Characterizing Information Leakage in Low Power Wireless Modules
Principal Investigator: Professor Joshi
Other Contributor: Mark Horeni
AWaRE REU Researcher: Brad King, Texas A&M University
Project Description: Due to tight on-die integration in low-cost, low-power wireless modules, digital and mixed-signal subsystems are often placed very close to each other. Noise coupling from the digital system is often indicative of the computations being performed and thus leaks information to the outside world. We would like to characterize this leakage and see what all can be inferred from power analysis and wireless signal analysis.
Finding: Many Bluetooth chips are vulnerable to wireless attacks because the digital logic and the radio transceiver are on the same integrated circuit, which places them very close together.
The digital circuit performs cryptographic tasks and the radio transceiver broadcasts the signal. The closeness of the two allows information from the digital circuit to leak electromagnetically into the radio transceiver and be transmitted as noise in the Bluetooth signal.
After enough data is collected, an algorithm called correlation radio analysis (CRA) can recover the keys. Because silicon varies from chip to chip in the fabrication process, a CRA trained on one chip is unlikely to work on many other chips.
Our research set out to train a convolutional neural network (CNN) on the same data collected for CRA to create a more generalized algorithm. Data was collected wirelessly with a software-defined radio (SDR) while the Bluetooth chip was continuously broadcasting and encrypting a plaintext message. The key stayed the same while the plaintext changed. An SDR equipped with a well-trained CNN could be placed in a room discreetly and decrypt Bluetooth signals.
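The leakage characterization described above, as an added example that is not the project's own code: an evaluator who knows the device's key correlates a Hamming-weight model of the intermediate value (here a simplified one-byte p XOR k, not the chip's real cipher) against every sample point of the captured radio traces, locating where the digital activity couples into the radio and how strongly. The traces, the leak position and the gain/noise levels are all constructed here, not measurements from the project.

```python
import random

SAMPLES = 40       # sample points per captured radio trace (constructed)
LEAK_POINT = 17    # constructed: index where digital activity couples into the radio
KEY_BYTE = 0x3C    # key the evaluator knows (white-box characterization)


def hamming_weight(x: int) -> int:
    return bin(x & 0xFF).count("1")


def simulate_trace(plaintext_byte, key_byte, gain, noise, rng):
    """Constructed leakage model: Gaussian radio noise at every sample, plus a
    component at LEAK_POINT proportional to the Hamming weight of the
    intermediate value the digital logic is processing."""
    trace = [rng.gauss(0.0, noise) for _ in range(SAMPLES)]
    trace[LEAK_POINT] += gain * hamming_weight(plaintext_byte ^ key_byte)
    return trace


def pearson(xs, ys):
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return 0.0 if vx == 0 or vy == 0 else cov / (vx * vy) ** 0.5


def leakage_profile(plaintexts, traces, key_byte):
    """Correlation between the known-key model and each sample point; a peak
    far above the null level marks where (and how strongly) the channel leaks."""
    model = [hamming_weight(p ^ key_byte) for p in plaintexts]
    return [pearson(model, [t[i] for t in traces]) for i in range(SAMPLES)]


def characterize(n_traces=2000, gain=0.1, noise=0.5, seed=1):
    rng = random.Random(seed)
    plaintexts = [rng.randrange(256) for _ in range(n_traces)]
    traces = [simulate_trace(p, KEY_BYTE, gain, noise, rng) for p in plaintexts]
    profile = leakage_profile(plaintexts, traces, KEY_BYTE)
    peak = max(range(SAMPLES), key=lambda i: abs(profile[i]))
    # Under the null (no leak) |r| is roughly N(0, 1/sqrt(n)); 4.5 sigma is a
    # conservative detection threshold across 40 sample points.
    threshold = 4.5 / n_traces ** 0.5
    return {"peak_index": peak, "peak_r": profile[peak],
            "threshold": threshold, "leaks": abs(profile[peak]) > threshold}


if __name__ == "__main__":
    print(characterize())          # leaking device
    print(characterize(gain=0.0))  # control: no data-dependent coupling
```

Setting gain to 0 models a device whose radio path carries no data-dependent component, so the same profile stays below threshold everywhere and the check reports no leak.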