Vulnerability analysis on leakage of audio information in mixed-signal SoC

Abstract

an audio signal is conductively coupled on the single common substrate of a mixed SoC with a system clock and the newly emerging the switching regulator noises. The unique features of the discovered EM leakages compared to previous leakages are that their frequency distribution is dense (i.e., at frequency intervals of the switching regulator noise), wideband (i.e., from several MHz to over 1 GHz), and static (i.e., time-invariant center frequencies). These features make the TEMPEST attack due to the switching regulator noise have a longer attack range and be more robust to interference. Consequently, the analyzed TEMPEST attack becomes considerably practical. By performing various experiments, we verify the root cause and analyze the possibility and the practicality of the attack. First, we perform a feasibility analysis by measuring and analyzing the audio-conveyed EM emanations of the popular mixed SoCs in an anechoic chamber. Next, we demonstrate how critical and practical the threat is by capturing the leakages from the commercial devices in an office environment. The experimental results show that the test sweep tones of the Sogou voice recorder (nRF52810 chipset) and Xiaomi earbuds (CSR8640 chipset) can be reconstructed at a distance of 10 meters. Furthermore, we propose a new signal reinforcement method based on the spectral addition of phase-aligned signals. Additionally, we study new vulnerabilities by analyzing the feasibility of the attack on digital signals and analyzing radiated leakages induced by additional coupling with RF carrier signals. Finally, we suggest several technical countermeasures that help to design safe IoT devices. The overall results indicate that the TEMPEST attack becomes more practical than the previous side-channel analysis.

As lightweight sensor-based internet of things (IoT) services become widespread, a mixed-signal system on chip (mixed SoC) spontaneously integrates all components, such as digital, analog, and even power circuits, into a single chipset to minimize the size of IoT devices. Accordingly, we pay attention to the accelerated integration of a switching regulator, which is one of the typical power circuits and may substantially increase the unintentional electromagnetic (EM) leakages, re-enabling the audio TEMPEST attack. This thesis analyzes a newly discovered vulnerability that an attacker can surreptitiously obtain original plain audio information at a distance by exploiting recently emerging unintentional EM radiations. In this thesis, we think that a root cause of new audio coupled EM leakages is the unavoidable integration of the switching regulator which innately has strong and low-frequency (i.e., several MHz) switching noises