Screen Gleaning: A Screen Reading TEMPEST Attack on Mobile Devices Exploiting an Electromagnetic Side Channel

We introduce screen gleaning, a TEMPEST attack in which the screen of a mobile device is read without a visual line of sight, revealing sensitive information displayed on the phone screen. The screen gleaning attack uses an antenna and a software-defined radio (SDR) to pick up the electromagnetic signal that the device sends to the screen to display, e.g., a message with a security code. This special equipment makes it possible to recreate the signal as a gray-scale image, which we refer to as an emage. Here, we show that it can be used to read a security code. The screen gleaning attack is challenging because it is often impossible for a human viewer to interpret the emage directly. We show that this challenge can be addressed with machine learning, specifically, a deep learning classifier. Screen gleaning will become increasingly serious as SDRs and deep learning continue to rapidly advance. In this paper, we demonstrate the security code attack and we propose a testbed that provides a standard setup in which screen gleaning could be tested with different attacker models. Finally, we analyze the dimensions of screen gleaning attacker models and discuss possible countermeasures with the potential to address them.
