In a reminder that no computing device is truly safe from prying eyes, a researcher at security firm Duo recently turned an AMD Radeon Pro WX 3100 video card into a radio transmitter, without physically modifying the hardware. He was able to receive the transmitted data through a wall from 50 feet away, effectively stealing data from an air-gapped PC. The researcher accomplished this by manipulating the graphics card's shader clock rates, turning the GPU into a tunable radio device.
The fundamental concept behind any side-channel attack is simple: an attacker steals data by manipulating and then observing external indicators, like blinking lights or fan vibrations on your PC. The most nefarious aspect of these attacks is that the hardware works exactly as designed, so the slight manipulations aren't detectable by anti-virus scanners. In this case, the researcher used the radio frequencies the GPU emits as it operates at different clock rates.
For the receiving device, the researchers used a Software Defined Radio (SDR) device that plugs into a standard USB port. You can pick up one of these receivers for less than $100, but the researcher employed a more sensitive and expensive model that typically retails between $300 and $600. With that tool in hand, the researcher paired it with both a UHF and a directional ultra-wideband antenna to assemble the capture device and then employed open source software to run the receiver.
"We turned a Radeon GPU's shader clock into a tunable radio transmitter that can jump through walls & get picked up 50ft away. Get your Van Eck fill and learn how to find these and other RF side-channels from myself and @baron of @duo_labs! https://t.co/nTsEpSqahL pic.twitter.com/ElfA0Q8eqI" (tweet, April 22, 2020)
The test target consisted of a Dell Precision 3430 workstation, notably without a wireless chipset, fitted with a Radeon Pro WX 3100 graphics card. Running Linux, the researcher used the standard power controls for the Radeon Pro card and experimented first by switching between two shader clock frequencies (734 MHz and 214 MHz). That change shifted power consumption, which in turn generated a 428 MHz signal that the researchers picked up with the receiving device from 50 feet away, through a wall.
This simple method of encoding data with a rudimentary on/off signal would prove too slow for meaningful attacks, as it transmits only one bit of data per clock adjustment. The researchers then switched between five different clock levels in 1 MHz increments to enable denser encoding and, therefore, faster radio transmission of data.
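From the defender's side, the behaviour described above (a shader clock flipping rapidly between discrete levels for seconds at a time) is something a host monitoring agent can look for. The following is an added example, not Duo's code: it counts clock-level changes per one-second window over constructed readings and flags windows that exceed an assumed ceiling for ordinary power management. The polling interval, the window length, the threshold and the use of the amdgpu driver's sysfs `pp_dpm_sclk` file as the sampling source are all assumptions.

```python
# Added example: flag sustained rapid toggling of a GPU's reported shader clock.
# Readings are constructed below; a real agent on Linux would poll the clock
# exposed by the amdgpu driver (assumed: the sysfs pp_dpm_sclk file).
from collections import defaultdict

SAMPLE_PERIOD_MS = 50          # assumed polling interval
WINDOW_MS = 1000               # window over which clock changes are counted
MAX_CHANGES_PER_WINDOW = 10    # assumed ceiling for ordinary DPM behaviour


def build_samples():
    """Constructed (time_ms, shader_clock_mhz) readings.

    First 2 s: ordinary behaviour, the clock steps up once under load and stays.
    Last 2 s: the clock flips between 734 and 214 MHz on every sample, the
    on/off keying pattern described in the article.
    """
    samples = []
    for i in range(40):
        samples.append((i * SAMPLE_PERIOD_MS, 214 if i < 5 else 734))
    for i in range(40, 80):
        samples.append((i * SAMPLE_PERIOD_MS, 734 if i % 2 == 0 else 214))
    return samples


def changes_per_window(samples, window_ms=WINDOW_MS):
    """Count clock-level changes per window; a change is credited to the
    window that contains the later of the two readings."""
    counts = defaultdict(int)
    for (_, prev_clk), (t, clk) in zip(samples, samples[1:]):
        if clk != prev_clk:
            counts[t // window_ms] += 1
    return dict(counts)


def flagged_windows(samples, window_ms=WINDOW_MS, limit=MAX_CHANGES_PER_WINDOW):
    """Return sorted indices of windows whose change count exceeds the limit."""
    counts = changes_per_window(samples, window_ms)
    return sorted(w for w, n in counts.items() if n > limit)


if __name__ == "__main__":
    for w in flagged_windows(build_samples()):
        print(f"window {w}: abnormal shader clock toggling")
```

Ordinary dynamic power management changes the clock a handful of times a second at most, so a sustained count well above that is the signal worth alerting on; the exact limit should be tuned against a baseline of the workloads the machine normally runs.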
With the GPU transmitting data over detectable radio waves, all that's left is to create a coded way of passing data from the GPU to the receiver, thus stealing info from the host computer even if it isn't connected to the internet. The researcher didn't share the achieved data rates but contended that he could enhance the technique further to enable even more rapid data transmissions.
There are limitations to the technique, as it requires a machine already compromised by another attack (such as malware) to install the code that drives the clock. Still, it shows how one could leverage seemingly innocuous aspects of our computers, like clock frequencies, to transmit data out of seemingly secure systems.
Building the receiver and detecting the transmission appear relatively simple, but developing a more efficient encoding to pass data at a faster rate, and compromising the target machine in the first place, would require a tremendous amount of technical acumen. That means we shouldn't expect beginners or script kiddies to pull off these types of attacks; the knowledge and sophistication needed probably relegate this kind of attack to nation-states engaging in espionage, as when the U.S. compromised Iranian nuclear production facilities with Stuxnet.
Given the method of attack, it's possible that similar exploits could be developed for Nvidia GPUs, and possibly even for CPUs and other clock-driven devices. But unless you have nuclear launch codes stored on your system, you're probably safe. Then again, the code behind Stuxnet eventually leaked and was used by others, so paranoid types might look into some extra electromagnetic shielding for their gaming rigs.