top | item 28874426

korethr | 4 years ago

This feels like one of those obvious-in-hindsight things. Of course an unshielded conductor would radiate RF correlating with the signal it carries, and if you could pick up the radiated RF, and knew the modulation scheme and how to decode it, you could see what was on the wire.

I do find myself wondering some things though.

Ethernet cables are 4 differential pairs. As I understand, the whole idea of these twisted pairs carrying a differential signal is that any RF the cable picked up from the environment would be common-mode, and get cancelled out receiver side, allowing the transmitted signal to arrive unspoiled. So, in theory, one would have a hard time injecting spurious transmissions into an Ethernet cable via RF.

Is this supposed to work in reverse, where the common-mode rejection of a differential pair would prevent RF from leaking out of the cable? Or is this one of those theory vs. practice things, where in theory, it shouldn't, but in practice, being a not-ideal twisted differential pair (e.g. twist rate is wrong for frequency of interest, untwisted section, conductors of slightly different lengths, etc) allows some RF emission to leak out, uncancelled. And in the case of a cheap cable, something claiming to be Cat 6A in actuality might never have passed spec for Cat 5, and thus leaks way more RF than it should, because the quality and balance of the twist was half-assed?

Or am I badly misunderstanding how this works because I haven't started studying for an amateur radio license yet?

marcan_42 | 4 years ago

There is always going to be some leakage. The question is whether you can get a high enough signal to noise ratio to get any useful information about it.

What this guy is doing is what he always does: deliberately modulate the signal (in this case, sending packets slowly) at a very low rate and encoding information in that. Of course that works; it always does. It's not news and it has no research value. It's obvious that you can take any system that produces measurable emissions and then drive it in such a way to encode low-bandwidth data in those emissions.

It would be nice if he actually studied practical channel bandwidths and determined just how much information you can transmit with these techniques, but he doesn't have the chops for that. He just cranks out minimum viable PoCs to get the news cycle, using misleading clickbait headlines.

topspin | 4 years ago

You've got the basics right. An optimally coupled pair won't radiate. Nothing is optimal, however, so there is a small amount of RF radiation. Obviously this means not all RF energy from the environment is common mode as well. Thus the ever more substantial shielding that has appeared in later copper Ethernet cabling.

The implication of this clickbait is that ordinary traffic is being recovered from RF leakage. While that's theoretically possible given short range and a sensitive receiver, what we have here is someone creating a low frequency transmitter using copper Ethernet. That doesn't mean it is without interest or value; dismissing side channels like that has a poor track record. But it's not what you're led to believe with "attack reveals Ethernet cable traffic!"

marcan_42 | 4 years ago

I do wonder how close you'd have to go to actually demodulate real Gigabit Ethernet over the air. Given the 8 simultaneous data streams (4 pairs times two directions), I imagine you'd need at least 8 antennas to get anywhere, probably arranged in very close proximity to the cable to pick up on the spatial differences between the pairs. Then you'd have to use MIMO demodulation techniques. At that point you might as well just tap the cable.

100BASE-TX would be a lot easier, since that just uses a single pair in each direction.

FWIW, this isn't a side channel, at least not the way he's presenting it. It's a covert channel. That's different; side channels leak (significant) information from uncooperating sources. Covert channels require a cooperating source. There's a huge difference. Covert channels are largely academic and almost never relevant in real life. This isn't like research on things like extracting RSA keys from CPU EMI emitted during OpenSSL operations, which is a real side channel and much more valuable research.