Hello all and welcome, the following talk focuses on the vulnerability of electronic devices to electromagnetic interference with regard to IT security. Doors gleich. Electromagnetic threats for information security and electromagnetic nature for information security. We get chaos in digital and electronic. Doors to the replacement of P-Priority on NABLA. Having worked at the French National Cyber Security Agency, Chaouki has a PhD in electronics and has recently joined the labs at Dark Matter LSE. Join me in welcoming them on stage.

Good afternoon everybody. Thank you for joining us. We are Chaouki Kasmi and Jose Lopez Esteves. We are very happy to be here today to talk about EM threats for information security, and hope we may find ways to induce chaos in digital and analog electronic devices. Directed energy weapons. So we are both electromagnetic security experts. We do also radio communication security analysis, radio security and hardware and data security research.

A quick disclaimer, because I recently joined Dark Matter LSE in the UAE: the research was done during my research activities at the French Network and Information Security Agency, and all the content that will be presented today was done during those research activities. I am grateful for the support and encouragement provided by Dark Matter.

So here is our agenda for today. We will introduce you to the topic of electromagnetic security. Why are we looking at electromagnetic waves? We are looking at the effects of electromagnetic waves. And then we want to test EM weak points, and how we can turn these effects into information security issues. As we go through the talk we will draw some conclusions, and in the end we will find out what we learned from our research.

We have all seen those nice movies where they are using some EMP weapons on electronic devices or any facilities. Even Batman has an EMP weapon. In principle, for normal people it is a fantasy weapon.
An EMP, an electromagnetic pulse weapon. So you try to destroy them in devices or you try to destroy them. These sources have the same effect as high waves generated by nuclear or person. These high inductive fields induce voltage and current in the devices. All these parasitic voltages and currents induce disturbances on the communication devices, and of course also on any digital data. These effects are different from very low level effects. They can reach even permanent damage on devices.

What we are looking for basically is to be able to detect and analyze the effects induced by these referential exposures. This is an important point to link the hardware and software failures, to be able to understand better how electronic devices react to these parasitic exposures, and also the infrastructures in which they are placed. From that we are also able to understand if there are any cascaded effects. What kind of effect can we do to overcome connected devices?

So as we said it is not a fantasy weapon. A few things have come up in Europe. And my colleague would start from very simple airfired sources. It starts from very simple radio frequency weapons. They are used by malicious activities to win at a game machine in Japan. Then you can use your destroyer devices to take out security systems in critical infrastructure, in special places. There were also jubilee systems for example. You can use them to set up a bank in Great Britain and the Netherlands. This is interesting because some events have been used in order to disrupt some targeted devices. In similar ways we want to understand that this device does not require a very high level of skills to be able to do that. And we can see that if someone is interested in building some sources available on the Internet, then you can easily find them on the Internet.

So the use of electromagnetic interference to disable or destroy the device is directly linked to the topic of electromagnetic compatibility.
In which we define a few general standards in order to test that these are not harmful. No abnormal behavior in a normal environment. This is the subject of immunity testing. In the same way we want to limit the device in the environment by reducing the amount generated by those devices. So as you may imagine, as you apply basic standards to the world of trust and compliance, then we try to have the best compliance of those devices so that it can be used in any way, very cheap reviews.

In summary, some information security guys have been working on those topics. In similar ways other people have researched and seen that there is a correlation between the processed data and the emanation of these devices. This is called Tempest Storm. And there is also a side channel area in which we correlate the chip and the system activities with the data that is processed by this device. In the same way a few researchers are working on fault injection on KERN and FPGAs. And that uses the near field interaction between source and target in order to extract keys or other interesting secrets from the device.

We see that we go beyond this standard that we have defined in the electromagnetic compatibility. We don't want to use these standards but we just want to have small correlations that may be used to reduce the security of those devices. To compromise this device. This is a kind of confusion. As a risk for information security, basically a phenomenon that originated from the EMC. So a physical phenomenon. In similar ways to extract information from devices is highly useful when we are looking at security of those devices.

The threats are as defined in the previous slide. As mentioned in the previous slide, we have introduced threats for the confidentiality, in order to recover data from the electronic devices, and in the same way the availability of the device is directly linked to the immunity of these devices to parasitic fields. Our challenges are these two ones.
The first is how can we assess the vulnerability of many electronic devices to parasitic exposure? And if we want to do some risk management, we should create an end-matter again.

So concerning the vulnerability testing of electronic devices, let's have a look at the complexity of how we react to be able to test them. We have complex systems with a lot of different kinds of materials and communication links. We have wired or wireless connections between devices. And we have a lot of undetermined communication between devices. We have no specific protocols and at the time when we initiate the waves, we have to reproduce this test setup. We have a problem of scaling because we want to analyze the security of a chip, as well as the security of a whole building. And this makes a lot of random parameters that you can use to analyze different attack scenarios with different payloads.

The problem of modeling is that we can't model the entire infrastructure. A huge building with very small devices is very difficult to model. And of course it requires a lot of scientific fields that you have to use to be able to model and analyze the waves in the building. As we just said, there are a lot of random parameters and if we want to understand and predict anything, we need to do some exhaustive tests. But the problem with exhaustivity is that it requires a lot of configuration, so that you can reproduce any configuration you would like to work on for a specific parameter. And this makes for the reproducibility of the results. So from the greatest number of configurations, we would like to be able to compute the behavior of the device for possible configurations. Similarly, if we can analyze the effects of complex systems, then the effect is of course also very complex on the device. As information security researchers, we would like to have the ability to evaluate the EM attacks.
The EM instrumentation, the use of a source to disturb or to induce failure on any electronic device, can be characterized by these three parameters. The ability to find it on the internet or to look at a specific source to design it. The dimension of the source: can it fit in my backpack or a car? This defines the mobility and the capabilities to show the source frequency. Can I modify the amplitude of my source? These parameters are very important to be able to understand how to use these weapons to disable specific devices. For that, you need a lot of technical knowledge. Maybe not. After looking at the internet, we have seen that there are a lot of resources for it. The effective range of the source: I have to be close to my target. Before, I need some information about my target, I have to test it before being able to do it in real life. Can I industrialize my source? Once I have my source, my setting, or is it target specific? I have to design a source for each target.

For looking at this problem, there are two ways. The first is starting from the source itself. You can be connected to an antenna or to a propagation mode. The radiation in the free space or injected by waves in cables. Then I have the conductivity between both of them. We have the coupling to the target. Am I targeting a wireless interface of my target? Or is it the back coupling phenomenon? I am into some conductive parts in the system. And I have my effect, the last part of my propagation. If I can start from the source, then I can find specific scenarios for a specific target. But if I start from my target and I take effect in a very general environment, then I can detect all the parameters that may occur on the critical infrastructure. So we have a very simple way of having this problem. And we are working on the effect by parasitic effects on electronic devices.

Now I am going to introduce our strategy for the analysis of the target. We will see that it is not a trivial problem.
And I will introduce our decision to address this problem. Here we are trying to observe the effects of electromagnetic signals near the target. And for that the game is always the same. It is always our parasitic field. And we want to examine the changes on the target and react to the stimuli and the change. And we want to correlate the stimuli and the effects. And because of the complexity of this problem, there are many different types of stimuli that we can send to the target. We can also use additional stimuli. And the second problem is that we have to determine what we can decide, whether it has an effect on the device or not. So in fact one of the main challenges in this game is to see the right classes to see the effects.

So that is what we have done. And we propose that we want to identify the critical functions of the system, the health parameters of the system. And then you have to find out how to define these metrics to be able to compare them, or to be able to classify the different effects that are observed on these observables. Sometimes it is easy. For example, if a robot thinks that it works or it doesn't work. If it doesn't work, then ok, now we have an outcome. But you also sometimes need to have a finer granularity of these metrics. For example, the robot's arm, you can imagine the arm's position error. And you have to find a way to measure that during the tests, to find out if there was an effect or not, and if the effect really comes from your attack, or if it comes from something else, or if it comes from the weak point of attack of the system.

So we have taken a generic approach to adapt our approach to a specific context. We thought that we would take a generic approach. So our idea was to try to analyze the effects during the operating system. And it is interface based. There are different types of couplings on the devices. And we have numbered them for the physical couplings that are available on the device.
And we have found a way to get access to some information. We have an interface on the level of the operating system. In the end we have a software that is running on the operating system, and it is monitoring the different interfaces, and then it is looking at the effects of the attack. What is interesting is that we don't really need to understand the physical effects. In fact we try to have an observation of the software layer. So we are only looking at the software level of the effects during the tests.

And for the vast variety of different variables of stimuli that could be used in an attack, we have used the lowest attacker profile. So a very low source, very low bandwidth. So we simply use a software-defined radio with various amplifiers. And the physical electromagnetic waves that we send to the target are radio frequency pulses. So they are a very low attacker profile.

And there are two setups here, the typical ones. On the left we have our stripped target. We have our target with the software that we design. And we have an antenna in our cage that we send the signal out. And outside of the cage we have a monitoring computer that collects the information, and our radio sources. On the right we have an equivalent setup for direct propagation, without waves, but directly connected to the device. So as soon as we have defined the test scenario, we have used a few devices in a Faraday cage.

And now we want to present you some effects that have come up with this test. We have created these correlations. And there we have found a way to inject electromagnetic waves as a new technique to initiate data into the system. So at the beginning we used a very normal computer. And we just searched for certain places or files on the computer. And we sent our parasitic signal to the target. Here we have a few logs we can see. You don't have to read them because we want to present them to you. For example the two cut-outs, PS/2 and USB.
And we were able to get these effects. We were able to do a group of data and randomly inject valid keystrokes on the computer. When we were able to have the USB, we were able to switch off the device, the devices that were connected to the device, and also to the descriptors to shading or to corruption. We took a data link.

Then we wanted to test some scale systems, so industrial control systems. We put a servo motor in a cage and we examined how this motor behaves when it runs on a certain path. The normal behavior is the blue that we see here. I will try to show it to you here. Here you see the blue curve. This is the normal behavior. And in green and orange we sent our pulse. You can see here that we were able to modify the position of the servo motor as well as the range of the servo motor. We were able to manipulate the servo motor randomly with our pulses.

Then we worked on some digital signal processing algorithms. Here is the pre-distortion algorithm. The pre-distortion algorithm is used in the nonlinear region. We can predict the nonlinearity of the servo motor and the distortion induced by T is the one. But in the same way if you are injecting some sort of radio pulse, then you can see the j for jamming. We were able to manipulate the algorithm. This curve here is black. We see here that we have the elevation of the side of the source. It means that we are able to control all the devices to the frequency, for example the mobile station we are attacking here. So we are able to modify the packages that are sent from the mobile station. Then we send the data with a high error rate. So all the devices receive error data. All the devices that communicate this cell with our cell, if they are using other cells that are connected to this cell, in a frequency band or in a target, then it is possible to disturb the communication at this level. That is the cascade effect of the waterfall, the domino effect that we have talked about.
The calculation of this pre-distortion is not done every second, but rather on the scale of a minute. Only through a sudden intervention, you can let the radio disturb itself over several minutes until this pre-distortion factor is calculated again.

We also have some analog interfaces instrumented, and here we present our results for a thermal transducer and acoustic leader of the EMC community. There is a certain demand for randomness of these current circles and some of these analog current circles have a certain amplitude demodulation of the parasitic signal, and especially for operational amplifiers, there is an offset that is applied to the signal when a parasitic field falls on the target. Also, as we are talking about analog interfaces, they are usually on ADCs, and the whole work that can be done on digital converters can also be applied in this case.

During our test, we observed the temperature of the CPU of our target, and we noticed that when our parasitic field was on, we saw that the temperature that was shown was wrong or jumpy. How can it be used? We tried to design a scenario that uses this behavior, and we ran additional tests, and we noticed that the temperature that was shown by the diode was more or less proportional to the field strength of our parasitic field. That means that the attacker can, ultimately, control the behavior of the temperature reading on the target. So we imagine a scenario where an attacker uses this behavior to send information to a specific process that simply controls the temperature on the target. And this is possible in certain cases, in cases where, for example, you want to separate an air gap from a certain information system, and then it can be used, or it's very serious. And also, of course, if I can control the temperature, as an attacker, they can transfer it from the diode to the CPU, or to the device that reads it out. You can imagine that you can sabotage the device.
During our tests, we also observed the audio front end. So basically, we just recorded the audio that came from the sound card, and we made that with a microphone, with a wired microphone, or a cable microphone, or even without a microphone. And we always have been able to notice that there were some effects on our field, and then we had to imagine scenarios where this is a threat. And from that observation, there were various works that we conducted, and we considered the analog microphone as a user interface, which has access to the voice assistant, and we designed several proofs of concept to interact with the system in order to execute arbitrary voice commands on the target device.

We did two proofs of concept. On the right side, you can see the radiation method, the coupling interface, the cable of the headphone, and we also designed additional tests to test the propagation path, and we were able, by using the power signal inside the power network, to charge the telephone. So this research was published at Hack in Paris, but we still have two short videos about those two tests. Now I have to find my mouse again.

In this video, we see the radiation test setup. Our target is the smartphone here, and we see the headphone cable on the left side of the screen, and our antenna on the right side. It sends the parasitic signal. We notice that there are certain activities on the audio front end, the red dot on the top right side. In this example, we send long voice commands to open a home page. And on this Android version, there was no real feedback to the user. The website just opened without any further interaction with the target.

This is connected with connectivity, so we have our setup here. We have the power supply and the computer, and here we have an ignition module that goes to our radio frequency source, and our target is here on the desk, and it is connected to the power supply charger and an outlet device. In this case, we just opened it.
So if you need more information about technical details, then we can take a look at the previous talk at Hack in Paris. Here we just want to imagine a risk analysis of these weak points. Of course, everything you can do with this device can be done with this technology. What is also interesting is that we have completed the study with both front and backdoor scenarios. We also did the strolling and connectivity tests, and we tried to estimate the required energy and equipment needed to carry out these attacks. Of course, these are very targeted attacks because the attacker has to be able to modify the waves in order to adapt to the target device, for example, the telephone or the power supply.

So, at the end, we just need additional details about the second one. We have connected the USB cable to the computer, and we have seen that the signal goes through the power supply and the computer. And through the USB shield, the microphone reaches the power supply. There are no problems with the EMC between the microphone and the USB, but from the information security standpoint we didn't find any issues that were able to define the signals via this language control.

Thanks to all these tests, we have been able to analyze the effects induced by electromagnetic interference and we have been able to identify the effect of the quality of each attack. We have been able to estimate the effect of the energy devices and all the information security aspects. They help us to build additional protective equipment so that we can't stop these attacks. In general, we have noticed that the electromagnetic attacks are realistic threats even if you want to do more than DoS attacks. You have to adapt to the setup and to the context to emphasize the attack profile which is always lower because the technology is constantly developing and the devices you need are always cheaper and more accessible for almost everyone on the internet.
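The OS-level monitoring strategy the speakers describe (software on the target watching its interfaces during the test, correlating the pulse schedule with observables and classifying the effect per interface) can be sketched as follows. This is an added example, not the speakers' tool; the pulse schedule, keystroke log and temperature readings are constructed, and the proportional temperature offset only mimics the thermal-diode behaviour reported in the talk.

```python
"""Effect monitor for an EM immunity test: correlate the pulse schedule with
OS-level observables and classify the effect per interface. Data is constructed."""
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Pulse:
    start: float      # seconds since test start
    end: float
    amplitude: float  # relative field strength, 0.0 .. 1.0


# Constructed pulse schedule: three RF pulses of increasing amplitude.
PULSES = [Pulse(10.0, 12.0, 0.3), Pulse(20.0, 22.0, 0.6), Pulse(30.0, 32.0, 0.9)]
# Constructed keyboard log (time, key). Nobody touches the target during the
# test, so every event is unexpected; what matters is whether it coincides with a pulse.
KEY_EVENTS = [(10.4, "a"), (10.9, "k"), (21.2, "q"), (31.1, "x"), (31.5, "x")]


def pulse_at(t, pulses):
    # Return the pulse active at time t, or None outside every window.
    return next((p for p in pulses if p.start <= t <= p.end), None)


def constructed_temperature_log(pulses, seconds=40):
    """1 Hz CPU temperature readings: ~40 C baseline with a small periodic wobble,
    plus an offset proportional to field strength while a pulse is on (constructed)."""
    samples = []
    for t in range(seconds):
        reading = 40.0 + (0.3 if t % 3 == 0 else 0.0)
        p = pulse_at(t, pulses)
        if p is not None:
            reading += 10.0 * p.amplitude  # mimics the talk's thermal-diode effect
        samples.append((float(t), reading))
    return samples


def pearson(xs, ys):
    mx, my = mean(xs), mean(ys)
    num = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    den = (sum((x - mx) ** 2 for x in xs) * sum((y - my) ** 2 for y in ys)) ** 0.5
    return num / den if den else 0.0


def keystroke_metrics(events, pulses):
    """Count unexpected key events inside vs. outside the pulse windows."""
    inside = sum(1 for t, _ in events if pulse_at(t, pulses) is not None)
    return {"inside": inside, "outside": len(events) - inside}


def temperature_metrics(samples, pulses):
    """Baseline from pulse-free samples; per-pulse deviation and its correlation
    with pulse amplitude (does the reading track the field strength?)."""
    baseline = [v for t, v in samples if pulse_at(t, pulses) is None]
    mu, sigma = mean(baseline), pstdev(baseline)
    per_pulse = []
    for p in pulses:
        during = [v for t, v in samples if p.start <= t <= p.end]
        per_pulse.append((p.amplitude, mean(during) - mu))
    corr = pearson([a for a, _ in per_pulse], [d for _, d in per_pulse])
    return {"baseline_mean": mu, "baseline_std": sigma, "per_pulse": per_pulse, "amp_corr": corr}


def classify(key_m, temp_m, z_threshold=3.0):
    """Turn the metrics into a verdict per monitored interface."""
    verdict = {}
    if key_m["inside"] and key_m["inside"] >= key_m["outside"]:
        verdict["keyboard"] = "keystroke injection correlated with pulses"
    elif key_m["inside"] + key_m["outside"]:
        verdict["keyboard"] = "spurious events, not correlated with pulses"
    else:
        verdict["keyboard"] = "no effect"
    sigma = temp_m["baseline_std"] or 1e-9  # guard against a perfectly flat baseline
    worst_z = max(abs(d) / sigma for _, d in temp_m["per_pulse"])
    if worst_z < z_threshold:
        verdict["cpu_temp"] = "no effect"
    elif temp_m["amp_corr"] > 0.9:
        verdict["cpu_temp"] = "reading tracks field strength (attacker-controllable)"
    else:
        verdict["cpu_temp"] = "reading disturbed, not proportional to field"
    return verdict
```

Running `classify(keystroke_metrics(KEY_EVENTS, PULSES), temperature_metrics(constructed_temperature_log(PULSES), PULSES))` flags both the injected keystrokes and the field-proportional temperature reading, which is the covert-channel case the talk raises.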
We can say the same thing about the nuclear power plant and one last remark. The EMC information security community and the physical crypto and side-channel communities have worked on their own path, but in reality we are facing the same problem, but we have different points of view and different goals. Maybe it's time to get together and share the resources and the knowledge about these problems. You can see our email addresses if you have any questions or if you want to talk about these topics, then we are happy about it.

We have quite some time for Q&A, so please come to the microphone and take the microphone.

Thank you very much for the interesting topic. I saw your request or any cables why? You tested the screening of cables and how much is affected by the results?

On these research topics we tested different cables, under USB cables and different charging devices out of the box, and we found that it was possible on the audio frequency band, but the frequency response was relatively low and it didn't affect the target.

Thank you. Thank you for the talk. This is all very new to me, so I'm very scared right now. I'm learning how to fly small airplanes and there is a lot of communication about radio waves, and I wonder if you can tell me what is the impact of radio waves? For example 2000 feet and the target is very difficult, I don't know what you are talking about, but I'm very scared.
Regarding the range, we didn't work on the source side, we only looked at the target device. If you want to work on any device you can do it in a test environment and see what effect you could have depending on the characteristics of the source, and then define the range that you can use and the amount of power you need to reach the signal level to reach the target. For small drones or any kind of device we didn't do a specific test, but it's a question where we are happy to work on it. In your case you probably have to guess the propagation path that we described in the specific condition that you described.

Thank you very much. I have a small question about the CPU thermistor with RF energy to increase the temperature. Was it a separate sensor and how long was the cable? Did you check the parameters?

It was an old smart board on a computer, the thermistor was interrogated by a superior chip, and I think the PCB lines between the diode and the chip were about 10 cm.

Thank you very much. You showed us some examples of data injection, what about the passive ones?

The talk was focused on the effect of intentional electromagnetic interference, we didn't talk about other things. I don't know if that answers the question.

Thank you for your response. And I think that's all. I know that this isn't really a topic of your research, but could there be some pointers for Tempest attacks? Last year there was something about AES Tempest attacks, on AES it was a side channel attack for several feet.

I think Markus Kuhn's research at Cambridge University is a very good resource to understand this topic.

Thank you very much, and I think that's it. That's your round of applause for our speakers.