camurati18screaming

Title of the paper: Screaming Channels: When Electromagnetic Side Channels Meet Radio Transceivers

The paper and a video for the presentation are available at: https://dl.acm.org/doi/10.1145/3243734.3243802

Remarks:

Abstract

This paper presents a new side channel that affects mixed-signal chips used in widespread wireless communication protocols, such as Bluetooth and WiFi. This increasingly common type of chip includes the radio transceiver along with digital logic on the same integrated circuit. In such systems, the radio transmitter may unintentionally broadcast sensitive information from hardware cryptographic components or software executing on the CPU. The well-known electromagnetic (EM) leakage from digital logic is inadvertently mixed with the radio carrier, which is amplified and then transmitted by the antenna. We call the resulting leak “screaming channels”. Attacks exploiting such a side channel may succeed over a much longer distance than attacks exploiting usual EM side channels.

Introduction

  • Mixed-signal circuits are circuits in which analog and digital circuitry reside on the same piece of silicon, called a die.

  • A typical example is a WiFi chip featuring a (digital) microcontroller as well as the (analog) radio.

  • The special challenge of such designs is to separate the “noisy” digital circuits from the sensitive analog side of the system.

  • EM attacks often use specialized magnetic-field antennas in close proximity to the target chip, typically within millimeters.

  • The emissions of low-power devices are very weak and do not allow for attacks over larger distances.

  • The basic intuition of screaming channels is that, when an RF circuit is placed in close proximity to digital circuitry, information on the digital circuit’s operation leaks into the RF part and is broadcast along with regular transmissions.

  • This leakage is not due to the design error of an individual vendor, but to a fundamental difficulty in designing mixed-signal chips.

The paper contributions are the following:

  • A novel side channel on devices that handle sensitive information and include a radio transceiver.

  • Full key recovery up to 10 meters, a much larger distance than conventional EM side channels.

  • A thorough analysis of the channel’s properties and an explanation of its origin, allowing chip designers to take the issue into consideration for future designs.

  • Countermeasures to protect current designs.

Background

  • Side channels

    • The general principle of side-channel attacks is: when the implementation of a system inadvertently leaks information about its internal state, attackers who recover such information may be able to break the system’s security guarantees.

  • Mixed-signal circuits

    • Though modern electronic systems rely on digital components and software to process information, they also employ analog circuitry for power and communication with the outside world.

    • Market pressure for cheaper, smaller devices and advances in microelectronics have popularized so-called mixed-signal chips, which combine the digital and analog/RF domain on a single chip (also called Radio Frequency Integrated Circuits (RFICs)).

    • (Figure in the paper: labeled die picture of an nRF51822 Bluetooth LE 2.4 GHz mixed-signal chip.)

    • Digital circuits are characterized by an intense switching activity (i.e., logic gates taking “0” and “1” values). As a consequence, sharp current variations generate noise in a wide range of frequencies. Analog/RF circuits, which operate with continuous signals, are extremely sensitive to noise.

    • One of the main reasons for noise propagation is substrate coupling, where the substrate is the “bulk” silicon on which both digital and analog components are built.

    • It is interesting to note that in a mixed-signal design, the transmitter is often more exposed to noise than other analog/RF components. The reason is that radio receiver chains are very sensitive to noise and are therefore typically placed in a corner of the silicon chip, as far as possible from digital noise; the transmit chain, on the other hand, deals with more powerful signals that are strong enough to present a good signal-to-noise ratio (SNR) even in the presence of digital noise.

Screaming Channels

The paper’s overview figure shows the noise produced by the digital circuit when executing AES-128 (red arrow) being picked up and transmitted by the analog part; it becomes part of the legitimate radio signal (blue arrow).

The software-defined radio (SDR) that the authors use to capture the radio emissions is tuned to fchan+2·fclock, where fchan is the Bluetooth channel’s center frequency (2.4 GHz) and fclock the frequency of the microprocessor’s clock (64 MHz). The implementation used for AES-128 is tinyAES.

Complete Key Recovery Attack

In this section the authors describe a full key recovery attack against AES on the Nordic Semiconductor nRF52832, a commercial Bluetooth chip.

The nRF52832 is commonly used in IoT applications and embeds a Cortex-M4 microcontroller, allowing for single-chip solutions.

The goal of the attack is to recover the key of an AES computation carried out by the processor of the target chip, using only the radio signal that the chip emits and knowledge of the plaintexts.

Refer to the paper for the experimental setup, the trace collection and processing, and the key recovery.
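The attacker’s position described above (only the plaintexts and the captured traces are known, and the key is recovered one byte at a time) can be run offline with the following Python. It is an added example, not the paper’s code and not its recovery procedure, which the paper describes in its key-recovery section. The radio traces are replaced by a constructed leakage model, the Hamming weight of the first-round S-box output plus Gaussian noise, and the recovery step is a plain correlation attack over every trace sample, since the attacker does not know in advance where in the trace each byte leaks. The key, trace count and noise level are assumptions.

```python
import math
import operator
import random

# Constructed example: CPA on simulated first-round S-box leakage (not the paper's code).


def _gf_mul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r


def _gf_inv(a):
    """a^254 == a^-1 in GF(2^8); the S-box defines inv(0) = 0."""
    r, base, e = 1, a, 254
    while e:
        if e & 1:
            r = _gf_mul(r, base)
        base = _gf_mul(base, base)
        e >>= 1
    return r if a else 0


def _sbox_entry(x):
    """Affine step of the S-box: b ^ rotl(b,1) ^ rotl(b,2) ^ rotl(b,3) ^ rotl(b,4) ^ 0x63."""
    b = s = _gf_inv(x)
    for i in range(1, 5):
        s ^= ((b << i) | (b >> (8 - i))) & 0xFF
    return s ^ 0x63


SBOX = [_sbox_entry(x) for x in range(256)]


def hamming_weight(x):
    return bin(x).count("1")


def simulate_traces(key, n_traces, noise_sigma, rng):
    """Constructed traces (stand-in for the radio amplitude samples): sample i of
    each trace carries HW(SBOX[p_i ^ k_i]) plus Gaussian noise, i.e. the usual
    switching-count approximation of the current leakage analysed in the paper."""
    plaintexts, traces = [], []
    for _ in range(n_traces):
        pt = [rng.randrange(256) for _ in range(16)]
        traces.append([hamming_weight(SBOX[pt[i] ^ key[i]]) + rng.gauss(0.0, noise_sigma)
                       for i in range(16)])
        plaintexts.append(pt)
    return plaintexts, traces


def _centered(v):
    m = sum(v) / len(v)
    return [x - m for x in v]


def cpa_recover_key(plaintexts, traces):
    """Correlation attack with known plaintexts only. For each key byte, every
    candidate's predicted HW(SBOX[p ^ k]) is correlated with every trace sample
    (the attacker does not know where the byte leaks); the best (candidate,
    sample) pair wins. Returns (key, leak sample per byte, winning correlation)."""
    n_samples = len(traces[0])
    cols = [_centered([tr[t] for tr in traces]) for t in range(n_samples)]
    col_norm = [math.sqrt(sum(x * x for x in c)) or 1.0 for c in cols]
    key, where, corr = [], [], []
    for i in range(16):
        best = (-1.0, 0, 0)
        for cand in range(256):
            h = _centered([hamming_weight(SBOX[pt[i] ^ cand]) for pt in plaintexts])
            h_norm = math.sqrt(sum(x * x for x in h)) or 1.0
            for t in range(n_samples):
                r = abs(sum(map(operator.mul, h, cols[t]))) / (h_norm * col_norm[t])
                if r > best[0]:
                    best = (r, cand, t)
        corr.append(best[0])
        key.append(best[1])
        where.append(best[2])
    return key, where, corr


# Assumed key for the simulation: the FIPS-197 example key.
KEY = [0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
       0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C]


def run_demo(n_traces=200, noise_sigma=2.0, seed=1234):
    rng = random.Random(seed)
    plaintexts, traces = simulate_traces(KEY, n_traces, noise_sigma, rng)
    return cpa_recover_key(plaintexts, traces)


if __name__ == "__main__":
    key, where, corr = run_demo()
    print("recovered key:", " ".join(f"{b:02x}" for b in key), "| correct:", key == KEY)
    print("leak sample per byte:", where)
    print("lowest winning correlation:", round(min(corr), 2))
```

With 200 traces and a noise standard deviation of 2 (noise larger than the signal range of 0 to 8), the winning candidate of each byte is clearly separated from the 255 wrong ones, and the attack also tells the attacker at which sample each byte leaks. On the real chip the traces are amplitude samples taken around fchan + 2·fclock and need the alignment and averaging steps described in the paper before a step like this one applies.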

Analysis

In this section the authors focus on explaining the physical effects underlying the channel.

  1. Noise generation

    1. A very good explanation of the CMOS transistors acting as switches is presented in section 5.2 of the paper.

    2. The current consumption is correlated with the value of the CMOS output: at the power supply, the consumption is Isc + Ir in the case of a rising transition and Isc in the case of a falling transition; ideally, there is no consumption if the value does not switch (see the figure in the paper).

    3. The effects on current and voltage are unintended outcomes of the digital circuit’s normal operation, and are therefore called digital noise.

    4. The clock signal is a particularly strong source of digital noise: since it is responsible for synchronizing the circuit at a given frequency, it is one of the fastest switching signals in the circuit. Moreover, it is a non-ideal square wave that exhibits many harmonics at multiples of the fundamental frequency.

  2. Spectrum spraying

    1. The digital noise propagates inside and outside the circuit.

    2. This process is strongly dependent on its characteristics in the frequency domain.

    3. A time-domain signal can be seen as the composition of many pure sine waves at different frequencies (i.e., frequency components), and the Fourier transform is a way to switch between the time and frequency domains.

    4. One of the most important sources of noise in a digital circuit is the clock signal, which (ideally) is a square periodic signal.

    5. The “sharper” the changes in the time domain, as it is the case for a square wave, the higher the frequencies of the individual components.

    6. Propagation channels typically only allow a certain band of frequencies to pass. The information leak that we are interested in is present in several copies at different frequencies. As a consequence, it is very likely to be admitted through at least one noise propagation path in the circuit. We refer to this effect as spectrum spraying.

    7. More mathematical details are available in the paper.

    8. The modulating activity (see the figure in the paper) is replicated at each of the harmonics of the clock, which act as separate carriers. Alternatively, a data signal can couple with the input of a VCO, leading to frequency modulation of its output.

    9. It has been shown that malicious software can deliberately generate a carrier and modulate it as described above to transmit data, thus creating a covert channel. While these covert channels are based on the same modulation principles, they invoke the modulating effects on purpose, whereas the leak analyzed in this paper is an unintended modulation.

  3. Noise propagation and initial emission

    1. Substrate coupling is the main channel between the digital and analog domains.

    2. Digital switching noise stimulates the substrate via several mechanisms including direct injection of impact ionization currents at the device level, capacitive coupling of displacement (charging/discharging) currents at the circuit level, and ohmic coupling of power supply/ground noise voltages at the chip level (refer to Substrate Noise Coupling in SoC Design: Modeling, Avoidance, and Validation).

    3. Resistive coupling dominates at low frequency, whereas capacitive and then inductive coupling appear at higher frequencies.

  4. Radio transmission

    1. Screaming channels, as opposed to EM side channels, can be attacked over long distances. This is because the noise propagates to mixed-signal circuits that compose the radio, where it is mixed, amplified and broadcast.

    2. Modern radio transmitters are typically composed of:

      1. a digital baseband which converts the data to transmit into digitally modulated data (I/Q signals),

      2. a digital-to-analog converter (DAC) which converts modulated I/Q data to analog I/Q signals (the baseband signals),

      3. an analog transmitter which brings the baseband signals to the carrier frequency and amplifies them.

    3. The way noise couples to the radio transmitter will depend on the transmitter architecture. There are multiple possible architectures, and the choice will depend on several factors, such as the semiconductor technology used, the difficulty to create a stable high frequency local oscillator, the acceptable noise levels or simply the cost.

    4. Direct transmitters are the most compact and common ones in modern integrated radio circuits (used in SCuM as well): the VCO is tuned to the exact frequency at which the signal needs to be transmitted. This differs from the superheterodyne transmitter, which performs the conversion in two stages, first to an intermediate frequency and then to the final frequency.

    5. The leak can thus couple with the baseband signal, with the mixer or amplifier, or with the Voltage Controlled Oscillator (VCO) that is part of the carrier-frequency synthesizer.

    6. In any case the result is unintended amplitude/frequency modulation of the carrier.

    7. The authors are mainly interested in the capacitive coupling with the VCO, which leads to amplitude modulation. In this case, there are two cascaded modulations: → check with Fil whether this effect applies to SCuM

      • First, the leak modulates the clock harmonics.

      • Second, the resulting signal propagates to the radio and modulates the carrier (and its harmonics).

    8. The “noise modulated” carrier is further mixed with the legitimate baseband signal of the radio protocol. Then it enters a power amplifier, a balun, and finally reaches the antenna, where it is broadcast.

    9. The leaks are visible only when the power amplifier of the transmitter is on.

Additional Experiments

The authors perform additional experiments in different environments, using other AES implementations, and on other devices.

Attacks on other AES implementations, such as mbedTLS and a hardware AES implementation, were also tested. While the attack does not effectively break link-layer encryption, the authors believe that the presence of screaming channels even for hardware implementations poses a significant threat.

Discussion

Real world applicability

  • The hardware requirements for carrying out radio attacks outside lab environments are very moderate.

  • Attacking from greater distances will require more equipment, such as a highly directional antenna, a low noise amplifier and a good SDR for collecting traces.

  • Some knowledge of the target chip is required in order to determine the right attack parameters. In particular, the attacker needs to know or guess the clock frequency of the target’s CPU to determine the radio frequency to listen on.

Impact on the threat model

  • EM or power side-channels attacks are usually considered out of scope for devices with lower level of security and without tamper resistance requirements, such as IoT devices, wearables, and Bluetooth and WiFi chips included in smartphones and computers.

  • The reason for ignoring EM side channels in these devices is that if an attacker can get close enough to mount a side-channel attack, the system can be compromised in many other ways; such attacks are therefore usually classed as physical attacks.

  • However, the novel results in this paper show that this security model is not sufficient, and that for data to be really protected from attackers the chip must avoid leaks through the radio channel.

Countermeasures

  1. Cryptographic countermeasures: hiding and masking

  2. Avoiding leakage: avoid sensitive computations in digital circuitry close to radio components.

  3. Countermeasures during chip design:

    1. System in Package (SiP) technologies integrate multiple dies inside one package, which avoids substrate coupling and allows different semiconductor technologies to be combined. SiP devices have the advantage of being almost as compact as single-chip solutions while providing more room for isolating sensitive operations from the radio transmitter (e.g., creating filters using passive components). → similar to the Michigan Micro Mote

    2. Unlike conventional transmitters (including SDRs), fully digital radios perform the complete modulation of the signal in digital circuits. As those designs are made with significantly fewer analog radio components, it would be interesting to estimate their susceptibility to screaming channels.

    3. Isolation can be used to reduce the coupling inside the chip, using for example guard rings, various substrate modification techniques, or even active noise cancellation techniques.

Future Work

  • There is no reason to consider that screaming channels are limited to mixed-signal designs on a single integrated chip. Any system that is processing sensitive data and contains a radio transmitter is potentially vulnerable if proper isolation of both domains is insufficient.

  • The current attacks only use the amplitude of the signal, but noise coupling could also lead to phase noise, and exploiting it can likely improve the attack.

Related Work

  • EM side-channel attacks

  • Modern tools and applications

    • Software provided by GNU Radio, rsa-sdr, and the ChipWhisperer project has simplified the tasks of trace collection and analysis, and in some cases inspired the trace processing code written for this study.

  • Noise in mixed-signal designs

    • A lot of work has been dedicated to observing and explaining the various interactions in electronic circuits that lead to inadvertent signal emission in Printed Circuit Boards (PCBs).

    • Much of this research, however, is targeted at aiding circuit design with respect to EM compliance; security is never the focus. The challenges and countermeasures of mixed-signal IC design are conceptually similar to those of PCB design.