Thursday, April 23rd 2020

Security Researchers Turn Radeon GPU into a Radio Transmitter with 50ft Range to Steal Data

Thursday we brought you a story of an improbable but ingenious cybersecurity attack vector called Air-ViBER, which uses fan vibrations to transmit data to a nearby listening device in an air-gapped environment. Another team of researchers, led by Mikhail Davidov and Baron Oldenburg, developed an equally ingenious but more insidious attack vector - rapid manipulation of clock speeds of an AMD Radeon Pro WX3100 GPU to turn it into a tunable radio transmitter; and ferrying data off as inaudible and invisible RF transmissions. The graphics card itself works as a radio transmitter, the computer needn't have a WLAN device.

What's worse, the signal has an impressive 50-foot (15.2 m) range, can pass through walls, and can have a far higher data-rate than the fan vibration hack. Even worse, the attack doesn't require any special hacks of the GPU driver or physical modification of the graphics card in any way - only a tool that can manipulate its clock speeds (any overclocking software can do that). Luckily, overclocking tools are privileged applications (requiring ring-0 access), and in most machines it springs up a UAC gate unless the overclocking software installs a driver and service that runs in the background (this installation requires a UAC authorization in the first place). If someone managed to install privileged software on your computer, you have bigger problems than a graphics card that likes to sing. Find technical details of the hack here, and a video presentation here.
Sources: Mikhail Davidov, via Tom's Hardware
Add your own comment

19 Comments on Security Researchers Turn Radeon GPU into a Radio Transmitter with 50ft Range to Steal Data

#1
btarunr
Editor & Senior Moderator
I have an idea for a mitigation. Reprogram the driver to apply user-specified clock speeds with a 4000 ms delay (without affecting the driver's internal clock-manipulation rate used by power-management). This will junk the hack's data-rate?
Posted on Reply
#3
Divide Overflow
NVidia cards can do this while minimizing the background noise!
Posted on Reply
#4
lexluthermiester
I think 50M is optimistic. 15M is pushing it even with the right equipment.
Posted on Reply
#5
btarunr
Editor & Senior Moderator
CORRECTION: I mixed up feet and meters. The range they claim is in feet. 50 ft = 15.2 m.
Posted on Reply
#6
Jism
btarunrI have an idea for a mitigation. Reprogram the driver to apply user-specified clock speeds with a 4000 ms delay (without affecting the driver's internal clock-manipulation rate used by power-management). This will junk the hack's data-rate?
A hack like this is more of a 007 bond type of hack shit that you see in movies. I mean it takes alot of skill to start using your GPU as a wireless device now. Any device inside a working pc is vulnerable towards a hack like this. I think they are better of using proper shielding of components in the first place if protected data should be kept sensitive in the first place.
Posted on Reply
#7
mtcn77
btarunrI have an idea for a mitigation. Reprogram the driver to apply user-specified clock speeds with a 4000 ms delay (without affecting the driver's internal clock-manipulation rate used by power-management). This will junk the hack's data-rate?
Hysteresis is a baller idea. I don't know why it doesn't get its share of usual fanfare. It locks into step all useless fan ramp modulations at supramaximum.

It is present in MSI Afterburner for instance.
Posted on Reply
#8
droopyRO
Use a passive cooled GPU, the iGPU and/or unplug fans from GPU, easy ... btw dose it interfere with the 5G spying ?
Posted on Reply
#9
AusWolf
droopyROUse a passive cooled GPU, the iGPU and/or unplug fans from GPU, easy ... btw dose it interfere with the 5G spying ?
Or use and nVidia GPU that sets a target clock, and only decreases it with heat and/or increased power consumption. For example, my 1660Ti runs on 1920/1905 MHz all the time. I doubt anyone can extract any information from that.
Posted on Reply
#10
Bruno Vieira
It doent need a patch, if the person has admin acess, turning the AMD gpu into a radio is not very efficient, you cant do so many easier things with the system
Posted on Reply
#11
rutra80
I'm doing a research of nVidia GPU leaking data with Morse code via flicking screen black & white.
Posted on Reply
#12
Tartaros
I love this, this is fucking big brain thinking enabling conspirationists to a brand new cosmos of bullshittery. I hope this is merged into the 5g covid lore.
Posted on Reply
#13
R-T-B
droopyROUse a passive cooled GPU, the iGPU and/or unplug fans from GPU, easy ... btw dose it interfere with the 5G spying ?
This hack doesn't use fans.

What 5G spying?
TartarosI hope this is merged into the 5g covid lore.
Oh god, please no.
rutra80I'm doing a research of nVidia GPU leaking data with Morse code via flicking screen black & white.
Honestly, it's just as practical as half of this, and not a bad idea. You could even set it to target a specific small pixel to avoid user notice. Because James Bonds screen capture software is always pixel-perfect... ENHANCE!
Posted on Reply
#14
rutra80
Vulnerability researched by me will be patched in the next nVidia drivers by applying a random 500-1500 ms delay on every frame render, thus bringing Morse transfer to unpractically low bandwidth. Sorry for making your lives miserable with 1 fps experience.
Posted on Reply
#15
remixedcat
TartarosI love this, this is fucking big brain thinking enabling conspirationists to a brand new cosmos of bullshittery. I hope this is merged into the 5g covid lore.
Too late every frog is gay
Posted on Reply
#16
lexluthermiester
btarunrCORRECTION: I mixed up feet and meters. The range they claim is in feet. 50 ft = 15.2 m.
Ah, that makes more sense. I still say it's optimistic to expect any usable data from such an exploit.
Posted on Reply
#17
Tartaros
remixedcatToo late every frog is gay
Posted on Reply
#18
candle_86
Yet secure sites also have Faraday cages around the computer systems and usually the building to stop any leaks. It's vector I guess could be a corporate system that's not properly sheilded but military, governments, and government contractors are required to keep air gapped data also behind physical access barriers and a Faraday cage.

I worked on the call desk for a defense contractor and one specific computer acted up. He had to write instructions down and error messages and hand carry them to said computer because his phone wouldn't work in the building because as he put it, it's inside a sheilded concrete area to protect it from any possible attack on the em spectrum or someone sneaking in wireless devices to capture data. I couldn't see this type of attack working.
Posted on Reply
#19
Octopuss
I don't undestand. What's this good for? So you can transmit data somehow to the next room.
What kind of data? This sounds more like script kiddie fun project rather than serious security problem.
Posted on Reply
Add your own comment
Jun 30th, 2022 05:40 EDT change timezone

New Forum Posts

Popular Reviews

Controversial News Posts