Modern devices often carry radio transceivers for wireless connectivity on the same silicon die as the processor and other digital blocks (a mixed-signal architecture). For example, an IoT device can use a chip with a Cortex-M4 processor and a BLE transceiver. Recently, we demonstrated that in this case the processor might accidentally modulate the BLE carrier, broadcasting side-channel information over a large distance. We named this novel vector Screaming Channels, in contrast with the low-power "whisper" of conventional side channels. Are Screaming Channels really different from conventional leakages? Are they really easier to exploit? But most importantly, can they be applied in realistic scenarios? For example, do they work in real-world environments? Do they work against real systems and protocols? Based on novel results published at TCHES 2020 (https://tches.iacr.org/index.php/TCHES/article/view/8594), we take a deep dive into a BLE chip to answer these important questions. Among the most interesting results, we show an attack at 15 m in an office environment, reusing a profile previously built on a different device under simpler conditions. We also show a proof-of-concept attack against a Google Eddystone beacon, where we deal with the practical problem of BLE frequency hopping.
Understanding screaming channels: From a detailed analysis to improved attacks
CONFIDENCE 2020, 19th International Infosecurity Conference, 7-9 September 2020, Virtual Conference
Type: Talk
Date: 2020-09-09
Department: Sécurité numérique
Eurecom Ref: 6338
Copyright: © EURECOM. Personal use of this material is permitted. The definitive version of this paper was published in CONFIDENCE 2020, 19th International Infosecurity Conference, 7-9 September 2020, Virtual Conference and is available at :
PERMALINK: https://www.eurecom.fr/publication/6338