TEMPEST Comeback: A Realistic Audio Eavesdropping Threat on Mixed-signal SoCs

This study presents a new TEMPEST threat in which an attacker can surreptitiously obtain original plain audio information from a distance by exploiting recently emerging unintentional electromagnetic (EM) radiations. As lightweight sensor-based Internet of Things (IoT) services become widespread, a mixed-signal system on chip (MSoC) spontaneously integrates all components, such as digital, analog, and even power circuits, into a single chipset to minimize the size of IoT devices. Accordingly, we pay attention to the accelerated integration of a switching regulator (SWREG), which is one of the typical power circuits and may substantially increase the unintentional EM leakages, re-enabling the audio TEMPEST attack. In this paper, we posit that a root cause of new audio-coupled EM leakages is the unavoidable integration of the SWREG, which innately has strong and low-frequency (i.e., several MHz) switching noises; an audio signal is conductively coupled on the single common substrate of an MSoC with a system clock and the newly emerging SWREG noises. The unique features of the suggested EM leakages compared to previous leakages are that their frequency distribution is dense (i.e., at frequency intervals of the SWREG noise), wideband (i.e., from several MHz to over 1 GHz), and static (i.e., time-invariant center frequencies). These features give the new TEMPEST attack due to the SWREG noise a longer attack range and make it more robust to interference. Consequently, the presented TEMPEST attack becomes considerably practical. To verify the new TEMPEST attack due to the SWREG noise, we first perform a feasibility analysis by measuring and analyzing the audio-conveyed EM emanations of popular MSoCs in an anechoic chamber. Next, we demonstrate how critical and practical the threat is by capturing the leakages from commercial devices in an office environment.
Furthermore, we propose a new signal reinforcement method that uses the three benefits (dense, wideband, and static) of the suggested radiations: the spectral addition of phase-aligned signals. The experimental results show that the test sweep tones of the Sogou voice recorder (nRF52810 chipset) and Xiaomi earbuds (CSR8640 chipset) can be reconstructed over 10 meters. Additionally, an attack feasibility analysis on a digital signal (I2C) is performed at short range. The overall results indicate that the new TEMPEST attack becomes more practical than the previous side-channel analysis. Finally, we suggest several technical countermeasures that help to design safe IoT devices.
Publisher
Association for Computing Machinery
Issue Date
2020-11-10
Language
English
Citation

27th ACM SIGSAC Conference on Computer and Communications Security, CCS 2020

DOI
10.1145/3372297.3417241
URI
http://hdl.handle.net/10203/277763
Appears in Collection
EE-Conference Papers (Academic Conference Papers)