Electromagnetic Information Extortion from Electronic Devices Using Interceptor and Its Countermeasure

. The problem of information leakage through electromagnetic waves for various devices has been extensively discussed in literature. Conventionally, devices that are under such a threat suﬀer from potential electromagnetic information leakage during their operation. Further, the information inside the devices can be obtained by monitoring the electromagnetic waves leaking at the boundaries of the devices. The leakage of electromagnetic waves, however, was not observed for some devices, and such devices were not the target of the threat discussed above. In light of this circumstance, this paper discusses an “interceptor” that forces the leakage of information through electromagnetic waves, even from devices in which potential electromagnetic leakage does not occur. The proposed interceptor is a small circuit consisting of an aﬀordable semiconductor chip and wiring and is powered by electromagnetic waves that irradiate from the outside of a device as its driving energy. The distance at which information is obtained is controlled by increasing the intensity of the irradiated electromagnetic waves. The paper presents the structure of the circuit for implementing the proposed interceptor to be used in major input–output devices and cryptographic modules, mounting a pathway designed on the basis of the construction method onto each device. Moreover, it is shown that it is possible to forcefully cause information leakage through electromagnetic waves. To detect the aforementioned threat, the paper also focuses on the changes in a device itself and the surrounding electromagnetic environment as a result of mounting an interceptor and considers a method of detecting an interceptor by both passive and active monitoring methods.


Introduction
The performance of consumer measurement devices and the speeds of computational resources have improved, while memory device capacities have become larger in recent years, facilitating statistical analyses of data observed over a long period of time.These analyses demonstrated that, through the leakage of electromagnetic (EM) waves, information can be rapidly and easily extracted from devices without leaving any trace.Therefore, a wide range of data communication devices are under threat associated with the leakage of EM waves.Given this background, various information-containing and ubiquitous devices have been examined for the analysis and procurement of leakage signals via EM radiation, including cathode-ray tube (CRT) and liquid-crystal display (LCD) monitors [VE85, Kuh02, Kuh04, Kuh05, Kuh13, SS07, SS08, Sek10, SS13, TYF11, SJY14], touchscreen monitors [HHM + 14], information printed by printers [TTY + 06], key data input from keyboards EM radiation that is unintentionally generated from electronic devices has been considered in the field of EM engineering, and the mechanism of radiation can be explained by the EM radiation model shown in Figure 1 [Pau06].
The target signals to be obtained by an attacker (e.g., the drawing signals on a display, the scan signals on a keyboard, and the side channels generated during cryptographic processing) vary with time in a manner similar to the source signal shown in Figure 1.The rising and falling edges of signals include broadband signals such as the spectrum of the source signal in Figure 1.EM waves are efficiently radiated when the frequency components and the antenna characteristics composed of the physical structure of the circuit board and wiring pattern (Figure 1, antenna factor) match.
Generally, many device designers tend to design circuits assuming that signals are transmitted only along the wiring.However, in actual devices, the high-frequency components, included in the rising and falling edges of signals, are successively transmitted above the wiring owing to the coupling of the capacity and the induction in the wires.Therefore, an unpredictable structure behaves as an antenna, and EM radiation occurs.When the classified information inside the device is included in such radiation, information leakage occurs through EM waves.
However, if there exist no coupling paths or unexpected antenna structures in the device, the EM waves that contain information do not propagate until the attacker, who is at a distance.Therefore, not all devices leak information by EM waves unless critical paths or unexpected antenna structures which increase possibilities of information leakage are formed inside the devices.For these devices, it is difficult to obtain information from leaked EM waves, and TEMPEST studies only looked at devices that experience potential leakage.
Our contribution.In light of the above, an interceptor that forces information leakage from targeted devices by EM waves is proposed in this paper.The interceptor expands the range of target devices from devices that exhibit potential leakage to those that do not.We develop an interceptor based on a concept similar to that of a miniature circuit built by an inexpensive circuit element and simple wiring without a special antenna structure.The interceptor is mounted onto electronic devices.
The proposed interceptor operates only by using the EM waves of a particular frequency irradiated from the outside the device as the driving energy.Using the irradiated frequency as a carrier, the confidential information inside a device is modulated and forcibly leaked outside the device.In addition, the distance at which EM waves containing information are transmitted can be controlled by changing the irradiation intensity.Information can thus be obtained from a standalone system that does not possess a communication line.Furthermore, the proposed interceptor leaks the waveforms of the information signals without any change in comparison with the differentiated waveform of conventional TEMPEST.
In addition, this paper explains the operation principles of the developed interceptor, and on the basis of these principles, discusses the features of the devices to which the interceptor can be applied.As specific examples, the interceptor is mounted onto input devices and cryptographic modules where highly sensitive information is exchanged, and we show how information is leaked.A detection method for verifying whether the interceptor is mounted onto a device in secrecy is also discussed.
The contributions of this paper are as follows: • The acquisition of information is made possible by forcibly causing leakage from devices (as in essence the leakage is there in the device already, it is just not radiated out).
• Leakage is only measurable from a distance during the irradiation of EM waves from devices, and the range of leakage is adjustable by the irradiation intensity (in conventional TEMPEST, the range from which an attack can be performed was determined by the intensity of the EM waves radiating from devices).
• The proposed interceptor covers both analog and digital signals and leaks information outside devices by using a physical structure inside the devices, such as the antenna.
• The proposed interceptor does not require a special antenna to leak information until a certain distance.Interceptors emanate information from unintended antenna structures (e.g., the transmission lines inside the device, the cables connected to the device, etc.).
• Conventional TEMPEST measures the differentiated shape of the original signal.However, the signal leaked by the interceptor retains the original shape, and this waveform can be measured.

Related work.
Although a circuit with a concept similar to that of the interceptor proposed in this study also appears in the NSA ANT catalog [Wik], actual examples are provided in the NSA Playset, which contains a radio frequency (RF) retroreflector [Oss14][Oss15], and a Green Bay Professional Packet Radio (GBPPR) project [Proa][Prob] [Proc].Their structure is similar to RF identification (RFID) [Leh12], which requires a special external antenna to communicate with outside devices.Thus, the implementation targets of these circuits are limited to certain devices, and their applications are very limited compared with those of the interceptor proposed in this study.In addition, if a special antenna is shielded with device housing made from metal as a conventional EM compatibility (EMC) countermeasure, these circuits might not work.Moreover, if an interceptor with an external antenna is implemented on a communication cable, it can be easily detected visually.In contrast, if an unintended antenna is employed, the above problem will not occur.
The possibility of an active attack using intentional EM interference is pointed out in [KA98] [And08].The concept of a TEMPEST virus shown in [And08], which modifies target devices, steals secret information, and transmits it to an outside device, is similar to an interceptor.However, the feasibility, detailed mechanisms, and examples are not shown in previous studies.
Furthermore, in an irradiation attack, the transmission power increases as the attack distance increases.As a result of the increased power, the carrier signal directly propagates from the transmit antenna (Tx) to the receive antenna (Rx).In this circumstance, the modulation index of the received wave decreases.This is a problem that occurs with or without an external antenna.Therefore, in conventional studies, only demonstrations at short distances (less than 1 m) have been shown.In contrast, in this research, the array of antennas used for the attack is optimized, and the carrier signal is directly suppressed from the transmit antenna to the receive antenna [ESS14].Specifically, the antenna array employs directional antennas that have null directions, for which antenna gain is a local minima.In the attack experiments, we arranged the null direction of the transmission and reception antennas to face each other.This arrangement electrically decouples both antennas.Therefore, our attack works over distances of several meters or greater.
Structure of this paper.This paper is structured as follows.Section 2 explains the features and principles of the interceptor developed in this study as well as the approach to selecting a field effect transistor (FET) with respect to the installation target.Section 3 discusses devices that exchange highly sensitive information that have been the targets of conventional TEMPEST and EM side-channel attacks.Further, this section shows that information leakage can be forced by installing the interceptor onto devices for which it is difficult to obtain information through conventional means.Section 4 discusses methods that can be used to detect whether an interceptor is attached to a device.Section 5 concludes this paper.

Scenarios in which an interceptor is installed on a device
The interceptor proposed in this paper assumes installation or placement on the printed circuit board (PCB) of a target device or on a communication cable.
Another threat that assumes a similar scenario is a hardware trojan (HT) in which a malicious circuit is implemented in a system, but the targets for HTs were mainly limited to implementations inside integrated circuits (ICs) [CY10, WTP08, GM11, RWTP08, CLK11].In contrast, the proposed interceptor consists of affordable (a few dollars) electronic components, and the degree of freedom with respect to its implementation is improved.This is because it can be implemented outside an IC owing to its ability to be easily implemented onto the circuit boards and wiring that constitute the device as well as the transmission lines for the interconnecting devices.For example, this interceptor can be easily connected to the motherboard that constitutes an information device in a similar manner to the "tiny microchip" discussed in the Bloomberg article titled "The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies" from early October of 2018 [Blo18].If the targeted signals are transmitted to the outside of a device through a communication line, then such a path of communication could be appropriate for the implementation of the circuit.
Considering that the proposed interceptor consists of a small-scale circuit, the device may be implemented on circuit boards and transmission lines as a regular component during the manufacturing process by disguising it as a regular electronic component such as the capacitors and inductors that are implemented in the device (Figure 2, Figure 3).In general, information communication devices undergo EMC testing related to EM radiation (e.g.CISPR (Comité International Spécial des Perturbations Radioélectriques) 22) and immunity to EM disturbance (e.g.CISPR 16) before shipping.However, because the proposed interceptor requires to irradiate it and to measure its emission simultaneously, the interceptor may pass conventional EMC tests, which individually evaluate radiation and disturbance.Moreover, because the structure of the interceptor is simple, it can be inserted if the attacker can access the target device for a short duration after EMC testing.
The proposed interceptor has limited functionality unlike HTs that are traditionally implemented inside an IC.An HT implemented inside an IC can perform various functions such as the modification of functionality, the modification of specifications, the leakage of

Structure of an interceptor and the principles of leakage
This section discusses the circuit composition of an interceptor and its operating principles.
Figure 4 shows a conceptual diagram of the interceptor used in this study.The circuit consists of a single FET and short wiring and uses a line connected to a wiring pattern on the circuit board and to devices such as antennas (referred to as unintentional antennas henceforth).By mounting such a circuit on the targeted device, the information inside the device is leaked to the outside through EM waves.From conventional studies [Pau06, HHM + 12b], the signals transmitted over a line connected to the wiring pattern and the devices on a circuit board are known to leak over the entire circuit board and connecting lines through the connection of the transmitting line with the other lines and the board itself.The interceptor can be operated by mounting it at a location where the leaked signals can be measured and unintentional antenna structures are adjacent.
Next, the principle of information leakage caused by the interceptor is explained.As shown in Figure 5, an interceptor consists of an unintentional antenna, a reflective and absorbing element with a high-frequency power, and intercepting wiring for the targeted signals.The EM waves that irradiate a device from the outside cause the unintentional antenna to have a high-frequency power.If the reflective and absorbing element with a high-frequency power is not connected to the unintentional antenna, a reflected wave is generated depending on the magnitude of the high-frequency power.This wave is the same as the reflected wave generated when EM waves irradiate the conductor.However, when there is an element that reflects, absorbs, and changes the strength of the generated high-frequency power of the unintentional antenna, its reflected wave corresponds to the amount of power reflected by the reflective and absorbing element.Moreover, instead of an irradiated EM wave, a conductive wave can be induced from the power/communication line.In this case, the loss of the EM wave is low; therefore, it might reach targets even if there is a structure that decreases its strength over air, such as a shield.
In the proposed interceptor, a reflective and absorbing element with a high-frequency power that can be controlled by a voltage is achieved by using a FET.Additionally, by using information bearing signals from inside the device as the control voltage for the interceptor, a reflected wave where the intensity is modulated by that information bearing signal, i.e. an amplitude-modulating (AM) signal, is generated.
The specific principles of an interceptor are shown by the operation of a mixer circuit in which two signals are multiplied.A mixer circuit multiplies an intercepted signal s BB (t) and a high-frequency signal s C (t) induced by externally irradiated EM waves and generates an amplitude-modulated signal s AM (t) = s BB (t)s C (t), where s C (t) is the carrier signal and s BB (t) is the baseband signal.The time-varying signal s BB (t) is radiated outside the device as the amplitude-modulated signal s AM (t) through an unintentional antenna.The interceptor used in this study can be seen as a passive mixer circuit composed of a single FET.
Next, the amplitude-modulated reflected wave s AM (t) is received at the frequency at which this wave irradiates the device.By treating this frequency as a carrier and demodulating it, the intercepted signal s BB (t) can be obtained.This operation can be thought of as an attack that obtains information by combining an active attack [MOP07] and a passive [JT12] attack.
Since the strength of the carrier signal s C (t) is proportional to the intensity of the EM waves irradiating from the outside of the device, the intensity of the EM waves s AM (t) for leaking the intercepted information can be controlled by the irradiation intensity.In other words, the interceptor in this study can control the intensity of the radiation from the target devices, enabling intentional control of the monitoring distance [KH18], which was previously impossible for attackers with TEMPEST.This fact indicates that the attack distance can be extended by strengthening the irradiation intensity within the operating range of the FET.
For an extended attack range or an environment with a great degree of propagation attenuation, the strength of s AM (t) must be raised further.To do so, a resonant frequency at which the reception efficiency of the unintentional antenna is maximized is utilized.Treating max(|s C (t)|) as the maximum, the strength s AM (t) of the EM waves that leak information from the inside of devices can be maximized.The resonant frequencies of the unintended antenna are determined depending on the physical structure [Pau06][Mar92].Among the physical structures, we focused on the resonant frequency determined by the dimensions of the circuit board and the length of the line attached to devices [HHM + 12a].The irradiation and monitoring of these EM waves can be conducted from the antenna through space, a current probe via a power line connected to the device, or a combination of these approaches.

Selection of a FET to match targeted information
Although it is possible to forcefully cause leakage from electronic devices through EM waves by the concept discussed above, an appropriate FET needs to be selected for the targeted device.The following are notable for the selection of the FET: In the next section, the conditions that each point should satisfy are discussed, and an approach for selecting the FET that constitutes an interceptor is provided.

Relationship that the FET impedance and the voltage of the target signal should satisfy
This section presents the selection criteria for the FET that generates the optimal amplitudemodulated signals for the interception of information by deriving the conditions for the impedance.
To design an interceptor suitable for the target signals, the drain-source impedance Z f et of the FET used in the interceptor circuit needs to be variable within the voltage range of the target signals.A threshold voltage or pinch-off voltage exists in a FET as a voltage V gs is applied between the gate and the source to initiate a change in Z f et .This voltage is noted on the FET data sheet, but it cannot be applied to the interceptor circuit, in which a direct current (DC) potential difference does not exist between the drain and the source.Therefore, the change in the drain-source impedance as a function of the gate-source voltage needs to be measured per FET, and an appropriate FET needs to be selected.
The FET impedance Z f et can be measured by using the measurement system shown in Figure 6.By varying V gs and measuring Z f et with a network analyzer, a graph of V gs versus Z f et can be obtained.The values of V gs at which Z f et changes need to be read from the graph, and the FET suitable for the target needs to be selected accordingly.

Driving the interceptor and the reception method for leaked signals
This section discusses the driving method of the interceptor, whose structure and principles were discussed in Section 2.2 as well as the method of obtaining leaked signals.
Driving the interceptor requires the irradiation of EM waves from outside of the device on which the interceptor is installed.The interceptor uses the EM waves to drive itself and as a carrier of modulated waves that cause information to leak to the outside by generating amplitude-modulated signals and radiating the intercepted signals.Figure 7 shows the transmission-and-reception system that radiates EM waves and receives and demodulates amplitude-modulated signals.
The transmission-and-reception system consists of a transmission system and reception system.The transmission system sends continuous sine waves as EM waves.Signals are amplified until they reach a value that can supply the power needed to drive the FET and irradiate EM waves to the devices on which an interceptor is installed.This is accomplished by using an antenna suitable for the frequency that can be easily absorbed by the intercepting device.An EM wave with a strength that is sufficiently high to activate the FET but does not destroy the device must be radiated.The maximum radiated power is limited by the radiation strength that does not destroy the device, and the reach of the re-emitted signal caused by the signal having this strength limits the maximum attack range.Moreover, an efficient frequency for irradiation can be estimated from the physical structure of the device[HHM + 12a], and the transmission system should cover this frequency.
The reception system receives the amplitude-modulated signals radiated by the interceptor and reconstructs the signals.Since EM waves are received at the same frequency as that of the radiated frequency, an antenna tuned to the same frequency as the antenna used for transmission is used.Further, the dynamic range of the reception system should cover both the carrier signal and amplitude-modulated signal.In addition, the modulation index of amplitude-modulated signal may be a quantitative index that can be used to determine the quality of the acquisition of information.
The received signals are processed by converting the frequency and then digitized by an analog-to-digital converter.During signal processing, a low-pass filter appropriate for the frequency bandwidth of the target signals is applied, followed by AM demodulation, producing the intercepted signals.Data are obtained by analyzing the reconstructed intercepted signals according to the protocol.The transmission system and reception system are controlled by a personal computer (PC) that synchronizes the frequency between transmission and reception.

Case study
This section describes the mounting of the interceptor described in Section 2 onto a target device, which induces information leakage using EM waves.The targeted devices are mainly those that have been used as targets in past studies on TEMPEST and EM side-channel attacks for comparison between the conventional and proposed attack methods.We also evaluate the microphone of a smart speaker as a bugging device as an example of a target that does not appear in conventional research.
For each experiment, the basic circuit of the interceptor discussed in Section 2 was expanded according to the speed at which targeted information is processed to show that the timing and distance at which leakage is caused can be freely controlled.

Selection of the FET used for the interceptor based on the target signal characteristics
On the basis of the FET selection criteria discussed in Section 2.3, this experiment used the following FET for the interceptor.Table 1 summarizes the specifications of the targeted device and internal signals.The results for the PS/2 Keyboard are not included because they might be covered by the Since the signal voltage is in a positive range between 0 V and 5 V, except for sidechannel signals for cryptographic devices, an enhancement-mode FET needs to be selected to expect changes in the impedance in this range.This study used a Broadcom ATF-54143 FET that satisfies such conditions.Figure 9 presents a graph that shows the relationship between the gate-source voltage, the drain-source impedance, and the frequency of the signal applied between the drain and the source of the Broadcom ATF-54143 FET, which satisfies the conditions described above.
The side-channel information leak caused by the encryption module consists of an impulse signal series with a small range of voltage fluctuation of approximately 0.3 V. Therefore, by adding a peak hold circuit to the interceptor, it is optimized with respect to AM, which is expanded to a voltage range between 0 V and 0.7 V by further amplification.Given that the fluctuation in this range of voltages is covered by the Broadcom ATF-54143 FET.
According to the specific examples of attacks using interceptors that have been described above, if the voltage and frequency range of the victim signals are within the range in Figure 8, the interceptor may work by simply optimizing the circuit constants such as the value of the resistor.If not, the attack may not succeed.This is the limit of our proposed method.

Transmission-and-reception system used in the experiment
Following the driving force behind an interceptor and the reception method for leaked signals, as discussed in Section 2.4, this section describes the transmission-and-reception system.Table 2 lists the experimental devices, and Figure 10 shows the system components and layout.The specifications of the entire transmission-and-reception system are listed in Table 3.
The transmission system consists of a signal generator, an amplifier, and a transmission antenna.The signal generator generates sine waves that serve as an arbitrary frequency and startup power for the interceptor.The generated sine waves are amplified to 40 dB by an amplifier and input into the transmission antenna.
The reception system consists of a reception antenna and software-defined radio (SDR).The reception antenna can also be used as a transmission antenna by using a circulator, but this approach is flawed, given the fact that the reception sensitivity decreases.For this reason, given the fact that the ultrahigh frequency (UHF) antenna is small, this experiment used a structure in which the transmission and reception antennas are separated.Compared to the 19-inch rack, 4-unit volume, and 20-kg weight of the conventional TEMPEST receiver (Dynamic Sciences R-1550A) [Sci], the setup for this experiment is miniature (27.7 cm × 21.8 cm × 3.8 cm) and lightweight (1.7 kg).Further, digital signal processing can be used to filter and remove noise without the use of additional devices.

Experimental procedure
In the experiment, the distance with respect to the target device mounted with an interceptor is varied, and the changes in the quality of the received signals with the distance are observed.Additionally, to compare the leaked signals obtained by conventional TEMPEST  and the signals obtained by the proposed method, leaked EM waves were also measured for devices not mounted with an interceptor.In this experiment, conventional TEMPEST uses a cable with a shield cut to evaluate the signals leaked under the same conditions when the interceptor is installed.Moreover, conventional TEMPEST is performed at the frequency where the received power is maximum [HHT + 16].Note that conventional TEMPEST attacks do not work against potentially leak-free devices.Therefore, even if the shield is cut, it is difficult to obtain information using conventional TEMPEST unless the frequency containing the information causes resonance on the cable and the signal is not radiated outside the device.The experimental setup of the conventional TEMPEST is identical to that in Figure 10.

USB keyboard (digital input device)
A USB keyboard was used as the target.Similar to a PS/2 keyboard, a USB keyboard is a commonly used input device.Unlike a PS/2 keyboard, the signals treated inside the device are digital signals of several megabits per second.A USB keyboard was separately evaluated since the methods for mounting the interceptor and detecting signals are different.

Signals inside the targeted USB keyboard
The targeted USB keyboard sends key input information to the USB host through the following procedure.First, the states of the keys over the key matrix are monitored and recorded by a built-in microcomputer.Next, the key code of the key that is pressed at the moment is returned in response to the read request from the USB host.The transmitted data are the key code values assigned to each key. Figure 11 shows the key input information sent from the keyboard and a schematic of the communication signals.A key code, which is the key input information, is transmitted as a data packet as a response to a data request by a token packet from the USB host.The payload of the data packet is 12-byte data with a unit of 8 bits, as shown in Figure 12. Figure 12 shows the data packet transmitted while the "A" key is pressed.When a single key is entered, the data are set to the Key Code 1 field.When multiple keys are simultaneously entered, a maximum of six keys are set to the fields for Key Codes 1-6.

Circuit of the interceptor and its implementation
Figure 13 shows the circuit diagram of the interceptor used in the experiment and its implementation method.This circuit consists of a FET and resistors.
To intercept key input information with the interceptor, it is sufficient to obtain either one of the D-or D+ signals, as D-and D+ are complementary.The interceptor in this experiment was structured such that signal information was transmitted outside the device by intercepting the D-signal.The resistances of R1 and R2 are determined to implement a resistive voltage divider that restricts the peak gate-to-source voltage to 0.6 V.  Figure 14 shows the state in which the interceptor built in this experiment is mounted in the cable.The FET is small in size and can be covered easily by the cable jacket; thus, its presence can be hidden.
This experiment induced information leakage by connecting each pin to the communication line of the USB cable.Pin 1 is connected to the D-signal line, Pin 2 is connected to the shield drain wire on the keyboard side, and Pin 3 is connected to the shield drain wire on the USB host side.Shield drain wires function as unintentional antenna.Amplitude-modulated signals are generated by multiplying the alternating current (AC) signals generated between Pins 2 and 3 by irradiating EM waves and communication signals from the keyboard inputs from Pin 1 using the FET.Radiation outside the device occurs, as these signals are transmitted to the unintentional antenna.Moreover, through AM demodulation outside the device, the data signals generated by key inputs can be obtained.

Experimental environment
The experimental environment setup is shown in Figure 10, and the parameters used are listed in Table 4.As explained in the previous section, EM waves irradiated the target device, and the modulated signal was received.
In this section, the unintentional antenna is implemented by the USB cable, keyboard, and PC.The total length of this unintended antenna is 2 m, and the antenna structure can be regarded as a dipole antenna.Therefore, the resonance occurs when the condition is satisfied, where f n is the resonance frequency of the antenna, n is the order of resonance, c is the light speed and L is the total length of the unintended antenna.The resonance frequency of this antenna can be obtained from Equation 1 as 75, 225, 375, 525, and 675 MHz.Among these frequencies, we employed the frequency around 675 MHz that is suitable for the frequency characteristics of the antenna used for the attack.Given that the data signals were square waves with a maximum frequency of 750 kHz, the bandwidth used for demodulation was 50 MHz, which included a third-order harmonic.Therefore, bits were readable as square waves from the temporal waveforms after demodulation.The bandwidth was limited up to the third-order harmonic to reduce the calculation cost during signal processing and measurements in real time.

Acquisition of information using the interceptor
Next, the possibility of leaking information from a USB keyboard mounted with an interceptor is specifically considered.In the following experiment, a waveform in which the letter "A" is continuously typed is monitored.
Figure 15 shows the original waveform of the data signals.The data signals could not be monitored with the conventional TEMPEST and without an interceptor, as shown in Figure 16 (similar in the other case studies).Figure 17 shows the result after demodulation of the received signals and two-value processing using the hysteresis threshold value when the distance between the target onto which the interceptor was mounted and the receive antenna was 1 m.We can demodulate the obtained signal and recover the original bit sequence.Figure 18 shows the result when the distance between the target and the antenna was increased to 5 m, the output intensity of the EM waves was increased, and reception and demodulation processing similar to the case for a distance of 1 m were performed.As with the case for a distance of 1 m, the result was such that bit restoration was possible.

Cryptographic devices (analog signal)
In this section, the secret key of a Rivest-Shamir-Adleman (RSA) cryptographic device is obtained by mounting an interceptor onto it, forcing the radiation of side-channel information outside the device, and performing a simple EM analysis (SEMA) [AARR02, MOP07].

Targeted side-channel signal
Regarding the side-channel signals, this experiment focused on the core voltage fluctuation caused by the operation of a field-programmable gate array (FPGA; Xilinx Artix-7 XC7A35T-L1CSG324I).In the side-channel signals, the squaring operation appears as a large amplitude, and multiplication appears as a small amplitude (Figure 19).As for the correspondence between the bit of the secret key and the core voltage waveform where the secret key is treated as the repeated bit pattern discussed above, a squaring operation whose amplitude is large is performed when the bit is 0. A multiplication operation whose amplitude is small is performed after the squaring operation when the bit is 1.Using this feature, the secret key can be extracted on a bitwise basis.
The aforementioned side-channel signals consist of a series of impulse signals, and their source of generation is the transient current caused by the operation of the complementary metal-oxide-semiconductor (CMOS) gate that constitutes the FPGA. Figure 20 shows an expanded diagram of the temporal waveform of the impulse signal series.The secret key data of the RSA cryptographic device is included in the envelope of this impulse signal series.For this reason, the envelope line was intercepted from the side-channel signals at the interceptor for the cryptographic module, and the envelope signals are leaked as an amplitude-modulated signal outside the device.
The specifications of the RSA cryptographic device implemented onto the FPGA and the data, key, and input data are as follows.The left to right binary method was used for the algorithm.The key length was 1024 bits.Some chosen plaintext was used as the input data, where the least significant bit (LSB) was 1 and everything else was input as 1-, which represents 0. The key value repeated an 8-byte pattern of 0x0123456789abcdef 16 times, a value at which changes in bit pattern were easily monitored.

Circuit of the interceptor and its implementation
Figure 21 shows the circuit and wiring diagrams of the interceptor.Because this interceptor circuit is implemented on a power source plane of the cryptographic module, it is able to gain DC power in addition to the side-channel signals.For this reason, this circuit operates by gaining power to drive the circuit from the target power source.As shown in the circuit diagram in Figure 21, signal processing at the circuit consists of side-channel signal extraction from the power source plane, amplification of the extracted side channel signals, a peak hold circuit, and a FET as the variable impedance element that operates the unintentional antenna constructed by the PCB and interceptor as the transmissionand-reception antenna.
Owing to this signal processing, the period of the intercepted signals is decreased to the processing cycle time of the cryptographic module, which allows the frequency bandwidth required for reception to be narrowed and enables a low configuration for the sampling rate by the analog/digital converter of the SDR.This shows that the implementation of a function greater than AM onto the interceptor circuit lowers the difficulty of attack.
To simplify the experiment, an interceptor and an antenna independent of the cryptographic module were used.However, highly dense mounting is easily attainable, and miniaturization to the size shown in Figure 22 is possible, allowing mounting onto the existing circuits of the target.An antenna line is attached to the interceptor, but this antenna line can be omitted by coupling with the power line or communication line.

Experimental environment and parameters
As for other experiments, the environment was set up as shown in Figure 10, and the values listed in Table 5 were used as the parameters for the experiment.
The unintentional antenna in this section is implemented by the PCB of the target and the interceptor.The total length of this unintended antenna is 0.7 m.From Equation 1, the resonance frequency is calculated as 214 MHz, 643 MHz, and 1.07 GHz.Among these, we focus on 643 MHz, which matches the frequency characteristics of the antenna used for the attack, and irradiate around this frequency.Given that the clock period of the cryptographic module is 5 µs, the bandwidth for demodulation was set at 2 MHz, which is equal to 10 samples per the clock period.

Acquisition of information using the interceptor
Next, the possibility of intercepting the side-channel signals from the cryptographic module mounted with an interceptor is considered.The side-channel signals monitored over the cryptographic processing board used in the experiment are shown in Figure 23.
As with conventional TEMPEST, the side-channel signals could not be monitored when the device without an interceptor was not irradiated with EM waves were not irradiated, as shown in Figure 24.   to the bits of the secret key could also be observed in Figure 26 (Binarized Signal and RSA Key).In light of the above, the experiment showed that intercepted side-channel signals could be received at a greater distance.
In this section, attacks were performed using AM modulation and demodulation; however, for Differential Power Analysis (DPA) style attacks, it is necessary to measure the amplitude fluctuation precisely according to the input.Therefore, other modulation methods (e.g., frequency modulation) must be utilized for increasing signal fidelity.

Targeted video signals
The targeted display is a flat panel display used for PCs. Figure 27 shows an outline of the drawing operation.This experiment targeted analog RGB signals.An analog RGB signal consists of tricolor luminance signals (R, G, and B), a horizontal sync (HSYNC) signal, and a vertical sync (VSYNC) signal.
The targeted RGB signal is a 700 mV peak-to-peak analog signal.The luminance was expressed as continuous voltage value, where the minimum luminance was expressed as 0 V and the maximum luminance was 700 mV.Pixel information was leaked outside the device by intercepting the changes in the voltage.Table 6 summarizes the VGA signal parameters used in the experiment.
The luminance signals of the analog RGB signals are broadband signals ranging from DC to harmonic signals.The resolution used in this experiment was in the bandwidth of 0-32.5 MHz, and a coaxial cable with limited damping of harmonic signals (a characteristic  impedance of 75 Ω) was used for signal transmission.A coaxial cable exists for each RGB luminance signal inside the VGA cable.This experiment was structured such that a red luminance signal is intercepted and transmitted outside the device.

Circuit of the interceptor and its implementation
Figure 28 shows the circuit diagram of the interceptor used in the experiment and the implementation method.This circuit only consists of a FET.
Figure 29 shows the state in which an interceptor built in this experiment is mounted in the cable.The FET is small in size and can be easily covered by the cable jacket; thus, its presence can be hidden.
In this experiment, information leakage is induced by connecting each pin to the communication line of the VGA cable.Pin 1 is connected to the central conductor of the coaxial cable that transmits the red luminance signal, Pin 2 is connected to the shield drain wire on the display side, and Pin 3 is connected to the shield drain wire on the PC side.Amplitude-modulated signals for red luminance are generated by multiplying the high-frequency signals generated between Pins 2 and 3 by irradiated EM waves and the red luminance signal from the Pin 1 input using the FET.Radiation outside the device occurs as these signals are transmitted to the unintentional antenna.Moreover, through   AM demodulation outside the device, the changes in the red luminance can be obtained, and videos can be obtained by reconstructing the raster scans back to images.

Experimental environment
As with the other experiments, the environment was set up as shown in Figure 10, and the values listed in Table 7 were used as parameters for the experiment.The unintentional antenna in this section is implemented by the VGA cable, the PC and the display.The total length of this unintended antenna is 2.3 m.From Equation 1, the resonance frequency is calculated as 62.5 MHz, 188, 313, 438, 563, and 688 MHz.Among these, we focus on 438 MHz and 688 MHz, which matches the frequency characteristics of the antenna used for the attack, and irradiate around this frequency.
Given that data signals targeted in this experiment are analog signals with a maximum frequency of 0-32.5 MHz, the occupied bandwidth after modulation is 65 MHz.For this reason, the demodulation bandwidth was set higher at 100 MHz so that the luminance information can be reconstructed at the pixel level.

Acquisition of information using the interceptor
Next, the possibility of leaking video information from a VGA cable mounted with an interceptor is considered.In the following experiment, the reception waveform is monitored when Figure 30 is displayed.As with conventional TEMPEST, video could not be monitored when a device without an interceptor was not irradiated with EM waves, as shown in Figure 31.Figure 32 shows the reconstructed image result after the demodulation of the received signals when the distance between the target mounted with the interceptor and the receive antenna was 1 m.Video where words could be identified in a similar fashion as the original video was observed is shown in Figure 33.As with the case in which the distance between the target and the antenna was 1 m, words could be identified as with the original data, even when the distance between the target and the antenna was increased to 5 m and the output intensity of the EM waves was increased (Figure 33).

Audio Device
This section considers the interception of sound information.Specifically, a smart speaker is targeted.

Targeted sound signal
A smart speaker interprets wake words such as "OK Google," "Alexa," or "Hey Siri" on the basis of the surrounding sound acquisition and invokes the speech recognition process.Further, the surrounding sound is always monitored to extract wake words.Therefore, in the case of installing an interceptor on such a device, the sound around the device can be intercepted from a distance.
Microelectromechanical systems (MEMS) microphones are generally used for speech acquisition because of their low power consumption, performance, and size.In this example, we consider the interception of the surrounding speech from the output signal of an MEMS microphone.The output signal of an MEMS microphone is the digital signal using pulse density modulation (PDM).The voltage range of this signal is around 0-3.3 V, which is the same as a general single-end digital signal on the board.In addition, the signal input to the microphone is a chirp signal in the range of 20 Hz-20 kHz.
The speech output device used in the experiment was a tablet PC, and chirp signals were released from the external speaker connected to tablet PC.The distance between the smart speaker with an interceptor and the speaker that output the chirp signals was 1 m.We monitored whether the chirp signals can be intercepted outside the device while changing the volume by 50% from 0%-100%.

Circuit of the interceptor and its implementation
An MEMS microphone is directly mounted on the printed circuit board (PCB) of the smart speaker.Therefore, the unintentional antenna must consist of the electrical element or wiring near the output signal of the MEMS microphone.In this section, a flexible printed  circuit (FPC), which works as a PCB-to-PCB cable, is used as an unintentional antenna.
The FPC has a solid ground plane to reduce unwanted EM emission.If the ground plane is isolated from the system ground at the attack frequency, it efficiently receives high frequency power when EM waves at the resonant frequency are irradiated.Figure 34 shows the circuit diagram of the implemented interceptor and the implementation method.The voltage level of the target PDM signal is divided by the resistor to a voltage level at which the FET of interceptor efficiently operates.The ground plane of the FPC, which works as an unintentional antenna, is connected with the drain of the FET of the interceptor by a capacitor.Moreover, to prevent distortion of the PDM signal caused by the installed interceptor, the resistance between the interceptor and the PDM signal must be high.Moreover, to prevent a change in the ground plane potential caused by installing an interceptor, the inductance between the ground plane and the system ground must be small so that only the high-frequency signal can be blocked.
Figure 35 shows the state in which the interceptor built in this experiment was mounted onto the smart speaker.The size of the circuit element for the interceptor was small and could be easily installed into the space inside the smart speaker so that its presence can be hidden.

Experimental environment and parameters
As with the other experiments, the environment was set up as shown in Figure 10, and the values listed in Table 8 were used as parameters for the experiment.
The unintentional antenna in this section is implemented by the PCB of the target and the FPC.The total length of this unintended antenna is 23 cm.From Equation 1, the resonance frequency is calculated as 652 MHz, 1.96 GHz, and 3.26 GHz.Among these, we focus on 652 MHz, which matches the frequency characteristics of the antenna used for the attack, and irradiate around this frequency.
Given that the PDM signals were square waves with a maximum frequency of 2 MHz, the bandwidth used for demodulation was 10 MHz, which included a third-order harmonic.Thus, bits were readable as square waves from the temporal waveforms after demodulation.The bandwidth was limited up to the third-order harmonic to reduce the calculation cost

Acquisition of information by the interceptor
Next, the possibility of leaking speech information from a smartspeaker mounted with an interceptor is specifically considered.The spectral changes over time for the chirp signals used in the experiment are shown in the spectrogram in Figure 36.
As with conventional TEMPEST, the chirp signals could not be monitored at any volume when a device without an interceptor was not irradiated with EM waves, as shown in Figure 37. Figure 38 shows spectrograms of speech extracted from demodulated reception signals when the distance between the target mounted with the interceptor and the receive antenna was 1 m.The fundamental waves of the original signals could be observed at every volume except volume 0 % in Figure 38. Figure 39 shows spectrograms of demodulated speech from the received signals when the distance between the target and the antenna was increased to 5 m.The fundamental waves of the chirp signals could be observed at every volume in Figure 39.

Summary of experiments
This section showed that forcefully leaking information is possible through EM waves by mounting the interceptor proposed in Section 2 onto any device, which handles high/low- In the experiment, observations were acquired at a distance as far as 5 m, but it is possible to obtain information at a farther distance by increasing the transmission power of the antenna.The interceptor used in this experiment was handmade, but its size may be further reduced and improved in terms of precision through techniques such as the implementation of a circuit board.

Detection method for the interceptor
The interceptor used in this study was driven by the power from the EM waves applied from the outside.It modulated information from inside a device and radiated it outside the device.The EM waves used for the irradiation attack exceed EMC regulations.A mechanism that stops operation when such EM waves are irradiated can be a countermeasure.As a concrete example of a countermeasure, a monitor that can measure the voltage fluctuation inside a device caused by intentional EM interference can be installed [ZS18][FHB + 18].However, as the monitoring of wide frequency bands is difficult, it is necessary to estimate the frequency used for the attack.For example, low-immunity frequencies (i.e., frequencies at which EM waves are easily induced inside a device) are considered as monitoring candidates.
Moreover, the presence of an interceptor may be verified by detecting the difference between the case in which EM waves are irradiated and the case in which such waves are not irradiated.Figure 40 shows a graph that compares the spectrum between the case in which EM waves irradiate a device mounted with an interceptor and the case in which such waves do not irradiate the device.The interceptor considered in this study was implemented on an analog VGA cable of a display, as explained Section 3.6.Figure 40 shows that a difference is observed between 414 MHz, a frequency at which the waves are applied from the outside to start the interceptor (shown in Section 3.1), and 542.1 MHz. Figure 41 also shows a graph of the temporal variation by focusing on the frequency for which there was a difference.The obtained results show that luminance signals repeated at a period of 60 Hz went through AM demodulation while using the frequency of 542.1 MHz as a carrier, thus leaking information outside the device.The presence of a mounted interceptor can be detected by scanning the device periodically by the method described above.The spectrum of radiated EM waves changes if the interceptor is activated by the irradiated EM waves.Therefore, we can detect attacks by observing the chance of the radiation spectrum, even if the target signal is unknown.
The interceptor may also be detected by continuously observing the radiated spectrum alone.The proposed interceptor induces EM waves of a specific frequency that are applied outside the device into the device and uses these waves as the driving power and as a carrier of modulated waves that cause information leakage.The addition of such a circuit that improves the sensitivity to EM waves decreases the immunity of the device and is equivalent to making changes to its equivalent circuit and frequency characteristic [Pau06].As a result, the EM wave spectrum irradiated from the device changes [HHM + 12a].In order to measure the difference between EM waves with/without an interceptor, a board without an interceptor is required.For this purpose, it is better to use multiple manufacturers to assemble the board.This idea has already been proposed as a framework for HT insertion prevention for ICs, and we applied the idea to a board, as shown in Figure 42.Note that the framework used here is different from that in IC split fabrication [XFT15, VDS + 14] and assumes the use of multiple manufacturers for board manufacturing.In a device with an interceptor, the equivalent circuit of the device changes significantly.This is a large change compared to the change caused by the manufacturing variance in the equivalent circuit.Additionally, changes in the equivalent circuit of the device affect the spectrum of the radiated EM waves.Therefore, by observing the radiated spectrum of the instrument, it is possible to distinguish devices "with" and "without" interceptors.
Figure 43 shows the radiation spectrum observed from the device in the case where there "was" an interceptor and the case where there "was not" an interceptor.A difference in the spectrum is observed between these cases; thus, it is possible to detect whether an interceptor was mounted by a specific manufacturer/manufacturers.
Another potential method of detection is to prevent the induction of EM waves applied from the outside to drive the HT into the device.Components for EMC and noise suppression as well as measures against intentional EM disturbances are examples of effective methods for this approach [Rad14, K.716, K.816a].
Furthermore, the propagation of interfering EM waves into a device can be regarded as a phenomenon in which the direction of propagation of the EM waves leaking from the device is in the opposite direction owing to the EM reciprocity theorem.For this reason, the application of ITU-T Recommendations K.84, K.87, and K.115 [K.811, K.816b, K.115] to the problem of reducing information leakage by leaking EM waves may also be a viable measure against the threat discussed in this paper.

Conclusions
This paper focused on the threat of information leakage through EM waves.Conventionally, devices targeted by such a threat are those with the potential leakage of EM waves during their operation, and the information inside the device was obtainable by monitoring the leaking EM waves near the device.In contrast, the leakage of EM waves was not potentially observed for some devices, and such devices were not a target of the threat discussed above.
In light of this, this paper proposed an interceptor that forces leakage even in devices that do not suffer potential EM leakage.The proposed interceptor consisted of an inexpensive FET and wiring without a special antenna structure and can be mounted onto manufactured devices.The driving energy can be supplied via EM waves outside the device, rendering an individual power supply unnecessary.Additionally, leakage occurs only when a signal with a specific frequency irradiates the device, making the detection of leakage from the device by anyone other than the attacker difficult.Furthermore, an increase in the intensity of the irradiated EM waves enables control of the distance at which information can be obtained.The intercepted result captures information signals without any change in comparison with the differentiated waveform of conventional TEMPEST.
The study showed that it is possible to force information leakage through EM waves by using a USB keyboard as a digital signal target and a cryptographic module as an analog signal target to ensure data confidentiality and completeness, which is realized by mounting an interceptor onto these devices.Further, such leakage can be monitored from a distance using the devices by increasing the intensity of the irradiated EM waves.Moreover, a signal that satisfies the conditions listed in Section 3.1 might be covered by the interceptor to force information leakage.
To detect the aforementioned threat, we focused on the changes in the device itself and the surrounding EM environment as a result of mounting an interceptor and considered a method of detecting a malicious circuit that causes such a threat by using both passive and active monitoring methods.

Figure 1 :
Figure 1: Electromagnetic radiation model of electronic devices

Figure 2 :Figure 3 :Figure 4 :
Figure 2: Interceptor disguised as a regular electronic component Figure 3: Interceptor implemented on a substrate by disguising it as a regular component

Figure 5 :
Figure 5: Principle of information leakage caused by the interceptor

Figure 6 :Figure 7 :
Figure 6: Impedance measurement system for the FETs of the interceptors

Table 1 :Figure 8 :Figure 9 :
Figure 8: Internal signal classification of the target devices

FreqFigure 10 :
Figure 10: Common experimental system components and layout

Figure 11 :
Figure 11: Functions and communication signals of a USB keyboard

Figure 12 :Figure 13 :
Figure 12: USB signaling and packet format of the USB keyboard

Figure 14 :
Figure 14: Interceptor installed in the USB cable of the USB keyboard

Figure 15 :Figure 16 :Figure 17 :Figure 18 :
Figure 15: Original USB signal of the USB keyboard Figure 16: Conventional TEMPEST result for the USB keyboard

Figure 19 :
Figure 19: Waveform characteristics of the side-channel signal in the cryptographic device circuit and the method for extracting its secret key

Figure 22 :
Figure 22: Miniaturized interceptor on the cryptographic device

Figure 23 :
Figure 23: Original side-channel signal of the cryptographic device and the extracted secret key in the RSA cryptographic device

Figure 27 :Figure 28 :
Figure 27: Drawing operation and video signal of the display

Figure 29 :
Figure 29: Interceptor installed in the VGA cable

Figure 34 :
Figure 34: Circuit and wiring diagram of the interceptor for the audio device

Figure 35 :
Figure 35: Interceptor installed in the enclosure of the smart speaker

Figure 36 :Figure 37 :Figure 38 :Figure 39 :
Figure 36: Spectrogram of the original audio data Figure 37: Spectrogram of the conventional TEMPEST result

Figure 40 :Figure 41 :
Figure 40: Comparison of the frequency response to differentiate between the normal case (not modified) and that modified with the interceptor Figure 41: Temporal variation in the radiated EM wave power at 542.1 MHz

Figure 42 :Figure 43 :
Figure 42: Framework for the HT insertion prevention of a board

Table 2 :
List of experimental devices

Table 3 :
Specifications of the transmission-and-reception system b Calculated value at 500 MHz

Table 4 :
Experimental parameters for intercepting the USB signal of the USB keyboard

Table 5 :
Experimental parameters for intercepting the side-channel signal

Table 6 :
Signal parameters of the analog RGB (VGA) signal

Table 7 :
Experimental parameters for intercepting the video signal

Table 8 :
Experimental parameters for intercepting the audio signal