Is it true that all circuits can act as antennas?

MisterBill2

Joined Jan 23, 2018
18,176
I asked a question on StackExchange about a device to measure the ELF of a CPU and anything to mask the ELF of a CPU. I asked this after I read a report detailing how researchers used the electromagnetic activity of the CPU to exfiltrate data from an air-gapped system in a Faraday shield. One user who answered the question said that almost all circuits are capable of acting as antennas. If this is true, then it must mean all motherboards, CPUs and GPUs are capable of transmitting and receiving data without being connected to WiFi or Ethernet, and anyone nearby could use this phenomenon to compromise the system.

Is it true that all circuits can act as antennas? Can the ICs found on CPUs, GPUs, motherboards, etc. be programmed to act as antennas to send and receive data? Is there a way to find at what frequencies they are broadcasting and receiving? What can I do to mask the ELF of the CPU and higher frequencies?
Indeed it is true, and so the military has created the "TEMPEST" program to develop ways to prevent this from giving away any information, or being susceptible to interference. There is a great deal of information on the topic and some of it is not classified and may be available.
AND, TEMPEST certified computer systems do not radiate any data related signals.
 

BobTPH

Joined Jun 5, 2013
8,813
And malware can be created to load, unload and process data to make the CPU or any microprocessor generate usable EMF.
If you can get malware in the machine, why would you bother when you could simply send the data you want to steal over the net? Worrying about someone stealing your data via CPU RF emissions is about as rational as worrying about being hit by lightning while crossing a busy interstate highway blindfolded.

Bob
 

nsaspook

Joined Aug 27, 2009
13,087
If you can get malware in the machine, why would you bother when you could simply send the data you want to steal over the net? Worrying about someone stealing your data via CPU RF emissions is about as rational as worrying about being hit by lightning while crossing a busy interstate highway blindfolded.

Bob
For most of the public, for most of the time, that's correct but the thing that removes the random factor is directed action on specific targets. Then worrying about someone stealing your data via cpu RF emissions is as rational as worrying about being hit by a truck while crossing a busy interstate highway blindfolded as the random lightning factor has been eliminated.
https://www.eff.org/files/2013/11/15/20131027-spiegel-embassy.pdf

Sending stolen data directly over the net might be detected (and get your hands dirty) so side-channels (physical or electrical) are used to bypass normal comsec.
https://theintercept.com/2015/02/04/demonize-prosecute-hackers-nsa-gchq-rely-intel-expertise/
 

MisterBill2

Joined Jan 23, 2018
18,176
If you can get malware in the machine, why would you bother when you could simply send the data you want to steal over the net? Worrying about someone stealing your data via CPU RF emissions is about as rational as worrying about being hit by lightning while crossing a busy interstate highway blindfolded.

Bob
Given that the folks who created the TEMPEST program are military folks, their situation is a bit different from mine and yours. And the bad guys always play for keeps.
Besides that, MOST folks do not have things worth going to that much effort to steal on their computers. And certainly the equipment to get useful information from computer noise radiation is both complex and expensive.
 

djsfantasi

Joined Apr 11, 2010
9,156
...said that almost all circuits are capable of acting as antennas. If this is true, then it must mean all motherboards, CPUs and GPUs are capable of transmitting and receiving data without being connected to WiFi or Ethernet, and anyone nearby could use this phenomenon to compromise the system.
You are missing some important qualifiers. Let’s take two situations one at a time.

All motherboards, etc “are capable of receiving data”. If you agree with this statement, you have to qualify it by “receiving meaningful data”. Without specific situations and complex hardware/software, “all” motherboards, etc can’t do anything with the data. A dedicated system might in very specific circumstances.

Secondly, all motherboards etc can transmit data. But as I outlined in the previous data, only a subset of data that is transmitted can be received as meaningful data.

No one is going to go to the expense of using this technique to capture your credit card info. The variables are too great. But if you are running a system which handles highly secure data, you might worry.
 

WBahn

Joined Mar 31, 2012
29,979
I asked a question on StackExchange about a device to measure the ELF of a CPU and anything to mask the ELF of a CPU. I asked this after I read a report detailing how researchers used the electromagnetic activity of the CPU to exfiltrate data from an air-gapped system in a Faraday shield. One user who answered the question said that almost all circuits are capable of acting as antennas. If this is true, then it must mean all motherboards, CPUs and GPUs are capable of transmitting and receiving data without being connected to WiFi or Ethernet, and anyone nearby could use this phenomenon to compromise the system.

Is it true that all circuits can act as antennas? Can the ICs found on CPUs, GPUs, motherboards, etc. be programmed to act as antennas to send and receive data? Is there a way to find at what frequencies they are broadcasting and receiving? What can I do to mask the ELF of the CPU and higher frequencies?
In principle, yes. All elements of all circuits can act as an antenna and can either radiate electromagnetic energy or receive electromagnetic energy.

Under normal conditions most electronic circuits, while always doing both of these things, are not able to do either in any meaningful way in terms of communicating information either into or out of the circuit because the signal-to-noise levels are just way too low.

But the ability to communicate information involves two sides -- the transmitter and the receiver -- and to effect communication in a system that otherwise couldn't do it you can either increase the power output of the transmitter (in the direction of the receiver) or increase the sensitivity of the receiver (in the direction of the transmitter). Since the bad guy is almost always going to have control over one of these, they have a lot of potential to improve their end of the communication link sufficiently to establish communications.

For what you are talking about (exfiltrating data from an air-gapped system), the bad guys first work on the receiving end to improve it as much as they can. They have a lot of tools at their disposal, some simple and cheap, others extremely sophisticated and expensive, and a lot of stuff in between. If they can get the necessary sensitivity within their budget and resources to detect and extract the information they are seeking, they've won (for now). If they can't, then they can try to do what you are suggesting and trick the system with the data into doing something that will create a detectable signal that contains the information. This may or may not be easy to do. On the one hand, there are so many possible avenues to achieve it that it is literally impossible for the good guys to be sure that they have rendered all of them useless, but on the other hand first finding an exploitable weakness and then figuring out a way to exploit it are generally not trivial tasks, particularly on a system that has been designed to prevent exfiltration.

As one example of a very low-tech way that some students came up with in a short period of time and at a cost of about $50, they took a cheap SDR (software-defined radio) and tuned it to the data rate of an HDMI interface and then put the antenna on one side of a wall opposite a computer monitor that was against the wall on the other side and were able to use leaked energy from the system (predominantly the shielded HDMI cable, which was only about six inches away) to recreate a good approximation of the image on the monitor. There's all kinds of ways that malware could be written to exfiltrate arbitrary information from the machine using this approach.
 
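The link-budget argument above (a weak emitter can still be read if the receiver integrates long enough) and BobTPH's earlier remark that malware can key the CPU between busy and idle to produce a usable emission can both be seen in a small simulation. The following is an added example written for this page, not code from any poster or from any published attack: the "emission" is a synthetic 1 kHz sinusoid sampled at 10 kHz (both values chosen arbitrarily), switched on for a 1 bit and off for a 0 bit, buried in Gaussian noise. The receiver correlates each bit window against the carrier and picks the 0/1 threshold blindly with a two-cluster split. The secret string and the noise level are constructed inputs; nothing here measures a real CPU.

```python
"""On-off-keyed covert channel simulation (constructed example).

Shows why receiver integration time decides whether a weak leaked
emission carries recoverable data: the same noise level defeats a
10-sample bit window but not a 2000-sample one.
"""
import math
import random

SAMPLE_RATE = 10_000   # simulated receiver sample rate (assumed value)
CARRIER_HZ = 1_000     # simulated emission frequency (assumed value)


def bytes_to_bits(data: bytes) -> list[int]:
    """MSB-first bit list for a byte string."""
    return [(b >> i) & 1 for b in data for i in range(7, -1, -1)]


def bits_to_bytes(bits: list[int]) -> bytes:
    """Inverse of bytes_to_bits; trailing partial bytes are dropped."""
    out = bytearray()
    for i in range(0, len(bits) - 7, 8):
        out.append(int("".join(str(b) for b in bits[i:i + 8]), 2))
    return bytes(out)


def ook_modulate(bits, samples_per_bit, amplitude=1.0):
    """Carrier present while a 1 is sent, silence for a 0.

    This is the transmit side: it stands in for malware alternating a
    busy loop and an idle period so the emission follows the data.
    """
    samples = []
    for bit in bits:
        for _ in range(samples_per_bit):
            n = len(samples)   # global sample index keeps the phase continuous
            theta = 2 * math.pi * CARRIER_HZ * n / SAMPLE_RATE
            samples.append(amplitude * bit * math.cos(theta))
    return samples


def add_noise(samples, noise_std, rng):
    """Additive white Gaussian noise, the receiver's noise floor."""
    return [s + rng.gauss(0.0, noise_std) for s in samples]


def window_magnitudes(samples, samples_per_bit):
    """Correlate each bit window with the carrier (I and Q) and return
    the magnitude. A longer window averages more noise out, which is
    the receiver-sensitivity knob the poster describes."""
    mags = []
    for start in range(0, len(samples) - samples_per_bit + 1, samples_per_bit):
        i_sum = q_sum = 0.0
        for n in range(start, start + samples_per_bit):
            theta = 2 * math.pi * CARRIER_HZ * n / SAMPLE_RATE
            i_sum += samples[n] * math.cos(theta)
            q_sum += samples[n] * math.sin(theta)
        mags.append(math.hypot(i_sum, q_sum))
    return mags


def two_means_threshold(values, iterations=20):
    """Blind 0/1 threshold: 1-D k-means with k=2, midpoint of centroids.
    Works without a training preamble as long as both symbols occur."""
    lo, hi = min(values), max(values)
    for _ in range(iterations):
        low = [v for v in values if abs(v - lo) <= abs(v - hi)]
        high = [v for v in values if abs(v - lo) > abs(v - hi)]
        if not low or not high:
            break
        lo, hi = sum(low) / len(low), sum(high) / len(high)
    return (lo + hi) / 2


def ook_demodulate(samples, samples_per_bit):
    mags = window_magnitudes(samples, samples_per_bit)
    threshold = two_means_threshold(mags)
    return [1 if m > threshold else 0 for m in mags]


def bit_error_rate(sent, received):
    return sum(a != b for a, b in zip(sent, received)) / len(sent)


def run_link(secret: bytes, samples_per_bit: int, noise_std: float,
             amplitude: float = 1.0, seed: int = 1):
    """Transmit `secret` over the simulated channel and decode it.
    Returns (bit error rate, decoded bytes)."""
    rng = random.Random(seed)
    bits = bytes_to_bits(secret)
    rx = add_noise(ook_modulate(bits, samples_per_bit, amplitude), noise_std, rng)
    decoded = ook_demodulate(rx, samples_per_bit)
    return bit_error_rate(bits, decoded), bits_to_bytes(decoded)


if __name__ == "__main__":
    secret = b"SECRET!!"   # constructed payload, 64 bits
    for spb in (10, 2000):
        ber, got = run_link(secret, spb, noise_std=1.5)
        print(f"{spb:5d} samples/bit: BER={ber:.2f} decoded={got!r}")
```

With the noise standard deviation at 1.5 times the carrier amplitude, the 10-sample window gives a garbled decode, while the 2000-sample window recovers the payload exactly: the transmitter changed nothing, only the receiver integrated 200 times longer. The same code shows the transmitter-side option too: raising `amplitude` (a louder emitter) lowers the error rate at a fixed window length. The flip side, which is what TEMPEST-style limits aim at, is that pushing the residual signal further below the noise floor forces the attacker into longer integration times, and so into lower data rates and a longer exposure near the target.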

WBahn

Joined Mar 31, 2012
29,979
Indeed it is true, and so the military has created the "TEMPEST" program to develop ways to prevent this from giving away any information, or being susceptible to interference. There is a great deal of information on the topic and some of it is not classified and may be available.
AND, TEMPEST certified computer systems do not radiate any data related signals.
TEMPEST certification can only test that, under specified test conditions, radiation of data-related signals was below some maximum threshold. It does not guarantee either that there are no data-related emissions or that the system could not be made to operate in some previously unknown way that results in data-related emissions above the threshold.
 

MisterBill2

Joined Jan 23, 2018
18,176
In principle, yes. All elements of all circuits can act as an antenna and can either radiate electromagnetic energy or receive electromagnetic energy.

Under normal conditions most electronic circuits, while always doing both of these things, are not able to do either in any meaningful way in terms of communicating information either into or out of the circuit because the signal-to-noise levels are just way too low.

But the ability to communicate information involves two sides -- the transmitter and the receiver -- and to effect communication in a system that otherwise couldn't do it you can either increase the power output of the transmitter (in the direction of the receiver) or increase the sensitivity of the receiver (in the direction of the transmitter). Since the bad guy is almost always going to have control over one of these, they have a lot of potential to improve their end of the communication link sufficiently to establish communications.

For what you are talking about (exfiltrating data from an air-gapped system), the bad guys first work on the receiving end to improve it as much as they can. They have a lot of tools at their disposal, some simple and cheap, others extremely sophisticated and expensive, and a lot of stuff in between. If they can get the necessary sensitivity within their budget and resources to detect and extract the information they are seeking, they've won (for now). If they can't, then they can try to do what you are suggesting and trick the system with the data into doing something that will create a detectable signal that contains the information. This may or may not be easy to do. On the one hand, there are so many possible avenues to achieve it that it is literally impossible for the good guys to be sure that they have rendered all of them useless, but on the other hand first finding an exploitable weakness and then figuring out a way to exploit it are generally not trivial tasks, particularly on a system that has been designed to prevent exfiltration.

As one example of a very low-tech way that some students came up with in a short period of time and at a cost of about $50, they took a cheap SDR (software-defined radio) and tuned it to the data rate of an HDMI interface and then put the antenna on one side of a wall opposite a computer monitor that was against the wall on the other side and were able to use leaked energy from the system (predominantly the shielded HDMI cable, which was only about six inches away) to recreate a good approximation of the image on the monitor. There's all kinds of ways that malware could be written to exfiltrate arbitrary information from the machine using this approach.
The TEMPEST program was intended to prevent exactly that sort of possibility. This did include much better shielding. And there is a great deal of difference between being able to detect a signal and being able to understand that signal.
 

WBahn

Joined Mar 31, 2012
29,979
If you can get malware in the machine, why would you bother when you could simply send the data you want to steal over the net? Worrying about someone stealing your data via CPU RF emissions is about as rational as worrying about being hit by lightning while crossing a busy interstate highway blindfolded.

Bob
As the TS stated in the first post, he is talking about getting malware onto an air-gapped system. It is MUCH easier to get malware loaded onto an air-gapped system than it is to exfiltrate data from such a system. The ability to load programs and data is pretty much required on a routine basis; the ability to communicate data out of the system is much more limited.

Stuxnet was loaded onto the air-gapped Iranian ICS systems that controlled their centrifuges from an infected laptop, which was infected by a thumb drive. Once on those systems, it would have been very difficult to exfiltrate anything over the net since they weren't connected to the net. Trying to sneak data out in a manner comparable to how it was snuck in would have been much more problematic. Of course, in this case that wasn't important because the purpose of the malware wasn't to exfiltrate information, but rather to destroy hardware with software (which it did a very good job of).
 

WBahn

Joined Mar 31, 2012
29,979
The TEMPEST program was intended to prevent exactly that sort of possibility. This did include much better shielding. And there is a great deal of difference between being able to detect a signal and being able to understand that signal.
Yes, but the TEMPEST program can only reduce the vulnerability, not eliminate it. There have been numerous demonstrations of people exfiltrating data from TEMPEST-certified systems, usually by exploiting side channels that were previously unknown, but sometimes by getting more clever about how to detect the residual emissions. The results are often changes to the TEMPEST standards. I can pretty much guarantee that we haven't seen the last of those revisions.
 