
NOISE FLOOR

Melissa Elliott / 0xABAD1DEA

exploring the world of unintentional radio emissions

spoilers: every electronic device you own is screaming its name into the infinite void

shield your eyes, the color scheme is about to change

IT'S PRONOUNCED A BAD IDEA


Binary analysis researcher at Veracode

accused of destroying infosec

What are we learning about in this talk?

How to evaluate our own devices for compromising radio emissions using simple and cheap equipment!

Radio emissions?

Electronics naturally generate radio interference. It can leak information about the machine's state.

ZOMG IT HAS USB DOES IT RUN ON LINUX

Yes.

and OSX and Windows.

THE SCRIPT KIDDIE OF RADIOS


Radio engineering expertise? Don't need it. You need ten dollars and a working computer. Heck, even a Raspberry Pi will do.

There are Python bindings.


IT'S REALLY EASY.

WHAT ARE WE DOING?


We're using extremely cheap USB SDR (software defined radio) dongles, intended for receiving television broadcasts, to pick up emissions from YOUR electronics (or your neighbors') to evaluate risk. The chipset is called Realtek RTL2832U and the dongles are sold under various brands, usually labeled as DVB-T.

WHAT ARE WE DOING?

Everyone who just giggled at the word "dongle" is uninvited from the secret club. Nope, sorry, too late. No take-backs.

Elonics E4000 - this one is really good

FC0013B - not as good, but I got a crate of ten of them for $100! Including antennas and a CD I wouldn't dare install.

PAL female connector

You can get ANYTHING on Ali Express! Even HUMAN HAIR. And radios.

WHY ARE WE DOING IT?


Well for starters, I bet the NSA is.

http://www.guardian.co.uk/world/interactive/2013/jun/20/exhibit-b-nsa-procedures-document

WHY ARE WE DOING IT?


Ever hear of TEMPEST? Van Eck phreaking? That stuff's real. It's not just for CRT screens.

Compromising Electromagnetic Emanations of Wired and Wireless Keyboards by Martin Vuagnoux and Sylvain Pasini, 2009
http://infoscience.epfl.ch/record/140523/files/VP09.pdf

Intercept ALL the keyboards!

WHY ARE WE DOING IT?


You deserve to know what other people can determine about your computers

You need to know how to test if your mitigations are effective

It's the most fun you can have with a $10 radio and not get arrested*

IS IT LEGAL?
Yes, no, maybe so? Laws regarding radio receivers vary vastly and are an utter quagmire.

BUT it turns out that simply receiving is mostly passive-ish. Unlike that messy transmitter business.
Nonetheless, I would never, ever advocate carelessly flouting your local laws. Ever.

IS IT LEGAL?

"Scanning receivers and frequency converters designed or marketed for use with scanning receivers... shall be incapable of bla bla bla look don't tune into cell phone stuff okay"

(that's a quote)
http://www.gpo.gov/fdsys/pkg/CFR-2010-title47-vol1/xml/CFR-2010-title47vol1-sec15-121.xml

IS IT LEGAL?

Breaking the law could be as easy as...

WHAT GOT ME WORRIED ABOUT THIS?


I managed to go most of my life not knowing that my electronics were generating radio noise, until I had an opportunity to play with...

GREEN BANK GREAT BIG TELESCOPE

at NRAO in West Virginia

WHAT GOT ME WORRIED ABOUT THIS?


Okay, so they only let me use the old 40-foot dish. That's still bigger than yours.
http://en.wikipedia.org/wiki/File:GBT.png

WHAT GOT ME WORRIED ABOUT THIS?


What I learned at NRAO is that the very electronics they use to study the stars in the radio spectrum are an obstacle for them. Because they are all. so. NOISY.

let's not discuss how that USB port caught fire.

LET'S GET DANGEROUS

I'll show you the following slides live, but I gotta put it in as screenshots in case the pink laptop catches fire again between now and then. Demo demons, you know.

an innocent, unsuspecting FM music station at 99.5 MHz

(there is always a false spike at the center of the currently viewed region with these cheap SDRs)

after the netbook is powered on...

spikes ahoy!!!

moving the antenna, it blows the radio station out of the sky

Accounting for jitter, the spikes are between 32 and 33 kHz apart

which reminds me of...

for those in the back... it says 32.768 kHz


http://en.wikipedia.org/wiki/Real-time_clock

MAGIC HAPPENS HERE


Where do we look for compromising emissions? Guesswork, poking around, and randomly adding seemingly related numbers together. Let's look at a stunning success.

MAGIC HAPPENS HERE


The screen on the Terrible Laptop is 800 x 480. Pixels are 3 bytes of 8 bits (24 bpp). There's a ribbon cable inside.

800 x 480 x 24 = 9216000 Hz (9.2 MHz), below our SDR's range :(


But there's another factor... the refresh rate

MAGIC HAPPENS HERE


I don't actually know the refresh rate.

800 x 480 x 24 x 60 = 552960000 (553 MHz)

800 x 480 x 24 x 75 = 691200000 (691.2 MHz)

Those are the probable bounds to look for the leaked signal of the LCD

Just a shade over 70FPS...

the word you're looking for is BINGO
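The "multiply the seemingly related numbers" step above, as an added example that is not part of the original slides: a small frequency-planning helper that generalizes the deck's 800 x 480 x 24 bpp arithmetic to any panel, lists which harmonics of a too-low fundamental would fold up into a tuner's range, and runs the inverse (observed peak back to refresh rate). The tuner range is an assumption (24 MHz to 1766 MHz, a commonly quoted figure for R820T-based RTL2832U dongles; the deck's E4000 and FC0013 tuners cover different ranges), and 60 to 75 Hz as the refresh bounds is just the deck's own guess.

```python
"""Frequency planning for LCD ribbon-cable emissions (added example, not from the slides)."""

# Assumed tuner range: 24 MHz .. 1766 MHz (typical R820T figure; not the deck's tuners).
TUNER_LO_HZ = 24_000_000
TUNER_HI_HZ = 1_766_000_000


def pixel_clock_hz(width, height, bits_per_pixel, refresh_hz):
    """Serialized bit rate on the panel cable: width x height x bpp x refresh."""
    return width * height * bits_per_pixel * refresh_hz


def candidate_band(width, height, bits_per_pixel, refresh_lo_hz=60, refresh_hi_hz=75):
    """The deck's 'probable bounds': the bit-rate at the lowest and highest plausible refresh."""
    return (pixel_clock_hz(width, height, bits_per_pixel, refresh_lo_hz),
            pixel_clock_hz(width, height, bits_per_pixel, refresh_hi_hz))


def infer_refresh_hz(observed_hz, width, height, bits_per_pixel, harmonic=1):
    """Inverse step: given a peak you found, which refresh rate (and harmonic) explains it?"""
    return observed_hz / (width * height * bits_per_pixel * harmonic)


def harmonics_in_range(fundamental_hz, lo_hz=TUNER_LO_HZ, hi_hz=TUNER_HI_HZ, max_harmonic=16):
    """Harmonics n*f0 (n = 1..max_harmonic) that land inside the tuner's range.

    A fundamental below the tuner's floor (the deck's 9.2 MHz case) can still show up
    as an upper harmonic, so these are the next places worth tuning to.
    """
    return [n * fundamental_hz
            for n in range(1, max_harmonic + 1)
            if lo_hz <= n * fundamental_hz <= hi_hz]


def in_tuner_range(freq_hz, lo_hz=TUNER_LO_HZ, hi_hz=TUNER_HI_HZ):
    return lo_hz <= freq_hz <= hi_hz


if __name__ == "__main__":
    # The Terrible Laptop from the slides: 800 x 480, 24 bpp.
    w, h, bpp = 800, 480, 24
    per_frame = w * h * bpp
    print("bits per frame:", per_frame, "-> in range at 1x?", in_tuner_range(per_frame))
    print("harmonics of the per-frame rate inside tuner range:", harmonics_in_range(per_frame)[:4])
    lo, hi = candidate_band(w, h, bpp)
    print("search band for 60..75 Hz refresh: %.1f MHz .. %.1f MHz" % (lo / 1e6, hi / 1e6))
    # Constructed observation: a peak at 645.12 MHz would imply 70 Hz at the fundamental.
    print("refresh implied by 645.12 MHz:", infer_refresh_hz(645_120_000, w, h, bpp))
```

Usage: the `__main__` block reproduces the slides' numbers; swap in your own panel's geometry and the tuner range of the dongle you actually own. The refresh bounds are only a prior, so sweep the whole `candidate_band` and then run `infer_refresh_hz` on whatever peak correlates with changing the screen contents.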

THIS IS TERRIBLE HOW DID THIS HAPPEN


We are seeing signal transitions from the cable feeding to the screen. The more uniform the screen, the quieter the signal. It goes crazy when we look at complicated pictures.

THIS IS TERRIBLE HOW DID THIS HAPPEN


Unfortunately, my dongle's sample rate seems to be too low to recover the screen. Or I'm just bad at it. But this is getting close! There WAS a checkerboard pattern on the screen.

I KNOW YOU'RE LISTENING


Hey NSA I pay my taxes. Send me your algorithms for this!

HOW BAD DOES IT GET

Screens, sometimes even when they're off

Touchscreen capacitive fields

Physical button presses

The color of status LEDs

Microphones

Hard drive activity

RAM

So actually just everything

1600 MHz dual-channel laptop RAM visible at (1600/2) = 800 MHz

Splorts caused by loading Chrome with a zillion tabs on my Macbook Air - visible across a wide chunk of bandwidth

Here is a wireless mic leaking all over the place. I would like to note that there was informed consent...

Spikes from my iPhone connecting to Twitter over 3G

My phone contacting Verizon over 3G

IT GETS PRETTY BAD


Types of devices can be profiled and detected. They can be seen through walls and tracked through 3D space. They're radio transmitters. Distinguishing idle and active states is trivial. A sophisticated adversary may be able to distinguish very finely between different possible active states.

IT GETS PRETTY BAD


Things I am carrying in my pockets and my bag: iPhone 4S, Nexus 7, Nintendo 3DS, Macbook Air

Could an adversary with knowledge of my preferred toys and proper equipment pinpoint me in a crowd? YES.
Even if I turn off wifi and bluetooth.

IT GETS PRETTY BAD


Real-world example (uses wifi) http://www.nytimes.com/2013/07/15/business/attention-shopperstores-are-tracking-your-cell.html?pagewanted=all&_r=0

WHAT CAN YOU DO


This is why the spooky types say to remove batteries COMPLETELY (oh wait all four of those devices have integrated batteries)

Store devices in faraday shielding wrappers aka booster bags


Grocery store tinfoil is not very effective; it takes a mountain of the stuff.

WHAT CAN YOU DO


Having a private talk? Put all personal devices in the microwave oven (you should probably not run it) and close the door.

My personal tests show that it is not 100% effective but it makes a dramatic difference
Snipping off the power cable may improve its faraday cage properties.

WHAT CAN YOU DO


If you must run a power or data cable OUT of a faraday cage - keep the length AS SHORT AS POSSIBLE. It functions as an antenna

My first attempt at faraday cage testing was foiled by six feet of shielded USB cable on the OUTSIDE of the microwave door.

BE PROACTIVE
You can use even the cheapest SDRs to evaluate your risk or to scan your area for electronics others may be using to record you without your consent. In the process you will learn more than you ever wanted to know about the radio signals that surround you every day outside of AM and FM radio stations!

device inside microwave oven with SDR dongle and antenna - USB cable kept to minimum length outside of microwave

BE PROACTIVE
Windows: use SDR#

OSX and Linux: use GQRX

Or write command-line utilities with the rtlsdr library and the pretty radical Python bindings

These links are on the CD
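The "spikes 32 to 33 kHz apart, which reminds me of a 32.768 kHz RTC crystal" reasoning from the netbook demo, and the suggestion just above to write your own command-line utilities on the Python bindings, as one added example that is not code from the slides or from the rtlsdr project: it takes a block of complex IQ samples, computes a power spectrum, finds the spurs that stand above the noise floor, measures their median spacing (which also skips over the false center spike the deck warns about) and matches that spacing against a small table of clocks worth knowing. The samples here are constructed in code so it runs with no dongle attached; the sample rate of 2.097152 MS/s and the 3% match tolerance are assumptions. With a dongle, the same functions can be fed the array returned by pyrtlsdr's `RtlSdr.read_samples()`.

```python
"""Spur-spacing detector for RTL-SDR style IQ captures (added example, not from the slides)."""
import cmath
import math
import random
from statistics import median

# Assumed capture parameters (constructed; 2.097152 MS/s is one rate these dongles accept).
FS_HZ = 2_097_152
N_SAMPLES = 4096          # 512 Hz per FFT bin at this rate
RTC_CRYSTAL_HZ = 32_768

# Clocks whose harmonic combs are worth recognising; a starting table, not exhaustive.
KNOWN_CLOCKS_HZ = {
    "32.768 kHz RTC crystal": RTC_CRYSTAL_HZ,
}


def make_samples(spacing_hz=RTC_CRYSTAL_HZ, n_spurs=5, seed=1, n=N_SAMPLES, fs=FS_HZ):
    """Constructed IQ data: a comb of spurs every `spacing_hz`, a fake DC spike
    (the always-present center spike of cheap SDRs) and a little Gaussian noise."""
    rng = random.Random(seed)
    out = []
    for t in range(n):
        s = 1.0 + 0j                              # the false center spike
        for k in range(-n_spurs, n_spurs + 1):
            if k:
                s += cmath.exp(2j * cmath.pi * k * spacing_hz * t / fs)
        s += complex(rng.gauss(0, 0.05), rng.gauss(0, 0.05))
        out.append(s)
    return out


def fft(x):
    """Plain recursive radix-2 FFT; len(x) must be a power of two."""
    n = len(x)
    if n == 1:
        return [complex(x[0])]
    even, odd = fft(x[0::2]), fft(x[1::2])
    out = [0j] * n
    for k in range(n // 2):
        tw = cmath.exp(-2j * cmath.pi * k / n) * odd[k]
        out[k] = even[k] + tw
        out[k + n // 2] = even[k] - tw
    return out


def power_spectrum_db(samples, fs=FS_HZ):
    """Return (freqs_hz, power_db) ordered from -fs/2 to +fs/2, like a waterfall view."""
    n = len(samples)
    spec = fft(samples)
    spec = spec[n // 2:] + spec[:n // 2]          # fftshift: put DC in the middle
    freqs = [(i - n // 2) * fs / n for i in range(n)]
    power = [10 * math.log10(abs(c) ** 2 / n ** 2 + 1e-20) for c in spec]
    return freqs, power


def find_spurs(freqs, power, threshold_db=-30.0):
    """Local maxima above the threshold, ignoring the DC bin (the fake center spike)."""
    return [freqs[i] for i in range(1, len(power) - 1)
            if freqs[i] != 0
            and power[i] > threshold_db
            and power[i] >= power[i - 1] and power[i] > power[i + 1]]


def detect_spur_spacing(samples, fs=FS_HZ):
    """Median spacing between neighbouring spurs; the median ignores the doubled gap
    around DC and a stray peak or two."""
    freqs, power = power_spectrum_db(samples, fs)
    spurs = sorted(find_spurs(freqs, power))
    if len(spurs) < 2:
        return None
    return float(median(b - a for a, b in zip(spurs, spurs[1:])))


def identify_clock(spacing_hz, tolerance=0.03):
    """Name the known clock within `tolerance` (fraction) of the measured spacing, else None."""
    if spacing_hz is None:
        return None
    for name, f in KNOWN_CLOCKS_HZ.items():
        if abs(spacing_hz - f) / f <= tolerance:
            return name
    return None


if __name__ == "__main__":
    iq = make_samples()                # stand-in for RtlSdr().read_samples(N_SAMPLES)
    spacing = detect_spur_spacing(iq)
    print("spur spacing: %.0f Hz -> %s" % (spacing, identify_clock(spacing)))
```

The thresholds are deliberately loose: real captures have spurs that wander by a few hundred hertz from jitter and tuner drift, which is why the slides quote "32 to 33 kHz" rather than an exact figure, and why the lookup uses a percentage tolerance rather than exact equality. To use a dongle, replace `make_samples()` with `RtlSdr().read_samples()` after setting its `sample_rate` and `center_freq` attributes, and loop over tuned frequencies to build the same kind of survey the slides show with GQRX.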

BE PROACTIVE
The US government has its own standards for being resistant to this kind of attack - you can find them linked from the TEMPEST Wikipedia page http://en.wikipedia.org/wiki/TEMPEST

Correlated emissions are bad. The government knows this and so should you.

Ask your landlady about copper shielding! :)

THE TREE STORY


Coworkers said I have to tell you this one

Now you know why all security researchers are a bit twitchy

Well, I'll never feel safe again

Hey... I can pick up the police radio from here... it isn't encrypted

Viva Las Vegas.

@0xabad1dea that's a zero, x, and one. I need more followers than my hex nemesis @0xcharlie