4

What kind of equipment would be required to sniff data from the electromagnetic emissions of data / address buses on an average motherboard?

I'd imagine a sensitive hall probe, a faraday cage and some expensive analysis equipment (e.g. spectrum analyser) would be necessary, racking up a pretty significant cost, but I don't really have any sources to suggest that this is correct or incorrect.

Anyone had any experience in this field? Are there homebrew methods, or is this the kind of attack that requires significant resources to pull off?

Polynomial
  • 132,208
  • 43
  • 298
  • 379

1 Answer

5

I recall a video I saw from one of the big conventions, in which a researcher was able to decode emissions from a PS/2 keyboard using nothing but a slow oscilloscope - he simply observed the ground pin of the target machine and he could pick bits straight off. I had previously assumed that such attacks required spectrum analysers and a degree in RF black magic - but apparently not!

The video is by Andrea Barisani and Daniele Bianco and is from a BlackHat 2009 talk - talk slides are at https://www.blackhat.com/presentations/bh-usa-09/BARISANI/BHUSA09-Barisani-Keystrokes-SLIDES.pdf.

I should point out that I haven't tried to replicate their research myself.

randomdude
  • 827
  • 1
  • 7
  • 12
  • I've seen similar stuff with large antennas picking up the EM from keyboard strokes in an adjacent room (there's a video out there somewhere), but I was thinking more specifically about high frequency data buses, especially the RAM / PCI buses on motherboards. +1 for the info though, very interesting. – Polynomial Jul 04 '12 at 14:10
  • I imagine it's almost impossible to sniff RAM/PCI with EM. It's already very hard to sniff it if you're able to directly touch the pins (though I don't know if it's impossible). With EM, the signals blur together due to the rate being so fast (many GT/s) and interspersed with so many control signals. If that weren't enough, PCI has a really creepy convoluted method of communication which is highly asynchronous. I don't remember the details, but it has to do with scrambling the data and not using any clock signal. – forest Apr 05 '16 at 03:48