710 research outputs found

    Detecting and locating electronic devices using their unintended electromagnetic emissions

    Electronically-initiated explosives can have unintended electromagnetic emissions which propagate through walls and sealed containers. These emissions, if properly characterized, enable the prompt and accurate detection of explosive threats. The following dissertation develops and evaluates techniques for detecting and locating common electronic initiators. The unintended emissions of radio receivers and microcontrollers are analyzed. These emissions are low-power radio signals that result from the device's normal operation. In the first section, it is demonstrated that arbitrary signals can be injected into a radio receiver's unintended emissions using a relatively weak stimulation signal. This effect is called stimulated emissions. The performance of stimulated emissions is compared to passive detection techniques. The novel technique offers a 5 to 10 dB sensitivity improvement over passive methods for detecting radio receivers. The second section develops a radar-like technique for accurately locating radio receivers. The radar utilizes the stimulated emissions technique with wideband signals. A radar-like system is designed and implemented in hardware. Its accuracy is tested in a noisy, multipath-rich, indoor environment. The proposed radar can locate superheterodyne radio receivers with a root mean square position error less than 5 meters when the SNR is 15 dB or above. In the third section, an analytic model is developed for the unintended emissions of microcontrollers. It is demonstrated that these emissions consist of a periodic train of impulses. Measurements of an 8051 microcontroller validate this model. The model is used to evaluate the noise performance of several existing algorithms. Results indicate that the pitch estimation techniques have a 4 dB sensitivity improvement over epoch folding algorithms. --Abstract, page iii

    MAGNETO: Fingerprinting USB Flash Drives via Unintentional Magnetic Emissions

    Universal Serial Bus (USB) Flash Drives are nowadays one of the most convenient and diffused means to transfer files, especially when no Internet connection is available. However, USB flash drives are also one of the most common attack vectors used to gain unauthorized access to host devices. For instance, it is possible to replace a USB drive so that when the USB key is connected, it would install password-stealing tools, root-kit software, and other disrupting malware. In such a way, an attacker can steal sensitive information via the USB-connected devices, as well as inject any kind of malicious software into the host. To thwart the above-cited raising threats, we propose MAGNETO, an efficient, non-interactive, and privacy-preserving framework to verify the authenticity of a USB flash drive, rooted in the analysis of its unintentional magnetic emissions. We show that the magnetic emissions radiated during boot operations on a specific host are unique for each device, and sufficient to uniquely fingerprint both the brand and the model of the USB flash drive, or the specific USB device, depending on the used equipment. Our investigation on 59 different USB flash drives---belonging to 17 brands, including the top brands purchased on Amazon in mid-2019---, reveals a minimum classification accuracy of 98.2% in the identification of both brand and model, accompanied by a negligible time and computational overhead. MAGNETO can also identify the specific USB Flash drive, with a minimum classification accuracy of 91.2%. Overall, MAGNETO proves that unintentional magnetic emissions can be considered as a viable and reliable means to fingerprint read-only USB flash drives. Finally, future research directions in this domain are also discussed. Comment: Accepted for publication in ACM Transactions on Embedded Computing Systems (TECS) in September 202

    Exploitation of Unintentional Information Leakage from Integrated Circuits

    Unintentional electromagnetic emissions are used to recognize or verify the identity of a unique integrated circuit (IC) based on fabrication process-induced variations in a manner analogous to biometric human identification. The effectiveness of the technique is demonstrated through an extensive empirical study, with results presented indicating correct device identification success rates of greater than 99.5%, and average verification equal error rates (EERs) of less than 0.05% for 40 near-identical devices. The proposed approach is suitable for security applications involving commodity commercial ICs, with substantial cost and scalability advantages over existing approaches. A systematic leakage mapping methodology is also proposed to comprehensively assess the information leakage of arbitrary block cipher implementations, and to quantitatively bound an arbitrary implementation's resistance to the general class of differential side channel analysis techniques. The framework is demonstrated using the well-known Hamming Weight and Hamming Distance leakage models, and the approach's effectiveness is demonstrated through the empirical assessment of two typical unprotected implementations of the Advanced Encryption Standard. The assessment results are empirically validated against correlation-based differential power and electromagnetic analysis attacks.

    Feature Selection and Classifier Development for Radio Frequency Device Identification

    The proliferation of simple and low-cost devices, such as IEEE 802.15.4 ZigBee and Z-Wave, in Critical Infrastructure (CI) increases security concerns. Radio Frequency Distinct Native Attribute (RF-DNA) Fingerprinting facilitates biometric-like identification of electronic devices emissions from variances in device hardware. Developing reliable classifier models using RF-DNA fingerprints is thus important for device discrimination to enable reliable Device Classification (a one-to-many looks most like assessment) and Device ID Verification (a one-to-one looks how much like assessment). AFIT's prior RF-DNA work focused on Multiple Discriminant Analysis/Maximum Likelihood (MDA/ML) and Generalized Relevance Learning Vector Quantized Improved (GRLVQI) classifiers. This work 1) introduces a new GRLVQI-Distance (GRLVQI-D) classifier that extends prior GRLVQI work by supporting alternative distance measures, 2) formalizes a framework for selecting competing distance measures for GRLVQI-D, 3) introduces response surface methods for optimizing GRLVQI and GRLVQI-D algorithm settings, 4) develops an MDA-based Loadings Fusion (MLF) Dimensional Reduction Analysis (DRA) method for improved classifier-based feature selection, 5) introduces the F-test as a DRA method for RF-DNA fingerprints, 6) provides a phenomenological understanding of test statistics and p-values, with KS-test and F-test statistic values being superior to p-values for DRA, and 7) introduces quantitative dimensionality assessment methods for DRA subset selection.

    Radiated Emissions from a Remote-Controlled Airplane-Measured in a Reverberation Chamber

    A full-vehicle, subscale all-electric model airplane was tested for radiated emissions, using a reverberation chamber. The mission of the NASA model airplane is to test in-flight airframe damage diagnosis and battery prognosis algorithms, and provide experimental data for other aviation safety research. Subscale model airplanes are economical experimental tools, but assembling their systems from hobbyist and low-cost components may lead to unforeseen electromagnetic compatibility problems. This report provides a guide for accommodating the on-board radio systems, so that all model airplane systems may be operated during radiated emission testing. Radiated emission data are provided for on-board systems being operated separately and together, so that potential interferers can be isolated and mitigated. The report concludes with recommendations for EMI/EMC best practices for subscale model airplanes and airships used for research.

    Comparison of Radio Frequency Distinct Native Attribute and Matched Filtering Techniques for Device Discrimination and Operation Identification

    The research presented here provides a comparison of classification, verification, and computational time for three techniques used to analyze Unintentional Radio-Frequency (RF) Emissions (URE) from semiconductor devices for the purposes of device discrimination and operation identification. URE from ten MSP430F5529 16-bit microcontrollers were analyzed using: 1) RF Distinct Native Attribute (RF-DNA) fingerprints paired with Multiple Discriminant Analysis/Maximum Likelihood (MDA/ML) classification, 2) RF-DNA fingerprints paired with Generalized Relevance Learning Vector Quantized-Improved (GRLVQI) classification, and 3) Time Domain (TD) signals paired with matched filtering. These techniques were considered for potential applications to detect counterfeit/Trojan hardware infiltrating supply chains and to defend against cyber attacks by monitoring executed operations of embedded systems in critical Supervisory Control And Data Acquisition (SCADA) networks.

    Advances in SCA and RF-DNA Fingerprinting Through Enhanced Linear Regression Attacks and Application of Random Forest Classifiers

    Radio Frequency (RF) emissions from electronic devices expose security vulnerabilities that can be used by an attacker to extract otherwise unobtainable information. Two realms of study were investigated here, including the exploitation of 1) unintentional RF emissions in the field of Side Channel Analysis (SCA), and 2) intentional RF emissions from physical devices in the field of RF-Distinct Native Attribute (RF-DNA) fingerprinting. Statistical analysis on the linear model fit to measured SCA data in Linear Regression Attacks (LRA) improved performance, achieving 98% success rate for AES key-byte identification from unintentional emissions. However, the presence of non-Gaussian noise required the use of a non-parametric classifier to further improve key guessing attacks. RndF based profiling attacks were successful in very high dimensional data sets, correctly guessing all 16 bytes of the AES key with a 50,000 variable dataset. With variable reduction, Random Forest still outperformed Template Attack for this data set, requiring fewer traces and achieving higher success rates with lower misclassification rate. Finally, the use of a RndF classifier is examined for intentional RF emissions from ZigBee devices to enhance security using RF-DNA fingerprinting. RndF outperformed parametric MDA/ML and non-parametric GRLVQI classifiers, providing up to GS = 18.0 dB improvement (reduction in required SNR). Network penetration, measured using rogue ZigBee devices, shows that the RndF method improved rogue rejection in noisier environments - gains of up to GS = 18.0 dB are realized over previous methods.