System Bus Radio: Transmits AM radio on computers without transmitting hardware (github.com/fulldecent)
515 points by yarapavan on Jan 17, 2018 | 120 comments



I debugged a boot issue on the Apple Newton this way. The latest flash image was a brick on production hardware (no available LEDs, GPIOs, etc.) but not on development hardware. But I could flash a new OS image.

So I wrote some small loops that did different stuff on the bus (so that they sounded different) and salted the boot path with them, then listened in on my portable AM radio. Found the problem inside of an hour by moving the loops further down the path.

There were probably other ways to do this (could have coaxed a hardware tech in the lab to solder in a GPIO), but this way was more fun. :-)


Reminds me of the CHDK hackers trying to dump firmware off a Canon camera. They could get the altered firmware to activate and could read memory and control an LED, so... they blinked the firmware out through the LED, and read it with a ball mouse's optical sensor attached to a microphone cord. :-)


I half-remember reading that someone dumped the firmware of an older iPod by listening to hard disk noises.

Thinking back this doesn't make much sense.

EDIT: I was maybe ⅓ right https://web.archive.org/web/20070613032334/http://www.ipodli...


meanwhile on the web: "The undefined variable foo on line 13 is not a function"


To a non-hardware guy this sounds like strange witchcraft. Very cool.


That's probably the most commitment I've ever seen for fixing a bug like that

That's awesome


What was the problem?


IIRC it was some improperly guarded code that was intended to run only on the non-production development systems (some debugging support). The kernel would touch a non-existent h/w register and trap, which was fatal. Removing the code was the fix.


Logging by sound? I love it.


Back a couple of decades, my alphabetic pager was going off but the messages were gibberish. It turned out the CPU in the PC I'd been asked to look at was a Pentium running at 150 MHz. I'd set my pager directly on top of the case, and the nominal frequency for it was 150.5 MHz, frequency modulated.

The lines in the motherboard can be used as antennae and the CPU pins can produce a clock pulse and modulate it. There used to be a parallel port audio device for PCs which was mainly just different resistors. The driver for it just timed pulses to the different pins.

This software just shows a bit of a novel implementation to modulate the motherboard bus itself in an ordered way to produce a signal with useful data in it. I imagine FM may be easier to pull off cleanly than AM, actually.

This shows that an air gap has to be pretty large, and should probably be backed up by a Faraday cage if your data is that sensitive.

I don't suspect this will be used to get grandma's credit card number from her home desktop considering the logistics of the actual attack. Source code to something really important, military data, diplomatic dispatches, or something else of really high value would be the only sensible targets in a closed area. However, a university lab, Internet cafe, coffee shop, or public library might be easy enough. Most of the machines there will be on the network, and that's an easier way to exfiltrate. The main advantage of this in the common attacker's toolkit is it won't be seen by a host-based firewall. DNS, DHCP, or lots of other ways could be used to exfiltrate through most firewalls though.

This sort of thing is a great novelty for most of the computer-using world. It's kind of scary for people who are actually in need of an air gap, but I don't think it's unforeseen.


Years ago I was in the same building during the installation of a "NATO standard" (whatever that means) environment suitable for developing sensitive software, and the air gap was indeed pretty large, the entire 2 rooms were air gapped from the building (at 4th floor), enclosed in a Faraday cage and with special precautions (out of my clearance level) for electricity going in. It was very quiet inside (even cell phone did not have any signal, of course).


Hopefully cellphones weren't allowed? Otherwise it would be interesting to hack the phone to go to "record AM signals" if there's no cell/wifi/FM/GPS signals (if it were on a plane it would still see GPS signals). Or maybe to announce its presence using ultrasonic, so if there's also compromised machines/CPUs/hypervisor environments inside the secured environment, it would detect the "Hello" and start uploading data to it. Later when the phone user reconnects to the cell network, it can upload your secret data.


Of course they were forbidden, as was every unauthorized device. The physical security was tight. I just entered it during the building, before the certification (I was in a manager role in the building).


Have you seen the GSMem paper? They demonstrate pretty much exactly what you've proposed: https://www.usenix.org/node/190937



A surprising amount of detail about SCIFs is publicly available [0].

[0] https://www.wbdg.org/FFC/DOD/UFC/ufc_4_010_05_2013_c1.pdf


I'm very curious (from an academic thought-experiment standpoint) what sorts of mitigations could be used for electrical lines in an environment like this.

My first thought - an alternate reality where you could turn power to (say) 100kW of light and then back again - would actually not be enough, as light can be pulsed so rapidly we're already using it to encode data. Welp.

I'm guessing that UPS-type equipment was used as a form of powerline isolation, at least.


My understanding is that's what capacitors would mitigate. Computers run on DC.


> There used to be a parallel port audio device for PCs which was mainly just different resistors. The driver for it just timed pulses to the different pins.

Resistor ladder DA converters are pretty fun.

https://en.wikipedia.org/wiki/Covox_Speech_Thing

https://hackaday.com/2015/11/05/logic-noise-digital-to-analo...

https://www.tek.com/blog/tutorial-digital-analog-conversion-...


Turns out you don't really even need a DAC for audio. You can fairly easily bit-bang a single binary output and run it through an RC filter to get nice audio.


People had fanciful minds. They had expected the civilization to end in bio-warfare, or atomic bombs, or a blazing meteorite impact.

No such luck. The end of the civilization came, rather anticlimactically, when the humans discovered that side effects and timing attacks made any form of cyber-security a joke. Their computers screeched to a halt bogged down by nightmarish security patches.

By then, it was already too late to go back and live off the land.


This code is more fun and interesting than scary. The only way this could be used maliciously would be in the one-in-a-million environment where arbitrary code execution is possible but exfiltration is difficult and where the attacker has physical proximity to the machine. The other 999,999 times, if you have ACE then it's much simpler to just exfiltrate via the network or USB or etc.


This would aid e.g. the "Stuxnet usecase" once the used computer hardware is known. Precise directional antennas could pick up the signal from a distance.


>where the attacker has physical proximity to the machine.

There may also be an option to use a directional antenna to pick it up from a great distance away.

Physical infiltration of networks isn't a fictional concept. It does happen all the time.


In theory it would help with exfiltration from air-gapped machines, although like you said, you do still need to get the code on there in the first place, which would imply it's not air-gapped all that well.


Scenario: broadcasting out passwords and PINs


Solution: bluetooth transceiver silicon is <5mm square when packaged


Or they just went back to using simple CPUs, and were content with solving smaller problems.


I know this is in good-natured jest, but wouldn’t the arrival of widespread quantum computing, which needs to be absolutely decoupled from its environment so as to prevent decoherence, actually be an enormous step forward in almost all these “side channel” attacks? In the sense that decoupling must by definition limit any exchange of information that might constitute ‘observation’, and as such, the goings-on of a quantum computer become literally unobservable on the pain of nonfunction.


Current quantum computers don't have much in the way of microarchitecture. No caches or branch prediction obviously.

But if you were timesharing on a quantum machine (which, given that they need $1M microkelvin coolers seems like it will be common) it's not impossible that information could leak. Given the analog way they work, you could probably set up a computation that would be sufficiently sensitive to initial conditions that the not-entirely-decayed-to-zero previous computation could influence it.


Uhm... no, I think not: to get information out of the quantum computer as output for the ”previous user” it needs to go through an explicit phase of observation, busting all the state (?), and loading up new data for the subsequent user’s computation also constitutes ’observation’ since there’s knowledge of the inner state of the quantum system outside the strict confines of the quantum system. I really don’t think you could at any moment in time get information out of a side-channel, otherwise the thing wouldn’t compute.

(Yup, of course they’re extremely simplistic in terms of inner architecture, but that’s quite beside the point, as I think we both agree.)


It's true that the quantum state can only be observed once, but at the end of the observation the resolved state exists classically in the phase of the resonating elements. Also, the input vector continues to be there. Leaking either is a leak.


... they were all eagerly awaiting to upload their souls to Intel CPUs, but alas ...


Nah, that wouldn't work - simple CPUs, by virtue of going slower, being less complicated inside and using more power per cycle, would be easier to snoop at through EM channels.


And then, they discovered that by putting the 8-bit machines under metal rollers moving 12-foot-wide plastic film at 10 meters per second, their signals could not push through the resulting force field.


Side channels are always present. I think people not realizing it is a sad example of how our brains compartmentalize things, so that even smart individuals end up abstracting away the physical world.

These articles are only friendly reminders: computing runs in physical reality. Whatever you do, whatever information you process, it's always broadcasting itself at the speed of light. The only thing you can do is to try and raise the practical costs of a side-channel attack so much that it becomes much more expensive than the target data is worth to the attacker.


I wouldn’t sell NBC weapons short... at least not the B and N parts. Nukes are dangerous in the hands of nations, but my god you just wait until every asshole with a laptop and $10,000 worth of equipment can customize their own plague. We’re not quite there yet, but we’re close, and regulating that is going to be utterly impossible.

It’s possible to exist in a relative detente between nations, but when the capacity to end human civilization is democratized we are dead. Many forms of incredible tech are really maturing, and frankly our laws are a century or more behind. We’re in real trouble if we have to wait to be burned to believe in the fire this time.

Unfortunately it seems that most of the smartest people are desperately trying to strike it rich, and that’s just about all. Even most of the people who want to make a difference only feel they can/should after making “fuck you money.”


If you're ever near Stuttgart, Germany, go and visit the university's computer museum!

http://computermuseum.informatik.uni-stuttgart.de/

Klemens usually feeds punched cards into one of his treasures and puts a radio on top. Playing music.

So much to see!

http://computermuseum.informatik.uni-stuttgart.de/cm003.html

Including real core memory.


Living Computer Museums are fascinating.

Anyone who's in Seattle for any length of time owes it to themselves to check out the Living Computer Museum: http://www.livingcomputers.org/Discover/At-The-Museum/Vintag...

In addition to the working Alto, MITS Altair, etc. they have a dedicated cold room for working vintage mainframes. You can even request an account on one of 'em so you can remotely telnet in. You're also openly invited to interact with just about any of the microcomputers they have up and running that day.

That's just a small part of their collection. Neat stuff.


Also quite good is the Centre For Computing History in Cambridge.

http://www.computinghistory.org.uk/


Yeah, the amount of direct exposure you have to the collection is pretty stunning. If I remember correctly only the Alto was behind a display. Everything else you could touch/interact with.

Highly recommended.


Yes, this was also accomplished on a PDP-10 at Caltech around 1972.


This is so well-known there's even an oeuvre appropriately titled “IBM 1401: A User’s Manual” by Icelandic neoclassical composer Jóhann Jóhannsson that involves recording the noises made on a radio by running different code on an old mainframe.

https://pitchfork.com/reviews/albums/9583-ibm-1401-a-users-m...



I wrote a program based on that:

https://github.com/anfractuosity/musicplayer

Which plays .wav files (example with Taylor Swift) to a nearby radio

https://www.youtube.com/watch?v=xSj5skknXWg&feature=youtu.be


That's pretty damned clever.

In a far less sophisticated way, I was able to achieve audio transmission without any extra hardware except for a ~6 foot aux audio cable. This was back when I was maybe 14 years old and I was already building RF circuits with crystal oscillators and such. Learning that audio is sampled at specific frequencies, I was then led to wonder if the same principles could be used to send and receive audio through proximal electromagnetism (since electrical currents generate fields). While this is obvious to any adult with basic knowledge of science, it was quite novel for me to discover that my boom box radio, when set to auxiliary mode, could slightly pick up audio passing through an open-ended cable from my sound card. What I really didn't expect was that by upping the volume further, I could send a clear signal across several feet. Clearly, this wasn't just the force of magnetism but there was some radio activity happening. I never figured out what was going on, although I hypothesized that the transistors in the microphone input hardware of the boom box were configured in a way that was behaving like a transistor radio.

I would love to understand what was really happening there.


AM is basically an audio signal applied to a carrier wave, while FM is a whole different beast. Meaning that AM is quite similar to what passes down a speaker wire.

I am not a professional, but my impression is that AUX mode basically just passes the input audio signal directly to the speakers.

I am not quite sure what you mean by an open-ended cable though, nor what end of the setup you upped the volume on (I suspect the PC).


Actually, you're correct since there's no one frequency that's being modulated. It must have been AM.

By open-ended cable, I meant that there was an audio cable coming out of my sound card but connected to nothing on the other end. That's how I remember it, anyway. Actually, I think I increased the volume output in my PC as well as the volume on my receiver.


Quite old trick actually.

During the Cold War, in the USSR, an American spy device was discovered that had been placed on the street outside the wall of a mainframe computer installation, near drum printers (https://en.wikipedia.org/wiki/Printer_(computing)#/media/Fil...). The device was recording signals from them and retransmitting the recording in compressed form to a satellite.


Do you have a link to more information about this?


We were told about this by our lecturer in university (USSR). The discipline was "data protection / security" ("Защита данных" in Russian).

The device was disguised as a can of "Килька черноморская в томате" (canned fish: Black Sea sprat in tomato) and was transmitting short narrow beams upstream on schedule.


maybe something more like https://en.wikipedia.org/wiki/Acoustic_cryptanalysis ?

I suppose it could be capturing EM emissions from the printers rather than acoustic, but that would make it fundamentally more like the other TEMPEST hacks as a way to exploit unintentional emissions, rather than as a sneaky covert channel where you have control over the computer equipment, but don't have access to external interfaces to offload your stolen data.

Unless I'm misunderstanding some part of your description, anyway.


With the printers and mainframes of old being big, couldn't it be just recording vibrations of the wall?


It does sound very similar to the Selectric hack - similar capabilities existed on both sides of the Iron Curtain, one would guess.

https://arstechnica.com/information-technology/2015/10/how-s...


There's also PiFM[1] which (iirc) modulates one of the GPIO pins fast enough on a Pi to produce an FM radio signal.

It's fun to play with, and is a great hack, but please don't try and use it for anything or any length of time; it puts out a tonne of horrible harmonics all over the radio spectrum.

[1] https://github.com/rm-hull/pifm


Or take the rails completely off (5 KHz-500 MHz // FM,AM,SSB,SSTV,FSQ): https://github.com/F5OEO/rpitx

I have a „Hörmann“ garage door opener. For a long time, I have wanted to use my phone instead of the original sender. Therefore, I thought to run a raspberry and send the signal from there.

I recorded the signal with HackRF One as .wav, the problem here is that HackRF records with a sampling rate much higher than 48kHz (by default it is 10MHz!). So one has to downsample the recorded file, which I did with Matlab (downsample(signal, „fs_of_record/fs_for_rpitx“)). The resulting .wav signal is now sent at 433MHz (either my garage door listens there too, or 2nd harmonic works?!)

src: https://github.com/F5OEO/rpitx/issues/50


For a really good time, I suggest https://github.com/JamesP6000/WsprryPi - it is super fun to run a signal into a long wire and see it picked up around the world!

(You do need an amateur radio license for this, but in the USA at least the technician one is very easy to get.)


For the semi-serious there is a pre-made filter "temporarily unavailable" (2018-01-15) for purchase: Raspberry Pi QRP TX Shield for WSPR | https://www.tapr.org/kits_20M-wspr-pi.html

the harmonics are filtered by a LPF, and the broadband noise is filtered by a BPF [...] a buffer amp is provided for isolation. This also provides a boost to the TX signal

And this project ties in an RTL-SDR for receiving: https://github.com/ha7ilm/qtcsdr mentioning AM/NFM/WFM/LSB/USB [...] although NFM/WFM works as expected, the AM/SSB modes need a much higher level of filtering


Building your own LPF is surprisingly easy and educational!


Specifically, I would recommend searching for "W3NQN CWAZ" filter. Look at http://www.kitsandparts.com/ for the toroids.


> it puts out a tonne of horrible harmonics all over the radio spectrum

This is typically limited to a 50-100 foot radius without amplification, right?


I love how this person linked their amazon wishlist as their "project tip jar." That's a fun idea. We kind of get a sense of their personality as well through it - they obviously like tea, for example.


System Bus Radio (github.com) 499 points by sssilver 687 days ago

https://news.ycombinator.com/item?id=11203951


Does anyone know a way to receive these signals without installing extra hardware? Then we need a name for it. DarkFi?


http://microbit.org/guide/features/#light

reversing the LEDs of the screen to become an input, the LED screen works as a basic light sensor

(only the very tiniest bit related, for the BBC micro:bit)


If I were to run this on a VM, would the host machine start transmitting AM, or would the hypervisor ruin the mechanism in which this works?

I rent a VPS at a nearby datacenter, and I could maybe ask for a tour. It would be interesting if I could pick up these signals from their server racks by running the code on my VM.


I thought about this for a minute, and my theory is that it wouldn't, because the hypervisor wasn't based on an RTOS. If it was RTOS-based, and the hypervisor needed to use a known constant amount of time for its own housekeeping, you might be able to find a frequency multiple that worked.

But as things are, I don't THINK so, due to indeterminate scheduling. The likelihood is very low. (Translation: I really do want this to work because it would be cool :P - but the VM world has already been turned upside down this year....)

If you have a spare machine lying around you could maybe spin up the same VM software on that and see if anything interesting happens. After establishing very very good radio transmissions off the bare metal (and finding all potential frequencies etc), of course.

The other good question is what sort of transmission frequency would be used by the hardware your VPS is running on. That would be fun to find out about...


I remember this from a few years back, but apparently this was ported to JS.

https://fulldecent.github.io/system-bus-radio/


Always a fun side effect that can be the catalyst for people becoming more interested in radio! I ported code written for the Altair 8800 that did this to my Cromemco S-100 system in high school; the MIT AI lab had a 'tunes' program on their KL-10 that could play music on a nearby radio. I even intentionally used this effect in my easter egg locator beacon system (the PIC chips can output their 1 MHz clock to a pin and it is easy to modulate it from there).

It will be a sad time when the AM bands are discontinued or moved to digital modes (where this technique will no longer work).


Live demo at the Computer History Museum, of an IBM 1401 playing music via AM radio bus emissions.

https://www.youtube.com/watch?v=EPk8MVEmiTI

You can see the 1401 demo'd on Wednesdays and Saturdays -- although they don't do this in the regular demo, just read cards and print on the line printer.


I used to play BASIC games on my Dick Smith System 80 (a TRS-80 clone) with a radio next to it tuned to no station, for sound effects.


It works for me, on a desktop enclosed in a metal case, using a small handheld radio with an internal AM antenna. Interesting.


See also (about ten years ago): https://bellard.org/dvbt/ - digital television broadcasting from a VGA card


I stumbled upon this a long time ago: http://www.erikyyy.de/tempest/

Uses the monitor to generate an AM signal.


Tangentially related: the singing Commodore 64 floppy drive.

https://m.youtube.com/watch?v=5gnMgmlKi_o


Ever see "Phantom of the Floppera"? https://www.youtube.com/watch?v=dmoDLyiQYKw


I remember that! I believe it did some small amount of damage to the drive. Head needed to be realigned or such.


You're right. It works because there's no protection against trying to send the drive head past where it's meant to be able to go, because nobody expected anyone would try to repeatedly ask it to move out of bounds, and the vibration can easily get the head out of alignment.


Didn't work for me on a 2013 Mac Pro or a 2015 MacBook Pro. I have a handheld and I tried multiple antenna positions.


This sounds like a modern-day equivalent of the classic "Fool on the Hill" played on the AM radio sitting on top of an Altair 8800 (recreated in the video below):

https://www.youtube.com/watch?v=1FDigtF0dRQ


In the 1970s, I read about people doing this at MIT or some such, on real computers. Our high school had a Nova 1220 minicomputer, but we had no access to assembly for it, so all I could do was write programs in BASIC.

After a bit of experimentation, I was able to produce two or three distinct tones of discordant buzzing with loops.

Computer music!


I think you are referring to "Fool on the Hill" being played on that Altair 8800, which cunningly made use of the radio frequency interference/static controlled by the timing loops of the program - created by Steve Dompier.

Bill Gates was confounded and astounded, and described it as, "the best demo program I've seen for the Altair…". He could not figure out how the computer could broadcast to the radio.

You can read more about it here => https://en.wikipedia.org/wiki/Open_Letter_to_Hobbyists


You can watch and listen to it on an Altair 8800b and get the octal object code for toggling into your own Altair here: => https://www.youtube.com/watch?v=fgYhVnmeWrk

PDP-8 music here => https://www.youtube.com/watch?v=vfx5H7ikA7Y

DECUS documentation entry for "PDP-8 MUSIC PLAYING PROGRAM" available on punch tape, 1976; written in assembly (PAL8) and fit in 4K words (12 bit word) of core memory. Worth a read. => http://www.pdp8online.com/miscdocs/DECUS/Decus%208-804_MUSIC...


I am not 100%, but I could have sworn that Woz talked about other members of the club playing around with something similar the day he and Jobs went there to show off Woz's would-be Apple 1.


I seem to recall reading about this running on minicomputers or mainframes, as described in another reply, and I also think this predated the Altair, as I first became smitten with computers around 1972.

Here's a video of a minicomputer generating AM radio music in 1971:

https://www.youtube.com/watch?v=akvSE5Z474c&lc=D5Mdy7u7Cxwsk...


I think that computer was built in 1971; the video mentions that the software used is Richard Wilson's player, which was written in 1975 (the DECUS entry is dated 2/11/1976).


I saw it done in the 1970s on a PDP-8 at the University of Minnesota. It wasn't just a couple of tones, it was playing complete songs. Later on a Z80 micro. Computers really emitted a lot of RF back then!


When I was a kid in the early 80's, I couldn't use my TRS-80 Model I during prime time TV hours. The main TV antenna for the house was located in the attic above my room. When I turned on my computer, the interference would essentially wipe out the VHF-Lo channels. Sometimes I would forget until I heard my parents yelling from across the house. Ah... good times...


For good tones, you had to get down close to "the metal." I recall that there were a few programs like this, but I believe they were written in assembler or machine language so as to control the cpu and bus directly.


Back then most programming for those machines was done at that level!


When I first laid eyes on the "High Speed Job Stream" in UofT's Sanford Fleming building (that particular building has since burnt down and been replaced), students were running jobs in PL/1, WATFIV, LISP, SPITBOL, COBOL, and many others.

In the labs, there were IBM Selectric terminals dedicated to APL.

And there was a BASIC dialect over at what was then "Ryerson Polytechnic." There was a room with terminals and acoustic couplers, no security to keep you out.

You need a username and password to use the terminals, but the username and password for each class was posted on a corkboard, so you would write your own programs as long as you didn't get in the way of actual students trying to finish their assignments.

I don't doubt that "most" programming was done in assembler, but there was no shortage of higher-level programming going on.


I said most programming for those particular machines. I agree that mainframes had largely moved on, and probably the larger minis too. My first exposure to programming was time-shared Basic in 1972.


You know, I think we've somehow fallen into _violent agreement_ on all subjects.


With the ZX81 and hardware of that era you kind of knew a lot more about what was going on with the radio waves as you would listen to a radio and have interference from television and computer kit, e.g. loading and saving programs off tape decks. The whole spectrum was a bit more accessible with things like CB radio; nowadays we are deaf to analog signals and would not 'notice' any interference.


Only half related, but it's kind of neat that we've used such a relatively simple standard of radio for so long. Modern modulation schemes are so complicated that they require dedicated functionality just to interpret. Wasn't always like that.


I don't understand it. What determines the carrier frequency of the computer? How does he change the amplitude of the signal?


The signal appears on many different frequencies, so afaik they must be harmonics, I'm curious as to what is defining the base carrier frequency too as the code itself doesn't determine that really.

Edit: I just saw lovelearning's explanation - https://news.ycombinator.com/item?id=16168969

"In this case, the copper traces connecting CPU to RAM on that particular computer are emitting EM radiation at a frequency of 1580 kHz."

I think 1580kHz could just be one of the harmonics.

I'm curious what defines the carrier, if it's a factor of the length of copper on the memory bus, clock frequencies etc?


Now if we could just have AM receivers in all our phones!


side channel information leak for two, please


This is how you debug hardware. You put an oscilloscope on the bus and you decode the bytes. This is what people have been doing since the advent of the computer.


'on the bus' is quite a bit different from '1 meter of drywall away' though...


Maxwell's Law says a time varying electric field will radiate so maybe make sure people can't get near the computer.


Macbook Pro Lead Edition - blocks EM radiation. Weighs 50 lbs!


Definitely. Here’s a decent paper: https://www.cs.jhu.edu/~astubble/600.412/s-c-papers/em.pdf

I know there’s a story about US and Russian intelligence using this at an embassy or something, but I can’t find it.


Can someone do an ELI5 on this project? Tried to read but couldn't move further.


Here's one.

This sentence from the linked paper is informative - "When data is exchanged between the CPU and the RAM, radio waves are emitted from the bus's long parallel circuits."

For some background:

Digital circuits like computer motherboards have components called oscillators that switch voltage on and off a number of times every second. This is what "clock speeds" refers to - 2.8 GHz CPU clock speed means voltage to CPU is being switched on and off 2.8x10^9 times per second.

All components like the processors, IO buses, RAM modules, etc. synchronize their actions to the rise and falls in these voltage levels. It's a way of synchronizing their actions.

One consequence of switching voltage on and off is that electrical fields build up and collapse (voltage is a measure of the electrical field), and cause magnetic fields to build up and collapse. We lay people call "oscillating electromagnetic fields" "radio waves". This is the origin of radio waves from motherboards.

The missing link for transmission is that like any radio transmission, it requires an "antenna" - that is a conductor of some length. There are conductors on a circuit board in the form of copper traces through which current passes. These start acting like antennas.

In this case, the copper traces connecting CPU to RAM on that particular computer are emitting EM radiation at a frequency of 1580 kHz.

So far, all there is is some EM radiation with certain frequency and an antenna to transmit it. This is just the "carrier wave". But for transmitting useful information, some kind of modulation is necessary to encode data over that carrier wave. This project uses an SSE2 CPU instruction called MOVNTDQ or _mm_stream_si128 to write to memory, with the data to be transmitted encoded as sequences of 1s and 0s with certain frequency (rate) and for a certain time period. This act of writing at a certain rate for some time period results in switching on and off of voltages on the traces between CPU and RAM which in turn creates modulated EM radiation.

TBH, I didn't understand the details of how this project modulates the binary data over a square wave and how it gets treated as amplitude modulation by a regular radio receiver, and I request another ELI5 from somebody else to explain it to me :)


First realize the amplitude modulation in this radio is very crude. Unlike normal radio which has many amplitudes, this radio only has 2. On and off. Tone or no tone. This radio has no control over the exact amplitude.

Due to this limitation, this radio can only transfer a single tone at a time. Music must be monophonic.

To transfer a 60 Hz tone we just switch between the on and off state at 60 Hz. The On state will be at some random amplitude that we can't control.

What are these states? In the On state, we write to a memory address repeatedly very very fast (as fast as the computer allows). And in the off state we sleep.
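
The on/off keying described in the comment above, as an added simulation that is not part of the thread or of the System Bus Radio project: it models the receiver side, a rectifier and low-pass filter (a basic AM envelope detector), and shows that the recovered pitch follows the gating rate whatever the uncontrolled amplitude is. The sample rate, the scaled-down 20 kHz carrier standing in for the 1580 kHz emission, and all function names are assumptions made for the example.

```c
#include <stdio.h>
#include <stddef.h>

#define SAMPLE_RATE 200000.0  /* simulation samples per second (assumed) */

/* One sine cycle at 10 samples per cycle: a 20 kHz carrier (assumed,
 * scaled down from the 1580 kHz emission mentioned in the thread). */
static const double CARRIER[10] = { 0.0, 0.5878, 0.9511, 0.9511, 0.5878,
                                    0.0, -0.5878, -0.9511, -0.9511, -0.5878 };

/* Gate: 1 for the "write to memory" half of each tone period, 0 while asleep. */
static int gate_on(size_t i, double tone_hz) {
    double cycles = ((double)i / SAMPLE_RATE) * tone_hz;
    return (cycles - (double)(long)cycles) < 0.5;
}

/* Receiver model for sample i: rectify the gated carrier, then low-pass it. */
static double envelope_step(double env, size_t i, double tone_hz, double amp) {
    double x = gate_on(i, tone_hz) ? amp * CARRIER[i % 10] : 0.0;
    if (x < 0.0) x = -x;            /* diode detector */
    return env + 0.01 * (x - env);  /* one-pole low-pass, about 0.5 ms */
}

/* Pitch (Hz) that the envelope detector outputs for a given gating rate. */
double recovered_tone_hz(double tone_hz, double amp, double seconds) {
    size_t n = (size_t)(seconds * SAMPLE_RATE), i, rising = 0;
    double env = 0.0, peak = 0.0;
    int high = 0;
    for (i = 0; i < n; i++) {       /* pass 1: find the envelope peak */
        env = envelope_step(env, i, tone_hz, amp);
        if (env > peak) peak = env;
    }
    env = 0.0;
    for (i = 0; i < n; i++) {       /* pass 2: count envelope cycles */
        env = envelope_step(env, i, tone_hz, amp);
        /* Thresholds are relative to the peak and use hysteresis, so the
         * unknown amplitude and leftover carrier ripple do not matter. */
        if (!high && env > 0.6 * peak) { high = 1; rising++; }
        else if (high && env < 0.4 * peak) high = 0;
    }
    return (double)rising / seconds;
}

int main(void) {
    printf("60 Hz gate, amp 0.2 -> %.1f Hz\n", recovered_tone_hz(60.0, 0.2, 1.0));
    printf("440 Hz gate, amp 3.0 -> %.1f Hz\n", recovered_tone_hz(440.0, 3.0, 1.0));
    return 0;
}
```

With this filter constant the detector stops following the gate somewhere above roughly 1 kHz, because the envelope no longer has time to swing between the two thresholds.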


Despite the fact you can only modulate the carrier on/off, you can still also output normal music with speech etc using pulse density modulation -

https://news.ycombinator.com/item?id=16168317

Which I don't think is monophonic, but I could be wrong?


How does a pulse density modulated audio signal sound to the human ear?

You may be right if that YouTube clip is any indication. Neat!


Ah ok! So far, I was trying to unsuccessfully fit my mental model of normal amplitude modulation to what this code is doing.

Your two statements "This radio has no control over the exact amplitude. On state will be at some random amplitude that we can't control" were exactly the missing gaps I needed to clear my confusion. Very well explained, thank you very much!


Computers emit radio waves; by varying the processing upon the computer you can influence those emissions. Thus you are able to control those emissions and produce a radio signal you can pick up upon a standard radio.


What part of the computer is emitting the radiation? And how is this program manipulating it to generate a song?


Any wire acts as an antenna. Therefore, any part of the computer can be the part emitting the radiation.

Choosing which part of the computer is a matter of choosing the frequency which dictates the length of wire necessary and which parts can oscillate at that frequency.


The CPU, colloquially called the processor, does this. When you feed a program to the CPU, it switches between logic gates (read - transistors turning on and off), to process the program. As the processing elements switch between power levels of 0 and 1 (0V & 5V / 0V & 12 V), there are electromagnetic fluctuations.

These EM fluctuations are the emissions we are talking about here.


I highly doubt that the CPU is the emitter. More probable is some long path on the motherboard, used for data communication.


Yes, it's the bus traces between CPU and RAM. From linked paper: "When data is exchanged between the CPU and the RAM, radio waves are emitted from the bus's long parallel circuits."


The CPU is comprised of millions / billions of transistors which switch on and off multiple times (which depends on the base clock frequency).


I don’t think the FETs generate enough EM on their own? It’s probably the inductors on the motherboard charging and discharging as a result of the FETs that cause the EM whine/hum?

Another likely source is the power supply, which has coils by the dozens and will react to varying loads of computational work. The cheap ones are already all over the radio spectrum even when you don’t want them to be.


The transistors also have a drain and a source :)


The transistors in a modern machine use a minuscule amount of power and don't have enough area to make an antenna. You need to find a way to affect an output pin of the chip. Address lines for example will do a decent job, and the lower bits of the address are easy to control with a program.



