No Software Required: Raspberry Pi Uses Electromagnetic Waves to Detect Malware

SourChipmunk · 14 Jan 2022 at 17:44

I couldn't find this already posted, and wasn't sure where to post it.

Not clear if this is an early April Fools joke or what. Does this even seem feasible?

https://www-pcmag-com.cdn.ampprojec...uses-electromagnetic-waves-to-detect?amp=true

https://www.tomshardware.com/news/raspberry-pi-detects-malware-with-em-waves

The end result is a system with a malware-detection accuracy of 99.82%, which could prove invaluable to malware analysts.

Rroff · 14 Jan 2022 at 17:52

I've only skimmed the details but looks like it only really works for embedded systems which have a very defined "clean" state in normal operation.

Something like a PC with very varied operating states normally likely it wouldn't work with.

Frozennova · 19 Jan 2022 at 20:01

It's entirely feasible, and much more common than you would think. NewAE produce a set of tools for Side channel analysis.

Much of the focus is around finding vulnerabilities as exploits rather than for malware detection. Certain operations produce very repeatable and consistent power draw traces from an embedded processor. AES is incredibly trivial to discover the keys for using differential power analysis

SourChipmunk · 21 Jan 2022 at 16:46

Rroff said:
Something like a PC with very varied operating states normally likely it wouldn't work with.

Frozennova said:
Certain operations produce very repeatable and consistent power draw traces from an embedded processor. AES is incredibly trivial to discover the keys for using differential power analysis

That certainly helps clear it up for me. In summary: they are scanning systems with a fairly static operation. In other words, any system will run within certain thresholds regarding heat, power consumption, things like that. So, if there is a [calculated] variation in monitored items, it will trigger an alert. Does that sound accurate?

I don’t know why the articles specify “malware”… this type of scan would be useful for detecting potential hardware failures or other unexpected loads. Pretty cool if you ask me.

Thanks for the feedback!

Frozennova · 23 Jan 2022 at 13:08

SourChipmunk said:
That certainly helps clear it up for me. In summary: they are scanning systems with a fairly static operation. In other words, any system will run within certain thresholds regarding heat, power consumption, things like that. So, if there is a [calculated] variation in monitored items, it will trigger an alert. Does that sound accurate?

I don’t know why the articles specify “malware”… this type of scan would be useful for detecting potential hardware failures or other unexpected loads. Pretty cool if you ask me.

Thanks for the feedback!

From my understand in simplistic terms yes, I haven't done much with side channel analysis. Mostly just going through the worked examples provided with a NewAE ChipWhisperer. It's not my specialty but is something that is explorers through work

Fundamentally you can profile the power trace of a device in normal operation. Then monitor the power trace for abnormalities later down the line.