International Association for Cryptologic Research

CryptoDB

Understanding Screaming Channels: From a Detailed Analysis to Improved Attacks

Authors:
Giovanni Camurati, EURECOM, Sophia-Antipolis, France
Aurélien Francillon, EURECOM, Sophia-Antipolis, France
François-Xavier Standaert, Université catholique de Louvain, Louvain-la-Neuve, Belgium
Download:
DOI: 10.13154/tches.v2020.i3.358-401
URL: https://tches.iacr.org/index.php/TCHES/article/view/8594
Presentation: Slides
Abstract: Recently, some wireless devices have been found vulnerable to a novel class of side-channel attacks, called Screaming Channels. These leaks might appear if the sensitive leaks from the processor are unintentionally broadcast by a radio transmitter placed on the same chip. Previous work focuses on identifying the root causes, and on mounting an attack at a distance considerably larger than the one achievable with conventional electromagnetic side channels, which was demonstrated in the low-noise environment of an anechoic chamber. However, a detailed understanding of the leak, attacks that take full advantage of the novel vector, and security evaluations in more practical scenarios are still missing. In this paper, we conduct a thorough experimental analysis of the peculiar properties of Screaming Channels. For example, we learn about the coexistence of intended and unintended data, the role of distance and other parameters on the strength of the leak, the distortion of the leak model, and the portability of the profiles. With such insights, we build better attacks. We profile a device connected via cable with 10000·500 traces. Then, 5 months later, we attack a different instance at 15m in an office environment. We recover the AES-128 key with 5000·1000 traces and key enumeration up to 2^23. Leveraging spatial diversity, we mount some attacks in the presence of obstacles. As a first example of application to a real system, we show a proof-of-concept attack against the authentication method of Google Eddystone beacons. On the one side, this work lowers the bar for more realistic attacks, highlighting the importance of the novel attack vector. On the other side, it provides a broader security evaluation of the leaks, helping the defender and radio designers to evaluate risk, and the need of countermeasures.
Video from TCHES 2020
BibTeX
@article{tches-2020-30395,
  title={Understanding Screaming Channels: From a Detailed Analysis to Improved Attacks},
  journal={IACR Transactions on Cryptographic Hardware and Embedded Systems},
  publisher={Ruhr-Universität Bochum},
  volume={2020, Issue 3},
  pages={358-401},
  url={https://tches.iacr.org/index.php/TCHES/article/view/8594},
  doi={10.13154/tches.v2020.i3.358-401},
  author={Giovanni Camurati and Aurélien Francillon and François-Xavier Standaert},
  year=2020
}