Hi everyone, my name is Paz Hameiri and I'll be talking about a project I'm working on named Tempest Radio Station. First, allow me to introduce myself. I've been developing hardware and software for more than 30 years and I've been working as a system engineer for more than a decade. I started my professional career very early. During my teen years, I cracked games and developed software tools. One of the software tools I developed was called the Message Sticker, and during DEF CON 25 Inbar Raz showed code that he wrote to deactivate the Message Sticker. He named his software after me. Okay, so what is Tempest? Tempest is a US NSA specification and a NATO certification. The acronym refers to information leakage from a system through unintentional radio signals, audio signals, electrical signals and so on. In 1985, the researcher Wim van Eck published the first unclassified analysis of the problem. He analyzed the information leakage from computer monitors. But government researchers were already aware of the problem. The US Army became aware that the equipment it was using during World War II was emitting unintentional electromagnetic waves, and that these unintentional electromagnetic waves were carrying valuable, classified data out of the device. And since the fifties, the NSA has been developing specifications and certifications for classified devices in order to reduce these unintentional emissions by grounding the equipment, shielding the equipment, separating different types of data lines and so on. Okay, how did I end up doing a project named Tempest Radio Station? Well, I read "TEMPEST at Home: Finding Radio Frequency Side Channels" by Davidov and Oldenburg. They wrote about their experiments transmitting electromagnetic waves from a computer to a remote receiver 50 feet away. And they manipulated the GPU clock to control the transmission.
And one of the most important things I found in their work was this: until then I thought, or I guessed, that the electromagnetic emission regulation tests prevent computers and cards from emitting so much energy into the air. And I was wrong. Another thing I learned from their work was the use of software defined radio receivers, or SDR receivers. These are cheap radio receivers. The most common radio receivers of this type are tunable from almost zero to two gigahertz and they have really good reception quality. So I bought one and I studied the electromagnetic emissions generated by my laptop. And I got very interested in this work and I started wondering what I can do with it. How far can I transmit data using these emissions? Is it possible to transmit audio in real time? And above all, how hard can it be? So to figure it out, I decided to start the Tempest Radio Station project: transmitting audio in real time using these emissions, and who knows how hard it can be. So first I have a project, then I need to define the project goals. The first goal was tunable frequency. This is very important because if there are a lot of computers in a single area and I want to extract data from one computer, I need to separate the data it is transmitting from the others. And perhaps I want to receive more than one computer in the same area. So I need to have a dedicated frequency per computer, very similar to radio stations: each radio station has its own frequency. The second reason for tunable frequency is that if you can choose the frequency, then you can find a relatively quiet frequency band with as little interference as possible, transmit the data in that frequency band, and get a good signal to noise ratio, which is important for reception. Another goal for the project was maximum bitrate, to maximize the audio quality. The third goal was innocent looking software, to avoid detection for obvious reasons.
And last but not least, trying to achieve maximum distance. Okay, so let's begin with a crash course on radio wave transmission. When you take a conductor and pass time-varying electric current through it, it will emit electromagnetic radiation that will propagate from it into space. And reception works the other way around: if electromagnetic radiation is close to a conductor, it will generate time-varying electric current in it. And this is transmission and reception of electromagnetic waves in a nutshell. This could be done with any conductor. It could be wires, or for this project, PCB traces. PCBs are the printed circuit boards that carry the electronic components inside computers. Traces are the fine wires within the PCB that connect the terminals of the electronic components. And that's the radio waves crash course. Another important thing to understand about broadcasting is modulation. Modulation is the manipulation that we do on the carrier wave, the propagating electromagnetic wave, in order to make it carry the data that we want it to carry. Most of you have probably heard about amplitude modulation and frequency modulation, which are the two common methods used by commercial radio. But there are other types of modulation. The simplest type of modulation is on-off keying. You have an energy source. You turn it on, it emits energy. You turn it off, it stops emitting energy. And you can encode the data in the duration of the pulse. And if the transmitter and receiver have the same protocol, then they can pass the data from one to another. The most common and well-known use of on-off keying modulation is Morse code. Morse code has only two symbols, a short pulse and a long pulse, and you use those two symbols to transmit the whole alphabet, words, sentences and so on. Okay, so we understand that we can turn PCB traces in computers into electromagnetic wave generators.
And we know that if we can take a line and make it emit energy at our will, control the duration, and stop the line from emitting energy at our will, then we have on-off keying modulation. Now we need to have such a signal. Okay, so the signals I decided to use were the signals between the GPU and the GDDR. GDDR is the memory installed in graphics cards, and the GPU performs memory read and write operations by operating the control and data lines of the GDDR. Here you can see in this slide a timing diagram of GDDR6, which is a common memory type these days. There are four major lines that the GPU is operating. The two signals in the upper part of the graph are CK and CA. CA is the command signal, and the GPU uses the command signal to command the memory to do a write operation or a read operation. CK is the clock of CA; it helps the GPU to command the memory. Similarly, of the two lower signals, the data signal carries the data itself, and WCK is the clock of the data. Whenever the GPU is performing a write operation or a read operation, it operates these lines. When it is not performing a read or write operation, it is not operating these lines. And this is the key to the on-off keying, meaning that when we want to transmit a symbol, we start a memory read or write, and the duration of the operation is predefined by us. When it ends, the energy stops being transmitted. Okay, let's talk about the duration of the pulse. The electromagnetic radiation, as I explained, is emitted when the control and data lines are active, and is not emitted when they are not active. So now we need to control the duration. There is an almost linear relationship between the time it takes to write a batch of bytes and the size of the batch of bytes. So if we have a small volume of bytes to write, it will be a short operation. If we have a big volume of bytes to write, then it will be a very long write operation.
And that's the key to controlling the symbol length. Whenever we are performing a memory transfer, a symbol will be transmitted, and the duration is predefined by the amount of bytes that are going to be read and written during the memory transfer. As I explained, the relationship between symbol duration and symbol byte count is almost linear. This is because the GPU is using dedicated hardware to perform large memory transfers, and this dedicated hardware is time-deterministic. So to define the on-off keying protocol between the transmitter and the receiver, I need to predefine for both what a symbol is. And I define the symbols in the following manner. The symbol duration equals the symbol value plus one, multiplied by a time constant that both the transmitter and the receiver know in advance. The plus one helps me avoid a zero duration if I have a zero symbol value. In order to transmit these symbols, I need to transfer a known amount of bytes. So the symbol transfer size, which is relative to the symbol duration, equals the symbol value plus one, multiplied by a bytes constant. And as I explained, there is a linear relationship between the time constant and the bytes constant. So if I do a very large memory transfer and measure the time it takes to perform the transfer, then I get the ratio between the bytes constant and the time constant. And that's the whole story. Here you can see it graphically. In the upper graph, you see the energy being emitted for three different symbols. In the lower graph, you can see the relation between the calculation I showed you in the last slide and the amount of time it takes to transmit each symbol. Here you can see, for example, the symbol value five. You add one to it, you get six, multiplied by the time constant, and this is the length of the symbol. Again, you can see it for symbol value three and symbol value eight. Why use GDDR memory? When I chose GDDR memory, I had good reasons following the project goals.
The first and most important was that it has a tunable frequency. You can set the GDDR memory frequency with the APIs that are available. It's very easy to do so, and I did it. The second was that the hardware is very time-deterministic, and it helped me build solid, good symbols which are transmitted and then received, and because it is very time-deterministic you get the same results over and over on different computers and different hardware. And most of the time the GPU is idle, because when it's not in use it's idle, and when it is idle it's not doing anything and it's a free resource. Then why not use it? I used it. This is Scotty. Scotty is the transmission software. It is installed on the computer that is broadcasting the data, the audio. On the top left, you see a GPU list, and here you select the graphics card that you want to use. Below that, you have two checkboxes to start the transmission. The first one is for internal testing and the second one is to transmit a WAV file. The name of the WAV file is written in the line below. To the right of the GPU list, you see memory clock. This is WCK, the data memory clock. To its right, you can see a divider value and the data value. The data value is the data being written to the memory. And you can see memory base clock. This is CA, the command clock. The relationship between the memory clock and the base clock is in this case four, and the values here are relative to each graphics card. The graphics card can tell you the type of memory that is installed inside it, and from the parameters it gives you, you can get to these numbers. Below memory clock, you see base clock shift. This is the way that I'm moving the base clock and tuning the base clock. To its right, you can see a shift frequency checkbox that commands Scotty to perform the frequency shift, and to its right you can see the center frequency.
This is the frequency that Scotty is calculating by adding the base clock shift to the memory base clock, and this is the result. More important is the indicator below it, which is called measured transmission frequency, because this is the transmission frequency that the GPU is measuring, and this is the actual frequency that is carrying the data. Below base clock shift, you see two bitrate indicators. The lower one, data bitrate, is showing you the data bitrate, but only the data. This is the pure data bitrate, and the raw bitrate equals the data bitrate plus the additional bits that are used for control and monitoring to build the data packet. The last indicator is data transmitted in percentage, which is the percentage of the data that was transmitted from the WAV file. Okay, so what does Scotty do? Scotty is doing the following tasks. It is measuring the time required to perform large GPU memory transfers. It is calculating the bytes constant for a predefined time constant, which is predefined for both transmitter and receiver. It is setting the GDDR memory clock frequency, or broadcasting frequency, and it is loading a WAV file and transmitting 8000 audio PCM samples every second. I targeted the CA clock, the command clock, as my main broadcasting frequency, and this is why I'm referring to setting the GDDR memory clock frequency as setting the transmission frequency. Okay, so we have the WAV file, and it is broken up by Scotty every second into 8000 audio PCM samples, and then it transmits the 8000 audio PCM samples in one second intervals. First it encodes the 8000 audio PCM samples, then it bundles the data into packets according to a protocol. And the protocol comprises header bytes, and Reed-Solomon forward error correction parity bytes for error recovery at the receiver.
Then an audio packets counter, which counts how many packets were already sent; the G.726 encoded audio bytes, which are the real payload; and audio data checksum bytes, to check at the receiver that the data is valid. Scotty transmits each packet symbol by symbol, and when all 8000 samples have been transmitted the software stops and waits for the one second interval to elapse. Okay, so Scotty is now transmitting the data into free space and the electromagnetic waves are propagating in the area, and this is the reason why we'll talk now about the radio path, or the wave path. Scotty is transmitting the data from the computer, which is seen on the left. On the right side of the chart you can see the reception equipment, which comprises an antenna that converts the electromagnetic waves to time-varying current. After that you can see a low noise amplifier that amplifies these weak signals and sends them to an SDR receiver, which receives the signals and passes the samples to a reception computer that runs software named Spock, which extracts the data from the signals. In the middle you can see a photograph of this reception equipment. Here you can see how CK, the electromagnetic waves that are emitted from the CK PCB traces, is received 50 feet away from the source computer. You see here power versus frequency, and you would expect, for a fixed clock frequency, to see all the energy concentrated on a single frequency, the clock frequency. As you can see, this is not the case. The manufacturers are shifting the clock in small steps up and down, up and down, and in this graph it would be right and left, right and left, and they are doing so to reduce the average power per frequency. And why is that? Both card manufacturers and computer manufacturers have to pass electromagnetic emission tests.
These emission tests are required to get regulatory approval, and if all of the energy were concentrated on a single frequency they might not pass the test: the power might be too large and exceed the threshold of the test, and the card or the computer would fail the test. So, to better prepare for these tests, the manufacturers spread the energy over a small frequency band, and this way they lower the average power per frequency, and by this method they improve the chances of passing the regulation tests. This is why the signal looks like this. OK, so we spoke about Scotty, and now let's speak about Spock. Here you can see the screen of Spock. At the top left you can see the SDRs list; these are the SDR receivers available on the computer. Below that you can see center frequency, which is the frequency that you need to set, and below that you can see two gain controls; they are used to set the SDR system gain. To get the best result you need to tune all three of them: the center frequency, the gain reduction and the LNA state. Once you set the frequency and the system gain and you get good reception, all you need to do is check the play audio checkbox below the system gain and hear the audio.
In the middle portion of the screen you see the samples versus time graph. Here you can see the waveforms the samples are creating, and here you can see two symbols. The shape of the waveforms is highly influenced by the spreading technique I explained earlier, the spread spectrum clock generation that shifts the clock up and down, or in the graph right and left, and this is how it looks over time. Below that you can see three checkboxes that are used for debugging. The most important of them is "clear numbers on the right", because it clears the statistics on the right. On the right side of the screen you can see all sorts of information which helped me develop the software and analyze the quality of the reception: you can see how many samples there are per iteration, how many good packets were received, lost packets, the good packets ratio, which is important because it indicates the quality of the reception, and other types of data. What is Spock doing? Well, it is doing a lot. Spock is doing two batches of tasks. The first batch of tasks deals with the raw samples that are being picked up from the air, analyzing and processing these signals and getting the symbols out of these samples. The second batch of tasks works with the symbols to recover the data. So let's speak about the first batch of tasks. Spock sets up the SDR receiver. It receives cyclic batches of samples from the SDR receiver. It calculates the absolute amplitude of the samples (don't be intimidated, there is a graph in the next slide explaining it better). It filters the data with a low pass filter. It calculates the amplitude threshold to recover the symbols, and it recovers the symbols using all of this data and saves the length of each symbol, the duration of each symbol, in a buffer. You can see it in a graph, and I hope it will be much clearer. In the top graph we see the absolute value of the samples, and you can see the
symbols here, power versus time. In the middle graph you see the filtered values, and it looks much more like digital data. In the lower graph you see the digitized data, the recovered symbols. As I said earlier, Spock is doing two batches of tasks. This is the second batch. Now that it has the duration of each symbol, it has the symbol value, so it is looking for the header bytes, the header symbols. If you recall, each packet starts with header bytes, and when you have the symbols it starts with header symbols. Once it has found the header symbols it can recover the packet, so it recovers the data packet from the symbols, and then it uses forward error correction decoding to correct errors in the data, if any. Afterwards it verifies packet validity. If the packet is valid, then it decodes the audio using a G.726 decoder and stores the PCM samples in a buffer. If there are any missing packets, lost packets, it fills the PCM samples buffer with zeros, and then it plays the audio. And that's the whole circle between Scotty and Spock. Let's talk about tests. The first batch of tests that I did had the following properties: the time constant was set to 14 microseconds; the data packet structure was four header bytes, 20 Reed-Solomon forward error correction parity bytes, a single audio packets counter and 63 encoded audio bytes; I used two bits per PCM sample encoding; and last but not least, two audio data checksum bytes. Each packet was transmitted with four bits per symbol: I took every byte, divided it into two nibbles, and transmitted four bits per symbol. Here you can see the computers I used for the tests. One was a laptop computer and one was a desktop computer. You can see here the hardware of the two computers. You can see the setup in my apartment: on the left you can see the laptop computer on the table, on the right you can see the reception equipment, and in the middle you can see the corridor inside the apartment, and at one end you see the
laptop computer, and on the other end you see the antenna. Here you can see the same setup but for the desktop computer: you can see the desktop computer on the table, on the right the reception equipment, and in the middle the corridor with both sides. OK, let's see some tests. Here you can see Scotty on the laptop. It's in flight mode, and here it begins to transmit. And now that you've got a good sense of the raw bitrate, I'm walking backwards to the reception equipment. This is the reception equipment: the antenna, low noise amplifier and SDR receiver, flight mode of course, and this is Spock. Let's clear the numbers. And that was the laptop. This is the desktop. You can see the raw bitrate, and this is Spock. (The transmitted audio plays: "...of our population as a whole. Despite that, the vast stretches of the unknown and the unanswered and the unfinished still far outstrip our collective comprehension. We set sail on this new sea because there is new knowledge to be gained, and new rights to be won, and they must be won and used...") And that's the first batch. Here are the test results. I got good audio and good average bitrate, and I even got a good packet ratio, but I noticed something interesting: on the desktop I got a better ratio when the monitor was turned off than when it was turned on. So I started to investigate this. When I examined the signals I understood that the desktop computer is emitting signals which Scotty did not generate, and the computer stops transmitting these signals once the monitor is turned off by the Windows power plan. So since I got better results with the monitor off, I decided to set the parameters, the packet structure, differently for a second batch of tests and try to achieve better audio quality. So I set the time constant to 8 microseconds, I used 4 Reed-Solomon forward error correction parity bytes instead of 20 in the first batch, and I used 3 bits per PCM sample encoding instead of 2. Let's see what I got. This is the desktop,
of course, and you can see a higher bitrate. And this is Spock, and as you can see there are a lot of lost packets. The audio quality is quite poor, the reception quality is quite poor, and this is because the monitor is still on. So let's wait a few seconds to see how it will go when the display is off. And this is with the display off: you can see that the lost packets indicator has halted and the good packets ratio is increasing, and we get good audio. Clearing the numbers. (The transmitted audio plays: "...to die on Mount Everest, was asked why did he want to climb it. He said, 'Because it is there.' ... and we're going to climb it, and the moon and the planets are there, and new hopes for knowledge and peace are there. And therefore, as we set sail, we ask God's blessing on the most hazardous and dangerous and greatest adventure...") It's a wonderful speech by JFK and I recommend you all to listen to it; it's a great speech. So these are the test results. I got better audio, better bitrate and a better packet rate, and everything is great. The whole project was designed around CK, the command clock, but it is important to remember that other signals are being transmitted as well at the same time. We have the four basic signals here, but there are more signals derived from these signals, and there are a lot of signals being transmitted at every symbol transmission. So if you can't get your data on one frequency, you might find it on different frequencies. Let's see an example of that. Here you can see the power versus frequency of a signal which equals the command clock divided by two, and you can see good power, and here you can see that Spock receives it: 99.6% good packet ratio. The only difference you may see is in the waveforms. The waveform of half of CK is different from the waveform of CK, and if you want to receive this signal instead of CK then you need to adjust Spock to process the samples with this waveform to get the best results. But as you can see, this was not handled or tampered with in any way, and it just gives good reception. OK, so
let's talk about conclusions. The first are the fun conclusions. First, it works. The second conclusion is that my apartment is too small for the range tests: I had enough power, I could have gone further, but that's the length of the corridor, so that was it for me. And I got so excited that I made a jingle for Tempest Radio Station. Let's hear it. That is the jingle. But let's talk about the more alarming conclusions. First, timed memory transfers are easy to produce; it's only memory transfers. And you can leak data just like you can leak audio, because as you saw, the audio was already digitized; it could be any other payload that I chose. You can use this method on an air-gapped computer. If you look at an air-gapped computer, it doesn't have any radio-based communication channel, but if it has a GPU then you can use this method to get information out of it. This is most important during non-working hours, because the GPU is idle, there's no supervision, the monitor can be turned off to achieve maximum bitrate, either by the attacker or by the company's IT policy, and the attacker can choose the time of transmission. For example, he can hide the reception equipment in the parking lot, choose the data to be transmitted from 9 pm till midnight, and get the data. Everything I spoke about is not supervised by any software: not by antivirus, firewalls, port monitoring or whatever. And this is important not only to, for example, extract plans and designs from internal networks; you can also do it on open networks, networks that are connected to the internet, because nobody is monitoring this channel. It's an open channel, and since nobody is monitoring it you can pass whatever you want, and as long as you can hide the reception equipment and get the data out, you can enjoy Tempest Radio. Thank you very much for watching. Here are the links to the source code on GitHub for both Scotty and Spock, and here you can see the references from my work. Thanks again, and I hope you enjoyed it.
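To make the symbol rule from the talk (duration equals symbol value plus one, times the time constant) and the first-batch packet structure concrete, here is an added Python simulation; it is not the talk's Scotty or Spock code. It assumes the packets counter is one byte, a high-nibble-first symbol order, and a constructed amplitude envelope with a 2 MS/s sample rate and small timing jitter standing in for the SDR samples.

```python
"""Added example, not the talk's Scotty/Spock code: the on-off keying symbol
timing and the first test batch packet layout, simulated. From the talk: 14 us
time constant, 4 bits per symbol, 4 header / 20 RS parity / 1 counter /
63 audio / 2 checksum bytes. Assumed: one-byte counter, high nibble first."""
import random

TIME_CONSTANT_US = 14.0                     # first test batch
BITS_PER_SYMBOL = 4                         # one nibble per symbol
SYMBOL_MAX = (1 << BITS_PER_SYMBOL) - 1     # 15
FIELDS = (("header", 4), ("rs_parity", 20), ("counter", 1),
          ("audio", 63), ("checksum", 2))   # byte counts, in the talk's order
PACKET_LEN = sum(n for _, n in FIELDS)      # 90 bytes, i.e. 180 symbols

def symbol_duration_us(value, t=TIME_CONSTANT_US):
    """Transmitter rule: duration = (value + 1) * T. The +1 keeps value 0 from
    becoming a zero-length pulse, so the shortest symbol lasts exactly T."""
    if not 0 <= value <= SYMBOL_MAX:
        raise ValueError(f"symbol value out of range: {value}")
    return (value + 1) * t

def calibrate_bytes_constant(transfer_bytes, measured_us, t=TIME_CONSTANT_US):
    """Bytes moved per time constant, from one timed large transfer; this is
    the near-linear bytes/time ratio the talk measures up front."""
    return transfer_bytes * t / measured_us

def transfer_size_bytes(value, bytes_constant):
    """Bytes to move so that the transfer lasts (value + 1) * T."""
    return int(round((value + 1) * bytes_constant))

def decode_duration(duration_us, t=TIME_CONSTANT_US, tolerance=0.3):
    """Receiver rule: value = round(duration / T) - 1. A pulse that is not
    close to a grid point, or longer than the longest symbol, yields None."""
    units = duration_us / t
    nearest = round(units)
    if abs(units - nearest) > tolerance or not 1 <= nearest <= SYMBOL_MAX + 1:
        return None
    return nearest - 1

def durations_from_envelope(envelope, sample_rate_hz, threshold):
    """Spock-style step: run lengths of samples above the amplitude threshold
    become pulse durations in microseconds."""
    durations, run = [], 0
    for amplitude in envelope:
        if amplitude > threshold:
            run += 1
        elif run:
            durations.append(run * 1e6 / sample_rate_hz)
            run = 0
    if run:
        durations.append(run * 1e6 / sample_rate_hz)
    return durations

def make_envelope(symbols, sample_rate_hz, gap_us=TIME_CONSTANT_US,
                  jitter=0.01, seed=1):
    """Constructed test signal: one pulse per symbol at amplitude 1.0 with a
    little random length jitter, separated by idle gaps at amplitude 0.1."""
    rng = random.Random(seed)
    per_us = sample_rate_hz / 1e6
    env = []
    for value in symbols:
        on_us = symbol_duration_us(value) * (1 + rng.uniform(-jitter, jitter))
        env += [1.0] * int(round(on_us * per_us))
        env += [0.1] * int(round(gap_us * per_us))
    return env

def bytes_to_symbols(data):
    """Each byte becomes two 4-bit symbols, high nibble first (assumed)."""
    return [n for b in data for n in (b >> 4, b & 0xF)]

def parse_packet(raw):
    """Slice a 90-byte packet into the fields the talk lists. Reed-Solomon
    decoding and the checksum algorithm are not reproduced here."""
    if len(raw) != PACKET_LEN:
        raise ValueError(f"expected {PACKET_LEN} bytes, got {len(raw)}")
    fields, pos = {}, 0
    for name, size in FIELDS:
        fields[name] = raw[pos:pos + size]
        pos += size
    fields["counter"] = fields["counter"][0]
    return fields
```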