TY - CONF
T1 - A feasibility study of radio-frequency retroreflector attack
AU - Wakabayashi, Satohiro
AU - Maruyama, Seita
AU - Mori, Tatsuya
AU - Goto, Shigeki
AU - Kinugawa, Masahiro
AU - Hayashi, Yu ichi
N1 - Funding Information:
We first thank Mr. Michael Ossmann for giving an inspirational talk, entitled “The NSA Playset: A Year of Toys and Tools” at USENIX WOOT 2015. We were largely inspired by this talk and decided to start this research project. We thank Prof. Shigeru Shimamoto for allowing us to make use of the anechoic chamber. We also thank Mr. Haruka Hoshino for contributing to the early stage of this work. The initial prototypes of the RFRA circuit and the experimental setup were developed by him. A part of this work was supported by JSPS KAKENHI Grant Number 18K18053.
Publisher Copyright:
© 2018 USENIX Association. All rights reserved.
PY - 2018
Y1 - 2018
N2 - Radio-frequency (RF) retroreflector attack (RFRA) is an active electromagnetic side-channel attack that aims to leak the target’s internal signals by irradiating the targeted device with a radio wave, where an attacker has embedded a malicious circuit (RF retroreflector) in the device in advance. As the retroreflector consists of small and cheap electrical elements, such as a field-effect transistor (FET) chip and a wire that can work as a dipole antenna, the reflector can be embedded into various kinds of electric devices that carry unencrypted, sensitive information, e.g., keyboard, display monitor, microphone, speaker, USB, and so on. Only a few studies have addressed the RFRA. However, they did not evaluate the conditions for a successful attack scientifically, and therefore, assessing the feasibility of the RFRA remains an open issue. In the present study, we aim to evaluate the conditions for a successful RFRA empirically, through extensive experiments. Understanding the attack's limitations should help to develop effective countermeasures against it. In particular, as the conditions for a successful attack, we studied the distance between the attacker and the target, and the target signal frequencies. Through extensive experiments using off-the-shelf hardware, including software-defined radio (SDR) equipment, we revealed that the required conditions for a successful attack are (1) a target signal of up to 10 Mbps and (2) a distance of up to 10 meters. We also demonstrated that a USB keyboard using USB low-speed (1.5 Mbps) is attackable, and we succeeded in eavesdropping on typing. We conclude that the RFRA threat is realistic.
AB - Radio-frequency (RF) retroreflector attack (RFRA) is an active electromagnetic side-channel attack that aims to leak the target’s internal signals by irradiating the targeted device with a radio wave, where an attacker has embedded a malicious circuit (RF retroreflector) in the device in advance. As the retroreflector consists of small and cheap electrical elements, such as a field-effect transistor (FET) chip and a wire that can work as a dipole antenna, the reflector can be embedded into various kinds of electric devices that carry unencrypted, sensitive information, e.g., keyboard, display monitor, microphone, speaker, USB, and so on. Only a few studies have addressed the RFRA. However, they did not evaluate the conditions for a successful attack scientifically, and therefore, assessing the feasibility of the RFRA remains an open issue. In the present study, we aim to evaluate the conditions for a successful RFRA empirically, through extensive experiments. Understanding the attack's limitations should help to develop effective countermeasures against it. In particular, as the conditions for a successful attack, we studied the distance between the attacker and the target, and the target signal frequencies. Through extensive experiments using off-the-shelf hardware, including software-defined radio (SDR) equipment, we revealed that the required conditions for a successful attack are (1) a target signal of up to 10 Mbps and (2) a distance of up to 10 meters. We also demonstrated that a USB keyboard using USB low-speed (1.5 Mbps) is attackable, and we succeeded in eavesdropping on typing. We conclude that the RFRA threat is realistic.
UR - http://www.scopus.com/inward/record.url?scp=85084164165&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85084164165&partnerID=8YFLogxK
M3 - Paper
AN - SCOPUS:85084164165
T2 - 12th USENIX Workshop on Offensive Technologies, WOOT 2018, co-located with USENIX Security 2018
Y2 - 13 August 2018 through 14 August 2018
ER -