• Now's your chance win big! Join our community and get entered to win a RTX 2060 GPU, plus more! Join here.

    Meet Stan Dmitriev of SurrogateTV on the Pi Cast TODAY! The show is live August 11th at 2:30 pm ET (7:30 PM BST). Watch live right here!

    Professional PC modder Mike Petereyns joins Scharon on the Tom's Hardware Show live on Thursday, August 13th at 3:00 pm ET (8:00 PM BST). Click here!

News Researchers Turn AMD Radeon GPU Into a Radio Transmitter to Steal Data

Pat Flynn

Honorable
Aug 8, 2013
227
12
10,765
42
I think the IT Security world has or will need to start a shift from reactive security, to pro-active training for ALL staff. The entire population needs to know how to identify malware threats to cut down on this kind of stuff.

P.S. - if it wasn't stated clearly in this article, nearly all (or all?) side-channel attacks need some form of malware to compromise the computer to gain access to the data. This means training people to identify the threats instead of relying on anti-virus suites for zero day threats.
 
Reactions: Makaveli

GenericUser

Distinguished
Nov 20, 2010
138
26
18,740
11
I think the IT Security world has or will need to start a shift from reactive security, to pro-active training for ALL staff. The entire population needs to know how to identify malware threats to cut down on this kind of stuff.

P.S. - if it wasn't stated clearly in this article, nearly all (or all?) side-channel attacks need some form of malware to compromise the computer to gain access to the data. This means training people to identify the threats instead of relying on anti-virus suites for zero day threats.
I think part of the issue is even the companies that do train their more "general" employees on good cybersecurity practices, most people just shrug it off as another "check-in-the-box corporate training session" and just want to get on with their day, or it's "not my problem", or "we won't get hacked, or any excuse really.

The average employee isn't going to care that much to know about good cybersecurity practices. Does that mean companies should just give up and not bother? No, but until everyone from the IT staff and dedicated cybersecurity professionals in the organization, down to the guy in the mail room give a crap, the biggest threat will continue to be the inside threat.
 
Reactions: bit_user

hannibal

Distinguished
Apr 1, 2004
2,312
36
19,840
14
What this mean is that companies prevent installation of any programs to work computers. And there will not be allovance to any job related tasks at home computers...
The situation is near that, but it will get even tighter. This same thing most likely could be done to cell phones...
 
This is actually unsurprising. When I was in the military they had a acronym term for it: TEMPEST (Telecommunications Electronics Materials Protected from Emanating Spurious Transmissions).

Even back in the 1970's it was a problem, way before PC's and word processors. Electric typwriters, in particular, would transmit a unique signal for every key pressed. So someone sitting outside an unshielded office building in a surveillance van on the street could intercept every keystroke of the typewriter as a clerk typed out a classified memo.

I supposed that was why many offices used mechanical typewriters way after most of the civilians used electric. TEMPEST security was a big deal.
 
Reactions: bit_user
Apr 25, 2020
1
0
10
0
This technically isn't anything new, we knew it's possible to do it on CPUs around 10 years ago, this is simply more proof that it's possible and easier than ever and there is no way to hide from it...
 

bit_user

Splendid
Ambassador
What this mean is that companies prevent installation of any programs to work computers.
That's not remotely realistic for many people whose job it is to develop software.

This same thing most likely could be done to cell phones...
No. My employer already uses Microsoft's cell phone security software (I think it's called InTune?). It's already so onerous that I refuse to run it on my personal phone. If they want me to access company resources from a cell phone, they'll have to buy me one.

Anyway, by raising the bar too high for cell phone security, you have people's unsecured phones in the workplace.
 

bit_user

Splendid
Ambassador
When I was in the military they had a acronym term for it: TEMPEST (Telecommunications Electronics Materials Protected from Emanating Spurious Transmissions).
I don't know if it was under the same program, but a guy I knew who worked in a lab that did DoD or DARPA research described how their CRT monitors basically had to be in Faraday cages. Annoyingly, it meant looking though a wire mesh that was the equivalent of a window screen.

It makes me wonder whether there's a solution to these RF side-channel attacks that could involve simply improving the EMI shielding of the workstations.
 

bit_user

Splendid
Ambassador
This technically isn't anything new, we knew it's possible to do it on CPUs around 10 years ago,
Did it work on the same principle of altering the CPU's clock speed?

What surprised me about this is that I expected it to involve running shader programs that modulated a signal through alternating between running loops and idling. I didn't expect it would be as simple as just manipulating the base clock frequency.
 
[....

Did it work on the same principle of altering the CPU's clock speed?

What surprised me about this is that I expected it to involve running shader programs that modulated a signal through alternating between running loops and idling. I didn't expect it would be as simple as just manipulating the base clock frequency.
I have to imagine there are ample opportunities considering the number of extemely high frequencies clocks and data paths inside of computers that could be monitored by any of the sensitive RF receivers and spectrum analyzers that are readily available. We don't make it hard, either, as we now use cases with windows for side panels and open-air cases even. And we've even removed the ferrite beads from cables (those lumps you often saw close to the connectors) that attenuated the signals before they could be conducted outside the case.

Security against this exploit is actually pretty simple. Just ensure your CPU case is well shielded with metal completely surrounding all electronic parts and no large holes, meaning metal fan grills are intact, and all screws are tightly installed. Tempered glass side panels should be metallized.
 
Last edited:
Reactions: bit_user

mchldpy

Distinguished
Jan 16, 2010
146
8
18,695
1
There are still people that look at you like your speaking a Foreign Language when you say "Air Gap". Those are usually the same bunch that believe Star Trek was filmed
"On Location".
 

Questors

Distinguished
Jan 17, 2004
68
1
18,630
0
How does modulating the card to pick up a radio frequency enable the stealing of data? How does this enable a person to capture what the system in question is processing? Or a fan vibration for that matter? This is what I want to know.
 

ASK THE COMMUNITY

TRENDING THREADS