When LoRa Meets EMR: Electromagnetic covert channels can be super resilient

Research output: Chapters, Conference Papers, Creative and Literary Works; RGC 32 - Refereed conference paper (with host publication); peer-review

25 Scopus Citations

Detail(s)

Original language: English
Title of host publication: Proceedings - 2021 IEEE Symposium on Security and Privacy
Subtitle of host publication: SP 2021
Publisher: Institute of Electrical and Electronics Engineers, Inc.
Pages: 1304-1317
ISBN (electronic): 9781728189345
ISBN (print): 978-1-7281-8935-2
Publication status: Published - 2021
Externally published: Yes

Publication series

Name: Proceedings - IEEE Symposium on Security and Privacy
ISSN (Print): 1081-6011
ISSN (electronic): 2375-1207

Conference

Title: 42nd IEEE Symposium on Security and Privacy (SP 2021)
Location: Virtual
Place: United States
City: San Francisco
Period: 24 - 27 May 2021

Abstract

Due to the low power of electromagnetic radiation (EMR), the EM covert channel has been widely considered a short-range attack that can be easily mitigated by shielding. This paper overturns this common belief by demonstrating how covert EM signals leaked from typical laptops, desktops and servers are decoded from hundreds of meters away, or penetrate aggressive shielding previously considered sufficient to ensure emission security. We achieve this by designing EMLoRa - a super resilient EM covert channel that exploits memory as a LoRa-like radio. EMLoRa represents the first attempt at designing an EM covert channel using state-of-the-art spread spectrum technology. It tackles a set of unique challenges, such as handling complex spectral characteristics of EMR, tolerating signal distortions caused by CPU contention, and preventing adversarial detectors from demodulating covert signals. Experiment results show that EMLoRa boosts communication range by 20x and improves attenuation resilience by up to 53 dB when compared with prior EM covert channels at the same bit rate. By achieving this, EMLoRa allows an attacker to circumvent a security perimeter, breach a Faraday cage, and localize air-gapped devices in a wide area using just a small number of inexpensive sensors. To counter EMLoRa, we further explore the feasibility of uncovering EMLoRa's signal using energy- and CNN-based detectors. Experiments show that both detectors suffer from limited range, allowing EMLoRa to gain a significant range advantage. Our results call for further research on countermeasures against spread spectrum-based EM covert channels.

Bibliographic Note

Publisher Copyright: © 2021 IEEE.

Citation Format(s)

When LoRa Meets EMR: Electromagnetic covert channels can be super resilient. / Shen, Cheng; Liu, Tian; Huang, Jun et al.
Proceedings - 2021 IEEE Symposium on Security and Privacy: SP 2021. Institute of Electrical and Electronics Engineers, Inc., 2021. p. 1304-1317 (Proceedings - IEEE Symposium on Security and Privacy).
