
Screaming Channels

When Electromagnetic Side Channels Meet Radio Transceivers



Intro

Screaming Channels is a project that investigates long-distance side-channel attacks on radio signals emitted by mixed-signal chips. Up to now, our best result is a full key recovery from 10 m (Bluetooth dongle, TinyAES 128, anechoic room). We make our setup and code public so that others can reproduce and improve our results.

In a nutshell, Screaming Channels is based on these observations:

  • Mixed-signal circuits are popular (a cheap integrated solution for radio communication)
  • The digital part (noisy) sits close to the analog/RF part (noise-sensitive)
  • Noise propagates from one to the other (e.g., through substrate or power-supply coupling to the frequency synthesizer or power amplifier)
  • Sensitive information about the digital activity flows to the radio, where it is picked up and transmitted
  • Side-channel attacks become possible at a considerable distance

Publication

Screaming Channels: When Electromagnetic Side Channels Meet Radio Transceivers
Giovanni Camurati, Sebastian Poeplau, Marius Muench, Tom Hayes, Aurélien Francillon
To appear at the 25th ACM Conference on Computer and Communications Security (CCS), Toronto, Canada
PDF | BibTeX | Black Hat USA 2018 talk | Black Hat USA 2018 slides



How

In order to make our results fully reproducible, we have made our setup and code (as well as some traces) public. You can find this and a detailed README guide on git.

News

Full key recovery now working from 10 m in an anechoic room (Bluetooth dongle, TinyAES 128).
Giovanni Camurati and Marius Muench presented the Screaming Channels project at Black Hat USA 2018, on the afternoon of August 9 in Las Vegas (USA).
Giovanni Camurati presented Screaming Channels at ACM CCS 2018.
Sebastian Poeplau presented Screaming Channels at CSAW 2018 and won 3rd place at the CSAW Europe 2018 Applied Research Competition.
Marius Muench presented Screaming Channels at GreHack 2018.

Coverage

Screaming Channels?

Compared to conventional side channels, the Screaming Channels leak is strong and is broadcast by the radio over a potentially long distance. Hence the attribute "Screaming", in contrast with the "whisper" of conventional channels.

Authors

Screaming Channels has been developed at EURECOM by Giovanni Camurati, Sebastian Poeplau, Marius Muench, Tom Hayes and Aurélien Francillon.

Contact

Feel free to contact camurati@eurecom.fr with any questions.

Acknowledgments

The authors acknowledge the support of the SeCiF project within the French-German Academy for the Industry of the future, as well as the support of the DAPCODS/IOTics ANR 2016 project (ANR-16-CE25-0015). We would like to thank the FIT R2lab team from Inria, Sophia Antipolis, for their help in using the R2lab testbed.