Screaming Channels: When TEMPEST Meets Side Channels and Wireless Security

This is a Technical event focused on TEMPEST attacks utilizing Side-Channel Analysis.

TEMPEST attacks are a well-known threat that consists in spying on an electronic device through its unintended physical emissions. Physical emissions are also used by side-channel attacks to break cryptographic implementations. However, while TEMPEST attacks have been demonstrated at large distance (e.g., several meters), side channel attacks generally work only in proximity of the target (e.g., mm to 1m) as they rely on very weak signals.

In this talk, we will see that mounting side channel attacks at large distance is sometimes possible. This happens when the radio signals intentionally emitted by a wireless interface accidentally contain side channel information about the digital activity of the chip. Indeed, modern connected devices often use a mixed-signal architecture where analog/radio-frequency components lay on the same silicon die as the digital blocks and suffer from their interference. We call this novel side channel vector “Screaming Channels”, because of the strength of the signal compared to the low “whisper” of conventional side channel emissions. By giving the attackers the ability to break cryptography “over-the-air", Screaming Channels introduce a new threat to the security of wireless communications. In this talk we will first provide some background, then present our latest results on this topic. They include an in-depth analysis of the leakage on a BLE chip, and attacks that are more and more realistic. As of now we have demonstrated an attack at 15m reusing a profile built on a different device in more convenient conditions, and a proof-of-concept attack against the authentication of Google Eddystone beacons.