When LoRa Meets EMR: Electromagnetic Covert Channels Can Be Super Resilient

Title: When LoRa Meets EMR: Electromagnetic Covert Channels Can Be Super Resilient
Publication Type: Conference Paper
Year of Publication: 2021
Authors: Shen, Cheng, Liu, Tian, Huang, Jun, Tan, Rui
Conference Name: 2021 IEEE Symposium on Security and Privacy (SP)
Date Published: May 2021
Publisher: IEEE
ISBN Number: 978-1-7281-8934-5
Keywords: Air gaps, Attenuation, composability, Detectors, Human Behavior, Meters, Metrics, Portable computers, privacy, pubcrawl, resilience, Resiliency, security, Sensors
Abstract: Due to the low power of electromagnetic radiation (EMR), EM covert channel has been widely considered as a short-range attack that can be easily mitigated by shielding. This paper overturns this common belief by demonstrating how covert EM signals leaked from typical laptops, desktops and servers are decoded from hundreds of meters away, or penetrate aggressive shield previously considered as sufficient to ensure emission security. We achieve this by designing EMLoRa – a super resilient EM covert channel that exploits memory as a LoRa-like radio. EMLoRa represents the first attempt of designing an EM covert channel using state-of-the-art spread spectrum technology. It tackles a set of unique challenges, such as handling complex spectral characteristics of EMR, tolerating signal distortions caused by CPU contention, and preventing adversarial detectors from demodulating covert signals. Experiment results show that EMLoRa boosts communication range by 20x and improves attenuation resilience by up to 53 dB when compared with prior EM covert channels at the same bit rate. By achieving this, EMLoRa allows an attacker to circumvent security perimeter, breach Faraday cage, and localize air-gapped devices in a wide area using just a small number of inexpensive sensors. To countermeasure EMLoRa, we further explore the feasibility of uncovering EMLoRa's signal using energy- and CNN-based detectors. Experiments show that both detectors suffer limited range, allowing EMLoRa to gain a significant range advantage. Our results call for further research on the countermeasure against spread spectrum-based EM covert channels.
URL: https://ieeexplore.ieee.org/document/9519447
DOI: 10.1109/SP40001.2021.00031
Citation Key: shen_when_2021