Welcome to the Noise-SDR project!
Giovanni Camurati and Aurélien Francillon. "Noise-SDR: Arbitrary Modulation of Electromagnetic Noise from Unprivileged Software and Its Impact on Emission Security" to appear at IEEE S&P 2022.
Electronic devices emit unintended radio noise while they operate; this is usually known as electromagnetic (EM) noise or EM leakage. The effect is well known from EM side-channel attacks (or Tempest attacks), which exploit it to spy on the device, but also from covert channels: a piece of code running on the device controls the noise the device generates in order to transmit information (Soft-Tempest). Such covert channels are limited in power and bandwidth and, more importantly, they can transmit only on the frequencies where the leakage is present (e.g., harmonics of the clock). Existing covert channels usually use simple modulations, for example On-Off Keying (make noise or not), which are simple to implement but not very robust. With Noise-SDR we demonstrate that, by controlling software running on the device, we can generate arbitrary modulations (using a technique known as RF-PWM). This allows building more diverse and resilient transmitters, and even allows using protocols written for software-defined radios, despite some limitations in power, frequency, and bandwidth. We also demonstrate the possibility of transmitting at longer distances and more reliably. Interestingly, the ability to transmit with existing protocols using a software-defined approach opens the potential for applications other than covert channels, for example, trying to inject data into a victim receiver.
Demo videos:

- thor22-psk125.mp4
- hamdrm.mp4
- sstv.mp4
Noise-SDR uses a leakage-based fully-digital software-defined approach to shape electromagnetic noise produced by unprivileged software into generic radio signals, arbitrarily modulated in amplitude/frequency/phase. Despite some limitations on power, frequency and bandwidth, it can transmit data with a variety of analog and digital radio protocols. Noise-SDR currently runs on x86_64 (Linux and Windows), ARMV7A/ARMV8A (Android), and MIPS32 (OpenWrt). Please check the academic paper for more details.
Note: This is just an initial release. You can already find the code and instructions on how to (cross-)compile it. Running fldigi-noise-sdr is straightforward (check the help menu). We assume you have some familiarity with running code on various platforms, EM leakage, popular SDR tools and radio protocols (many resources are available online).
This work was developed at EURECOM by Giovanni Camurati (now at ETH Zurich) and Aurélien Francillon. Please contact camurati@eurecom.fr for any question.
We would like to thank Andrea Possemato, Giulia Clerici, Matteo Guarrera, Elie Bursztein, Jean-Michel Picod, the anonymous reviewers and the shepherd for their feedback, help or interesting discussions. This work was partially supported by a Google Faculty Research Award.
We are grateful for the many online resources and open-source tools that made our work possible, in particular: Fldigi, GNURadio, gr-lora_sdr, gnss-sdr, qsstv, wsjt-x, sigidwiki, system-bus-radio, and drammer. Please see the academic paper for further and more detailed citations.
```
.
├── configs                         # Example configs for Fldigi, Gqrx, and WSJT-X
│   ├── fldigi_def_example.xml
│   ├── gqrx-example-b210.conf
│   └── WSJT-X-example.ini
├── COPYRIGHT
├── docs
│   └── images
│       ├── overview2.jpg
│       ├── overview.jpg
│       └── thor22-rtty45-psk125r-3.jpg
├── fldigi-noise-sdr                # Fldigi-Noise-SDR
│   ├── Makefile                    # See ARCH and OP options
│   └── src
│       ├── fldigi                  # Fldigi original modems
│       │   ├── contestia
│       │   ├── cw_rtty
│       │   ├── dominoex
│       │   ├── fft
│       │   ├── filters
│       │   ├── include
│       │   ├── libsamplerate
│       │   ├── lora                # Additional LoRa from gr-lora_sdr (modified)
│       │   ├── mfsk
│       │   ├── misc
│       │   ├── modem.cxx
│       │   ├── mt63
│       │   ├── olivia
│       │   ├── psk
│       │   ├── rsid
│       │   └── thor
│       ├── fldigi-noise-sdr        # Noise-SDR specific code
│       │   ├── AndFlmsg_Fldigi_Interface.cxx  # Added RF-PWM code
│       │   ├── include
│       │   └── main.cxx            # Main interface
│       └── libion                  # Added libion for ArmV7-A
├── gnss                            # Code/scripts for GNSS experiments
│   ├── glonass
│   │   ├── glonass-normal
│   │   │   ├── generate-example.sh # Generate IQ and RF-PWM files
│   │   │   ├── gnss-sdr-1.5M.conf  # Gnss-sdr config for generated file
│   │   │   ├── gnss-sdr.conf       # Gnss-sdr config for rx file
│   │   │   ├── receive-1.5M.sh     # Analysis of the generated IQ file with gnss-sdr
│   │   │   ├── receive.sh          # Analysis of the received IQ file with gnss-sdr
│   │   │   └── rx.grc              # Gnuradio flowgraph for reception with a USRP B210
│   │   ├── glonass-sim.py          # GLONASS signal generator (simple, not a complete spoofer)
│   │   └── glonass-slow-10         # Same as glonass-normal but 10 times lower rate
│   │       ├── generate-slow-10-example.sh
│   │       ├── gnss-sdr.conf
│   │       ├── receive.sh
│   │       ├── rx.grc
│   │       └── signal_glonass.bin
│   └── gps                         # Similar to GLONASS, but for GPS, 100 times lower rate
│       ├── generate-slow-100-example.sh
│       ├── gnss-sdr.conf
│       ├── receive.sh
│       └── rx.grc
├── gnuradio                        # Gnuradio flowgraphs
│   ├── misc
│   │   └── generic.grc             # AM, (NB)FM, USB
│   └── gr-lora_sdr-noise-sdr       # gr-lora_sdr with added simple mode; clone separately (see vagrant/bootstrap.sh).
├── LICENSE
├── offline-noise-sdr               # Offline implementation of Noise-SDR
│   ├── generate                    # Python script to convert IQ files generated by an SDR tool into RF-PWM timings for noise-sdr.
│   │   └── rf-pwm.py
│   └── transmit                    # Offline version of Noise-SDR that reads a timing file and transmits that signal.
│       ├── Makefile
│       └── src
│           ├── libion
│           │   ├── chipset.cxx
│           │   ├── include
│           │   │   └── ion
│           │   │       └── ion.h
│           │   ├── ion.c
│           │   └── kernel-headers
│           │       └── linux
│           │           └── ion.h
│           └── noise-sdr
│               └── main.cxx
├── README.md
├── scripts                         # Useful scripts
│   ├── data
│   │   ├── buffer.txt
│   │   ├── ft4-turing-2020-08-12-log.csv
│   │   └── rfpwm.txt
│   ├── fig12.py                    # Replicate Figure 12 in the paper.
│   ├── fig15.py                    # Replicate Figure 15 in the paper.
│   └── fig3.py                     # Replicate Figure 3 in the paper.
└── vagrant                         # Vagrant to create a VirtualBox VM, or reference for a native installation
    ├── bin                         # bootstrap.sh will fill this folder, or you can download it (see below).
    │   ├── fldigi-noise-sdr-mips-CNT        # MIPS32, leak with CNT, for OpenWRT
    │   ├── fldigi-noise-sdr-v7-ION          # ARMV7-A, leak with ION, for Android
    │   ├── fldigi-noise-sdr-v8-CIVAC        # ARMV8-A, leak with CIVAC, for Android
    │   ├── fldigi-noise-sdr-v8-ION          # ARMV8-A, leak with ION, for Android
    │   ├── fldigi-noise-sdr-x86-STREAM      # x86_64, leak with STREAM, for Linux
    │   ├── fldigi-noise-sdr-x86-STREAM.exe  # x86_64, leak with STREAM, for Windows
    │   ├── offline-noise-sdr-mips-CNT
    │   ├── offline-noise-sdr-v7-ION
    │   ├── offline-noise-sdr-v8-CIVAC
    │   ├── offline-noise-sdr-v8-ION
    │   ├── offline-noise-sdr-x86-STREAM
    │   └── offline-noise-sdr-x86-STREAM
    ├── bootstrap.sh                # Provision script, also use it as a guide for native installation
    ├── rfpwm                       # Some pre-generated rf-pwm files, you can download them (see below).
    ├── traces                      # Some pre-collected traces, you can download them (see below).
    └── Vagrantfile                 # VirtualBox configuration for vagrant
```
You can either install Noise-SDR manually or use Vagrant and VirtualBox to automatically create a virtual machine. In either case, look at `noise-sdr/vagrant/Vagrantfile` and `noise-sdr/vagrant/bootstrap.sh` for self-explanatory installation instructions. Note that the actual Noise-SDR code is only a small part of this; the rest is the popular SDR tools required, for example, for reception.

In addition, precompiled binaries for Noise-SDR are available here.
```sh
git clone https://github.com/eurecom-s3/noise-sdr.git
cd noise-sdr/vagrant
vagrant up
vagrant ssh
```
Once you have compiled Noise-SDR, run it on your machine, or push it to a phone or other device and run it there (use the binary built for the correct architecture).

```sh
fldigi-noise-sdr-XXXX --help
```
There is also an offline version of Noise-SDR. In `offline-noise-sdr` you can find both a Python script that generates RF-PWM timings from IQ files:

```sh
./rf-pwm.py generate --help
```

and a version of noise-sdr that reads these files:

```sh
./offline-noise-sdr-XXXX --help
```
For Android you can use adb, e.g.,

```sh
adb push file /data/local/tmp   # push files to the device
adb shell                       # open a shell on the device
$ cd /data/local/tmp            # then run the programs from there
```

USB debugging has to be activated. If the device and the laptop are on the same network, you can connect without a cable.

For the Carambola2, follow the guides: to build OpenWRT and connect to the board, to install packages manually, and to add an unprivileged user. Cross-compilation is already covered here.
Use your favorite tool for reception. For example, we use gqrx (with a USRP B210) and Fldigi, connected through a virtual audio sink:

```sh
pulseaudio --start
pacmd load-module module-null-sink sink_name=MySink
```

Note that we provide example configuration files for FLDigi, GQRX, and WSJT-X in the folder `configs`.
When using GQRX, you can save raw IQ samples and replay them later. Please check the GQRX documentation and tutorials for this. FLDigi can also open and replay wav recordings.

You can find wav traces for the videos at the top of this page here, in the sub-folder `gqrx/videos-wav`.

You can find IQ traces for the same examples as in the videos at the top of this page here, in the sub-folder `gqrx/videos-iq`.

We provide helper scripts and configurations in the `gnss/` folder. For example, for GLONASS follow these steps.
- GLONASS with pre-recorded traces
  1. Download a GLONASS trace from here. For example, `glonass-innosd6000-2MSaps-800MHz-glonass-example.complex`
  2. Run the reception script:
     ```sh
     ./receive.sh glonass-innosd6000-2MSaps-800MHz-glonass-example.complex
     ```
- Record new traces
  1. Connect a suitable phone (e.g., Innos D6000, see paper) and make sure adb works.
  2. Enter the glonass folder:
     ```sh
     cd gnss/glonass/glonass-normal/
     ```
  3. Run the script that generates an example GLONASS signal, converts it to rfpwm, and pushes it to the phone:
     ```sh
     ./generate-example.sh
     ```
  4. Connect a USRP B210 radio to your laptop and run the `rx.grc` flowgraph. Adjust the parameters (e.g., the harmonic you want to look at) if necessary.
  5. Run offline-noise-sdr on the phone, giving the rfpwm file generated at step 3 as input.
  6. After a while, stop the flowgraph, which has generated the `/tmp/glonass_rec` IQ file.
  7. Run the reception script:
     ```sh
     ./receive.sh /tmp/glonass_rec
     ```

Similar steps apply to the examples in `glonass-slow-10` and `gps`.
To receive LoRa packets we provide a modified version of gr-lora_sdr available at git@github.com:giocamurati/gr-lora_sdr-noise-sdr.git (automatically installed in the vagrant VM).
Compared to the original version, we provide:

- Two flowgraphs, `apps/lora_rx.grc` and `apps/lora_rx_simple.grc`, to scan the spectrum for packets sent by fldigi-noise-sdr using different modes.
- An additional mode to receive LoRa-like packets without error correction, which we used in the paper as a baseline.

As for the original version, remember to run `source apps/setpaths.sh` before running Gnuradio and opening the flowgraphs.
You can find some pre-collected IQ traces here, and some pre-computed RF-PWM files for offline-noise-sdr here. Precompiled binaries are here.