Electromagnetic Sniffing Research

Wednesday, September 21, 2016 @ 04:09 PM gHale


MWR Labs, the research and development platform of MWR InfoSecurity, took the first steps toward a non-intrusive method of obtaining and re-creating a storage device’s data which is unavoidably leaked through electromagnetic (EM) radiation.

Near-field analysis, performed to infer (or ‘sniff’) data transferred internally within a device, confirmed that systems regarded as resilient, such as 4G and similar, are far more vulnerable to attack than was previously thought.

Attackers are increasingly gaining access to the sophisticated hardware needed for such an attack, giving them access to (unencrypted) data at a lower level than ever before.

“All cryptographic operations within modern data processing and storage devices are physical processes where data elements must be represented by physical quantities in physical structures such as gates and transmission lines,” said Piotr Osuch, Information Security Researcher of MWR Labs. “These physical quantities and structures must necessarily have a time- and spatial-extent. As a result, a finite amount of energy must be transmitted during operation, necessarily giving rise to an EM field. The result is an unavoidable leakage of secret information.

“This [MWR Labs] research has formalized our near-field EM analysis methodology, allowing for the non-intrusive sniffing of data at a low abstraction level, and giving security researchers a view of a device’s data transmission under test. At this low level, various security measures are often not yet in place, such as data encryption which is usually done at a later, higher-abstraction stage of the process. If no provision has been made to sufficiently reduce this leaked EM field, then a near-field EM analysis will uncover, at least partially, any secret information being transmitted, allowing organizations to identify where defensive action needs to be taken.

“The hardware required to perform the aforementioned is no longer only accessible to research or government institutes with large budgets but can be afforded by the average fraudster. As a result, there has been a surge in both the sophistication and frequency of EM side-channel attacks, successfully employed to sniff secret information in underlying hardware.

“The additional introspection made possible with this technique allows for more sophisticated attacks, which were previously not possible due to limited output nodes made available via traditional channels. The [MWR Labs] research continues with the aim to add another two degrees of freedom and thus to transform the problem into a four- or five-dimensional vector space by incorporating electronically steerable two-dimensional spatial filtering with resolution of roughly 100 microns. This will allow us to extract data non-intrusively from individual data lines in modern devices.”
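The quoted passages describe leakage that a near-field probe can pick up and the need to check whether it has been sufficiently reduced. As an added example, not MWR Labs' code or methodology, the block below runs a fixed-versus-random leakage assessment (Welch's t-test, the TVLA approach, with the conventional |t| > 4.5 threshold) over constructed probe traces, so a defender can compare an unshielded line against one whose leakage has been attenuated. The traces, the Hamming-weight leakage model and the gain/noise values are assumptions made for the simulation.

```python
import random
import statistics

T_THRESHOLD = 4.5  # conventional TVLA significance threshold for |t|


def hamming_weight(x):
    return bin(x).count("1")


def simulate_trace(byte_value, leak_gain, noise_sigma, rng, n_samples=8, leak_idx=3):
    """Constructed near-field trace: Gaussian probe noise on every sample, plus a
    term proportional to the Hamming weight of the byte on the data line at the
    sample where that transfer happens (assumed leakage model, not measured data)."""
    trace = [rng.gauss(0.0, noise_sigma) for _ in range(n_samples)]
    trace[leak_idx] += leak_gain * hamming_weight(byte_value)
    return trace


def welch_t(a, b):
    """Welch's t-statistic between two independent sample groups."""
    ma, mb = statistics.fmean(a), statistics.fmean(b)
    va, vb = statistics.variance(a), statistics.variance(b)
    return (ma - mb) / ((va / len(a) + vb / len(b)) ** 0.5)


def leakage_assessment(leak_gain, noise_sigma=1.0, n_traces=500, seed=1):
    """Fixed-vs-random test: one group always transfers 0x00, the other random
    bytes. Returns the per-sample t-values and the indices flagged as leaking."""
    rng = random.Random(seed)
    fixed = [simulate_trace(0x00, leak_gain, noise_sigma, rng) for _ in range(n_traces)]
    rand = [simulate_trace(rng.randrange(256), leak_gain, noise_sigma, rng)
            for _ in range(n_traces)]
    n_samples = len(fixed[0])
    t_values = [welch_t([tr[i] for tr in fixed], [tr[i] for tr in rand])
                for i in range(n_samples)]
    leaky = [i for i, t in enumerate(t_values) if abs(t) > T_THRESHOLD]
    return t_values, leaky


if __name__ == "__main__":
    # Unshielded line (gain 1.0) versus a line whose EM leakage has been cut 100x.
    for gain in (1.0, 0.01):
        t_vals, flagged = leakage_assessment(leak_gain=gain)
        print(f"gain={gain}: flagged samples={flagged}, t at data sample={t_vals[3]:.1f}")
```

With the unshielded gain the data-carrying sample is flagged with a t-value far above the threshold; after the 100x attenuation it falls well below it, which is the kind of before/after check the text says lets an organisation decide where defensive action is needed.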

Click here to download the full research published by MWR Labs.