Researchers Turn AMD Radeon GPU Into a Radio Transmitter to Steal Data
What's the frequency, Kenneth?
In a reminder that no computing device is truly safe from prying eyes, a researcher at security firm Duo recently used an AMD Radeon Pro WX 3100 video card as a radio transmitter to transmit data, all without physically modifying the hardware. This allowed him to receive the data through a wall 50 feet away, thus stealing data from an air-gapped PC. The researcher accomplished the feat by manipulating the graphics card's shader clock rates to become a tunable radio device.
The fundamental concept behind any side-channel attack is simple; an attacker steals data by manipulating and then observing external indicators, like blinking lights or fan vibrations on your PC. The most nefarious aspect of these attacks is that the hardware actually works as designed, so the slight modifications aren't detectable by anti-virus scanners. In this case, the attackers used the radio frequencies generated by the GPU as it operated at different clock rates.
For the receiving device, the researchers used a Software Defined Radio (SDR) device that plugs into a standard USB port. You can pick up one of these receivers for less than $100, but the researcher employed a more sensitive and expensive model that typically retails between $300 and $600. With that tool in hand, the researcher paired it with both a UHF and a directional ultra-wideband antenna to assemble the capture device and then employed open source software to run the receiver.
We turned a Radeon GPU's shader clock into a tunable radio transmitter that can jump through walls & get picked up 50ft away. Get your Van Eck fill and learn how to find these and other RF side-channels from myself and @baron of @duo_labs! https://t.co/nTsEpSqahL pic.twitter.com/ElfA0Q8eqI April 22, 2020
The compromised test subject consisted of a Dell Precision 3430 workstation, notably without a wireless chipset, and a Radeon Pro WX 3100 graphics card. Using the Linux operating system, the researcher accessed the standard power controls for the Radeon Pro card and experimented first by switching between two shader clock frequencies (734 MHz and 214 MHz). That change shifted power around, which then generated a 428 MHz signal that the researchers picked up with the receiving device from 50 feet away, and through a wall.
This simple method of encoding the data with a rudimentary on/off signal would prove too slow for meaningful attacks, as data transmission is limited to passing one bit of data per clock adjustment. The researchers then shifted between five different 1 MHz clock increments to enable better encoding and, therefore, faster radio transmission of data.
With the GPU transmitting data over detectable radio waves, all that's left is to create a coded way of passing data from the GPU to the receiver, thus stealing info from the host computer even if it isn't connected to the internet. The researcher didn't share the achieved data rates but contended that he could enhance the technique further to enable even more rapid data transmissions.
There are limitations to the technique, as it would require a machine compromised by another attack (like malware) to set up the correct code. Still, it displays just how one could leverage seemingly innocuous aspects of our computers, like clock frequencies, to transmit data from seemingly secure systems.
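On the host side, the keying described above shows up as the reported shader clock flipping between a few fixed values at machine-regular intervals. The following added example (not code from the researchers or from this article) flags that pattern in a series of polled clock readings; the traces, the 0.5 s polling interval and the thresholds are constructed assumptions, and on Linux the readings could come from the amdgpu driver's pp_dpm_sclk sysfs file.

```python
import statistics

POLL_S = 0.5  # assumed polling interval of the monitor, in seconds

# Constructed traces of the reported shader clock (MHz), one reading per poll.
# 214 and 734 MHz are the two levels named in the article; nothing here was
# captured from real hardware.
BURSTY = [214, 734, 734, 734, 214, 734, 214, 214, 734, 214, 214, 214]  # load-driven changes
KEYED = [214, 734, 214, 734, 214, 734, 214, 734, 214, 734, 214, 734]   # timed toggling


def change_points(readings):
    """Indices at which the clock differs from the previous reading."""
    return [i for i in range(1, len(readings)) if readings[i] != readings[i - 1]]


def looks_like_keying(readings, min_changes=6, max_levels=5, max_cv=0.2):
    """True when the clock changes often, among few levels, on a steady beat.

    min_changes: how many clock changes the window must contain.
    max_levels:  most distinct frequencies allowed (the article mentions five).
    max_cv:      highest coefficient of variation of the gaps between changes;
                 load-driven power management produces irregular gaps.
    All three thresholds are assumptions to tune against a workload baseline.
    """
    edges = change_points(readings)
    if len(edges) < min_changes or len(set(readings)) > max_levels:
        return False
    gaps = [b - a for a, b in zip(edges, edges[1:])]
    cv = statistics.pstdev(gaps) / statistics.mean(gaps)
    return cv <= max_cv


def scan(readings, window=12):
    """Start times (seconds) of non-overlapping windows flagged as keying."""
    return [i * POLL_S for i in range(0, len(readings), window)
            if looks_like_keying(readings[i:i + window])]


if __name__ == "__main__":
    print("bursty flagged:", looks_like_keying(BURSTY))
    print("keyed flagged: ", looks_like_keying(KEYED))
    print("flagged window starts (s):", scan(BURSTY + KEYED))
```

A detector like this only sees what the driver reports at the polling rate, so keying faster than the poll interval needs a shorter interval or a driver-level event source.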
Building the receiver and detecting the transmission appears relatively simple, but developing an enhanced encoding technique to pass data at a faster rate and compromising the target machine would require a tremendous amount of technical acumen. That means we shouldn't expect beginners or script kiddies to pull off these types of attacks, and the knowledge and sophistication needed to exploit this type of attack probably relegate it to nation-states engaging in espionage, like when the U.S. compromised the Iranian nuclear production facilities with Stuxnet.
Given the method of attack, it's possible that similar exploits could be developed for Nvidia GPUs and possibly even for CPUs and other clock-driven devices. But unless you have nuclear launch codes stored on your system, you're probably safe. Then again, the code behind Stuxnet eventually leaked and was used by others, so paranoid types might look into some extra electromagnetic shielding for their gaming rigs.
Paul Alcorn is the Managing Editor: News and Emerging Tech for Tom's Hardware US. He also writes news and reviews on CPUs, storage, and enterprise hardware.
Pat Flynn
I think the IT Security world has or will need to start a shift from reactive security, to pro-active training for ALL staff. The entire population needs to know how to identify malware threats to cut down on this kind of stuff.
P.S. - if it wasn't stated clearly in this article, nearly all (or all?) side-channel attacks need some form of malware to compromise the computer to gain access to the data. This means training people to identify the threats instead of relying on anti-virus suites for zero day threats.
GenericUser
Pat Flynn said: "I think the IT Security world has or will need to start a shift from reactive security, to pro-active training for ALL staff. The entire population needs to know how to identify malware threats to cut down on this kind of stuff.
P.S. - if it wasn't stated clearly in this article, nearly all (or all?) side-channel attacks need some form of malware to compromise the computer to gain access to the data. This means training people to identify the threats instead of relying on anti-virus suites for zero day threats."
I think part of the issue is even the companies that do train their more "general" employees on good cybersecurity practices, most people just shrug it off as another "check-in-the-box corporate training session" and just want to get on with their day, or it's "not my problem", or "we won't get hacked", or any excuse really.
The average employee isn't going to care that much to know about good cybersecurity practices. Does that mean companies should just give up and not bother? No, but until everyone from the IT staff and dedicated cybersecurity professionals in the organization, down to the guy in the mail room give a crap, the biggest threat will continue to be the inside threat.
hannibal
What this means is that companies prevent installation of any programs to work computers. And there will not be allowance to any job related tasks at home computers...
The situation is near that, but it will get even tighter. This same thing most likely could be done to cell phones...
drea.drechsler
This is actually unsurprising. When I was in the military they had an acronym term for it: TEMPEST (Telecommunications Electronics Materials Protected from Emanating Spurious Transmissions).
Even back in the 1970's it was a problem, way before PC's and word processors. Electric typewriters, in particular, would transmit a unique signal for every key pressed. So someone sitting outside an unshielded office building in a surveillance van on the street could intercept every keystroke of the typewriter as a clerk typed out a classified memo.
I supposed that was why many offices used mechanical typewriters way after most of the civilians used electric. TEMPEST security was a big deal.
Xlen
This technically isn't anything new, we knew it's possible to do it on CPUs around 10 years ago, this is simply more proof that it's possible and easier than ever and there is no way to hide from it...
bit_user
hannibal said: "What this means is that companies prevent installation of any programs to work computers."
That's not remotely realistic for many people whose job it is to develop software.
hannibal said: "This same thing most likely could be done to cell phones..."
No. My employer already uses Microsoft's cell phone security software (I think it's called InTune?). It's already so onerous that I refuse to run it on my personal phone. If they want me to access company resources from a cell phone, they'll have to buy me one.
Anyway, by raising the bar too high for cell phone security, you have people's unsecured phones in the workplace.
bit_user
drea.drechsler said: "When I was in the military they had an acronym term for it: TEMPEST (Telecommunications Electronics Materials Protected from Emanating Spurious Transmissions)."
I don't know if it was under the same program, but a guy I knew who worked in a lab that did DoD or DARPA research described how their CRT monitors basically had to be in Faraday cages. Annoyingly, it meant looking through a wire mesh that was the equivalent of a window screen.
It makes me wonder whether there's a solution to these RF side-channel attacks that could involve simply improving the EMI shielding of the workstations.
bit_user
Xlen said: "This technically isn't anything new, we knew it's possible to do it on CPUs around 10 years ago,"
Did it work on the same principle of altering the CPU's clock speed?
What surprised me about this is that I expected it to involve running shader programs that modulated a signal through alternating between running loops and idling. I didn't expect it would be as simple as just manipulating the base clock frequency.
drea.drechsler
bit_user said: "Did it work on the same principle of altering the CPU's clock speed?
What surprised me about this is that I expected it to involve running shader programs that modulated a signal through alternating between running loops and idling. I didn't expect it would be as simple as just manipulating the base clock frequency."
I have to imagine there are ample opportunities considering the number of extremely high frequency clocks and data paths inside of computers that could be monitored by any of the sensitive RF receivers and spectrum analyzers that are readily available. We don't make it hard, either, as we now use cases with windows for side panels and open-air cases even. And we've even removed the ferrite beads from cables (those lumps you often saw close to the connectors) that attenuated the signals before they could be conducted outside the case.
Security against this exploit is actually pretty simple. Just ensure your CPU case is well shielded with metal completely surrounding all electronic parts and no large holes, meaning metal fan grills are intact, and all screws are tightly installed. Tempered glass side panels should be metallized.