
Tempest & SCA


At an open day at school there was a student showing off his implementation of Tempest for Eliza. I found it fun, discussed with a teacher what else was possible, and went to find friends to join me on the project.

Goals

When we started the project, the goal was to perform a Tempest attack on HDMI, to be able to demonstrate it easily and cheaply, and to popularize the subject.

In practice we tried 3 different side-channel attacks: 2 electromagnetic and 1 mechanical.

Tempest on HDMI

So after reproducing Tempest for Eliza, we worked on a Tempest attack on HDMI.

Luckily, there was this project on GitHub.

After taking the time to understand the problem and the setup, within 2 weeks we were able to do a Tempest attack on HDMI from a short distance.

Improvement

To get better results we decided to test 2 paths: denoising, and a better antenna.

The denoising was hard; I was in hell just trying to understand the Java code, and, as far as I know, we didn't have a good enough model to implement on the system.

To get away from the Java mess we tried to make it work with gr-tempest. The block system of GNU Radio was also a good way to show what happens behind the app, but we weren't able to make it work in a real-world use case.

As for the antenna, you can see on the demo video below how big our first one was.

Tempest on HDMI DEMO

The mistake was that, with our bad basic antenna for the first PoC, we kind of “brute-forced” the frequency and found 148.5 MHz to be a good frequency for the use case. So we made a directional antenna for this frequency.

For better use we decided to make this last antenna, which could be mounted and dismounted (partially) and worked around 1 GHz.

Note: we made the v1 of this antenna in a PVC tube🙃
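The 148.5 MHz found by sweeping is worth a closer look, because a display's strongest emissions sit at the pixel clock of its video mode and its harmonics, which is also what gr-tempest needs as parameters. The example below is added here and is not the project's code: it computes the pixel clock and harmonics from the total (visible plus blanking) timings of a mode. The timing figures for 1920x1080@60 and 1280x720@60 are the standard CEA-861 totals; that the monitor in our setup was actually 1080p60 is an assumption, not something we recorded at the time.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class VideoMode:
    name: str
    h_total: int      # pixels per line, including horizontal blanking
    v_total: int      # lines per frame, including vertical blanking
    refresh_hz: float

    @property
    def pixel_clock_hz(self) -> float:
        # Every pixel slot, visible or blanking, consumes one clock period.
        return self.h_total * self.v_total * self.refresh_hz

    @property
    def line_rate_hz(self) -> float:
        # Horizontal sync rate: one line per h_total clock periods.
        return self.pixel_clock_hz / self.h_total

# Standard CEA-861 totals for the two common 60 Hz modes.
MODE_1080P60 = VideoMode("1920x1080@60", h_total=2200, v_total=1125, refresh_hz=60.0)
MODE_720P60 = VideoMode("1280x720@60", h_total=1650, v_total=750, refresh_hz=60.0)

def harmonics(mode, max_hz, min_hz=0.0):
    """Return (n, frequency) for every pixel-clock harmonic inside [min_hz, max_hz]."""
    f0 = mode.pixel_clock_hz
    out, n = [], 1
    while n * f0 <= max_hz:
        if n * f0 >= min_hz:
            out.append((n, n * f0))
        n += 1
    return out

def closest_harmonic(mode, observed_hz):
    """Harmonic index nearest to a measured emission, and how far off it is (Hz)."""
    n = max(1, round(observed_hz / mode.pixel_clock_hz))
    return n, abs(observed_hz - n * mode.pixel_clock_hz)

def identify_mode(observed_hz, modes, tolerance_hz=1e6):
    """Which candidate modes have a harmonic within tolerance of an observed emission."""
    hits = []
    for m in modes:
        n, off = closest_harmonic(m, observed_hz)
        if off <= tolerance_hz:
            hits.append((m.name, n, off))
    return hits

if __name__ == "__main__":
    for n, f in harmonics(MODE_1080P60, 1e9):
        print(f"harmonic {n}: {f / 1e6:.1f} MHz")
    print(identify_mode(148.5e6, [MODE_1080P60, MODE_720P60]))
```

Two things fall out of this. With a 1080p60 source, 148.5 MHz is the fundamental itself, and the 6th harmonic lands at 891 MHz, which is the region our last antenna was built for. The other is that 148.5 MHz is also the 2nd harmonic of 720p60, so a single sweep hit does not pin down the mode; the line rate (67.5 kHz for 1080p60) is the extra parameter that disambiguates.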


The problem with this one was that we underestimated the effect of the electronic noise around us, so it's a little hard to use.

We were still able to run some tests at 12 m and get a convincing signal.

SCA on Keyboard

I don't have that much to say about this one because the smarter people of the group were working on it, and I was on a crusade against Python.

In short

They used an SVM to classify the sounds of keyboard strokes. In laboratory conditions it performed very well! Also in less good environments. But because they wanted to be more realistic, they decided to work on unsupervised and semi-supervised versions of the system.

And I have to say, even if it wasn't working perfectly, they made a system where they were able to check the “guessed” output and perform manual labelling, which was a very realistic view of what a tool like that would do in real-world intelligence, even if it was just a CLI tool.
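The check-the-guess-then-label-by-hand loop is the interesting part of that tool, so here is the shape of it as an added example; it is not the group's code. Their classifier was an SVM; this block stands in a nearest-centroid classifier so it runs with no dependencies, and uses the gap between the best and runner-up class as the confidence score. Feature vectors are constructed two-number stand-ins (say, a dominant-frequency bin and a duration), and the "human" in the test is a lookup table; `cli_confirm` is the prompt a real CLI would use.

```python
import math

def train(labelled):
    """labelled: list of (feature_vector, label). Returns one centroid per label."""
    sums, counts = {}, {}
    for x, y in labelled:
        if y not in sums:
            sums[y], counts[y] = [0.0] * len(x), 0
        sums[y] = [a + b for a, b in zip(sums[y], x)]
        counts[y] += 1
    return {y: [v / counts[y] for v in sums[y]] for y in sums}

def _dist(a, b):
    return math.sqrt(sum((p - q) ** 2 for p, q in zip(a, b)))

def predict(model, x):
    """Returns (label, confidence); confidence is the relative gap to the runner-up class."""
    ranked = sorted((_dist(c, x), y) for y, c in model.items())
    d1, y1 = ranked[0]
    if len(ranked) == 1:
        return y1, 1.0
    d2 = ranked[1][0]
    conf = ((d2 - d1) / d2) if d2 > 0 else 0.0
    return y1, conf

def self_train(labelled, unlabelled, confirm, threshold=0.3):
    """Semi-supervised loop: confident guesses are accepted as new training data,
    low-confidence ones are shown to the human (confirm) for manual labelling."""
    labelled = list(labelled)
    model = train(labelled)
    auto, manual = [], []
    for x in unlabelled:
        guess, conf = predict(model, x)
        if conf >= threshold:
            label = guess
            auto.append((x, label, conf))
        else:
            label = confirm(x, guess)
            manual.append((x, guess, label))
        labelled.append((x, label))
        model = train(labelled)          # retrain with the newly labelled sample
    return model, auto, manual

def cli_confirm(x, guess):
    """The manual-labelling step as a CLI prompt: pressing Enter keeps the guess."""
    answer = input(f"sample {x} guessed {guess!r}; correct label? [{guess}] ").strip()
    return answer or guess

# Constructed seed data: three keys, two labelled samples each.
SEED = [((1.0, 1.0), "a"), ((1.2, 0.8), "a"),
        ((5.0, 5.0), "s"), ((5.2, 4.8), "s"),
        ((9.0, 1.0), "d"), ((9.2, 0.8), "d")]
# Constructed unlabelled samples: one obvious, one sitting between two classes.
UNLABELLED = [(1.0, 1.1), (7.0, 3.0)]
# Constructed "human answers" for the demo; a real run would use cli_confirm.
TRUTH = {(7.0, 3.0): "d"}

def demo():
    return self_train(SEED, UNLABELLED, lambda x, guess: TRUTH.get(x, guess))

if __name__ == "__main__":
    model, auto, manual = demo()
    print("auto-labelled:", auto)
    print("sent to human:", manual)
```

The ambiguous sample (7.0, 3.0) is guessed as "s" with a confidence of about 0.1, falls below the threshold, and is routed to the human, who corrects it to "d"; the corrected sample then moves the "d" centroid, so the next nearby sample classifies correctly without help.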

Ghost Touch

Yes, I really like this one.

The concept is really easy.

When you use a capacitive touch screen, the contact of your finger with a sensor discharges a capacitor, and this discharge tells the system that you pressed there.

If you choose the right frequency with enough power, you can stimulate the discharge without the finger, from a distance (relatively speaking).

So, with the idea of reproducing a basic PoC, we grabbed a GBF (signal generator) and tried random frequencies on the screens of our phones.

We were already able to get some results, but only from 2 mm, so not very realistic, and it took us too much time to find the right frequency.

Finding the right frequency

While the others were working on the SVM, I decided to build a system to automate the frequency-finding procedure.


My laptop was scheduling the procedure.

There were 4 components, but it could have been 3.

  1. The laptop, scheduling the procedure by sending the frequency as text to the phone, then telling the AD to emit it.
  2. The Analog Discovery (AD), emitting the signal.
  3. The phone, with an app that records when there is a touch and registers the current frequency given by the laptop at the moment of the touch.
  4. The server, aggregating the results of the test.

With this strategy we were able to test a phone in less than 5 min.
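The scheduling and aggregation logic of that setup, as an added example that is not the original tool: a coarse sweep over the band, then a fine sweep around the widest band of hits, with the centre of the fine hit band reported as the frequency. The Analog Discovery and the phone app are replaced by a simulated screen whose sensitive band is a constructed value (237 kHz, plus or minus 3 kHz), and its log plays the role of the server; `drive_and_poll` is the single call a real run would wire to the generator and the app's touch report.

```python
from dataclasses import dataclass, field

@dataclass
class SimulatedScreen:
    """Stand-in for the phone + app: reports a touch when driven inside its sensitive band."""
    sensitive_hz: int
    half_width_hz: int
    log: list = field(default_factory=list)   # (frequency, touched): what the server stores

    def drive_and_poll(self, freq_hz: int) -> bool:
        touched = abs(freq_hz - self.sensitive_hz) <= self.half_width_hz
        self.log.append((freq_hz, touched))
        return touched

def sweep(drive_and_poll, start_hz, stop_hz, step_hz):
    """Emit each frequency once and record whether a touch was registered."""
    return {f: drive_and_poll(f) for f in range(start_hz, stop_hz + 1, step_hz)}

def hit_bands(results, step_hz):
    """Group consecutive hit frequencies into (low, high) bands."""
    bands, cur = [], None
    for f in sorted(results):
        if not results[f]:
            continue
        if cur is not None and f - cur[1] == step_hz:
            cur[1] = f                      # extend the current band
        else:
            cur = [f, f]                    # start a new band
            bands.append(cur)
    return [tuple(b) for b in bands]

def find_frequency(drive_and_poll, start_hz, stop_hz, coarse_step_hz, fine_step_hz):
    """Coarse sweep, then fine sweep around the widest coarse hit band.
    Returns (centre_hz, (low_hz, high_hz)) or None if nothing triggered."""
    coarse = sweep(drive_and_poll, start_hz, stop_hz, coarse_step_hz)
    bands = hit_bands(coarse, coarse_step_hz)
    if not bands:
        return None
    lo, hi = max(bands, key=lambda b: b[1] - b[0])
    fine = sweep(drive_and_poll,
                 max(start_hz, lo - coarse_step_hz),
                 min(stop_hz, hi + coarse_step_hz),
                 fine_step_hz)
    fine_bands = hit_bands(fine, fine_step_hz)
    if not fine_bands:
        return None
    flo, fhi = max(fine_bands, key=lambda b: b[1] - b[0])
    return (flo + fhi) // 2, (flo, fhi)

def demo():
    screen = SimulatedScreen(sensitive_hz=237_000, half_width_hz=3_000)   # constructed
    result = find_frequency(screen.drive_and_poll, 10_000, 1_000_000, 10_000, 1_000)
    return result, len(screen.log)

if __name__ == "__main__":
    result, emissions = demo()
    print(f"found {result} after {emissions} emissions")
```

The point of the two-stage sweep is the emission count: the coarse pass only has to land somewhere inside the sensitive band, and the fine pass then costs a few tens of emissions instead of sweeping the whole band at 1 kHz. Reporting the centre of the hit band rather than the first hit matters too, because the edges of the band are where a touch registers least reliably.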

Emitting from a longer distance

We tried to “craft” a high-voltage amplifier from an assembly of MOSFETs, resistors, capacitors and a DC-DC high-voltage converter.

But we are bad electronics engineers and didn't have that much time. So we weren't able to get stable results, but one time we were able to test it from nearly 2 cm, then the DC-DC converter burned.

What if I made it today?

I'm proud of this project, and whenever we had problems we were able to patch them.

I might try to make a better, more reliable antenna (we let someone else use it and he broke it).

I think, with the knowledge I have today, I would have lost time trying to implement time-reversal signal processing to amplify the signal at one point, even if it's nearly impossible at this scale.

My only regret is that I didn't take the time to get interested in the keyboard attack; it could have been a really interesting experience.