Security Researchers Turn Radeon GPU into a Radio Transmitter with 50ft Range to Steal Data

btarunr · Apr 24, 2020

Thursday we brought you a story of an improbable but ingenious cybersecurity attack vector called Air-ViBER, which uses fan vibrations to transmit data to a nearby listening device in an air-gapped environment. Another team of researchers, led by Mikhail Davidov and Baron Oldenburg, developed an equally ingenious but more insidious attack vector - rapid manipulation of clock speeds of an AMD Radeon Pro WX3100 GPU to turn it into a tunable radio transmitter; and ferrying data off as inaudible and invisible RF transmissions. The graphics card itself works as a radio transmitter, the computer needn't have a WLAN device.

What's worse, the signal has an impressive 50-foot (15.2 m) range, can pass through walls, and can have a far higher data-rate than the fan vibration hack. Even worse, the attack doesn't require any special hacks of the GPU driver or physical modification of the graphics card in any way - only a tool that can manipulate its clock speeds (any overclocking software can do that). Luckily, overclocking tools are privileged applications (requiring ring-0 access), and in most machines it springs up a UAC gate unless the overclocking software installs a driver and service that runs in the background (this installation requires a UAC authorization in the first place). If someone managed to install privileged software on your computer, you have bigger problems than a graphics card that likes to sing. Find technical details of the hack here, and a video presentation here.

View at TechPowerUp Main Site

btarunr · Apr 24, 2020

I have an idea for a mitigation. Reprogram the driver to apply user-specified clock speeds with a 4000 ms delay (without affecting the driver's internal clock-manipulation rate used by power-management). This will junk the hack's data-rate?

Lionheart · Apr 24, 2020

Nvidia right now :rolleyes:

Divide Overflow · Apr 24, 2020

NVidia cards can do this while minimizing the background noise!

lexluthermiester · Apr 24, 2020

I think 50M is optimistic. 15M is pushing it even with the right equipment.

btarunr · Apr 24, 2020

CORRECTION: I mixed up feet and meters. The range they claim is in feet. 50 ft = 15.2 m.

Jism · Apr 24, 2020

btarunr said:
I have an idea for a mitigation. Reprogram the driver to apply user-specified clock speeds with a 4000 ms delay (without affecting the driver's internal clock-manipulation rate used by power-management). This will junk the hack's data-rate?

A hack like this is more of a 007 bond type of hack shit that you see in movies. I mean it takes alot of skill to start using your GPU as a wireless device now. Any device inside a working pc is vulnerable towards a hack like this. I think they are better of using proper shielding of components in the first place if protected data should be kept sensitive in the first place.

mtcn77 · Apr 24, 2020

btarunr said:
I have an idea for a mitigation. Reprogram the driver to apply user-specified clock speeds with a 4000 ms delay (without affecting the driver's internal clock-manipulation rate used by power-management). This will junk the hack's data-rate?

Hysteresis is a baller idea. I don't know why it doesn't get its share of usual fanfare. It locks into step all useless fan ramp modulations at supramaximum.

It is present in MSI Afterburner for instance.

droopyRO · Apr 24, 2020

Use a passive cooled GPU, the iGPU and/or unplug fans from GPU, easy ... btw dose it interfere with the 5G spying ?

AusWolf · Apr 24, 2020

droopyRO said:
Use a passive cooled GPU, the iGPU and/or unplug fans from GPU, easy ... btw dose it interfere with the 5G spying ?

Or use and nVidia GPU that sets a target clock, and only decreases it with heat and/or increased power consumption. For example, my 1660Ti runs on 1920/1905 MHz all the time. I doubt anyone can extract any information from that.

Bruno Vieira · Apr 24, 2020

It doent need a patch, if the person has admin acess, turning the AMD gpu into a radio is not very efficient, you cant do so many easier things with the system

rutra80 · Apr 24, 2020

I'm doing a research of nVidia GPU leaking data with Morse code via flicking screen black & white.

Tartaros · Apr 24, 2020

I love this, this is fucking big brain thinking enabling conspirationists to a brand new cosmos of bullshittery. I hope this is merged into the 5g covid lore.

R-T-B · Apr 25, 2020

droopyRO said:
Use a passive cooled GPU, the iGPU and/or unplug fans from GPU, easy ... btw dose it interfere with the 5G spying ?

This hack doesn't use fans.

What 5G spying?

Tartaros said:
I hope this is merged into the 5g covid lore.

Oh god, please no.

rutra80 said:
I'm doing a research of nVidia GPU leaking data with Morse code via flicking screen black & white.

Honestly, it's just as practical as half of this, and not a bad idea. You could even set it to target a specific small pixel to avoid user notice. Because James Bonds screen capture software is always pixel-perfect... ENHANCE!

rutra80 · Apr 25, 2020

Vulnerability researched by me will be patched in the next nVidia drivers by applying a random 500-1500 ms delay on every frame render, thus bringing Morse transfer to unpractically low bandwidth. Sorry for making your lives miserable with 1 fps experience.

remixedcat · Apr 26, 2020

Tartaros said:
I love this, this is fucking big brain thinking enabling conspirationists to a brand new cosmos of bullshittery. I hope this is merged into the 5g covid lore.

Too late every frog is gay

lexluthermiester · Apr 26, 2020

btarunr said:
CORRECTION: I mixed up feet and meters. The range they claim is in feet. 50 ft = 15.2 m.

Ah, that makes more sense. I still say it's optimistic to expect any usable data from such an exploit.

Tartaros · Apr 26, 2020

remixedcat said:
Too late every frog is gay

candle_86 · Apr 27, 2020

Yet secure sites also have Faraday cages around the computer systems and usually the building to stop any leaks. It's vector I guess could be a corporate system that's not properly sheilded but military, governments, and government contractors are required to keep air gapped data also behind physical access barriers and a Faraday cage.

I worked on the call desk for a defense contractor and one specific computer acted up. He had to write instructions down and error messages and hand carry them to said computer because his phone wouldn't work in the building because as he put it, it's inside a sheilded concrete area to protect it from any possible attack on the em spectrum or someone sneaking in wireless devices to capture data. I couldn't see this type of attack working.

Octopuss · Apr 27, 2020

I don't undestand. What's this good for? So you can transmit data somehow to the next room.
What kind of data? This sounds more like script kiddie fun project rather than serious security problem.

System Name	RBMK-1000
Processor	AMD Ryzen 7 5700G
Motherboard	Gigabyte B550 AORUS Elite V2
Cooling	DeepCool Gammax L240 V2
Memory	2x 16GB DDR4-3200
Video Card(s)	Galax RTX 4070 Ti EX
Storage	Samsung 990 1TB
Display(s)	BenQ 1440p 60 Hz 27-inch
Case	Corsair Carbide 100R
Audio Device(s)	ASUS SupremeFX S1220A
Power Supply	Cooler Master MWE Gold 650W
Mouse	ASUS ROG Strix Impact
Keyboard	Gamdias Hermes E2
Software	Windows 11 Pro

System Name	RBMK-1000
Processor	AMD Ryzen 7 5700G
Motherboard	Gigabyte B550 AORUS Elite V2
Cooling	DeepCool Gammax L240 V2
Memory	2x 16GB DDR4-3200
Video Card(s)	Galax RTX 4070 Ti EX
Storage	Samsung 990 1TB
Display(s)	BenQ 1440p 60 Hz 27-inch
Case	Corsair Carbide 100R
Audio Device(s)	ASUS SupremeFX S1220A
Power Supply	Cooler Master MWE Gold 650W
Mouse	ASUS ROG Strix Impact
Keyboard	Gamdias Hermes E2
Software	Windows 11 Pro

System Name	Intel NUC 12 Extreme
Processor	Intel Core i7 12700 (E Cores Disabled)
Motherboard	Intel NUC Module Motherboard
Cooling	NUC Blower Cooler + 3 x 92mm Fans
Memory	64GB Corsair 3200Mhz CL22
Video Card(s)	PowerColor RX 9070 16GB Reaper
Storage	Silicon 512GB Gen4 SSD + 256GB SD Card
Display(s)	Sony 4K Bravia X85J 43Inch TV 120Hz
Case	Intel NUC 12 Extreme Mini ITX Case
Audio Device(s)	Realtek Audio + Dolby Atmos
Power Supply	SFX FSP 650 Gold Rated PSU
Mouse	Logitech G203 Lightsync Mouse
Keyboard	Red Dragon K552W RGB White KB.
VR HMD	( ◔ ʖ̯ ◔ )
Software	Windows 10 Home 64bit
Benchmark Scores	None. I also own a Apple Macbook Air M2

Processor	Ryzen 9 5900X
Motherboard	Gigabyte X570 Aorus Master
Cooling	ARCTIC Liquid Freezer III 360 A-RGB
Memory	32 GB Ballistix Elite DDR4-3600 CL16
Video Card(s)	XFX 6800 XT Speedster Merc 319 Black
Storage	Sabrent Rocket NVMe 4.0 1TB
Display(s)	LG 27GL850B x 2 / ASUS MG278Q
Case	be quiet! Silent Base 802
Audio Device(s)	Sound Blaster AE-7 / Sennheiser HD 660S
Power Supply	Seasonic Vertex PX-1200
Software	Windows 11 Pro 64

System Name	RBMK-1000
Processor	AMD Ryzen 7 5700G
Motherboard	Gigabyte B550 AORUS Elite V2
Cooling	DeepCool Gammax L240 V2
Memory	2x 16GB DDR4-3200
Video Card(s)	Galax RTX 4070 Ti EX
Storage	Samsung 990 1TB
Display(s)	BenQ 1440p 60 Hz 27-inch
Case	Corsair Carbide 100R
Audio Device(s)	ASUS SupremeFX S1220A
Power Supply	Cooler Master MWE Gold 650W
Mouse	ASUS ROG Strix Impact
Keyboard	Gamdias Hermes E2
Software	Windows 11 Pro

Security Researchers Turn Radeon GPU into a Radio Transmitter with 50ft Range to Steal Data

btarunr

Editor & Senior Moderator

btarunr

Editor & Senior Moderator

Lionheart

Divide Overflow

lexluthermiester

btarunr

Editor & Senior Moderator

Jism

mtcn77

droopyRO

AusWolf

Bruno Vieira

rutra80

Tartaros

R-T-B

rutra80

remixedcat

lexluthermiester

Tartaros

candle_86

Octopuss

System Name	My second and third PCs are Intel + Nvidia
Processor	AMD Ryzen 7 7800X3D @ 45 W TDP Eco Mode
Motherboard	MSi Pro B650M-A Wifi
Cooling	be quiet! Shadow Rock LP
Memory	2x 24 GB Corsair Vengeance DDR5-4800
Video Card(s)	PowerColor Reaper Radeon RX 9070 XT
Storage	2 TB Corsair MP600 GS, 4 TB Seagate Barracuda
Display(s)	Dell S3422DWG 34" 1440 UW 144 Hz
Case	Corsair Crystal 280X
Audio Device(s)	Logitech Z333 2.1 speakers, AKG Y50 headphones
Power Supply	750 W Seasonic Prime GX
Mouse	Logitech MX Master 2S
Keyboard	Logitech G413 SE
Software	Bazzite (Fedora Linux) KDE Plasma

System Name	Rectangulote 2
Processor	Ryzen 7 9800X3D
Motherboard	Asus TUF Gaming B650-PLUS
Cooling	Alphacool Eisbaer Pro Aurora 360 + 240 ST30
Memory	64 GB DDR5 6000mhz Corsair Vengeance
Video Card(s)	Asus TUF Gaming RTX 4090 OC
Storage	3 x WD Black SN-850X 1TB
Display(s)	2 x Asus ROG Swift PG278QR / LG C4
Case	Corsair 5000D Airflow
Audio Device(s)	Evga Nu Audio + Beyerdynamic DT 150 + Trust GTX 258
Power Supply	Corsair RMX1000
Mouse	Razer Naga Wireless Pro
Keyboard	Keychron K4
Software	Windows 11 Pro

System Name	Pioneer
Processor	Ryzen 9 9950X
Motherboard	MSI MAG X670E Tomahawk Wifi
Cooling	Noctua NH-D15 + A whole lotta Sunon, Phanteks and Corsair Maglev blower fans...
Memory	128GB (4x 32GB) G.Skill Flare X5 @ DDR5-4200(Running 1:1:1 w/FCLK)
Video Card(s)	XFX RX 7900 XTX Speedster Merc 310
Storage	Intel 5800X Optane 800GB boot, +2x Crucial P5 Plus 2TB PCIe 4.0 NVMe SSDs, 1x 2TB Seagate Exos 3.5"
Display(s)	55" LG 55" B9 OLED 4K Display
Case	Thermaltake Core X31
Audio Device(s)	TOSLINK->Schiit Modi MB->Asgard 2 DAC Amp->AKG Pro K712 Headphones or HDMI->B9 OLED
Power Supply	FSP Hydro Ti Pro 850W
Mouse	Logitech G305 Lightspeed Wireless
Keyboard	WASD Code v3 with Cherry Green keyswitches + PBT DS keycaps
Software	Gentoo Linux x64, other office machines run Windows 11 Enterprise

System Name	RemixedBeast-NX
Processor	Intel Xeon E5-2690 @ 2.9Ghz (8C/16T)
Motherboard	Dell Inc. 08HPGT (CPU 1)
Cooling	Dell Standard
Memory	24GB ECC
Video Card(s)	Gigabyte Nvidia RTX2060 6GB
Storage	2TB Samsung 860 EVO SSD//2TB WD Black HDD
Display(s)	Samsung SyncMaster P2350 23in @ 1920x1080 + Dell E2013H 20 in @1600x900
Case	Dell Precision T3600 Chassis
Audio Device(s)	Beyerdynamic DT770 Pro 80 // Fiio E7 Amp/DAC
Power Supply	630w Dell T3600 PSU
Mouse	Logitech G700s/G502
Keyboard	Logitech K740
VR HMD	Linktr.ee/remixedcat // for my music ♡♡
Software	Linux Mint 20
Benchmark Scores	Network: APs: Ubiquiti Unifi AP-AC-LR and Lite Router/Sw:Meraki MX64 MS220-8P

System Name	The86
Processor	Ryzen 5 3600
Motherboard	ASROCKS B450 Steel Legend
Cooling	AMD Stealth
Memory	2x8gb DDR4 3200 Corsair
Video Card(s)	EVGA RTX 3060 Ti
Storage	WD Black 512gb, WD Blue 1TB
Display(s)	AOC 24in
Case	Raidmax Alpha Prime
Power Supply	700W Thermaltake Smart
Mouse	Logitech Mx510
Keyboard	Razer BlackWidow 2012
Software	Windows 10 Professional

Processor	Ryzen 5800X
Motherboard	Asus TUF-Gaming B550-Plus
Cooling	Noctua NH-U14S
Memory	32GB G.Skill Trident Z Neo F4-3600C16D-32GTZNC
Video Card(s)	Sapphire AMD Radeon RX 7900 XTX Nitro+
Storage	HP EX950 512GB + Samsung 970 PRO 1TB
Display(s)	Cooler Master GP27Q
Case	Fractal Design Define R6 Black
Audio Device(s)	Creative Sound Blaster AE-5
Power Supply	Seasonic PRIME Ultra 650W Gold
Mouse	Roccat Kone AIMO Remastered
Software	Windows 10 x64