 and last talk of the session and last talk of the day is entitled electromagnetic information extortion from electronic devices using interceptor and its countermeasure. The paper is written by Masahiro Kinugawa, Daisuke Fujimoto, and Yuichi Hayashi, and Yuichi will give the presentation whenever he's ready. Flosius. Okay, thank you very much for your introduction. This is joint work and Masahiro and Daisuke, and the presenter is me. Okay, the first, in this presentation, we focus on the EMR attacks, the well-known hardware security threat. EMR attacks can be performed non-invasively without leaving any hard evidence. The first, as a background to this presentation, I'd like to introduce conventional EMR attacks. To help understand the EMR attacks, I'd like to show you a demo. This demo that we focus on the display as a popular attack target in conventional studies. This is the demo, the EM leakage from a tablet display was observed on the screen information as reconstructed. This is a cheap antenna. This is a SDL. This is a signal processing PC. This is a target device. This antenna is observed leakage information by using EM. Here's an attacker. As the monitor is, his monitor is connected to the signal processing PC and using the remote desktop. He can confirm reconstructed image in real time by using observed EM leakage. The target user's input information using software keyboard, the input string is detected automatically like this. This is a conventional study, conventional. Okay, here, a target device, an example of EMR attacks. The information leakage occurred due to unintentional EM emission from these electrical devices. Even in a device not listed here, and the device handling the information as electrical signal may be target to this kind of threats. On the other hand, not all electrical devices are target to EMR attacks. Some device has weak EM emissions, potentially leak-free. So, these devices are out of conventional EM attacks. From here, we propose a method for possibly causing EM leakage from leakage-free devices. The first, I will explain the attack concept of this presentation. But here is the target device. This device is a properly leakage-free device. The two extract information from this device that we installed an interceptor on the device. Next, we irradiate the device with EM wave. Then, the interceptor is activated and it leaks a target information by EM emission. And then, the attacker can observe information by measuring EM emission. Next, I will explain the interceptor in detail. As you know, Bloomberg published an article the last year about the possibility of malicious circuit being installed on the board during the manufacturing process. In this article, as samples, the very small element was shown. Our proposed interceptor is also very small, like this. Therefore, as Bloomberg's article mentions, it may be installed during the device manufacturing process. Moreover, interceptor can also be installed after fabrication. This slide shows the function of proposed interceptor. Interceptor causes EM leakage, the forcibly, and control the leakage, the timing, and the strength and the distance. And interceptor does not need a special antenna for EM leakage. And, moreover, interceptor keeps the original shape of the target signal. This slide shows the primitive of interceptor. Interceptor consists of MOSFET and short wires. And it leaks information outside the device by installing it in the peripheral circuit of IC and attached cables, like this. Next, I will explain behavior of interceptor. Here, interceptor installed on a transmission line. In this explanation, I only mentioned a transmission line. However, the interceptor works on the PCB inside the device with the same principle. The intentional electromagnetic irradiation is performed against the cable with interceptor. Interceptor, the irradiation wave induced on the cable propagates the interceptor and activates it. Under this situation, interceptor demodulates, excuse me, the interceptor modulates the target signal, target signal using the induced signal as a carrier frequency. The demodulated signal is de-emitted by using a cable as antenna, and the information can be acquired by demodulated it outside the device. From this observation, we can extract target information. Here, I will explain how to select MOSFET that is the core component of interceptor. This selection can be determined by the frequency and the voltage of the target signal. Although the six devices are shown here, other devices can be attacked by proper MOSFET selection. From here on, we will explain in detail as a leakage of highlighted devices. Highlighted devices. If you are interested in other devices, please check our paper. The first, I will focus on the display, which are popular target in conventional studies. The target display here is a leakage-free device. So information cannot be obtained by conventional EM attacks. Here is the explanation of target display signal. This signal is generated by a display driver and transmitted to the display through the cable. This time, interceptor is installed in the cable. This slide shows the circuit structure and the implementation of interceptor. Interceptor circuit is a simple circuit consisting of MOSFET and short wire. And interceptor is connected to the target signal and shield line. Here, interceptor is hidden by ferrite core. This time, it was mounted after fabrication, but if it was mounted in the manufacturing process, it would be more difficult to find because it would be covered with covering. Okay, here, I show you an example of installing an interceptor on a display cable. Here's Masahiro, cause this is a target cable. First, he removing cable. Then he remove the shield, he got shield. And he exposing the target wire. Now that he do the pre-thothering, he insert the wire topping. Now he installing interceptor, just 530, okay. In this way, the interceptor can be implemented within the few minutes. So we can install the interceptor after fabrication. Okay, this slide shows attack setups. The attack setup consists of the transmitting system and receiving system. These are photo of the setups. The stationary setup has a high antenna gain. And so it can attack from a distance. The portable setup has a low antenna sensitivity, but it is easy to carry around. Okay, let's see how information is obtained by using interceptor. EM leakage does not occur without EM irradiation. By EM irradiation, interceptor activate and leak target information. We can see leakage information like as the power transmitted from antenna or was constant, but intensity of EM leakage that can be controlled by changing the transmitted power. Like this. This result shows attack feasibility from a distance by changing the irradiation strength. Next, I'd like to introduce EM leakage from smart speaker. In this case, the interceptor is installed on the flexible cable that connect a main board and the peripheral board. This interceptor, the leaks pick up sound by smart speaker's microphone. Smart speakers always pick up ambient sounds. So attacker can monitor the surrounding sound of smart speaker by observing EM leakage. Okay, I show them again. This is final demo. This is a smart speaker. This is interceptor. This is target sound. Okay, this is Daisuke, our co-author. This is the attack setup. This piece is monitoring leakage sound information. Before irradiated, we cannot hear the leakage sound. By the EM irradiation, interceptor is activated and the leaks are the sound information. We can hear sound through the target smart speaker. Okay, finally, I would like to show you a case study for crypto module. Here, target, the algorithm is RSA. In this example, interceptor is used to leak side channel information caused by doing RSA processing. This interceptor leaks upper envelope of side channel information. The friend EM wave is not irradiated. Information cannot be observed like this. But the friend EM wave irradiated the side channel information envelope leaks. Like this, we can extract secret information, secret key by using this kind of leakage. This is a result at five meter from the target device. Even weak signal such as side channel information can be leaked at a distance using the interceptor. Okay, next, I briefly explain detection method. If you are interested in this kind of detection method, please check our paper for details. The interceptor detection method consists of active and passive sensing. Here, I introduce a passive sensing. The once interceptor was installed, the equivalent circuit of the device changes dynamically. Then a spectrum of EM emission also changes like this. Therefore, it may be possible to detect the interceptor by comparing the spectrum with and without interceptor. Okay, I conclude my presentation. In this presentation, we propose interceptor that possibly leak information from the leakage free devices. It was shown the timing and the distance and the intensity of leakage can be controlled by using interceptors. And I also briefly explained how to detect interceptors. In this paper, we focused on only six devices, but there are possibilities that interceptor apply to other electrical devices. Thank you for your kind attention. Thanks for your presentation. We have time for questions. Where are the spies? All right, I start. So my first question would be what's the cost of, let's say, the high power setup? High power setup, high power setup is probably less than, roughly, 10,000? Probably 10,000. 50,000? Probably 10,000? 10,000? 10,000, yeah. Cost is very reduced by using the amateur radio transmitter, by such equipment we can buy the, around the 100 to the 500 dollar only. Thank you. I have another question. Have you, do you have an idea how the thickness of walls affects the signal propagation? So can I measure this through a wall that is one meter thick? For example? You mean the, please repeat this question. So you showed that you can like measure from the neighboring room, the signal from the other room, so there was a wall in between. What if that wall is one meter thick? I probably, the if water includes the water and the electromagnetic is decreasing, but we increase the emission power, how to say, this way we reach to the target, that depending on the power and the material of a wall. Okay. So proper shielding would be needed to, like if I have really shielding in the wall. Yeah, but the shielding room, I had to say the shielding room has some power supply line that we inject the power supply line. This power supply line is connected to the inside the shielding room. More questions? Comments? No, okay. Thanks again. Thank you. Thank you.