Thursday, August 18, 2011

Spread Spectrum Clock Generation, Emission Security, and You

The following is a transcript, more or less, of a short talk I gave at ToorCon Seattle 2011. There was no video made of the presentation, so I'm doing this instead. The talk was a preview of some research into how spread spectrum clock generation affects the risk of eavesdropping on unintentional Radio Frequency (RF) emanations from electronic devices.

Probably half of you are sick of hearing me talk about Project Ubertooth and the other half will be, so today I'm talking about something completely different: clocks. Not the kind of clocks you hang on a wall but periodic electrical signals that drive the timing of digital electronics and the circuits that produce those clock signals. Every digital electronic device has a clock. When you talk about your fancy, new, 3.0 GHz computer, you are referring to the clock frequency.

A traditional clock signal looks like this. The top graph shows how the voltage changes over time. The timing is fairly consistent. If you plot the signal in the frequency domain, the bottom graph, you get a sharp spike at the clock frequency. Note that I am ignoring harmonics here and have zoomed in on the region around the fundamental clock frequency.

About twenty years ago, some guys in Kentucky had this idea to modulate the frequency of a clock over time. They called the technique Spread Spectrum Clock Generation (SSCG). A spread spectrum clock signal looks something like this. The frequency of the signal varies over time. If you look at the signal in the frequency domain, the bottom graph, you see a plateau over a range of frequencies instead of a narrow spike. (If you are familiar with spread spectrum communication systems, note that I'm talking about something only vaguely related.)

SSCG became popular, first with PC manufacturers and more recently for other electronic devices. The technique is used for one and (as far as I know) only one reason: to make it easier to pass electromagnetic compatibility (EMC) testing required by the FCC and other regulatory bodies around the world. EMC regulations are intended to limit RF emissions of electronic devices in order to avoid harmful interference to radio systems and other neighboring electronics. SSCG doesn't do anything to reduce the radiated power of such emissions; it simply shifts their frequencies around so the EMC test equipment doesn't register too high a power level at any one frequency. The electronics manufacturers are playing a shell game with their clock frequencies in order to evade detection.

A few of you may have seen a recent blog post of mine, If it isn't open, it didn't happen. In it I proposed a citation boycott: scientific works not open to the public shouldn't be considered to have been published at all and should not be cited. Well, I'm about to break my own boycott. Actually I am declaring an exception, an exception for ridicule: It is okay to cite a non-open scientific work if the citation is made for the purpose of ridiculing said work.

About ten years ago, there was growing concern that SSCG might be bad for electromagnetic compatibility. It was clear that the practice resulted in electronic devices that produced higher overall radiated emissions. Plus people were starting to get the idea that wideband interference from devices with spread spectrum clocks could be worse for radio signals than narrowband interference from traditional clocks, even when comparing the two at the same radiated power level. In response, Harry G. Skinner and Kevin P. Slattery of Intel published a short paper called Why Spread Spectrum Clocking of Computing Devices is Not Cheating. It is a truly awful paper. The authors, Intel, and the IEEE should all be embarrassed to have their names on it. It features bad theory, bad analysis, bad experimentation - just about everything that could be wrong with scientific literature is evident in this biased piece of garbage. I will limit myself to pointing out just one fallacy in detail.

The authors claim that concern over the wide bandwidth of SSCG emissions is misplaced because the emissions aren't actually wide at all. If you configure your test equipment the way the FCC requires, then the emissions appear to cover a wide range of frequencies. This doesn't tell the whole story, they say.

They propose looking at the emissions over shorter windows of time. A quick snapshot would show a signal that is actually narrowband, similar to the frequency spike produced by a traditional clock. Subsequent snapshots show that the signal is still narrow but shifted to different frequencies. (Click the graph for sophisticated and professional-looking animation.)

To some extent, the authors are correct, but they conveniently leave out a rather important detail. If you look at the signal the way the FCC requires, you see a wideband emission consisting of power at various frequencies under the regulatory limit.

If, however, you look at the signal the way the authors propose, you see a narrowband emission that exceeds the regulatory limit. You can't have it both ways, guys. You either show that the signal is wide, averaged over a range of frequencies, or you reveal that the radiated power exceeds the legal limit and that your spread spectrum clock is exploiting a loophole in the peculiarities of the FCC test specification.

Amazingly enough, this unscientific trash seems to be pretty much the last word on the subject. I think it is time for fresh eyes to look at spread spectrum clock generation. I've been looking at it for a little while and have developed two hypotheses.

Hypothesis #1: The increasing prevalence of spread spectrum clock generation is detrimental to the operation of a wide variety of radio systems. SSCG is becoming popular not just in PCs but in smartphones, LCD panels, and other high speed electronic devices. It is required by interface standards such as SATA and SuperSpeed USB. As more and more of these devices are deployed (probably billions per year), the noise floor is raised for everyone trying to use the radio spectrum. This hypothesis is hard to test, so I'm skipping it.

Hypothesis #2: Devices with spread spectrum clock generation are more susceptible to eavesdropping than those without. I'm talking about emission security, the problem that electronic devices tend to unintentionally emit radio signals that can reveal otherwise secret information. Someone might be able to discover the password for your bank account, for example, by monitoring radio signals produced by your computer.

There are two reasons I think SSCG results in an increased susceptibility to eavesdropping. The first is that SSCG devices produce stronger emissions. This is almost by definition: the reason SSCG is deployed in the first place is to get away with emissions stronger than those that would be permitted from a device without SSCG. The second is that SSCG emissions feature spread spectrum signatures that make it easier for an eavesdropper to pick the signals out of the noise. This will be a little more difficult to demonstrate, but techniques from the field of digital radio communication could be applied to the problem.

In the coming months I will attempt to test hypothesis #2. I'll start by analyzing the waveforms produced by popular spread spectrum clock generator integrated circuits, and then I will apply the knowledge gained to the problem of eavesdropping on consumer electronic devices. If you are interested in helping with this research, I would love to hear from you!

5 comments:

Gerg said...

I can't make any comments regarding security, byt your claim that "SSCG devices produce stronger emissions" seems like a non-sequitur. SSCG devices may employ a SS technique BECAUSE they radiate more, but they do not radiate more because they use SS.

I haven't read the IEEE paper you refer to, but it seems like you might be missing the point about interference reduction. Sure, if you look at it from a certain perspective, it might seem like cheating, just to get below that limit line. However, this doesn't change the fact that you are reducing the mean radiated power at one given frequency, at the cost of increased power at some other frequencies. This can be critical when the clock is a source of interference.

As an example, consider an 802.15.4 radio on channel 2.405 GHz, receiving a -40dBm signal. If, at the same receiver, I have a non-SS local clock impinging my desired signal with a strength of -33dBm, my received BER would be very high.

If we were to FM modulate the desired clock with an index of 2.5, we might reduce the mean power of the interference in-channel by 10dB to -43 dBm. With the interferer now 3dB down from the desired signal, the BER would be around 1% (required co-channel rejection for an 802.15.4 receiver is -3dBm).

If you can't reduce the radiated power of the clock for some specific reason, it is far better to modulate that clock and spread the interference out.

Michael Ossmann said...

Thanks for your comments, Gerg. I don't argue that SSCG is never an appropriate tool to use in specific cases of interference avoidance. Your example is a good one. If you are interested in seeing some counterexamples, I suggest reading the University of Hertfordshire paper I linked to.

Gerg said...

I see now that I misread that first part. Sorry about that.

Your counter-example is also a good one. Where the spreading is less than the receiver channel width, spreading is indeed completely worthless.

I do agree that spreading shouldn't be used because your design is so bad that you can't meet the CISPR limit without it. However, if you meet the limit, it makes a lot of sense to further spread the power of any emissions.

Would pseudo-random, rather than spreading based on a defined ramp function, help with the security issues? e.g. http://www.ece.rochester.edu/~salman/papers/socc08.pdf but maybe one based on a much longer PR sequence.

Steve Finnell said...

you are invited to follow my blog

Michael Ossmann said...

Sorry I didn't get a chance to read the paper you mentioned until recently, Gerg. I think that pseudo-random clock spreading might make it easier for an eavesdropper to fingerprint a device, but it depends on the length and predictability of the PN sequence. Do you know of any actual products that implement the pseudo-random technique?