0 00:00:00,000 --> 00:00:30,000 Dear viewer, these subtitles were generated by a machine via the service Trint and therefore are (very) buggy. If you are capable, please help us to create good quality subtitles: https://c3subtitles.de/talk/853 Thanks! 1 00:00:17,270 --> 00:00:19,549 Hello, all, and welcome, the following 2 00:00:19,550 --> 00:00:21,739 talk focuses on the vulnerability 3 00:00:21,740 --> 00:00:24,289 of electronic devices to electromagnetic 4 00:00:24,290 --> 00:00:26,359 interference with regard to 5 00:00:26,360 --> 00:00:28,559 I.T. security, with the subject of 6 00:00:28,560 --> 00:00:29,839 EMP threats getting more and more 7 00:00:29,840 --> 00:00:31,279 traction nowadays. 8 00:00:31,280 --> 00:00:33,499 Security specialists Shoki Kazmi and 9 00:00:33,500 --> 00:00:35,629 Jose Lopez Estévez will explain 10 00:00:35,630 --> 00:00:37,489 and classify the types of attacks that we 11 00:00:37,490 --> 00:00:38,929 are exposed to. 12 00:00:38,930 --> 00:00:41,329 They both have extensive experience 13 00:00:41,330 --> 00:00:42,709 in security research. 14 00:00:42,710 --> 00:00:44,269 Having worked at the French National 15 00:00:44,270 --> 00:00:46,369 Cybersecurity Agency, Shoki has 16 00:00:46,370 --> 00:00:48,769 a Ph.D. in electronics and has recently 17 00:00:48,770 --> 00:00:50,560 joined the TV labs at Dark Matter. 18 00:00:51,650 --> 00:00:53,360 Join me in welcoming them onstage. 19 00:01:01,660 --> 00:01:03,189 Good afternoon, everybody. 20 00:01:03,190 --> 00:01:04,488 Thank you for joining us. 21 00:01:04,489 --> 00:01:06,609 So we are subjects, me and my 22 00:01:06,610 --> 00:01:07,849 sister was here. 
23 00:01:07,850 --> 00:01:10,059 Um, we are very happy to 24 00:01:10,060 --> 00:01:12,379 be here today to talk about 25 00:01:12,380 --> 00:01:14,889 EM threats for information security 26 00:01:14,890 --> 00:01:17,319 and how we may find ways to 27 00:01:17,320 --> 00:01:19,419 induce chaos in digital 28 00:01:19,420 --> 00:01:21,789 and analog electronic devices thanks 29 00:01:21,790 --> 00:01:24,040 to directed energy weapons. 30 00:01:25,330 --> 00:01:27,999 So we are both, uh, 31 00:01:28,000 --> 00:01:29,919 electromagnetic security experts. 32 00:01:29,920 --> 00:01:32,319 Uh, we do also radio communications 33 00:01:32,320 --> 00:01:34,569 security analyses, um, 34 00:01:34,570 --> 00:01:37,179 some hardware and embedded system, 35 00:01:37,180 --> 00:01:39,849 uh, security research, 36 00:01:39,850 --> 00:01:41,469 as well as signal processing. 37 00:01:43,940 --> 00:01:45,889 A quick disclaimer, because I recently 38 00:01:45,890 --> 00:01:48,769 joined Armorer LLC anyway, 39 00:01:48,770 --> 00:01:51,379 so the research was done during my 40 00:01:51,380 --> 00:01:53,729 research activities at the French Network 41 00:01:53,730 --> 00:01:55,879 and Information Security Agency, 42 00:01:55,880 --> 00:01:57,979 and all the content that will 43 00:01:57,980 --> 00:02:00,109 be presented today was done 44 00:02:00,110 --> 00:02:02,629 during those research activities. 45 00:02:02,630 --> 00:02:04,499 Um, I'm grateful for the support and 46 00:02:04,500 --> 00:02:06,769 encouragement provided by our mother 47 00:02:06,770 --> 00:02:08,809 in allowing me to present this research 48 00:02:08,810 --> 00:02:11,059 today with my colleague, José 49 00:02:11,060 --> 00:02:12,060 Lopez Estévez. 
50 00:02:13,280 --> 00:02:16,159 So the agenda for today, 51 00:02:16,160 --> 00:02:17,779 we will introduce you the topic of 52 00:02:17,780 --> 00:02:19,879 electromagnetic security, 53 00:02:19,880 --> 00:02:22,459 then to present you 54 00:02:22,460 --> 00:02:24,859 why we are looking for effects induced 55 00:02:24,860 --> 00:02:26,619 by EM waves. 56 00:02:26,620 --> 00:02:28,699 Um, then we will 57 00:02:28,700 --> 00:02:31,099 have a look at the vulnerability of 58 00:02:31,100 --> 00:02:33,169 some devices and how 59 00:02:33,170 --> 00:02:35,539 we may involve those 60 00:02:35,540 --> 00:02:37,669 effects and turning 61 00:02:37,670 --> 00:02:40,309 them into, um, information 62 00:02:40,310 --> 00:02:41,310 security issues. 63 00:02:42,440 --> 00:02:43,969 And at the end of the talk, we will draw 64 00:02:43,970 --> 00:02:46,639 some conclusions and perspective of 65 00:02:46,640 --> 00:02:48,619 concerning our research. 66 00:02:48,620 --> 00:02:50,059 So let's start with electromagnetic 67 00:02:50,060 --> 00:02:51,060 security. 68 00:02:51,980 --> 00:02:54,109 So you may have all 69 00:02:54,110 --> 00:02:56,239 seen those nice movies or 70 00:02:56,240 --> 00:02:58,549 Hollywood movies where 71 00:02:58,550 --> 00:03:00,769 they are using some EMP weapons 72 00:03:00,770 --> 00:03:03,229 to disable electronic and 73 00:03:03,230 --> 00:03:05,389 electric devices like 74 00:03:05,390 --> 00:03:08,269 or any, um, facilities 75 00:03:08,270 --> 00:03:10,879 using those EMP weapons. 76 00:03:10,880 --> 00:03:13,099 So even Batman has an EMP weapon 77 00:03:13,100 --> 00:03:15,769 in movies. So basically 78 00:03:15,770 --> 00:03:18,349 it's for 79 00:03:18,350 --> 00:03:19,699 common people. 80 00:03:19,700 --> 00:03:22,219 EMP weapons are a fantasy 81 00:03:22,220 --> 00:03:23,220 weapon. 
82 00:03:24,160 --> 00:03:26,319 But since the 90s, 83 00:03:26,320 --> 00:03:27,669 many countries have developed 84 00:03:27,670 --> 00:03:30,579 capabilities in order to involve 85 00:03:30,580 --> 00:03:32,679 EMP weapons, in order to 86 00:03:32,680 --> 00:03:35,649 induce perturbation 87 00:03:35,650 --> 00:03:37,929 into targeted devices, as 88 00:03:37,930 --> 00:03:40,269 well as to try to damage them thanks to 89 00:03:40,270 --> 00:03:42,429 high power sources. 90 00:03:42,430 --> 00:03:43,430 So. 91 00:03:44,160 --> 00:03:46,409 Those sources are involving the same 92 00:03:46,410 --> 00:03:48,509 effect as high altitude 93 00:03:48,510 --> 00:03:51,089 electromagnetic, uh, uh, 94 00:03:51,090 --> 00:03:53,949 waves generated by nuclear or Pearse's, 95 00:03:53,950 --> 00:03:56,459 um, and those high intensity 96 00:03:56,460 --> 00:03:58,739 fields induce parasitic currents 97 00:03:58,740 --> 00:04:01,409 and voltages into targeted devices 98 00:04:01,410 --> 00:04:03,599 and all those parasitic currents and 99 00:04:03,600 --> 00:04:06,089 voltages induced 100 00:04:06,090 --> 00:04:08,279 perturbations on communication 101 00:04:08,280 --> 00:04:10,949 devices, as well as any 102 00:04:10,950 --> 00:04:13,799 digital, uh, datalink link. 103 00:04:13,800 --> 00:04:15,959 So the effects vary, 104 00:04:15,960 --> 00:04:18,179 uh, from very 105 00:04:18,180 --> 00:04:19,588 low level effects. 106 00:04:19,589 --> 00:04:22,049 So basic disturbances, 107 00:04:22,050 --> 00:04:24,659 um, and countryish also, 108 00:04:24,660 --> 00:04:26,789 um, permanent damages on 109 00:04:26,790 --> 00:04:27,790 devices. 
110 00:04:29,910 --> 00:04:32,249 What we are looking for, basically, is 111 00:04:32,250 --> 00:04:34,679 to be able to detect and analyze 112 00:04:34,680 --> 00:04:36,869 the effects induced by 113 00:04:36,870 --> 00:04:39,719 the sources during parasitic exposure 114 00:04:39,720 --> 00:04:42,119 so that we are able to design appropriate 115 00:04:42,120 --> 00:04:44,039 protections and to harden critical 116 00:04:44,040 --> 00:04:45,040 facilities. 117 00:04:45,890 --> 00:04:48,109 One important point is basically 118 00:04:48,110 --> 00:04:50,269 to link the hardware 119 00:04:51,380 --> 00:04:54,199 errors to software failures 120 00:04:54,200 --> 00:04:56,929 so that we are able to understand how 121 00:04:56,930 --> 00:05:00,109 electronic devices react 122 00:05:00,110 --> 00:05:02,359 during parasitic exposure as well 123 00:05:02,360 --> 00:05:04,549 as the whole infrastructure in 124 00:05:04,550 --> 00:05:05,709 which we will place them. 125 00:05:07,070 --> 00:05:09,289 And from that, we are also 126 00:05:09,290 --> 00:05:11,239 able to understand if there are any 127 00:05:11,240 --> 00:05:12,259 cascading effect. 128 00:05:12,260 --> 00:05:14,899 So basically, if we target one system, 129 00:05:14,900 --> 00:05:17,089 what kind of effect we may induce on 130 00:05:17,090 --> 00:05:18,680 other connected devices? 131 00:05:24,030 --> 00:05:26,159 So, as we said, it's not a fantasy 132 00:05:26,160 --> 00:05:28,289 points, a couple of, uh, events 133 00:05:28,290 --> 00:05:30,509 occurred in Europe and France, 134 00:05:30,510 --> 00:05:32,579 but presented 135 00:05:32,580 --> 00:05:34,649 a brief summary of what 136 00:05:34,650 --> 00:05:36,779 happens in Europe and other 137 00:05:36,780 --> 00:05:37,209 countries. 138 00:05:37,210 --> 00:05:39,629 So it starts from very simple, 139 00:05:39,630 --> 00:05:40,829 uh, sources. 
140 00:05:40,830 --> 00:05:42,959 So RF guns used by 141 00:05:42,960 --> 00:05:45,509 some, uh, malicious, 142 00:05:45,510 --> 00:05:47,639 uh, during malicious activities 143 00:05:47,640 --> 00:05:50,189 to trigger, uh, winning 144 00:05:50,190 --> 00:05:51,990 at a game machine in Japan. 145 00:05:54,510 --> 00:05:56,729 Then we have some use of, um, 146 00:05:56,730 --> 00:05:59,459 the disruptor to neutralize 147 00:05:59,460 --> 00:06:02,399 security systems of critical 148 00:06:02,400 --> 00:06:04,499 infrastructures and specific places 149 00:06:04,500 --> 00:06:07,449 like Jabbari, um, 150 00:06:07,450 --> 00:06:09,539 regions or some Russian security 151 00:06:09,540 --> 00:06:11,819 systems, um, during so 152 00:06:11,820 --> 00:06:13,709 that were disabled during parasitic 153 00:06:13,710 --> 00:06:15,839 exposure as well as some bank 154 00:06:15,840 --> 00:06:16,840 in U.K.. And 155 00:06:18,180 --> 00:06:20,309 so the summary is interesting because 156 00:06:20,310 --> 00:06:22,469 it defines a couple of 157 00:06:22,470 --> 00:06:24,659 of events in which some sources 158 00:06:24,660 --> 00:06:26,789 with high mobility or low mobility 159 00:06:26,790 --> 00:06:29,159 have been used in order to 160 00:06:29,160 --> 00:06:31,289 disrupt some targeted devices. 161 00:06:32,500 --> 00:06:35,529 In the same way, we are able to 162 00:06:35,530 --> 00:06:37,480 understand that those devices 163 00:06:38,890 --> 00:06:41,229 does not require very 164 00:06:41,230 --> 00:06:43,449 high knowledge or skills to be able 165 00:06:43,450 --> 00:06:45,099 to design them. 166 00:06:45,100 --> 00:06:47,649 This is the last column of this table. 167 00:06:47,650 --> 00:06:49,989 And we can see that basically 168 00:06:49,990 --> 00:06:52,209 if someone is interested by building 169 00:06:52,210 --> 00:06:54,549 some sources, a couple of information 170 00:06:54,550 --> 00:06:56,470 are readily available on Internet. 
171 00:07:01,680 --> 00:07:03,989 So, um, 172 00:07:03,990 --> 00:07:06,179 the use of electromagnetic interference 173 00:07:06,180 --> 00:07:08,939 to disable or disturb electronic devices 174 00:07:08,940 --> 00:07:10,889 is directly linked to the topic of 175 00:07:10,890 --> 00:07:12,959 electromagnetic compatibility in 176 00:07:12,960 --> 00:07:15,779 which we defined some 177 00:07:15,780 --> 00:07:18,089 general standards to test 178 00:07:18,090 --> 00:07:20,279 equipment and check that they will 179 00:07:20,280 --> 00:07:23,279 not, uh, experience any, 180 00:07:23,280 --> 00:07:25,949 um, abnormal behavior 181 00:07:25,950 --> 00:07:28,439 when they are exposed in the normal 182 00:07:28,440 --> 00:07:30,389 electromagnetic environment. 183 00:07:30,390 --> 00:07:32,579 So this is the topic of immunity testing. 184 00:07:33,910 --> 00:07:36,049 In the same way we try to limit the 185 00:07:36,050 --> 00:07:37,719 limitations of any electric and 186 00:07:37,720 --> 00:07:40,359 electronic device in the environment 187 00:07:40,360 --> 00:07:42,609 by reducing the noise generated 188 00:07:42,610 --> 00:07:44,289 by those devices. 189 00:07:44,290 --> 00:07:46,569 So as you may imagine, as 190 00:07:46,570 --> 00:07:48,639 you apply basic standards, it is 191 00:07:48,640 --> 00:07:50,379 a world of trust and compliance. 192 00:07:50,380 --> 00:07:52,869 We test those devices as the laptop here 193 00:07:52,870 --> 00:07:55,449 and we try to have 194 00:07:55,450 --> 00:07:57,969 the best, um, the 195 00:07:57,970 --> 00:08:00,069 best compliance of this device 196 00:08:00,070 --> 00:08:02,199 to the so that it can be used in 197 00:08:02,200 --> 00:08:04,359 a in any place 198 00:08:04,360 --> 00:08:05,489 where it should be used. 
199 00:08:06,830 --> 00:08:07,830 In the same way, 200 00:08:08,930 --> 00:08:11,119 some information security guys have been 201 00:08:11,120 --> 00:08:13,339 working on those topics and have seen 202 00:08:13,340 --> 00:08:15,529 that basically we 203 00:08:15,530 --> 00:08:17,179 can find some correlation between the 204 00:08:17,180 --> 00:08:19,279 processed data and the 205 00:08:19,280 --> 00:08:21,589 emanation of those devices. 206 00:08:21,590 --> 00:08:23,329 This called this topic is called 207 00:08:23,330 --> 00:08:24,469 TEMPEST. 208 00:08:24,470 --> 00:08:27,079 And there is also the side-channel 209 00:08:27,080 --> 00:08:29,269 area in which we correlate 210 00:08:29,270 --> 00:08:32,269 the activity of a chip or a system 211 00:08:32,270 --> 00:08:34,340 with the data processed by this device. 212 00:08:35,750 --> 00:08:38,089 In the same way some 213 00:08:38,090 --> 00:08:40,038 researchers are working on fault injection 214 00:08:40,039 --> 00:08:42,319 on the smartcards and 215 00:08:42,320 --> 00:08:43,999 to an FPGA. 216 00:08:44,000 --> 00:08:46,729 So it's using basically, um, 217 00:08:46,730 --> 00:08:48,259 the near field interaction between the 218 00:08:48,260 --> 00:08:50,509 source and the target 219 00:08:50,510 --> 00:08:52,609 so that we are able to extract 220 00:08:52,610 --> 00:08:55,129 some keys or 221 00:08:55,130 --> 00:08:57,769 any interesting secrets 222 00:08:57,770 --> 00:08:59,119 on the device. 223 00:08:59,120 --> 00:09:01,339 So in this way, we see that 224 00:09:01,340 --> 00:09:03,559 basically we go beyond 225 00:09:03,560 --> 00:09:05,929 the standards applied in 226 00:09:05,930 --> 00:09:07,009 EMC area. 
227 00:09:08,080 --> 00:09:10,359 We don't stay, uh, 228 00:09:10,360 --> 00:09:12,129 we don't comply with the standards 229 00:09:12,130 --> 00:09:14,349 because we have we are looking 230 00:09:14,350 --> 00:09:16,809 at very small correlations 231 00:09:16,810 --> 00:09:18,939 or susceptibility level that 232 00:09:18,940 --> 00:09:22,389 may be used to, um, 233 00:09:22,390 --> 00:09:24,519 to to to to reduce the security 234 00:09:24,520 --> 00:09:25,749 of those devices. 235 00:09:25,750 --> 00:09:27,460 So it's a world of deception. 236 00:09:32,550 --> 00:09:34,829 So other other risks 237 00:09:34,830 --> 00:09:37,289 for information security, 238 00:09:37,290 --> 00:09:39,359 it's basically, um, a 239 00:09:39,360 --> 00:09:41,639 phenomena, uh, that originated 240 00:09:41,640 --> 00:09:44,459 from EMC, so it's a physical phenomena 241 00:09:44,460 --> 00:09:45,779 and in the same way. 242 00:09:47,050 --> 00:09:50,169 Targeting, targeting information systems 243 00:09:50,170 --> 00:09:52,689 based on electronic device 244 00:09:52,690 --> 00:09:54,759 is highly useful when 245 00:09:54,760 --> 00:09:57,129 we are looking at the security of those 246 00:09:57,130 --> 00:09:58,509 other devices. 247 00:09:58,510 --> 00:09:59,510 So. 248 00:10:00,350 --> 00:10:02,869 The threats are as as, uh, 249 00:10:02,870 --> 00:10:05,359 as defined in the previous slide, 250 00:10:05,360 --> 00:10:08,029 so we have the emanation threat, 251 00:10:08,030 --> 00:10:10,279 which might which introduce 252 00:10:10,280 --> 00:10:11,629 a threat for the confusion, the 253 00:10:11,630 --> 00:10:14,329 confidentiality of, uh, the information 254 00:10:14,330 --> 00:10:16,459 as we are able to recover data from the 255 00:10:16,460 --> 00:10:19,279 emanations of the electronic devices 256 00:10:19,280 --> 00:10:21,919 and in the same way the integrity 257 00:10:21,920 --> 00:10:24,020 and the availability of the device. 
258 00:10:25,090 --> 00:10:27,159 Is directly linked to the immunity 259 00:10:27,160 --> 00:10:29,059 of this device to parasitic fields. 260 00:10:30,280 --> 00:10:32,589 So our challenges 261 00:10:32,590 --> 00:10:34,719 are the two of these two 262 00:10:34,720 --> 00:10:36,849 ones. The first is how 263 00:10:36,850 --> 00:10:39,099 can we assess the vulnerability of 264 00:10:39,100 --> 00:10:41,079 any electronic device to parasitic 265 00:10:41,080 --> 00:10:43,269 exposure and. 266 00:10:44,460 --> 00:10:46,649 If we want to do some risk management, 267 00:10:46,650 --> 00:10:48,869 we need to be able to rate any 268 00:10:48,870 --> 00:10:50,760 attack against any device. 269 00:10:53,980 --> 00:10:56,379 So concerning the vulnerability testing 270 00:10:56,380 --> 00:10:59,179 of electronic devices, so 271 00:10:59,180 --> 00:11:00,999 let let's have a look at the complexity 272 00:11:01,000 --> 00:11:03,189 on how we we how we 273 00:11:03,190 --> 00:11:05,919 would like to be able to test devices. 274 00:11:05,920 --> 00:11:08,229 So we have complex 275 00:11:08,230 --> 00:11:09,189 systems. 276 00:11:09,190 --> 00:11:11,829 We have a lot of, uh, 277 00:11:11,830 --> 00:11:14,169 different kind of material and 278 00:11:14,170 --> 00:11:16,629 communication links. 279 00:11:16,630 --> 00:11:18,879 Um, we have 280 00:11:18,880 --> 00:11:21,129 wired or wireless connections 281 00:11:21,130 --> 00:11:23,559 between devices, and 282 00:11:23,560 --> 00:11:25,749 we have a lot of entertainment in 283 00:11:25,750 --> 00:11:27,819 deterministic interaction between the 284 00:11:27,820 --> 00:11:30,189 devices as we are using 285 00:11:30,190 --> 00:11:31,809 some specific protocols. 286 00:11:31,810 --> 00:11:34,329 And at the time we are injecting 287 00:11:34,330 --> 00:11:35,389 waves. 288 00:11:35,390 --> 00:11:37,569 Uh, we need to be able to reproduce 289 00:11:37,570 --> 00:11:39,609 this, uh, this test set up. 
290 00:11:41,110 --> 00:11:44,019 We have a problem of scale because 291 00:11:44,020 --> 00:11:46,209 we may want to analyze 292 00:11:46,210 --> 00:11:48,309 the security of a chip as 293 00:11:48,310 --> 00:11:49,929 well as to be able to analyze the 294 00:11:49,930 --> 00:11:52,539 security of a building. 295 00:11:52,540 --> 00:11:55,299 And this makes a lot of, um, 296 00:11:55,300 --> 00:11:57,429 a lot of random parameters 297 00:11:57,430 --> 00:11:59,589 appearing to analyze 298 00:11:59,590 --> 00:12:01,749 the different attack scenarios 299 00:12:02,920 --> 00:12:04,140 with different payloads. 300 00:12:05,260 --> 00:12:07,479 The issue of modeling as 301 00:12:07,480 --> 00:12:10,489 we cannot model the food infrastructures, 302 00:12:10,490 --> 00:12:12,849 uh, um, uh, 303 00:12:12,850 --> 00:12:15,039 a huge building with a very, very 304 00:12:15,040 --> 00:12:17,289 small electronic device in there due 305 00:12:17,290 --> 00:12:18,520 to, uh, modeling issues. 306 00:12:19,640 --> 00:12:22,219 Um, and it requires 307 00:12:22,220 --> 00:12:24,349 a lot of scientific fields to 308 00:12:24,350 --> 00:12:26,479 be to be used in order to be able to 309 00:12:26,480 --> 00:12:28,639 model and to analyze the 310 00:12:28,640 --> 00:12:30,780 coupling of waves into those buildings. 311 00:12:32,370 --> 00:12:34,529 So as we just said, 312 00:12:34,530 --> 00:12:36,869 there are a lot of random parameters, and 313 00:12:36,870 --> 00:12:39,059 if you want to understand and to be able 314 00:12:39,060 --> 00:12:40,859 to predict any 315 00:12:41,910 --> 00:12:44,099 vulnerability of the device, we need 316 00:12:44,100 --> 00:12:47,139 to do some exhaustive testing. 317 00:12:47,140 --> 00:12:49,209 But the problem with the exhibit is that 318 00:12:49,210 --> 00:12:51,399 it requires a lot of random 319 00:12:51,400 --> 00:12:53,209 configuration. 320 00:12:53,210 --> 00:12:54,210 So that. 
321 00:12:54,820 --> 00:12:56,889 For specific parameters, we 322 00:12:56,890 --> 00:12:58,959 are able to reproduce any 323 00:12:58,960 --> 00:13:01,299 configuration we would like to work on, 324 00:13:01,300 --> 00:13:03,459 and this makes some issues with the 325 00:13:03,460 --> 00:13:05,709 reproducibility and the generalization 326 00:13:05,710 --> 00:13:07,659 of the results. 327 00:13:07,660 --> 00:13:09,459 So from a reduced number of 328 00:13:09,460 --> 00:13:11,589 configurations, we would like to 329 00:13:11,590 --> 00:13:13,749 be able to understand the 330 00:13:13,750 --> 00:13:16,089 Goulder, the behavior device for 331 00:13:16,090 --> 00:13:17,090 the rule, 332 00:13:18,370 --> 00:13:19,959 the whole set of configured possible 333 00:13:19,960 --> 00:13:20,960 configuration. 334 00:13:22,280 --> 00:13:23,330 And in the same way. 335 00:13:24,580 --> 00:13:26,799 When we want to analyze the effects 336 00:13:26,800 --> 00:13:29,229 on the complex system, the detection 337 00:13:29,230 --> 00:13:31,299 of the sea of the of the effect is 338 00:13:31,300 --> 00:13:32,300 complex itself. 339 00:13:37,650 --> 00:13:40,049 So as information security researchers, 340 00:13:41,130 --> 00:13:43,829 what we would like to be able is to have 341 00:13:43,830 --> 00:13:46,259 the ability to rate any kind of 342 00:13:46,260 --> 00:13:47,839 attack against a specific device. 343 00:13:49,040 --> 00:13:51,499 So the electromagnetic 344 00:13:51,500 --> 00:13:54,019 instrumentation required 345 00:13:54,020 --> 00:13:56,549 like the users, to disturb 346 00:13:56,550 --> 00:13:58,969 or to induce failure on 347 00:13:58,970 --> 00:14:00,080 an ISIS. 
348 00:14:02,440 --> 00:14:04,239 Can be characterized by those three 349 00:14:04,240 --> 00:14:06,399 parameters, so the very viability 350 00:14:06,400 --> 00:14:08,739 of the device and it cuts costs, 351 00:14:08,740 --> 00:14:10,839 is it possible to find it 352 00:14:10,840 --> 00:14:13,029 on Internet or do I to 353 00:14:13,030 --> 00:14:15,849 do I have to to have a look at specific, 354 00:14:15,850 --> 00:14:18,009 um, tutorials to be able 355 00:14:18,010 --> 00:14:19,989 to to design it? 356 00:14:19,990 --> 00:14:22,689 Um, the dimension of the source. 357 00:14:22,690 --> 00:14:25,179 Can I put it in my bag or in a car? 358 00:14:25,180 --> 00:14:27,129 So this defines the mobility of the 359 00:14:27,130 --> 00:14:30,039 source and the capabilities. 360 00:14:30,040 --> 00:14:32,409 So do 361 00:14:32,410 --> 00:14:34,359 I have the possibility to choose the 362 00:14:34,360 --> 00:14:36,609 source for specific frequencies? 363 00:14:36,610 --> 00:14:39,039 Um, can I modify 364 00:14:39,040 --> 00:14:40,809 the amplitude of my source? 365 00:14:40,810 --> 00:14:43,059 And those parameters are 366 00:14:43,060 --> 00:14:45,309 very important to understand how they can 367 00:14:45,310 --> 00:14:47,589 be used to defeat specific 368 00:14:47,590 --> 00:14:48,660 electronic devices. 369 00:14:50,190 --> 00:14:52,589 So for that, 370 00:14:52,590 --> 00:14:55,829 it requires a lot of technical knowledge, 371 00:14:55,830 --> 00:14:56,830 maybe, maybe not. 372 00:14:58,030 --> 00:14:59,589 After looking at the Internet, we have 373 00:14:59,590 --> 00:15:01,179 seen that there are a lot of resources 374 00:15:01,180 --> 00:15:02,519 for that. 375 00:15:02,520 --> 00:15:04,679 Um, the effective range of 376 00:15:04,680 --> 00:15:07,109 the source, do I have to be close 377 00:15:07,110 --> 00:15:09,499 to my target or can I stay 378 00:15:09,500 --> 00:15:11,189 a bit far from it? 
379 00:15:11,190 --> 00:15:13,709 Uh, do I need some information 380 00:15:13,710 --> 00:15:15,089 about my target? 381 00:15:15,090 --> 00:15:17,459 Do I have to test it 382 00:15:17,460 --> 00:15:19,829 before being able to do it in real 383 00:15:19,830 --> 00:15:20,830 scenarios? 384 00:15:22,290 --> 00:15:24,479 Can I industrialize my source 385 00:15:24,480 --> 00:15:26,579 so once I have designed my source, can 386 00:15:26,580 --> 00:15:28,919 I sell it or, 387 00:15:28,920 --> 00:15:31,529 um, and is it target specific. 388 00:15:31,530 --> 00:15:33,479 Do I have to design a source for each 389 00:15:33,480 --> 00:15:35,699 target that will I may have to 390 00:15:35,700 --> 00:15:36,700 work on? 391 00:15:40,310 --> 00:15:42,469 So for looking at this problem, 392 00:15:42,470 --> 00:15:44,689 there are two ways, the first 393 00:15:44,690 --> 00:15:46,429 is starting from the source itself. 394 00:15:46,430 --> 00:15:48,439 So I have my source. 395 00:15:48,440 --> 00:15:50,809 It can be connected to an antenna 396 00:15:50,810 --> 00:15:51,899 or an injection probe. 397 00:15:51,900 --> 00:15:54,049 So then we are in into propagation 398 00:15:54,050 --> 00:15:56,839 mode, the radiation in the free space, 399 00:15:56,840 --> 00:15:58,999 or do I inject my 400 00:15:59,000 --> 00:16:01,639 waves in cables? 401 00:16:01,640 --> 00:16:03,799 Then I am in the connected one. 402 00:16:03,800 --> 00:16:05,359 We have also the link between both of 403 00:16:05,360 --> 00:16:06,360 them. 404 00:16:06,680 --> 00:16:08,569 We have the coupling to the target. 405 00:16:08,570 --> 00:16:10,309 Is it front-door coupling? 406 00:16:10,310 --> 00:16:12,739 So am I targeting a wireless 407 00:16:12,740 --> 00:16:14,959 interface of my target or is 408 00:16:14,960 --> 00:16:16,549 it a backdoor coupling phenomena? 
409 00:16:16,550 --> 00:16:18,799 I am using my waves into 410 00:16:18,800 --> 00:16:20,539 some conductive part into the in the 411 00:16:20,540 --> 00:16:21,540 system. 412 00:16:22,570 --> 00:16:24,879 And I have my effect, which is 413 00:16:24,880 --> 00:16:27,250 the last part of my propagation, 414 00:16:28,900 --> 00:16:31,209 if I start from the source, 415 00:16:31,210 --> 00:16:33,489 then I will define specific 416 00:16:33,490 --> 00:16:35,829 scenarios for a specific 417 00:16:35,830 --> 00:16:36,849 devices. 418 00:16:36,850 --> 00:16:39,039 But if I start from my target and 419 00:16:39,040 --> 00:16:41,319 I take effect in a very 420 00:16:41,320 --> 00:16:43,479 general environment, then I 421 00:16:43,480 --> 00:16:45,969 might be able to 422 00:16:45,970 --> 00:16:48,189 to check all the parameters that I 423 00:16:48,190 --> 00:16:50,889 may experience when I want to harden 424 00:16:50,890 --> 00:16:52,899 a critical infrastructure. 425 00:16:52,900 --> 00:16:55,119 So we have chosen the second 426 00:16:55,120 --> 00:16:57,759 way of having a look at this 427 00:16:57,760 --> 00:17:00,009 problem, and we are working 428 00:17:00,010 --> 00:17:02,709 on the effect induced by parasitic 429 00:17:02,710 --> 00:17:04,649 field on electronic devices. 430 00:17:07,369 --> 00:17:09,588 OK, so, um, now I am going 431 00:17:09,589 --> 00:17:11,749 to introduce our strategy 432 00:17:11,750 --> 00:17:13,909 for, uh, the analyze 433 00:17:13,910 --> 00:17:16,219 the analysis of effects on specific 434 00:17:16,220 --> 00:17:18,479 targets so we will see that it's 435 00:17:18,480 --> 00:17:19,848 not a trivial problem. 436 00:17:19,849 --> 00:17:22,098 And, um, I will present, uh, 437 00:17:22,099 --> 00:17:24,169 the decisions, the choices that we 438 00:17:24,170 --> 00:17:27,159 have made to address this issue. 
439 00:17:27,160 --> 00:17:29,879 Um, so here we are, um, 440 00:17:29,880 --> 00:17:32,599 um, trying to 441 00:17:32,600 --> 00:17:35,239 observe, uh, the, um, effects 442 00:17:35,240 --> 00:17:37,729 of, uh, the, uh, presence 443 00:17:37,730 --> 00:17:40,099 of electromagnetic, uh, parasitic 444 00:17:40,100 --> 00:17:42,169 signals, uh, around the, 445 00:17:42,170 --> 00:17:43,639 uh, the target. 446 00:17:43,640 --> 00:17:45,859 And for that, the game generally is 447 00:17:45,860 --> 00:17:48,289 always the same. Uh, whatever the field, 448 00:17:48,290 --> 00:17:50,519 uh, the scientific field, you send the 449 00:17:50,520 --> 00:17:52,879 stimuli. So it's our parasitic 450 00:17:52,880 --> 00:17:55,009 field. And, uh, you want to observe 451 00:17:55,010 --> 00:17:57,139 changes on the target, uh, 452 00:17:57,140 --> 00:17:58,940 that will respond to your stimuli 453 00:18:00,110 --> 00:18:02,569 and you want to correlate the 454 00:18:02,570 --> 00:18:04,729 stimuli and the changes and, uh, 455 00:18:04,730 --> 00:18:07,009 the challenges here are, uh, that 456 00:18:07,010 --> 00:18:09,439 as Shoki introduced, uh, because 457 00:18:09,440 --> 00:18:11,779 of the the complexity 458 00:18:11,780 --> 00:18:14,089 of the problem, uh, there are a lot of, 459 00:18:14,090 --> 00:18:16,159 um, different kinds of stimuli 460 00:18:16,160 --> 00:18:18,349 that we can, uh, uh, send 461 00:18:18,350 --> 00:18:19,729 to the target. 462 00:18:19,730 --> 00:18:21,839 Uh, we can also, 463 00:18:21,840 --> 00:18:24,179 um, use, 464 00:18:24,180 --> 00:18:26,539 um, um, uh, additional 465 00:18:26,540 --> 00:18:29,779 additions of, uh, different stimulations. 466 00:18:29,780 --> 00:18:32,209 And, um, the second 467 00:18:32,210 --> 00:18:34,819 problem is that we 468 00:18:34,820 --> 00:18:37,429 have to determine what to look at, 469 00:18:37,430 --> 00:18:39,679 uh, to decide that there is an effect on 470 00:18:39,680 --> 00:18:40,680 the target or not. 
471 00:18:43,950 --> 00:18:46,259 So, in fact, the 472 00:18:46,260 --> 00:18:48,629 one of the main challenges in that game 473 00:18:48,630 --> 00:18:51,059 is to design the right glasses 474 00:18:51,060 --> 00:18:53,219 to see the effects of the 475 00:18:53,220 --> 00:18:56,819 electromagnetic stimulations. 476 00:18:56,820 --> 00:18:58,509 So that's what we we proposed. 477 00:18:58,510 --> 00:18:59,909 That's what we did. 478 00:18:59,910 --> 00:19:03,119 Um, and we proposed, uh, 479 00:19:03,120 --> 00:19:05,609 well, usually you 480 00:19:05,610 --> 00:19:07,859 want to identify the critical 481 00:19:07,860 --> 00:19:09,239 functions of the system you want to 482 00:19:09,240 --> 00:19:10,139 monitor. 483 00:19:10,140 --> 00:19:12,239 So it's, uh, kind of the 484 00:19:12,240 --> 00:19:14,339 the health, uh, parameters 485 00:19:14,340 --> 00:19:16,109 of your system. 486 00:19:16,110 --> 00:19:18,209 And, um, then you have 487 00:19:18,210 --> 00:19:20,549 to find a way to monitor, uh, those 488 00:19:20,550 --> 00:19:22,629 critical functions and maybe 489 00:19:22,630 --> 00:19:25,169 define some metrics to then compare 490 00:19:25,170 --> 00:19:27,569 or, uh, classify, uh, the 491 00:19:27,570 --> 00:19:29,969 different, uh, uh, effects 492 00:19:29,970 --> 00:19:31,979 that you observed, uh, on those 493 00:19:31,980 --> 00:19:33,529 observables. 494 00:19:33,530 --> 00:19:35,489 So sometimes it can be easy. 495 00:19:35,490 --> 00:19:37,829 If you think about, uh, 496 00:19:37,830 --> 00:19:39,989 rotating robotic arm, maybe you can just 497 00:19:39,990 --> 00:19:42,149 say, OK, it still works or it 498 00:19:42,150 --> 00:19:43,529 doesn't work anymore. 499 00:19:43,530 --> 00:19:45,719 And when it doesn't work anymore, you say 500 00:19:45,720 --> 00:19:46,720 I have an effect. 
501 00:19:47,830 --> 00:19:50,459 Uh, but you also, um, 502 00:19:50,460 --> 00:19:52,699 sometimes need to have, uh, more, 503 00:19:52,700 --> 00:19:55,349 uh, finer granularity 504 00:19:55,350 --> 00:19:57,689 in your, uh, metrics. 505 00:19:57,690 --> 00:20:00,149 Uh, so for the rotating robotic arm, 506 00:20:00,150 --> 00:20:02,819 you can think about, uh, the positioning 507 00:20:02,820 --> 00:20:05,009 error, uh, of your arm. 508 00:20:05,010 --> 00:20:07,199 Uh, so you will have to find a way 509 00:20:07,200 --> 00:20:09,659 to measure that and then 510 00:20:09,660 --> 00:20:11,909 monitor that during the tests, uh, 511 00:20:11,910 --> 00:20:14,009 to determine then if, uh, 512 00:20:14,010 --> 00:20:16,199 there was an effect, if 513 00:20:16,200 --> 00:20:18,329 that effect was really correlated to 514 00:20:18,330 --> 00:20:19,330 your stimuli. 515 00:20:21,170 --> 00:20:23,389 In order to analyze, uh, 516 00:20:23,390 --> 00:20:24,390 the, um. 517 00:20:25,400 --> 00:20:27,800 The vulnerability of your system. 518 00:20:31,740 --> 00:20:32,740 So. 519 00:20:33,630 --> 00:20:36,239 We adopted a generic approach, 520 00:20:36,240 --> 00:20:38,759 we thought, OK, uh, instead 521 00:20:38,760 --> 00:20:40,889 of adapting our approach to the, 522 00:20:40,890 --> 00:20:42,959 uh, specific context, 523 00:20:42,960 --> 00:20:45,249 uh, we thought about, um, uh, 524 00:20:45,250 --> 00:20:47,429 generic approach, which is, uh, system 525 00:20:47,430 --> 00:20:49,739 centric. So our idea was 526 00:20:49,740 --> 00:20:51,929 to, uh, try to analyze 527 00:20:51,930 --> 00:20:54,089 the effect, uh, as the 528 00:20:54,090 --> 00:20:56,159 operating system, uh, 529 00:20:56,160 --> 00:20:57,160 can see them. 
530 00:20:59,540 --> 00:21:01,939 And it's interface based, so as 531 00:21:01,940 --> 00:21:03,919 introduced by Shawqi, there are different 532 00:21:03,920 --> 00:21:06,169 types of coupling on the device and 533 00:21:06,170 --> 00:21:09,139 um, we enumerated 534 00:21:09,140 --> 00:21:11,899 the interfaces, uh, 535 00:21:11,900 --> 00:21:13,969 for the physical coupling that 536 00:21:13,970 --> 00:21:15,679 are available on the device. 537 00:21:15,680 --> 00:21:17,989 And, um, we found 538 00:21:17,990 --> 00:21:20,689 a way to, um, 539 00:21:20,690 --> 00:21:22,909 have access to some information coming 540 00:21:22,910 --> 00:21:25,099 from those interfaces, uh, at 541 00:21:25,100 --> 00:21:26,359 the operating system level. 542 00:21:28,240 --> 00:21:30,849 And in the end, we have, uh, 543 00:21:30,850 --> 00:21:33,219 software that is running on the operating 544 00:21:33,220 --> 00:21:35,709 system and that is monitoring 545 00:21:35,710 --> 00:21:37,869 the different interfaces, 546 00:21:37,870 --> 00:21:39,909 uh, looking for effects. 547 00:21:39,910 --> 00:21:40,910 In fact. 548 00:21:44,780 --> 00:21:46,909 And what's interesting with that strategy 549 00:21:46,910 --> 00:21:49,669 is that we we don't really 550 00:21:49,670 --> 00:21:52,309 need to understand 551 00:21:52,310 --> 00:21:54,859 the propagation of the physical 552 00:21:54,860 --> 00:21:56,959 effects, uh, through to the 553 00:21:56,960 --> 00:21:58,189 software effect. 554 00:21:58,190 --> 00:22:00,469 In fact, we we try to 555 00:22:00,470 --> 00:22:02,689 have an observation of the software 556 00:22:02,690 --> 00:22:04,309 layer level effects 557 00:22:05,540 --> 00:22:06,560 during the test. 
558 00:22:12,760 --> 00:22:14,949 And as for the vast variety of 559 00:22:14,950 --> 00:22:17,219 different stimuli that, uh, 560 00:22:17,220 --> 00:22:19,329 an attacker could use, we decided 561 00:22:19,330 --> 00:22:21,819 to, uh, consider 562 00:22:21,820 --> 00:22:24,369 the, um, the lowest attacker profile. 563 00:22:24,370 --> 00:22:26,919 So, uh, low cost source, 564 00:22:26,920 --> 00:22:29,439 uh, low bandwidth, uh, source. 565 00:22:29,440 --> 00:22:31,929 So, uh, we basically use a software 566 00:22:31,930 --> 00:22:33,999 defined radio with, uh, uh, 567 00:22:34,000 --> 00:22:36,189 several amplifiers and, 568 00:22:36,190 --> 00:22:37,190 uh, the, um. 569 00:22:38,480 --> 00:22:40,699 The physical, electromagnetic, 570 00:22:40,700 --> 00:22:42,799 uh, waves that we, 571 00:22:42,800 --> 00:22:44,899 um, have sent 572 00:22:44,900 --> 00:22:47,029 to the target, uh, are, uh, 573 00:22:47,030 --> 00:22:48,439 what we call RF pulses. 574 00:22:50,210 --> 00:22:52,609 So it's a low profile, uh, 575 00:22:52,610 --> 00:22:54,679 low attacker profile, 576 00:22:54,680 --> 00:22:56,569 and we have two setups that are depicted 577 00:22:56,570 --> 00:22:58,819 here on the left, uh, we have 578 00:22:58,820 --> 00:23:01,519 our, uh, radiated propagation, 579 00:23:01,520 --> 00:23:02,629 uh, set up. 580 00:23:02,630 --> 00:23:04,489 So, uh, it's in a Faraday cage. 581 00:23:04,490 --> 00:23:06,799 We have our targets, uh, running 582 00:23:06,800 --> 00:23:09,289 the monitoring software that we designed. 583 00:23:09,290 --> 00:23:11,509 And, uh, we have, uh, an antenna inside 584 00:23:11,510 --> 00:23:13,669 the Faraday cage, which, uh, will send 585 00:23:13,670 --> 00:23:15,019 the stimuli.
586 00:23:15,020 --> 00:23:17,269 And outside the cage we have, uh, uh, 587 00:23:17,270 --> 00:23:20,089 monitoring computer, which will, um, 588 00:23:20,090 --> 00:23:22,429 gather the information 589 00:23:22,430 --> 00:23:24,619 collected by the monitoring software 590 00:23:24,620 --> 00:23:27,079 and, uh, our, uh, RF 591 00:23:27,080 --> 00:23:29,779 sources instrumentation. 592 00:23:29,780 --> 00:23:32,569 And on the right, we have the equivalent, 593 00:23:32,570 --> 00:23:34,759 uh, set up for the 594 00:23:34,760 --> 00:23:36,859 connected, uh, propagation. 595 00:23:41,850 --> 00:23:44,159 So once we define the 596 00:23:44,160 --> 00:23:46,649 test scenario and test configuration, 597 00:23:46,650 --> 00:23:49,019 we put a couple of devices in the Faraday 598 00:23:49,020 --> 00:23:51,449 cage and now we will show you 599 00:23:51,450 --> 00:23:53,819 some effect induced 600 00:23:53,820 --> 00:23:56,369 by regearing parasitic exposer 601 00:23:56,370 --> 00:23:58,919 and by understanding 602 00:23:58,920 --> 00:24:01,049 how we were able to correlate 603 00:24:01,050 --> 00:24:03,359 the effects to the parasitic 604 00:24:03,360 --> 00:24:04,669 field. 605 00:24:04,670 --> 00:24:07,429 We have found a way to involve 606 00:24:07,430 --> 00:24:09,769 in wave for as 607 00:24:09,770 --> 00:24:12,139 a new technique to inject data 608 00:24:12,140 --> 00:24:14,779 into devices or to interact with devices, 609 00:24:14,780 --> 00:24:15,940 and we will show you how we did it. 610 00:24:17,120 --> 00:24:19,549 So just for us 611 00:24:19,550 --> 00:24:21,319 at the beginning, we use some general 612 00:24:21,320 --> 00:24:23,539 computers and we monitor 613 00:24:23,540 --> 00:24:25,639 some common APIs and 614 00:24:25,640 --> 00:24:27,829 even logs on 615 00:24:27,830 --> 00:24:30,589 the computer and we send our 616 00:24:30,590 --> 00:24:32,210 parasitic signal to the target. 617 00:24:33,440 --> 00:24:35,429 So here we have a couple of logs. 
618 00:24:35,430 --> 00:24:37,519 Uh, you 619 00:24:37,520 --> 00:24:38,929 don't need to read them because we 620 00:24:38,930 --> 00:24:41,329 summarize them for you and 621 00:24:41,330 --> 00:24:42,349 we have them here. 622 00:24:42,350 --> 00:24:45,139 For example, the PS/2, uh, 623 00:24:45,140 --> 00:24:47,089 keyboard links we are testing. 624 00:24:47,090 --> 00:24:49,549 So the PS/2 and the USB, 625 00:24:49,550 --> 00:24:51,439 um, and we have seen some. 626 00:24:51,440 --> 00:24:53,809 So we were able to get those effects. 627 00:24:53,810 --> 00:24:56,239 So we were able to corrupt data 628 00:24:56,240 --> 00:24:58,999 that was received by the computer, 629 00:24:59,000 --> 00:25:01,429 um, and to 630 00:25:01,430 --> 00:25:03,799 randomly inject valid keystrokes 631 00:25:03,800 --> 00:25:04,800 on the computer. 632 00:25:06,020 --> 00:25:08,239 On the USB, we have been able to disable 633 00:25:08,240 --> 00:25:10,339 the hub, uh, disconnect, 634 00:25:10,340 --> 00:25:12,199 uh, devices, peripherals that were 635 00:25:12,200 --> 00:25:14,329 connected to the computer and also 636 00:25:14,330 --> 00:25:15,509 to corrupt descriptor. 637 00:25:15,510 --> 00:25:17,809 So this is back 638 00:25:17,810 --> 00:25:19,879 door coupling effect because we were 639 00:25:19,880 --> 00:25:21,979 targeting data links, which are not 640 00:25:21,980 --> 00:25:23,540 intended to collect energy. 641 00:25:26,580 --> 00:25:29,009 Then we wanted to test some SCADA systems 642 00:25:29,010 --> 00:25:30,920 or like industrial control system, 643 00:25:32,070 --> 00:25:34,139 we put a servo motor in Faraday 644 00:25:34,140 --> 00:25:36,689 cage and we tested some 645 00:25:36,690 --> 00:25:39,119 of the behavior of the 646 00:25:39,120 --> 00:25:41,479 of the servo motor where it was 647 00:25:41,480 --> 00:25:42,780 running a specific.
648 00:25:43,860 --> 00:25:45,989 So the 649 00:25:45,990 --> 00:25:48,089 normal behavior of the device 650 00:25:48,090 --> 00:25:49,569 is the blue one. 651 00:25:49,570 --> 00:25:50,759 Um, no. 652 00:25:50,760 --> 00:25:52,499 We'll try to show it to you here. 653 00:25:55,740 --> 00:25:57,959 OK, here you see the blue, 654 00:25:57,960 --> 00:26:00,029 the blue, which is a normal the 655 00:26:00,030 --> 00:26:02,159 normal behavior device, and in 656 00:26:02,160 --> 00:26:04,259 green and orange we 657 00:26:04,260 --> 00:26:06,329 send it our pulses and we can 658 00:26:06,330 --> 00:26:08,759 see here that the we 659 00:26:08,760 --> 00:26:11,609 have been able to modify 660 00:26:11,610 --> 00:26:13,799 the position of the 661 00:26:13,800 --> 00:26:15,929 of the servo motor as well as 662 00:26:15,930 --> 00:26:17,219 the speed of it. 663 00:26:17,220 --> 00:26:19,889 So we are able to randomly manipulate 664 00:26:19,890 --> 00:26:22,229 the servo motor using our 665 00:26:22,230 --> 00:26:23,230 of. 666 00:26:26,730 --> 00:26:29,219 Then we worked on, uh, some 667 00:26:29,220 --> 00:26:32,129 digital, uh, processing, 668 00:26:32,130 --> 00:26:34,259 uh, algorithm or here 669 00:26:34,260 --> 00:26:36,339 it is, the, um, the, 670 00:26:36,340 --> 00:26:38,639 um, predistortion algorithm, 671 00:26:38,640 --> 00:26:41,609 uh, running on an FPGA. 672 00:26:41,610 --> 00:26:43,949 The distortion algorithm 673 00:26:43,950 --> 00:26:46,319 is used to compensate the power 674 00:26:46,320 --> 00:26:48,389 amplifier distortion where we are 675 00:26:48,390 --> 00:26:51,269 using it in the nonlinear region.
676 00:26:51,270 --> 00:26:53,789 So we compute the known 677 00:26:53,790 --> 00:26:56,069 we predict the nonlinearities of 678 00:26:56,070 --> 00:26:57,869 the power amplifier, which is T minus 679 00:26:57,870 --> 00:27:00,809 one, and the actual 680 00:27:00,810 --> 00:27:02,969 distortion induced by the amplifier is 681 00:27:02,970 --> 00:27:05,519 T. So if you do T minus one by T, 682 00:27:05,520 --> 00:27:06,520 you have one. 683 00:27:07,230 --> 00:27:09,839 But in the same way, if you're injecting 684 00:27:09,840 --> 00:27:11,939 some RF pulses during 685 00:27:11,940 --> 00:27:14,759 the computation of the distortion, 686 00:27:14,760 --> 00:27:17,549 uh by uh and just by the amplifier. 687 00:27:17,550 --> 00:27:19,799 So here it's the DJ for Jamie. 688 00:27:20,870 --> 00:27:23,119 We were able to modify 689 00:27:23,120 --> 00:27:25,339 the behavior of the predistortion 690 00:27:25,340 --> 00:27:27,709 algorithm, and 691 00:27:27,710 --> 00:27:30,139 by modifying this behavior 692 00:27:30,140 --> 00:27:32,449 here, it's, um, 693 00:27:32,450 --> 00:27:34,639 this curve here in 694 00:27:34,640 --> 00:27:35,640 black. 695 00:27:38,130 --> 00:27:40,649 We see here that we have some 696 00:27:40,650 --> 00:27:43,019 elevation of the side lobe 697 00:27:43,020 --> 00:27:45,269 of the source, so it means that 698 00:27:45,270 --> 00:27:48,029 we are jamming all devices 699 00:27:48,030 --> 00:27:50,249 that are co-located to 700 00:27:50,250 --> 00:27:52,919 the radio frequency. 701 00:27:52,920 --> 00:27:55,619 So, for example, the mobile station 702 00:27:55,620 --> 00:27:57,380 around the target is one. 703 00:27:58,560 --> 00:28:00,779 So we were able to to modify 704 00:28:00,780 --> 00:28:03,149 the package emitted by the by the 705 00:28:03,150 --> 00:28:05,249 by the mobile station. 706 00:28:05,250 --> 00:28:06,250 Then it sends 707 00:28:07,320 --> 00:28:09,659 data with a high error rate.
708 00:28:09,660 --> 00:28:12,239 So any device that received the signal 709 00:28:12,240 --> 00:28:14,519 received corrupted data. 710 00:28:14,520 --> 00:28:16,679 And on the right, in the same way as 711 00:28:16,680 --> 00:28:19,049 we increase the side lobes, 712 00:28:19,050 --> 00:28:21,479 all the devices that communicate 713 00:28:21,480 --> 00:28:24,539 around this cell, we have other cells. 714 00:28:24,540 --> 00:28:27,089 If they are using the 715 00:28:27,090 --> 00:28:29,249 frequency band near the 716 00:28:29,250 --> 00:28:31,829 targeted one, then we are able to stop 717 00:28:31,830 --> 00:28:34,409 the communication on this level. 718 00:28:34,410 --> 00:28:36,449 So this is the cascading effect we have 719 00:28:36,450 --> 00:28:38,079 been talking about. 720 00:28:38,080 --> 00:28:40,029 Yeah, another interesting point in that 721 00:28:40,030 --> 00:28:42,219 example is that, uh, the, uh, the 722 00:28:42,220 --> 00:28:44,979 computation of the distortion, uh, 723 00:28:44,980 --> 00:28:47,409 factors, uh, is not, uh, performed 724 00:28:47,410 --> 00:28:49,659 usually, uh, every second. 725 00:28:49,660 --> 00:28:51,669 I mean, it's, uh, more on the scale of 726 00:28:51,670 --> 00:28:52,659 the minute. 727 00:28:52,660 --> 00:28:55,089 So, in fact, with, uh, just one, uh, 728 00:28:55,090 --> 00:28:57,419 malicious intervention, uh, you can, 729 00:28:57,420 --> 00:28:59,619 um, um, you can 730 00:28:59,620 --> 00:29:01,959 make the, um, the, um, the radio 731 00:29:01,960 --> 00:29:04,839 front end, uh, self-jam itself, 732 00:29:04,840 --> 00:29:06,939 uh, during several minutes until 733 00:29:06,940 --> 00:29:09,439 the computation of the distortion, 734 00:29:09,440 --> 00:29:10,719 uh, factors.
735 00:29:14,940 --> 00:29:17,279 We also instrumented the analog 736 00:29:17,280 --> 00:29:19,499 interfaces, uh, and, uh, we 737 00:29:19,500 --> 00:29:21,359 are going here to present the results we 738 00:29:21,360 --> 00:29:23,519 had on, uh, thermal transducer 739 00:29:23,520 --> 00:29:25,799 and also on, uh, acoustic, uh, 740 00:29:25,800 --> 00:29:27,779 transducers, uh, microphones. 741 00:29:27,780 --> 00:29:29,429 So, uh, there are there is some 742 00:29:29,430 --> 00:29:31,499 literature about the, um, uh, 743 00:29:31,500 --> 00:29:33,569 from the EMC community about 744 00:29:33,570 --> 00:29:35,339 the susceptibility of, uh, analog 745 00:29:35,340 --> 00:29:36,179 circuits. 746 00:29:36,180 --> 00:29:39,419 And, uh, it's admitted now that, uh, 747 00:29:39,420 --> 00:29:42,089 some analog, uh, circuits, um, 748 00:29:42,090 --> 00:29:44,279 do some, uh, envelope detection. 749 00:29:44,280 --> 00:29:46,049 So it's a kind of, uh, amplitude 750 00:29:46,050 --> 00:29:48,749 modulation, uh, of the parasitic signal 751 00:29:48,750 --> 00:29:51,209 and, um, uh, especially, 752 00:29:51,210 --> 00:29:53,819 uh, for, um, um. 753 00:29:55,150 --> 00:29:58,329 Um, operational amplifiers, 754 00:29:58,330 --> 00:30:00,429 uh, there is also, uh, uh, 755 00:30:00,430 --> 00:30:02,419 an offset that is added to the signal. 756 00:30:02,420 --> 00:30:04,389 Uh, yeah. 757 00:30:04,390 --> 00:30:06,549 When, uh, parasitic field is, 758 00:30:06,550 --> 00:30:09,279 uh, present on the target 759 00:30:09,280 --> 00:30:11,469 and also, um, as 760 00:30:11,470 --> 00:30:13,689 it, uh, we are talking about, uh, analog 761 00:30:13,690 --> 00:30:15,999 interfaces, uh, they 762 00:30:16,000 --> 00:30:18,459 are usually end up on 763 00:30:18,460 --> 00:30:20,739 ADCs.
So all the work that work 764 00:30:20,740 --> 00:30:22,419 that has been made about the 765 00:30:22,420 --> 00:30:24,849 vulnerability of, uh, analog 766 00:30:24,850 --> 00:30:26,919 to digital converters, uh, can 767 00:30:26,920 --> 00:30:29,079 also be used, uh, in that case. 768 00:30:33,470 --> 00:30:35,119 So during our tests, we have been 769 00:30:35,120 --> 00:30:37,219 monitoring the, uh, behavior 770 00:30:37,220 --> 00:30:39,529 of, uh, the Terminator, the thermal 771 00:30:39,530 --> 00:30:42,049 diode of the CPU of our target, 772 00:30:42,050 --> 00:30:44,239 and we noticed that, uh, when 773 00:30:44,240 --> 00:30:46,429 our, uh, parasitic field 774 00:30:46,430 --> 00:30:48,649 was on, um, we 775 00:30:48,650 --> 00:30:50,779 saw that, uh, the temperature 776 00:30:50,780 --> 00:30:53,119 that was reported by the diode, uh, was 777 00:30:53,120 --> 00:30:54,120 kind of erratic. 778 00:30:55,610 --> 00:30:57,829 So, um, how 779 00:30:57,830 --> 00:30:59,509 can it be used by an attacker? 780 00:30:59,510 --> 00:31:01,729 Um, we try to 781 00:31:01,730 --> 00:31:04,129 derive, uh, scenario, uh, exploiting 782 00:31:04,130 --> 00:31:06,710 that, uh, factor. 783 00:31:08,470 --> 00:31:10,629 And we ran 784 00:31:10,630 --> 00:31:12,969 additional tests and we noticed 785 00:31:12,970 --> 00:31:15,189 that the the temperature 786 00:31:15,190 --> 00:31:17,259 that was reported by the thermal 787 00:31:17,260 --> 00:31:20,389 diode, uh, was, um, 788 00:31:20,390 --> 00:31:22,749 um, kind 789 00:31:22,750 --> 00:31:24,969 of, um, homothetic 790 00:31:24,970 --> 00:31:27,339 to the electric field magnitude, the 791 00:31:27,340 --> 00:31:29,889 parasitic electric field, uh, magnitude.
792 00:31:29,890 --> 00:31:32,019 Um, so that means that, uh, the 793 00:31:32,020 --> 00:31:34,809 attacker is able to, uh, finally 794 00:31:34,810 --> 00:31:36,909 control the behavior 795 00:31:36,910 --> 00:31:39,459 of the, um, the temperature 796 00:31:39,460 --> 00:31:41,799 reading, uh, on 797 00:31:41,800 --> 00:31:43,149 the target. 798 00:31:43,150 --> 00:31:45,219 So we imagine the scenario where, 799 00:31:45,220 --> 00:31:47,409 um, uh, an attacker 800 00:31:47,410 --> 00:31:49,509 uses that to send 801 00:31:49,510 --> 00:31:52,029 information to, uh, malicious, 802 00:31:52,030 --> 00:31:54,129 uh, process that is, uh, 803 00:31:54,130 --> 00:31:56,589 monitoring continuously the temperature 804 00:31:56,590 --> 00:31:57,999 on the target. 805 00:31:58,000 --> 00:32:00,189 And, uh, in some 806 00:32:00,190 --> 00:32:02,559 cases, I mean, in, 807 00:32:02,560 --> 00:32:05,139 um, cases where you have, for example, 808 00:32:05,140 --> 00:32:07,659 uh, put an air gap strategy in place 809 00:32:07,660 --> 00:32:09,789 in order to separate, uh, uh, 810 00:32:09,790 --> 00:32:11,889 several, uh, information systems 811 00:32:11,890 --> 00:32:13,569 of heterogeneous criticality. 812 00:32:15,550 --> 00:32:17,829 Uh, this kind of threat, uh, 813 00:32:17,830 --> 00:32:19,420 can be, uh, serious. 814 00:32:21,020 --> 00:32:23,179 And also, of course, if I can, uh, 815 00:32:23,180 --> 00:32:25,249 if an attacker is able to control 816 00:32:25,250 --> 00:32:27,619 the temperature that is, uh, uh, 817 00:32:27,620 --> 00:32:29,959 transmitted from the diode to, 818 00:32:29,960 --> 00:32:32,239 uh, the CPU or 819 00:32:32,240 --> 00:32:34,519 a reader of the temperature, uh, one can 820 00:32:34,520 --> 00:32:36,929 easily think about sabotage, 821 00:32:36,930 --> 00:32:38,210 uh, scenarios.
822 00:32:42,880 --> 00:32:45,159 During our tests, we also monitored, 823 00:32:45,160 --> 00:32:47,589 um, the audio front-end, 824 00:32:47,590 --> 00:32:50,229 so we basically just recorded 825 00:32:50,230 --> 00:32:52,389 the audio, uh, coming 826 00:32:52,390 --> 00:32:54,459 from the audio card. 827 00:32:54,460 --> 00:32:56,559 Uh, and, uh, we we we 828 00:32:56,560 --> 00:32:59,319 made that, uh, with the microphone 829 00:32:59,320 --> 00:33:01,629 on with the microphone, 830 00:33:01,630 --> 00:33:03,669 uh, with a wired microphone, uh, plugged 831 00:33:03,670 --> 00:33:06,069 in or without microphone. 832 00:33:06,070 --> 00:33:08,499 And, uh, we always, uh, 833 00:33:08,500 --> 00:33:10,849 have been able to notice that, 834 00:33:10,850 --> 00:33:12,190 uh, um. 835 00:33:15,400 --> 00:33:17,769 There were some effects of the presence 836 00:33:17,770 --> 00:33:18,940 of the parasitic fields'. 837 00:33:20,520 --> 00:33:22,919 And again, we try to imagine scenarios 838 00:33:22,920 --> 00:33:25,079 where this could be a threat for 839 00:33:25,080 --> 00:33:27,329 information, uh, security and a system. 840 00:33:32,720 --> 00:33:34,849 And, uh, from that observation, 841 00:33:34,850 --> 00:33:37,639 we have several works there were derived 842 00:33:37,640 --> 00:33:40,039 and we consider that the analog 843 00:33:40,040 --> 00:33:42,109 microphone is, uh, usually, 844 00:33:42,110 --> 00:33:44,299 uh, user interface that gives 845 00:33:44,300 --> 00:33:46,489 access to, um, the 846 00:33:46,490 --> 00:33:49,399 voice assistance, uh, interfaces. 847 00:33:49,400 --> 00:33:51,649 Uh, and we designed the several 848 00:33:51,650 --> 00:33:53,869 proof of concept, uh, 849 00:33:53,870 --> 00:33:56,299 exploiting this, um, 850 00:33:56,300 --> 00:33:58,459 way to interact with, uh, the 851 00:33:58,460 --> 00:34:00,679 system, uh, in order to 852 00:34:00,680 --> 00:34:02,269 execute, uh. 
853 00:34:03,340 --> 00:34:05,409 Arbitrary voice commands 854 00:34:05,410 --> 00:34:06,880 on, uh, the target. 855 00:34:11,969 --> 00:34:14,339 We need to proof of concept 856 00:34:14,340 --> 00:34:16,859 on the right, you see the radiated 857 00:34:16,860 --> 00:34:19,530 one. So in that case, um, 858 00:34:20,730 --> 00:34:23,218 the, um, the coupling interface 859 00:34:23,219 --> 00:34:25,260 was the, uh, the headphones cable. 860 00:34:27,020 --> 00:34:29,599 And, uh, we also, um, um, 861 00:34:29,600 --> 00:34:31,908 performed additional tests, uh, 862 00:34:31,909 --> 00:34:34,279 and, uh, DNA tests to see 863 00:34:34,280 --> 00:34:35,178 the test. 864 00:34:35,179 --> 00:34:37,729 Um, the conducted, uh, propagation 865 00:34:37,730 --> 00:34:38,658 path. 866 00:34:38,659 --> 00:34:40,789 And, uh, we 867 00:34:40,790 --> 00:34:43,339 were able to inject, uh, voice commands 868 00:34:43,340 --> 00:34:45,439 by injecting the parasitic signal 869 00:34:45,440 --> 00:34:47,388 inside the power network. 870 00:34:47,389 --> 00:34:49,699 Uh, when the phone was, uh, charging. 871 00:34:50,800 --> 00:34:52,869 So this research has been 872 00:34:52,870 --> 00:34:53,729 published. 873 00:34:53,730 --> 00:34:56,138 Uh, at Hack in Paris, uh, 874 00:34:56,139 --> 00:34:58,329 but we have still the two, 875 00:34:58,330 --> 00:35:00,399 uh, quick, uh, videos, 876 00:35:00,400 --> 00:35:02,529 uh, to, uh, about 877 00:35:02,530 --> 00:35:04,169 those, uh, those tests. 878 00:35:06,160 --> 00:35:07,840 So I need to recover my mouse. 879 00:35:13,420 --> 00:35:15,639 So in this video is the jacket, 880 00:35:15,640 --> 00:35:17,739 the test set up we have we are 881 00:35:17,740 --> 00:35:18,999 in the Faraday cage. 882 00:35:19,000 --> 00:35:21,249 Uh, our target is the smartphone 883 00:35:21,250 --> 00:35:23,499 and we can see the, um, the 884 00:35:23,500 --> 00:35:25,839 headphone cable on the left, uh, 885 00:35:25,840 --> 00:35:27,219 side of the screen.
886 00:35:27,220 --> 00:35:29,859 And, of course, uh, our antenna, 887 00:35:29,860 --> 00:35:32,409 uh, that is, uh, sending 888 00:35:32,410 --> 00:35:34,869 the parasitic signal. 889 00:35:34,870 --> 00:35:37,119 And we can notice that, uh, there 890 00:35:37,120 --> 00:35:38,859 is some activity on the audio front end 891 00:35:38,860 --> 00:35:40,959 because the the the dart, the 892 00:35:40,960 --> 00:35:43,179 red dot, uh, on the um, the 893 00:35:43,180 --> 00:35:45,459 upper right corner of the, uh, 894 00:35:45,460 --> 00:35:46,460 the phone screen. 895 00:35:47,770 --> 00:35:49,929 And in that example, we sent, 896 00:35:49,930 --> 00:35:52,099 uh, long, uh, voice commands, 897 00:35:52,100 --> 00:35:54,159 uh, asking 898 00:35:54,160 --> 00:35:56,649 to open, uh, uh, website. 899 00:35:58,510 --> 00:36:00,699 And at that time on that that the 900 00:36:00,700 --> 00:36:03,069 Android version, um, 901 00:36:03,070 --> 00:36:05,139 there was no real feedback 902 00:36:05,140 --> 00:36:07,459 to the user and, um, the 903 00:36:07,460 --> 00:36:09,789 the website was open without 904 00:36:09,790 --> 00:36:11,859 any other interaction with the 905 00:36:11,860 --> 00:36:12,860 target. 906 00:36:14,620 --> 00:36:17,469 And the way they conducted case, so here 907 00:36:17,470 --> 00:36:19,599 we you see how our set up, 908 00:36:19,600 --> 00:36:22,359 so we have the power supply 909 00:36:22,360 --> 00:36:24,789 with the computer plugged in 910 00:36:24,790 --> 00:36:27,249 and here we have an injection probe 911 00:36:27,250 --> 00:36:29,469 with this cable going to our, 912 00:36:29,470 --> 00:36:31,300 uh, radio frequency source. 913 00:36:32,740 --> 00:36:35,019 And our target is here on the 914 00:36:35,020 --> 00:36:37,269 desk and is plugged to 915 00:36:37,270 --> 00:36:39,699 the the power socket, uh, 916 00:36:39,700 --> 00:36:42,040 with, uh, genuine charger.
917 00:36:47,900 --> 00:36:50,239 And in that case, we were just asked to 918 00:36:50,240 --> 00:36:52,219 open, uh, an application. 919 00:37:11,850 --> 00:37:13,919 So if you need more information about, 920 00:37:13,920 --> 00:37:16,379 uh, technical details on 921 00:37:16,380 --> 00:37:18,539 those, uh, proof of concept, uh, you can 922 00:37:18,540 --> 00:37:20,589 refer to the talks we made in 923 00:37:20,590 --> 00:37:23,159 Hack in Paris and we also released a 924 00:37:23,160 --> 00:37:24,929 IEEE paper. 925 00:37:24,930 --> 00:37:27,479 And, uh, here we just try to 926 00:37:27,480 --> 00:37:29,579 imagine, uh, to perform our quick risk 927 00:37:29,580 --> 00:37:31,829 analysis about, uh, those 928 00:37:31,830 --> 00:37:34,079 kind of, uh, vulnerabilities. 929 00:37:34,080 --> 00:37:36,629 And, uh, of course, the, um, 930 00:37:36,630 --> 00:37:38,849 the, um, anything you 931 00:37:38,850 --> 00:37:40,379 can do by using the voice command 932 00:37:40,380 --> 00:37:42,419 interface can be done using those 933 00:37:42,420 --> 00:37:43,420 techniques. 934 00:37:46,370 --> 00:37:48,379 What's also interesting is that we 935 00:37:48,380 --> 00:37:50,459 completed, um, the 936 00:37:50,460 --> 00:37:52,699 the study by trying 937 00:37:52,700 --> 00:37:54,289 both the front door and back door 938 00:37:54,290 --> 00:37:56,449 coupling scenarios, uh, we 939 00:37:56,450 --> 00:37:58,789 also did the radiated 940 00:37:58,790 --> 00:38:00,829 and the conducted testing. 941 00:38:00,830 --> 00:38:03,049 And, uh, we tried to estimate the, uh, 942 00:38:03,050 --> 00:38:06,139 the attacker profile and, uh, the, um, 943 00:38:06,140 --> 00:38:07,140 the.
944 00:38:08,350 --> 00:38:10,629 That will require the power, uh, 945 00:38:10,630 --> 00:38:12,909 and, um, the equipment 946 00:38:12,910 --> 00:38:15,099 that is required to perform those 947 00:38:15,100 --> 00:38:17,319 kinds of attacks and 948 00:38:17,320 --> 00:38:19,509 of course, these attacks are, uh, highly 949 00:38:19,510 --> 00:38:21,729 targeted attacks because, uh, the 950 00:38:21,730 --> 00:38:23,949 attacker needs to, uh, uh, change 951 00:38:23,950 --> 00:38:26,349 the, uh, at least the 952 00:38:26,350 --> 00:38:29,109 the waveform, the parasitic waveform, 953 00:38:29,110 --> 00:38:31,299 uh, to adapt himself to 954 00:38:31,300 --> 00:38:33,459 the, um, the the situation, the 955 00:38:33,460 --> 00:38:35,619 target, the phone, for example, 956 00:38:35,620 --> 00:38:37,809 or the, um, uh, power 957 00:38:37,810 --> 00:38:39,100 network specificities. 958 00:38:44,690 --> 00:38:47,089 OK, so we 959 00:38:47,090 --> 00:38:49,369 just some additional 960 00:38:49,370 --> 00:38:51,919 details about the injection 961 00:38:51,920 --> 00:38:54,199 voice command injection techniques, um, 962 00:38:54,200 --> 00:38:55,879 concerning the second one, we have seen 963 00:38:55,880 --> 00:38:58,219 that it's a USB cable that is targeting 964 00:38:58,220 --> 00:39:00,349 targeted um, we 965 00:39:00,350 --> 00:39:02,359 have connected this USB cable to the 966 00:39:02,360 --> 00:39:03,889 computer also. 967 00:39:03,890 --> 00:39:06,109 And we have seen that the signal 968 00:39:06,110 --> 00:39:08,149 was going through the power network and 969 00:39:08,150 --> 00:39:10,609 the grounding of the of the computer 970 00:39:10,610 --> 00:39:13,579 and was reaching through the USB 971 00:39:13,580 --> 00:39:15,439 shield, the microphone. 972 00:39:16,580 --> 00:39:18,709 So this is interesting because it is, 973 00:39:18,710 --> 00:39:21,199 uh, some known issues 974 00:39:21,200 --> 00:39:22,969 from the EMC community.
975 00:39:22,970 --> 00:39:25,399 So the crosstalk between the USB 976 00:39:25,400 --> 00:39:27,109 port and the microphone. 977 00:39:27,110 --> 00:39:28,110 I see. 978 00:39:28,540 --> 00:39:31,089 But from the information 979 00:39:31,090 --> 00:39:33,219 security point of view, we have, 980 00:39:33,220 --> 00:39:35,499 we did not have seen any study 981 00:39:35,500 --> 00:39:37,569 that was showing that 982 00:39:37,570 --> 00:39:39,729 we were able to inject, uh, 983 00:39:39,730 --> 00:39:42,129 defined signals on this voice 984 00:39:42,130 --> 00:39:43,130 command interface. 985 00:39:44,230 --> 00:39:46,419 Um, thanks to all those 986 00:39:46,420 --> 00:39:47,499 tests we have. 987 00:39:47,500 --> 00:39:50,499 So we have been able to analyze 988 00:39:50,500 --> 00:39:52,539 to detect and analyze the effects induced 989 00:39:52,540 --> 00:39:55,359 by IEMI or intentional electromagnetic 990 00:39:55,360 --> 00:39:56,589 interferences. 991 00:39:56,590 --> 00:39:58,719 Um, during parasitic 992 00:39:58,720 --> 00:40:00,849 exposure, um, we have been able to 993 00:40:00,850 --> 00:40:03,069 classify the effects, so defining 994 00:40:03,070 --> 00:40:05,349 the criticality of each effect.
995 00:40:05,350 --> 00:40:07,959 With regards of the application, 996 00:40:07,960 --> 00:40:10,179 um, we have been able to estimate 997 00:40:10,180 --> 00:40:12,429 the impact for the security of the device 998 00:40:12,430 --> 00:40:14,649 to test the devices and 999 00:40:14,650 --> 00:40:16,929 all those informations contributes 1000 00:40:16,930 --> 00:40:19,239 to, uh, the 1001 00:40:19,240 --> 00:40:22,029 information security risk analysis 1002 00:40:22,030 --> 00:40:24,279 and to help us 1003 00:40:24,280 --> 00:40:27,129 to put some additional 1004 00:40:27,130 --> 00:40:29,499 protective devices so that 1005 00:40:29,500 --> 00:40:31,689 IEMI cannot be involved 1006 00:40:31,690 --> 00:40:34,209 to perform those kind of 1007 00:40:34,210 --> 00:40:36,090 attacks against electronic devices. 1008 00:40:39,360 --> 00:40:42,569 And more generally, uh, we, 1009 00:40:42,570 --> 00:40:44,639 um, observe that the 1010 00:40:44,640 --> 00:40:47,039 electromagnetic electromagnetic attacks 1011 00:40:47,040 --> 00:40:49,599 are a kind of a realistic threat, 1012 00:40:49,600 --> 00:40:51,749 uh, even if generally if you 1013 00:40:51,750 --> 00:40:53,879 want to perform more than, uh, denial 1014 00:40:53,880 --> 00:40:56,009 of service attack, uh, it 1015 00:40:56,010 --> 00:40:58,649 will be, uh, targeted attack 1016 00:40:58,650 --> 00:41:01,139 because you will need to, uh, to, 1017 00:41:01,140 --> 00:41:03,389 um, adapt your attack set up 1018 00:41:03,390 --> 00:41:05,789 to your your target and to the, uh, 1019 00:41:05,790 --> 00:41:07,380 the contexts around the target.
1020 00:41:10,160 --> 00:41:12,319 We also wanted to emphasize 1021 00:41:12,320 --> 00:41:14,659 that, uh, the attacker profile, 1022 00:41:14,660 --> 00:41:16,819 uh, for these kind of attacks is, 1023 00:41:16,820 --> 00:41:19,399 uh, getting lower and lower, 1024 00:41:19,400 --> 00:41:22,179 uh, because of technological evolutions, 1025 00:41:22,180 --> 00:41:24,529 uh, the, um, uh, devices 1026 00:41:24,530 --> 00:41:26,779 that are needed to create some 1027 00:41:26,780 --> 00:41:29,719 of the required, uh, sources, 1028 00:41:29,720 --> 00:41:31,879 um, is, uh, 1029 00:41:31,880 --> 00:41:34,489 more and more affordable and available, 1030 00:41:34,490 --> 00:41:36,739 freely available to anyone, 1031 00:41:36,740 --> 00:41:38,749 uh, on the Internet. 1032 00:41:38,750 --> 00:41:40,819 Uh, and it's we we can say 1033 00:41:40,820 --> 00:41:43,309 the same, uh, on the, uh, 1034 00:41:43,310 --> 00:41:45,230 the power amplifiers, for example. 1035 00:41:46,650 --> 00:41:48,779 And, uh, one last 1036 00:41:48,780 --> 00:41:50,969 word to try to join 1037 00:41:50,970 --> 00:41:53,669 people to this kind of research, 1038 00:41:53,670 --> 00:41:55,979 um, we noticed that, 1039 00:41:55,980 --> 00:41:57,599 uh, the EMC 1040 00:41:57,600 --> 00:42:00,059 community, the, uh, information security 1041 00:42:00,060 --> 00:42:02,379 community and, uh, the specific, 1042 00:42:02,380 --> 00:42:04,469 uh, physical cryptanalysis 1043 00:42:04,470 --> 00:42:06,419 and, uh, side channel, uh, and fault 1044 00:42:06,420 --> 00:42:08,850 attacks, uh, communities, uh, 1045 00:42:10,080 --> 00:42:12,359 worked, uh, on their own 1046 00:42:12,360 --> 00:42:14,759 path. Uh, but in reality, 1047 00:42:14,760 --> 00:42:17,039 we are looking at the same problem 1048 00:42:17,040 --> 00:42:19,379 and, uh, just we have different points 1049 00:42:19,380 --> 00:42:22,049 of view and different objectives.
1050 00:42:22,050 --> 00:42:24,329 So, uh, maybe it's time to, uh, 1051 00:42:24,330 --> 00:42:26,649 join together and, uh, try to, 1052 00:42:26,650 --> 00:42:29,009 uh, uh, share the resources 1053 00:42:29,010 --> 00:42:30,599 and the knowledge about the, uh, these 1054 00:42:30,600 --> 00:42:31,600 issues. 1055 00:42:33,530 --> 00:42:35,569 So we thank you very much for your 1056 00:42:35,570 --> 00:42:36,570 attention. 1057 00:42:44,640 --> 00:42:47,009 As usual, you have all the references 1058 00:42:47,010 --> 00:42:49,139 that we used to to create this talk. 1059 00:42:50,760 --> 00:42:53,009 And our e-mail addresses, if you have 1060 00:42:53,010 --> 00:42:54,869 any questions or if you want to interact 1061 00:42:54,870 --> 00:42:57,299 about those topics, we will be 1062 00:42:57,300 --> 00:42:59,099 happy to do so. 1063 00:42:59,100 --> 00:43:00,100 Thank you. 1064 00:43:03,380 --> 00:43:05,839 So step up to the microphones 1065 00:43:05,840 --> 00:43:09,139 and we also take questions online. 1066 00:43:09,140 --> 00:43:11,869 We have a signal angel answering the 1067 00:43:11,870 --> 00:43:14,599 question, feed anybody 1068 00:43:14,600 --> 00:43:15,600 a microphone to. 1069 00:43:16,590 --> 00:43:17,489 Go ahead. 1070 00:43:17,490 --> 00:43:19,199 Yeah, thank you very much for the 1071 00:43:19,200 --> 00:43:21,209 interesting topic. 1072 00:43:21,210 --> 00:43:23,879 I saw your lab equipment 1073 00:43:23,880 --> 00:43:25,979 and you didn't screen the 1074 00:43:25,980 --> 00:43:28,109 charger or any cables. 1075 00:43:28,110 --> 00:43:30,329 Why? Or and there 1076 00:43:30,330 --> 00:43:31,859 may be another question. 1077 00:43:31,860 --> 00:43:34,319 Did you test this with screening 1078 00:43:34,320 --> 00:43:36,419 of the cables and 1079 00:43:36,420 --> 00:43:38,549 how much, uh, is 1080 00:43:38,550 --> 00:43:40,949 affected or. 1081 00:43:40,950 --> 00:43:43,199 Yeah.
The cable in 1082 00:43:43,200 --> 00:43:45,899 the results, uh, 1083 00:43:45,900 --> 00:43:48,509 on those, uh, 1084 00:43:48,510 --> 00:43:50,819 research topics, we did not really, 1085 00:43:50,820 --> 00:43:53,009 uh, we tested several USB cables 1086 00:43:53,010 --> 00:43:55,259 and then several, uh, 1087 00:43:55,260 --> 00:43:56,429 genuine chargers. 1088 00:43:56,430 --> 00:43:58,469 I mean, uh, Cat's out of the box, uh, 1089 00:43:58,470 --> 00:43:59,579 chargers. 1090 00:43:59,580 --> 00:44:02,309 And we observed that, uh, the 1091 00:44:02,310 --> 00:44:04,419 we were able to on the 1092 00:44:04,420 --> 00:44:06,539 audio frequency band, we were 1093 00:44:06,540 --> 00:44:08,699 able to recover our signal for a 1094 00:44:08,700 --> 00:44:11,009 frequency response was kind of flat. 1095 00:44:11,010 --> 00:44:13,289 So, uh, it didn't really affect, 1096 00:44:13,290 --> 00:44:15,600 uh, the effect on the target. 1097 00:44:19,750 --> 00:44:21,339 Thank you. 1098 00:44:21,340 --> 00:44:23,439 Microphone number one, thank you 1099 00:44:23,440 --> 00:44:24,819 for the talk. 1100 00:44:24,820 --> 00:44:27,129 This was all very new to me, so I'm 1101 00:44:27,130 --> 00:44:29,229 very, very scared right now 1102 00:44:29,230 --> 00:44:31,329 because I am learning how to 1103 00:44:31,330 --> 00:44:32,799 fly a small aircraft. 1104 00:44:32,800 --> 00:44:34,869 And a lot of it is there's 1105 00:44:34,870 --> 00:44:36,489 a lot of communication that happens via 1106 00:44:36,490 --> 00:44:37,490 radio. 1107 00:44:38,290 --> 00:44:39,669 And I'm wondering, when you talked about 1108 00:44:39,670 --> 00:44:42,009 the effective range, what kind of threats 1109 00:44:42,010 --> 00:44:45,039 are we looking at for something, say, 1110 00:44:45,040 --> 00:44:47,679 at an altitude of, say, even 2000 1111 00:44:47,680 --> 00:44:50,199 feet and a moving target? 
1112 00:44:50,200 --> 00:44:51,879 Does that make it very, very difficult, 1113 00:44:53,140 --> 00:44:55,419 knowing that I don't know much 1114 00:44:55,420 --> 00:44:56,679 about what you just said, but it was 1115 00:44:56,680 --> 00:44:57,680 really quite scary. 1116 00:45:00,400 --> 00:45:02,529 Um, concerning the range, 1117 00:45:02,530 --> 00:45:04,869 so as we as 1118 00:45:04,870 --> 00:45:07,209 we presented, we did not, uh, 1119 00:45:07,210 --> 00:45:10,029 work on, um, 1120 00:45:10,030 --> 00:45:12,759 the suicide, we directly, 1121 00:45:12,760 --> 00:45:15,309 uh, assessed the effects on the target. 1122 00:45:15,310 --> 00:45:17,379 If you have any kind of 1123 00:45:17,380 --> 00:45:18,729 device you would like to work on, 1124 00:45:18,730 --> 00:45:21,009 basically you put it in, um, 1125 00:45:21,010 --> 00:45:23,139 in a test environment, you 1126 00:45:23,140 --> 00:45:25,659 check what kind of effect you may expect, 1127 00:45:25,660 --> 00:45:27,729 depending on the characteristics of 1128 00:45:27,730 --> 00:45:28,929 the source we have. 1129 00:45:28,930 --> 00:45:31,449 You have defined and then defining 1130 00:45:31,450 --> 00:45:34,029 the range is just using some general, 1131 00:45:34,030 --> 00:45:36,699 uh, theoretical equations 1132 00:45:36,700 --> 00:45:39,219 that define you 1133 00:45:39,220 --> 00:45:41,319 the amount of power you need to 1134 00:45:41,320 --> 00:45:43,479 generate to reach the signal 1135 00:45:43,480 --> 00:45:46,539 level. You need to disrupt your device, 1136 00:45:46,540 --> 00:45:48,909 um, for small drones 1137 00:45:48,910 --> 00:45:51,459 or any, uh, 1138 00:45:51,460 --> 00:45:52,899 any kind of those devices. 1139 00:45:52,900 --> 00:45:55,149 We didn't we did not specific tests. 1140 00:45:55,150 --> 00:45:57,519 But yeah, it's an open question and we 1141 00:45:57,520 --> 00:46:00,189 would really happy to work on that if. 1142 00:46:00,190 --> 00:46:02,329 Yeah. 
If I can, uh, 1143 00:46:02,330 --> 00:46:04,479 add something in your case, I 1144 00:46:04,480 --> 00:46:06,759 guess you have to estimate 1145 00:46:06,760 --> 00:46:09,669 the propagation path that we described, 1146 00:46:09,670 --> 00:46:11,769 uh, in the specific conditions that 1147 00:46:11,770 --> 00:46:13,739 you described, in fact. 1148 00:46:13,740 --> 00:46:14,889 Thank you. Thank you. 1149 00:46:16,510 --> 00:46:18,759 Thank you very much, microphone two, 1150 00:46:18,760 --> 00:46:19,760 go ahead. 1151 00:46:20,350 --> 00:46:21,849 Thanks for the talk. 1152 00:46:21,850 --> 00:46:23,769 I very, very small question about the 1153 00:46:23,770 --> 00:46:25,959 thermistor that you set 1154 00:46:25,960 --> 00:46:28,359 up and you can, with RF energy, 1155 00:46:28,360 --> 00:46:29,949 increase the temperature or observe the 1156 00:46:29,950 --> 00:46:32,259 temperature of the processor. 1157 00:46:32,260 --> 00:46:34,329 Was it actually a separate, uh, 1158 00:46:34,330 --> 00:46:36,159 sensor? And how long was the cable and 1159 00:46:36,160 --> 00:46:38,619 what's output impedance of the sensor 1160 00:46:38,620 --> 00:46:40,659 to check those parameters? 1161 00:46:40,660 --> 00:46:43,209 Yeah, I think the it was on, um, 1162 00:46:43,210 --> 00:46:45,669 on an old motherboard, on a computer. 1163 00:46:45,670 --> 00:46:47,769 The, uh, thermistor, uh, was 1164 00:46:47,770 --> 00:46:50,019 interrogated by a Super I/O chip. 1165 00:46:50,020 --> 00:46:52,359 And I guess the the dimensions 1166 00:46:52,360 --> 00:46:54,459 of the, uh, the PCB line 1167 00:46:54,460 --> 00:46:56,649 between the, uh, the CPU diode and, uh, 1168 00:46:56,650 --> 00:46:59,019 the Super I/O chip was, uh, some 1169 00:46:59,020 --> 00:47:01,209 something like 10 centimeters, 1170 00:47:01,210 --> 00:47:02,210 I guess. 1171 00:47:05,000 --> 00:47:06,199 Thank you very much. 1172 00:47:06,200 --> 00:47:07,909 I think we have a question from the line.
1173 00:47:10,450 --> 00:47:12,729 You've showed us some example of 1174 00:47:12,730 --> 00:47:14,889 that injection, so this was an active 1175 00:47:14,890 --> 00:47:16,149 attack. 1176 00:47:16,150 --> 00:47:18,069 What about the passive ones, like getting 1177 00:47:18,070 --> 00:47:20,469 the data from the device, for example, 1178 00:47:20,470 --> 00:47:22,779 pixels of the screen or touch typing 1179 00:47:22,780 --> 00:47:23,780 the keyboard? 1180 00:47:25,110 --> 00:47:27,309 Um, as we yeah, 1181 00:47:27,310 --> 00:47:29,639 the talk was focused on the 1182 00:47:29,640 --> 00:47:32,099 effect of, uh, intentional 1183 00:47:32,100 --> 00:47:33,899 electromagnetic interference. 1184 00:47:33,900 --> 00:47:35,819 So that's why we didn't talk about the 1185 00:47:35,820 --> 00:47:38,219 other specific parts of TEMPEST attacks 1186 00:47:38,220 --> 00:47:39,510 or general attacks. 1187 00:47:40,690 --> 00:47:42,279 I don't know if that answers the 1188 00:47:42,280 --> 00:47:43,280 question. 1189 00:47:46,020 --> 00:47:48,179 Well, thank you for your response, and 1190 00:47:48,180 --> 00:47:50,429 I think that's all for 1191 00:47:50,430 --> 00:47:52,199 questions. Oh, no, there's one more from 1192 00:47:52,200 --> 00:47:53,200 the online feed. 1193 00:47:56,100 --> 00:47:58,179 I know that it it 1194 00:47:58,180 --> 00:48:00,279 is this isn't really a topic 1195 00:48:00,280 --> 00:48:02,699 of your research, but could you give 1196 00:48:02,700 --> 00:48:05,129 some pointers to recent research 1197 00:48:05,130 --> 00:48:07,409 on EM emanation like TEMPEST 1198 00:48:07,410 --> 00:48:09,509 attacks or there 1199 00:48:09,510 --> 00:48:11,549 was something on a year last year, I 1200 00:48:11,550 --> 00:48:14,489 guess, uh, Craig's me stock. 1201 00:48:14,490 --> 00:48:16,709 Uh, TEMPEST attacks on a yes.
1202 00:48:16,710 --> 00:48:18,839 I get it was such an attack but 1203 00:48:18,840 --> 00:48:20,939 with uh uh so uh, several 1204 00:48:20,940 --> 00:48:23,579 feet range for example. 1205 00:48:23,580 --> 00:48:25,319 I think it can be a good pointer. 1206 00:48:26,980 --> 00:48:29,139 Mark, Mark, Mark was research at 1207 00:48:29,140 --> 00:48:31,359 Cambridge University is also a 1208 00:48:31,360 --> 00:48:34,299 well, a very good resource to understand 1209 00:48:34,300 --> 00:48:35,670 the topic of TEMPEST. 1210 00:48:38,600 --> 00:48:39,799 Thank you very much. 1211 00:48:39,800 --> 00:48:42,079 And I think that's it, that's 1212 00:48:42,080 --> 00:48:43,789 your honor. Applause for our speakers. 1213 00:48:43,790 --> 00:48:44,790 Thank you. Thank you.