Jose Lopes Esteves
Information security research engineer at ANSSI
A Ghost in your Transmitter: analyzing polyglot signals for physical layer covert channels detection
During the last 5 years, the possibility of using physical covert channels to communicate with air-gapped information systems has been widely investigated, the main idea being the instrumentation of software or hardware components in order to encode information on a shared physical medium. In complement, logical covert channels in communication protocols have been intensively studied for several decades, mostly relying on unused or reserved fields in frames at logical layers or on the instrumentation of timings and state transitions in the target protocols. Interestingly, the exploitation of the physical layer characteristics of legitimate transmissions as covert channels seems to have been underestimated. More recently, an approach was proposed to superimpose two different protocols, one ASK-based and one PSK-based, within the same transmitted PHY frames, thus illustrating the possibility of covert channels using so-called polyglot signals.
In this study, we decided to focus on the possibility of using a compromised radiofrequency transceiver in order to create a covert channel on the physical layer while preserving a legitimate communication. To this end, we considered a classical QPSK transmission system on which a covert communication was implemented by modulating the legitimate (already modulated) signal. Several modulation schemes were formalized, showing that covert channels based on polyglot signals are not restricted to the use of complementary carrier characteristics (e.g. amplitude for channel 1 and phase for channel 2). For each attack model, a specific receiver was designed. Finally, we show that the detection of this kind of RF covert channel, which is not possible with a classical receiver, can be achieved by monitoring some simple RF characteristics with state-of-the-art signal processing algorithms.
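As an added illustration of the abstract's idea (not the authors' code), the toy simulation below models the simplest polyglot case: a QPSK link whose transmitter is assumed compromised so that it slowly varies the carrier amplitude, one covert bit per block of symbols, while the phase-coded legitimate data is preserved. The classical sign-decision receiver recovers the legitimate bits unchanged, a dedicated receiver recovers the covert bits, and an envelope monitor detects the channel purely from an RF characteristic (amplitude spread) that the classical receiver ignores. The constants DEPTH, BLOCK and SIGMA are assumptions chosen for the demo.

```python
import cmath
import math
import random

DEPTH = 0.10   # assumed covert amplitude swing (+/-10 % around the nominal level)
BLOCK = 16     # assumed number of QPSK symbols carrying one covert bit
SIGMA = 0.02   # assumed channel noise standard deviation per I/Q component

# Gray-mapped QPSK constellation, unit amplitude.
QPSK = {(0, 0): cmath.exp(1j * math.pi / 4), (0, 1): cmath.exp(3j * math.pi / 4),
        (1, 1): cmath.exp(-3j * math.pi / 4), (1, 0): cmath.exp(-1j * math.pi / 4)}

def qpsk_modulate(bits):
    return [QPSK[(bits[i], bits[i + 1])] for i in range(0, len(bits), 2)]

def qpsk_demodulate(symbols):
    """Classical receiver: sign decisions on Q then I; the amplitude is ignored."""
    bits = []
    for s in symbols:
        bits += [int(s.imag < 0), int(s.real < 0)]
    return bits

def compromised_transmitter(legit_bits, covert_bits):
    """Polyglot signal: legitimate QPSK symbols scaled by a per-block covert gain."""
    gains = [1 + DEPTH if b else 1 - DEPTH for b in covert_bits for _ in range(BLOCK)]
    return [s * g for s, g in zip(qpsk_modulate(legit_bits), gains)]

def channel(symbols, seed=1):
    """Additive Gaussian noise on I and Q, seeded so the demo is repeatable."""
    rng = random.Random(seed)
    return [s + complex(rng.gauss(0, SIGMA), rng.gauss(0, SIGMA)) for s in symbols]

def block_means(symbols):
    mags = [abs(s) for s in symbols]
    return [sum(mags[i:i + BLOCK]) / BLOCK for i in range(0, len(mags), BLOCK)]

def covert_receiver(symbols):
    """Dedicated receiver: one covert bit per block from the mean amplitude."""
    return [int(m > 1.0) for m in block_means(symbols)]

def envelope_monitor(symbols, noise_sigma=SIGMA):
    """Detector: on a constant-envelope link the block-mean amplitude should only
    wander by about noise_sigma / sqrt(BLOCK); a larger spread is flagged."""
    means = block_means(symbols)
    mu = sum(means) / len(means)
    spread = math.sqrt(sum((m - mu) ** 2 for m in means) / len(means))
    return spread > 4 * noise_sigma / math.sqrt(BLOCK)
```

The monitor needs no knowledge of the covert scheme, only a baseline of the link's normal envelope statistics; a real deployment would replace the fixed noise estimate with one learned from known-clean traffic.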
Emmanuel Cottais is an electromagnetic security researcher at ANSSI, where he works on threats related to spurious compromising emanations (TEMPEST).
Chaouki Kasmi is an electromagnetic security researcher at ANSSI, where he works on threats related to spurious compromising emanations (TEMPEST) and intentional electromagnetic interferences (IEMI). Chaouki has been giving lectures on EMSEC in French and foreign universities since 2010. Chaouki has also presented the research from his PhD in Electronics at numerous national and international conferences, including IEEE Conferences on EMC, AMEREM and URSI.
Jose Lopes Esteves is an information security research engineer at ANSSI. His main interests are embedded systems security and wireless security. Jose also gives lectures on those topics in French universities. Before that, he worked as a security evaluator and a pentester in a French ITSEC.