the infinite
void
shield your eyes, the color scheme is about to change
IT'S PRONOUNCED A BAD IDEABinary analysis researcher at Veracode
accused of destroying infosec
What are we learning about in this talk?
How to evaluate our own devices for compromising radio emissions using
simple and cheap equipment!
Radio emissions?
Electronics naturally generate radio interference. It can leak information about the machine’s state
ZOMG IT HAS USB DOES IT RUN ON LINUX
Yes.
and OSX and Windows.
THE SCRIPT KIDDIE OF RADIOSRadio engineering expertise? Don't need
it.
You need ten dollars and a working computer.
Heck, even a Raspberry Pi will do.
There's python bindings.
IT'S REALLY EASY.
WHAT ARE WE DOING?We're using extremely cheap USB SDR
(software defined radio) dongles, intended for receiving television broadcasts, to pick up emissions from YOUR electronics (or your neighbor’s) to evaluate risk
The chipset is called Realtek RTL2832U and the dongles are sold under various brands, usually labeled as DVB-T.
WHAT ARE WE DOING?
Everyone who just giggled at the word "dongle" is uninvited from the secret club.
Nope, sorry, too late. No take-backs.
PAL female connector
Elonics E4000 - this one is really good
FC0013B - not as good but I got a crate of ten of them for $100! Including antennas and a CD I wouldn't dare install.
You can get ANYTHING on Ali Express!Even HUMAN HAIR. And radios.
WHY ARE WE DOING IT?Well for starters, I bet the NSA is.
http://www.guardian.co.uk/world/interactive/2013/jun/20/exhibit-b-nsa-procedures-document
WHY ARE WE DOING IT?Ever hear of TEMPEST? Van Eck
phreaking? That stuff’s real. It’s not just for CRT screens. “Compromising
Electromagnetic Emanations of Wired and Wireless Keyboards” by Martin Vuagnoux and Sylvain Pasini, 2009
http://infoscience.epfl.ch/record/140523/files/VP09.pdf
Intercept ALL the keyboards!
WHY ARE WE DOING IT?You deserve to know what other people
can determine about your computers
You need to know how to test if your mitigations are effective
It's the most fun you can have with a $10 radio and not get arrested*
* maybe
IS IT LEGAL?Yes, no, maybe so? Laws regarding radio
receivers vary vastly and are an utter quagmire.
BUT – it turns out that simply receiving is mostly passive-ish. Unlike that messy transmitter business.
Nonetheless, I would never, ever advocate carelessly flouting your local laws. Ever.
IS IT LEGAL?
"Scanning receivers and frequency converters designed or marketed for use with scanning receivers... shall be incapable of bla bla bla look don't tune into cell phone stuff okay"
(that's a quote)http://www.gpo.gov/fdsys/pkg/CFR-2010-title47-vol1/xml/CFR-2010-title47-vol1-sec15-121.xml
IS IT LEGAL?
Breaking the law could be as easy as...
(But no-one has ever gone to jail for incrementing an integer.)
WHAT GOT ME WORRIED ABOUT THIS?
I managed to go most of my life not knowing that my electronics were generating radio noise, until I had an opportunity to play with...
at NRAO in West Virginia
GREEN BANK GREAT BIG TELESCOPE
WHAT GOT ME WORRIED ABOUT THIS?
Okay, so they only let me use the old 40-foot dish. That's still bigger than yours.
http://en.wikipedia.org/wiki/File:GBT.png
WHAT GOT ME WORRIED ABOUT THIS?
What I learned at NRAO is that the very electronics they use to study the stars in the radio spectrum are an obstacle for them.
Because they are all. so. NOISY.
This is my friend, "$50 netbook from China with no shielding whatsoever"
let's not discuss how that USB port caught fire.
LET'S GET DANGEROUS
I'll show you the following slides live, but I gotta put it in as screenshots in case the pink laptop catches fire again between now and then.
Demo demons, you know.
an innocent, unsuspecting FM music station at 99.5mhz
(there is always a false spike at the center of the currently viewed region with these cheap SDRs)
after the netbook is powered on...
spikes ahoy!!!
moving the antenna, it blows the radio station out of the sky
Accounting for jitter, the spikes are between 32 and 33 khz apart
which reminds me of...
for those in the back... it says 32.768 khzhttp://en.wikipedia.org/wiki/Real-time_clock
MAGIC HAPPENS HEREWhere do we look for compromising
emissions?
Guess work, poking around, and randomly adding seemingly related numbers together.
Let’s look at a stunning success.
MAGIC HAPPENS HEREThe screen on the Terrible Laptop is 800 x
480. Pixels are 3 bytes of 8 bits (24 bpp). There's a ribbon cable inside.
800 x 480 x 24 = 9216000 hz (9.2 Mhz), below our SDR's range :(
But there's another factor... the refresh rate
MAGIC HAPPENS HEREI don't actually know the refresh rate.
800 x 480 x 24 x 60 = 552960000 (553 Mhz)
800 x 480 x 24 x 75 = 691200000 (691.2 Mhz)
Those are the probable bounds to look for the leaked signal of the LCD
Just a shade over 70FPS...
the word you're looking for is BINGO
THIS IS TERRIBLE HOW DID THIS HAPPENWe are seeing signal transitions from the
cable feeding to the screen. The more uniform the screen, the quieter the signal. It goes crazy when we look at complicated pictures.
THIS IS TERRIBLE HOW DID THIS HAPPENUnfortunately, my dongle’s sample rate
seems to be too low to recover the screen. Or I’m just bad at it. But this is getting close! There WAS a checkerboard pattern on the screen.
I KNOW YOU’RE LISTENINGHey NSA I pay my taxes. Send me your
algorithms for this!
HOW BAD DOES IT GET• Screens – sometimes even when
they’re off• Touchscreen capacitive fields• Physical button presses• The color of status LEDs• Microphones• Hard drive activity• RAM• So actually just everything
1600MHz dual-channel laptop RAM visible at (1600/2) = 800Mhz
Splorts caused by loading Chrome with a zillion tabs on my Macbook Air - visible across a wide chunk of bandwidth
Here is a wireless mic leaking all over the place. I would like to note that there was informed consent...
Spikes from my iPhone connecting to Twitter over 3G
My phone contacting Verizon over 3G
IT GETS PRETTY BADTypes of devices can be profiled and
detected. They can be seen through walls and tracked through 3D space. They’re radio transmitters.
Distinguishing idle and active states is trivial. A sophisticated adversary may be able to distinguish very finely between different possible active states.
IT GETS PRETTY BADThings I am carrying in my pockets and
my bag: iPhone 4S, Nexus 7, Nintendo 3DS, Macbook Air
Could an adversary with knowledge of my preferred toys and proper equipment pinpoint me in a crowd? YES.
Even if I turn off wifi and bluetooth.
IT GETS PRETTY BADReal-world example (uses wifi)
http://www.nytimes.com/2013/07/15/business/attention-shopper-stores-are-tracking-your-cell.html?pagewanted=all&_r=0
WHAT CAN YOU DOThis is why the spooky types say to
remove batteries COMPLETELY (oh wait all four of those devices have integrated batteries)
Store devices in faraday shielding wrappers - aka “booster bags”
Grocery store tinfoil is not very effective - takes a mountain of the stuff
WHAT CAN YOU DOHaving a private talk? Put all personal
devices in the microwave oven (you should probably not run it) and close the door.
My personal tests show that it is not 100% effective but it makes a dramatic difference
Snipping off the power cable may improve its faraday cage properties.
WHAT CAN YOU DOIf you must run a power or data cable
OUT of a faraday cage - keep the length AS SHORT AS POSSIBLE. It functions as an antenna
My first attempt at faraday cage testing was foiled by six feet of “shielded” USB cable on the OUTSIDE of the microwave door.
BE PROACTIVEYou can use even the cheapest SDRs to
evaluate your risk or to scan your area for electronics others may be using to record you without your consent.
In the process you will learn more than you ever wanted to know about the radio signals that surround you every day outside of AM and FM radio stations!
device inside microwave oven with SDR dongle and antenna- USB cable kept to minimum length outside of microwave
BE PROACTIVEWindows: use SDR#
OSX and Linux: use GQRX
Or write command-line utilities with the rtl-sdr library and the pretty radical Python bindings
These links are on the CD
BE PROACTIVEThe US government has its own
standards for being resistant to this kind of attack - you can find them linked from the TEMPEST Wikipedia page http://en.wikipedia.org/wiki/TEMPEST
Correlated emissions are bad. The government knows this and so should you.
Ask your landlady about copper shielding! :)
Well I’ll never feel safe again
Now you know why all security researchers are a bit twitchy
Hey... I can pick up the police radio from here... it isn’t encrypted
Viva Las Vegas.
@0xabad1deathat’s a zero, x, and oneI need more followers than my hex nemesis @0xcharlie