Building an RF Side-Channel Attack Using Machine Learning
Using machine learning and an Arduino to steal a PIN code
There isn’t anything new about RF side-channel attacks. Recovering plain text from encrypted communications using leaked emissions from poorly shielded hardware dates all the way back to the Second World War, and the dawn of the information age. It’s a sufficiently common problem that there are now established standards for shielding devices to ensure that they don’t leak.
However, not everybody pays attention to them.
The Ledger Blue hardware wallet, used to store the private key that secures your cryptocurrency, is vulnerable to such an attack, as “…when entering the PIN on the device, each button press creates a significant electro magnetic signal around the 169 MHz spectrum.”
The vulnerability, discovered by Thomas Roth, Josh Datko, and Dmitry Nedospasov, and presented at 35C3 is interesting enough. But I think the really interesting thing here is how the team built the proof-of-concept exploit. Because they used machine learning to recover the PIN from the leaked RF signals, which, as far as I know, is a first.
However, building a training dataset takes time and effort, “…this meant labelled recordings of button presses, for example 100 button presses of digit 0, 100 button presses of digit 1 etc. As this can be a lot of work, we decided to automate it by building a USB-controlled ‘button pusher’ — built from an Arduino, a servo motor, and some random stuff that was laying around the office.”
If you’re interested in taking a look, the team has gone ahead and published a Jupyter Notebook that includes source code for each step of the process, as well as some of the training data they gathered using the Arduino.
Their post walks you through building, training, and testing a machine learning model. I recommend you go read it, it’s an absolutely fascinating piece of work.