Tuesday, January 08, 2013

Funtenna!

I just watched "Hacking Cisco Phones: Just because you are paranoid doesn't mean your phone isn't listening to everything you say", an excellent presentation by Ang Cui and Michael Costello at 29C3. I particularly liked that they coined the term "funtenna" to describe the potential capability of malware using the off-hook switch in a VoIP phone as an antenna to transmit data over RF.

I appreciate that they credited me with the idea, but I would like to set the record straight. I met Ang and Michael at a Cyber Fast Track event a couple months ago, and they approached me with the idea of exfiltrating data from the phone by toggling a GPIO pin on the embedded CPU at radio frequencies. My only contribution was looking at the hardware and suggesting that the wire extending to the off-hook switch was probably the best candidate antenna for the hack.

Although it hasn't been implemented yet, I think the idea has merit. I don't know how fast a GPIO pin can be toggled on the platform, but the CPU operates at something like 800 MHz. That makes it very likely that the maximum GPIO toggle rate is at least in the tens of MHz, maybe even over 100 MHz. I don't know the resonant frequency of the wire extending to the off-hook switch, but it is probably a few hundred MHz. If my guesses are close, then it is likely that the funtenna could be used to transmit data a short distance, perhaps through a wall or two. It isn't a very good radio, but it should work to some extent. Even a short range wireless transmission is very interesting when it originates from unmodified hardware not intended for wireless operation.

With Ang and Michael's approval, I would like to formalize the definition of "funtenna" a bit: A funtenna is an antenna that was not intended by the designer of the system to be an antenna, particularly when used as an antenna by an attacker. In the case of the Cisco phone, the funtenna could be used to transmit data from the phone. In certain systems, it may be possible to use a funtenna to receive radio signals as well. (I even know of some people working on a way to inject data into an untouched device using nothing but a high power radio signal; it is a very limited capability but theoretically possible.) The field of emission security studies unintentional radio emissions that leak data, and I would call any radiating element (a cable with poor shielding, for example) that leaks useful or sensitive information a funtenna.

Whenever I crack open an electronic device for the first time, I now look for potential funtennas. Maybe you will too. :-)
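To put rough numbers on the guesses above (a GPIO toggle rate in the tens of MHz, a wire resonance of a few hundred MHz), here is an added estimate, not code from this post or from Ang and Michael's work: a square wave toggled at a given rate only has odd harmonics, so the question for an emission survey is which of those harmonics land near the wire's quarter-wave resonance. The 15 cm wire length, the 0.95 velocity factor and the 30 MHz toggle rate are assumed values.

```python
"""Rough funtenna emission estimate: square-wave GPIO toggling into a short wire."""
from math import log10

C_M_PER_S = 299_792_458.0  # speed of light in vacuum


def quarter_wave_resonance_hz(wire_length_m, velocity_factor=0.95):
    """Fundamental resonance of a wire driven at one end (quarter-wave monopole).

    velocity_factor (assumed 0.95) accounts for end effects and insulation.
    """
    return velocity_factor * C_M_PER_S / (4.0 * wire_length_m)


def square_wave_harmonics(toggle_hz, f_max_hz):
    """Spectral lines of a 50% duty square wave up to f_max_hz.

    Only odd harmonics are present; the n-th has relative amplitude 1/n.
    Returns (n, frequency_hz, level_db_relative_to_fundamental).
    """
    lines = []
    n = 1
    while n * toggle_hz <= f_max_hz:
        lines.append((n, n * toggle_hz, 20.0 * log10(1.0 / n)))
        n += 2
    return lines


def harmonics_near_resonance(toggle_hz, resonance_hz, tolerance=0.10):
    """Harmonics landing within +/- tolerance of the wire's resonance.

    These are the lines the wire radiates most efficiently, so they are
    where an emission survey of a suspect device should look first.
    """
    lo, hi = resonance_hz * (1 - tolerance), resonance_hz * (1 + tolerance)
    return [line for line in square_wave_harmonics(toggle_hz, hi) if line[1] >= lo]


if __name__ == "__main__":
    wire_m = 0.15      # assumed length of the off-hook switch wire
    toggle_hz = 30e6   # assumed GPIO toggle rate ("tens of MHz")
    f_res = quarter_wave_resonance_hz(wire_m)
    print(f"wire resonance ~ {f_res / 1e6:.0f} MHz")
    for n, f, db in harmonics_near_resonance(toggle_hz, f_res):
        print(f"  harmonic {n:2d}: {f / 1e6:6.1f} MHz at {db:6.1f} dBc")
```

The harmonic levels fall off as 1/n, which is why a funtenna driven this way is, as the post says, not a very good radio: the lines near resonance sit tens of dB below the fundamental.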

12 comments:

Luke said...

What an awesome idea! Looks like it would be totally possible. Someone has already done this with the Raspberry Pi and turned it into an FM Transmitter simply by toggling a GPIO pin:
http://www.icrobotics.co.uk/wiki/index.php/Turning_the_Raspberry_Pi_Into_an_FM_Transmitter

Lucas Daniel said...

Sorry for my bad English, I'm Brazilian ;) I read your post and I remembered a distrust I have of mobile devices regardless of OS. Do you think the phone can open a listening device without calling? As if the mobile network operator could hear our conversations without needing to give a ring... Do you think that would be possible in a hardware appliance, any GSM?
Thanks for the reply.

Anonymous said...

Reminds me of an old hack, which makes a DVB-T transmitter out of a VGA card.
http://bellard.org/dvbt/

Michael Ossmann said...

Nice links! The oldest prior art related to intentional funtenna transmission I can recall is Tempest for Eliza.

Lucas: Yes, there have been examples of mobile phones used as listening devices. If your network operator or anyone else controls the software on your phone, they can probably do that. I've never heard of an operator doing such a thing.

Jared said...

Prior art is much older than Tempest for Eliza. Try: Altair at Homebrew Computer Club, 1975
There isn't a specific funtenna here, so much as an entire computer's collective EMI.

Hugh O'Brien said...

This would be a nice way to export data gathered by a device like the phones, but do you know of any juicy protocols that it could directly attack at those frequencies?

Michael Ossmann said...

Jared wins!

Hugh: It is unlikely that we could attack much over the air with this technique (at least on the Cisco phone platform). We have limited modulation capability and can only transmit at low power up to something like 100 MHz. Perhaps we could transmit control signals to a toy remote control vehicle at 27 or 49 MHz.

GB3 said...

You didn't mention that you're the one who gave them the idea for Funtenna! :)

Great talk, thanks for sharing it.

Hugh O'Brien said...

One further idea, probably mentioned already somewhere, but the microphone might be used to capture keystrokes, or more interestingly the funtenna might be a nice place to sniff for TEMPEST-like emissions.

AKA the A said...

Would you happen to have any materials/sources for the RF injection? I have seen some examples, but nothing very "trustworthy"...

Michael Ossmann said...

AKA the A: If you are referring to the ability to use RF to inject data into a system not intended for RF operation, I don't have any specific resources. The research that I know of is very preliminary, not public, and highly dependent on the characteristics of the target device.
