Noise-SDR: Arbitrary modulation of electromagnetic noise from unprivileged software and its impact on emission security

Electronic devices generate electromagnetic noise, also known as EM leakage when the noise leaks information. Many recent research papers exploit the fact that software activity can exploit this leakage to generate radio signals. This process breaks the isolation between simple unprivileged code and the radio spectrum, letting an attacker generate physical radio signals without accessing any radio interface. Previous work has discovered many leakage sources and covert communication channels, which generally use simple modulation schemes. However, a fundamental research question has been left unexplored: to which point can attackers shape electromagnetic leakage into signals of their choice? The answer to this question has an important security impact that goes beyond specific attacks or platforms. Indeed, arbitrary signal modulation is a useful primitive. This would allow attackers to use advanced modulations and better exploit the channel (leakage) capacity, for example, to establish advanced communication channels, or to inject malicious signals into victim receivers. At a first analysis, arbitrary modulation seems impossible: software has limited control on the leakage and existing attacks are therefore constrained to on-off keying or frequency-shift keying. In this paper, we demonstrate that shaping arbitrary signals out of electromagnetic noise is possible from unprivileged software. For this we leverage fully-digital radio techniques and call our method Noise-SDR because, similarly to a software-defined radio, it can transmit a generic signal synthesized in software. We demonstrate our approach with a practical implementation with DRAM accesses on ARMv7-A, ARMv8-A, x86-64, and MIPS32. We evaluate it on different types of devices, including smartphones, a laptop, a desktop, and a Linux-based IoT device. Although power, frequency and bandwidth are constrained by the properties of the leakage, we present several case studies, including transmission with advanced protocols, device tracking, and signal injection.