publications
2024
- PURE: Payments with UWB RElay-protectionDaniele Coppola, Giovanni Camurati, Claudio Anliker, Xenia Hofmeier, Patrick Shaller, David Basin, and Srdjan CapkunIn 33rd USENIX Security Symposium (USENIX Security 2024), 2024
Distinguished Paper Award
Contactless payments are now widely used and are expected to reach $10 trillion worth of transactions by 2027. Although convenient, contactless payments are vulnerable to relay attacks that enable attackers to execute fraudulent payments. A number of countermeasures have been proposed to address this issue, including Mastercard’s relay protection mechanism. These countermeasures, although effective against some Commercial off-the-shelf (COTS) relays, fail to prevent physical-layer relay attacks. In this work, we leverage the Ultra-Wide Band (UWB) radios incorporated in major smartphones, smartwatches, tags and accessories, and introduce PURE, the first UWB-based relay protection that integrates smoothly into existing contactless payment standards, and prevents even the most sophisticated physical layer attacks. PURE extends EMV payment protocols that are executed between cards and terminals, and does not require any modification to the backend of the issuer, acquirer, or payment network. PURE further tailors UWB ranging to the payment environment (i.e., wireless channels) to achieve both reliability and resistance to all known physical-layer distance reduction attacks against UWB 802.15.4z. We implement PURE within the EMV standard on modern smartphones, and evaluate its performance in a realistic deployment. Our experiments show that PURE provides a sub-meter relay protection with minimal execution overhead (41 ms). We formally verify the security of PURE’s integration within Mastercard’s EMV protocol using the Tamarin prover.
2023
- Time for Change: How Clocks Break UWB Secure RangingClaudio Anliker, Giovanni Camurati, and Srdjan Capkun32nd USENIX Security Symposium (USENIX Security 2023), 2023
Due to its suitability for wireless ranging, Ultra-Wide Band (UWB) has gained traction over the past years. UWB chips have been integrated into consumer electronics and considered for security-relevant use cases, such as access control or contactless payments. However, several publications in the recent past have shown that it is difficult to protect the integrity of distance measurements on the physical layer. In this paper, we identify transceiver clock imperfections as a new, important parameter that has been widely ignored so far. We present Mix-Down and Stretch-and-Advance, two novel attacks against the current (IEEE 802.15.4z) and the upcoming (IEEE 802.15.4ab) UWB standard, respectively. We demonstrate Mix-Down on commercial chips and achieve distance reductions from 10 m to 0 m. For the Stretch-and-Advance attack, we show analytically that the current proposal of IEEE 802.15.4ab allows reductions of over 90 m. To prevent the attack, we propose and analyze an effective countermeasure.
- Screaming ChannelsGiovanni Camurati, and Aurélien FrancillonIn Encyclopedia of Cryptography, Security and Privacy, 2023
Modern devices often require wireless communication interfaces and therefore contain both digital, analog, and RF electronics. The term “Screaming Channels” denotes a leakage of sensitive information that occurs when side-channel leakage is accidentally broadcast by the radio transmitter alongside the intentional wireless communication, making it possible to recover cryptographic secrets from a large distance. Mixed-signal chips, containing both digital and radio blocks on the same chip, are especially vulnerable to Screaming Channels.
- EdgeTDC: On the Security of Time Difference of Arrival Measurements in CAN Bus SystemsMarc Roeschlin, Giovanni Camurati, Pascal Brunner, Mridula Singh, and Srdjan CapkunIn Network and Distributed System Security Symposium (NDSS 2023), 2023
A Controller Area Network (CAN bus) is a message-based protocol for intra-vehicle communication designed mainly with robustness and safety in mind. In real-world deployments, CAN bus does not offer common security features such as message authentication. Due to the fact that automotive suppliers need to guarantee interoperability, most manufacturers rely on a decade-old standard (ISO 11898) and changing the format by introducing MACs is impractical. Research has therefore suggested to address this lack of authentication with CAN bus Intrusion Detection Systems (IDSs) that augment the bus with separate modules. IDSs attribute messages to the respective sender by measuring physical-layer features of the transmitted frame. Those features are based on timings, voltage levels, transients and, as of recently, Time Difference of Arrival (TDoA) measurements. In this work, we show that TDoA-based approaches presented in prior art are vulnerable to novel spoofing and poisoning attacks. We describe how those proposals can be fixed and present our own method called EdgeTDC. Unlike existing methods, EdgeTDC does not rely on Analog-to-digital converters (ADCs) with high sampling rate and high dynamic range to capture the signals at sample level granularity. Our method uses time-to-digital converters (TDCs) to detect the edges and measure their timings. Despite being inexpensive to implement, TDCs offer low latency, high location precision and the ability to measure every single edge (rising and falling) in a frame. Measuring each edge makes analog sampling redundant and allows the calculation of statistics that can even detect tampering with parts of a message. Through extensive experimentation, we show that EdgeTDC can successfully thwart masquerading attacks in the CAN system of modern vehicles.
- MCRank: Monte Carlo Key Rank Estimation for Side-Channel Security EvaluationsGiovanni Camurati, Matteo Dell’Amico, and François-Xavier StandaertIACR Transactions on Cryptographic Hardware and Embedded Systems (IACR CHES 2023), 2023
Key rank estimation provides a measure of the effort that the attacker has to spend bruteforcing the key of a cryptographic algorithm, after having gained some information from a side channel attack. We present MCRank, a novel method for key rank estimation based on Monte Carlo sampling. MCRank provides an unbiased estimate of the rank and a confidence interval. Its bounds rapidly become tight for increasing sample size, with a corresponding linear increase of the execution time. When applied to evaluate an AES-128 implementation, MCRank can be orders of magnitude faster than the state-of-the-art histogram-based enumeration method for comparable bound tightness. It also scales better than previous work for large keys, up to 2048 bytes. Besides its conceptual simplicity and efficiency, MCRank can assess for the first time the security of large keys even if the probability distributions given the side channel leakage are not independent between subkeys, which occurs, for example, when evaluating the leakage security of an AES-256 implementation.
2022
- Noise-SDR: Arbitrary Modulation of Electromagnetic Noise from Unprivileged Software and Its Impact on Emission SecurityGiovanni Camurati, and Aurélien FrancillonIn 2022 IEEE Symposium on Security and Privacy (IEEE SP 2022), 2022
Electronic devices generate electromagnetic noise, also known as EM leakage when the noise leaks information. Many recent research papers exploit the fact that software activity can exploit this leakage to generate radio signals. This process breaks the isolation between simple unprivileged code and the radio spectrum, letting an attacker generate physical radio signals without accessing any radio interface. Previous work has discovered many leakage sources and covert communication channels, which generally use simple modulation schemes. However, a fundamental research question has been left unexplored: to which point can attackers shape electromagnetic leakage into signals of their choice? The answer to this question has an important security impact that goes beyond specific attacks or platforms. Indeed, arbitrary signal modulation is a useful primitive. This would allow attackers to use advanced modulations and better exploit the channel (leakage) capacity, for example, to establish advanced communication channels, or to inject malicious signals into victim receivers. At a first analysis, arbitrary modulation seems impossible: software has limited control on the leakage and existing attacks are therefore constrained to on-off keying or frequency-shift keying. In this paper, we demonstrate that shaping arbitrary signals out of electromagnetic noise is possible from unprivileged software. For this we leverage fully-digital radio techniques and call our method Noise-SDR because, similarly to a software-defined radio, it can transmit a generic signal synthesized in software. We demonstrate our approach with a practical implementation with DRAM accesses on ARMv7-A, ARMv8-A, x86-64, and MIPS32. We evaluate it on different types of devices, including smartphones, a laptop, a desktop, and a Linux-based IoT device. Although power, frequency and bandwidth are constrained by the properties of the leakage, we present several case studies, including transmission with advanced protocols, device tracking, and signal injection.
- Ghost Peak: Practical Distance Reduction Attacks Against HRP UWB RangingPatrick Leu*, Giovanni Camurati*, Alexander Heinrich, Marc Roeschlin, Claudio Anliker, Matthias Hollick, Srdjan Capkun, and Jiska ClassenIn 31st USENIX Security Symposium (USENIX Security 2022), 2022
We present the first over-the-air attack on IEEE 802.15.4z High-Rate Pulse Repetition Frequency (HRP) Ultra-Wide Band (UWB) distance measurement systems. Specifically, we demonstrate a practical distance reduction attack against pairs of Apple U1 chips (embedded in iPhones and AirTags), as well as against U1 chips inter-operating with NXP and Qorvo UWB chips. These chips have been deployed in a wide range of phones and cars to secure car entry and start and are projected for secure contactless payments, home locks, and contact tracing systems. Our attack operates without any knowledge of cryptographic material, results in distance reductions from 12m (actual distance) to 0m (spoofed distance) with attack success probabilities of up to 4%, and requires only an inexpensive (USD 65) off-the-shelf device. Access control can only tolerate sub-second latencies to not inconvenience the user, leaving little margin to perform time-consuming verifications. These distance reductions bring into question the use of UWB HRP in security-critical applications.
2020
- Security Threats Emerging from the Interaction Between Digital Activity and Radio TransceiverGiovanni CamuratiEURECOM - Sorbonne Université, 2020
Runner-up PhD Award from the GDR Sécurité Informatique
Modern connected devices need both computing and communication capabilities. For example, smartphones carry a multi-core processor, memory, and several radio transceivers on the same platform. Simpler embedded systems often use a mixed-signal chip that contains both a microcontroller and a transceiver. The physical proximity between digital blocks, which are strong sources of electromagnetic noise, and radio transceivers, which are sensitive to such noise, can cause functional and performance problems. Indeed, there exist many noise coupling paths between components on the same platform or silicon die. In this thesis we explore the security issues that arise from the interaction between digital and radio blocks, and we propose two novel attacks. With Screaming Channels, we demonstrate that radio transmitters on mixed-signal chips might broadcast some information about the digital activity of the device, making side channel attacks possible from a large distance. With Noise-SDR, we show that attackers can shape arbitrary radio signals from the electromagnetic noise triggered by software execution, to interact with radio receivers, possibly on the same platform.
- SoC Security Evaluation: Reflections on Methodology and ToolingNassim Corteggiani, Giovanni Camurati, Marius Muench, Sebastian Poeplau, and Aurélien FrancillonIEEE Design & Test, 2020
The growing complexity of Systems-on-Chip challenges our ability to ensure their correct operation, on which we rely for more and more sensitive activities. Many security vulnerabilities appear in subtle and unexpected ways in the interaction among blocks and across layers, where current verification tools fail at catching them or do not scale. For this reason, security evaluation still heavily relies on manual review. Inspired by the Hack@DAC19 contest, we present our reflections on this topic from a software and system security perspective. We outline an approach that extends the dynamic analysis of firmware to the hardware.
- Understanding screaming channels: From a detailed analysis to improved attacksGiovanni Camurati, Aurélien Francillon, and François-Xavier StandaertIACR transactions on cryptographic hardware and embedded systems (IACR CHES 2020), 2020
Google Bughunter Program, Honorable Mention
Recently, some wireless devices have been found vulnerable to a novel class of side-channel attacks, called Screaming Channels. These leaks might appear if the sensitive leaks from the processor are unintentionally broadcast by a radio transmitter placed on the same chip. Previous work focuses on identifying the root causes, and on mounting an attack at a distance considerably larger than the one achievable with conventional electromagnetic side channels, which was demonstrated in the low-noise environment of an anechoic chamber. However, a detailed understanding of the leak, attacks that take full advantage of the novel vector, and security evaluations in more practical scenarios are still missing. In this paper, we conduct a thorough experimental analysis of the peculiar properties of Screaming Channels. For example, we learn about the coexistence of intended and unintended data, the role of distance and other parameters on the strength of the leak, the distortion of the leakmodel, and the portability of the profiles. With such insights, we build better attacks. We profile a device connected via cable with 10000·500 traces. Then, 5 months later, we attack a different instance at 15m in an office environment. We recover the AES-128 key with 5000·1000 traces and key enumeration up to 2^23. Leveraging spatial diversity, we mount some attacks in the presence of obstacles. As a first example of application to a real system, we show a proof-of-concept attack against the authentication method of Google Eddystone beacons. On the one side, this work lowers the bar for more realistic attacks, highlighting the importance of the novel attack vector. On the other side, it provides a broader security evaluation of the leaks, helping the defender and radio designers to evaluate risk, and the need of countermeasures.
2018
- Screaming Channels: When Electromagnetic Side Channels Meet Radio TransceiversGiovanni Camurati, Sebastian Poeplau, Marius Muench, Tom Hayes, and Aurélien FrancillonIn 2018 ACM SIGSAC Conference on Computer and Communications Security (ACM CCS 2018), 2018
3rd place at CSAW Europe 2018
This paper presents a new side channel that affects mixed-signal chips used in widespread wireless communication protocols, such as Bluetooth and WiFi. This increasingly common type of chip includes the radio transceiver along with digital logic on the same integrated circuit. In such systems, the radio transmitter may unintentionally broadcast sensitive information from hardware cryptographic components or software executing on the CPU. The well-known electromagnetic (EM) leakage from digital logic is inadvertently mixed with the radio carrier, which is amplified and then transmitted by the antenna. We call the resulting leak screaming channels. Attacks exploiting such a side channel may succeed over a much longer distance than attacks exploiting usual EM side channels. The root of the problem is that mixed-signal chips include both digital circuits and analog circuits on the same silicon die in close physical proximity. While processing data, the digital circuits on these chips generate noise, which can be picked up by noise-sensitive analog radio components, ultimately leading to leakage of sensitive information. We investigate the physical reasons behind the channel, we measure it on several popular devices from different vendors (including Nordic Semiconductor nRF52832, and Qualcomm Atheros AR9271), and we demonstrate a complete key recovery attack against the nRF52832 chip. In particular, we retrieve the full key from the AES-128 implementation in tinyAES at a distance of 10 m using template attacks. Additionally, we recover the key used by the AES-128 implementation in mbedTLS at a distance of 1 m with a correlation attack. Screaming channel attacks change the threat models of devices with mixed-signal chips, as those devices are now vulnerable from a distance. More specifically, we argue that protections against side channels (such as masking or hiding) need to be used on this class of devices. Finally, chips implementing other widespread protocols (e.g., 4G/LTE, RFID) need to be inspected to determine whether they are vulnerable to screaming channel attacks.
- Inception: system-wide security testing of real-world embedded systems softwareNassim Corteggiani, Giovanni Camurati, and Aurélien FrancillonIn 27th USENIX Security Symposium (USENIX Security 2018), 2018
Connected embedded systems are becoming widely deployed, and their security is a serious concern. Current techniques for security testing of embedded software rely either on source code or on binaries. Detecting vulnerabilities by testing binary code is harder, because source code semantics are lost. Unfortunately, in embedded systems, high-level source code (C/C++) is often mixed with hand-written assembly, which cannot be directly handled by current source-based tools. In this paper we introduce Inception, a framework to perform security testing of complete real-world embedded firmware. Inception introduces novel techniques for symbolic execution in embedded systems. In particular, Inception Translator generates and merges LLVM bitcode from high-level source code, hand-written assembly, binary libraries, and part of the processor hardware behavior. This design reduces differences with real execution as well as the manual effort. The source code semantics are preserved, improving the effectiveness of security checks. Inception Symbolic Virtual Machine, based on KLEE, performs symbolic execution, using several strategies to handle different levels of memory abstractions, interaction with peripherals, and interrupts. Finally, the Inception Debugger is a high-performance JTAG debugger which performs redirection of memory accesses to the real hardware. We first validate our implementation using 53000 tests comparing Inception’s execution to concrete execution on an Arm Cortex-M3 chip. We then show Inception’s advantages on a benchmark made of 1624 synthetic vulnerable programs, four real-world open source and industrial applications, and 19 demos. We discovered eight crashes and two previously unknown vulnerabilities, demonstrating the effectiveness of Inception as a tool to assist embedded device firmware testing.