
Digital Investigation

Volume 29, June 2019, Pages 43-54

A survey of electromagnetic side-channel attacks and discussion on their case-progressing potential for digital forensics

https://doi.org/10.1016/j.diin.2019.03.002

Abstract

The increasing prevalence of Internet of Things (IoT) devices has made it inevitable that their pertinence to digital forensic investigations will increase into the foreseeable future. These devices, produced by various vendors, often possess only limited standard interfaces for communication, such as USB ports or WiFi/Bluetooth wireless interfaces. Meanwhile, with an increasing mainstream focus on the security and privacy of user data, built-in encryption is becoming commonplace in consumer-level computing devices, and IoT devices are no exception. Under these circumstances, a significant challenge is presented to digital forensic investigations where data from IoT devices need to be analysed.

This work explores the electromagnetic (EM) side-channel analysis literature for the purpose of assisting digital forensic investigations on IoT devices. EM side-channel analysis is a technique where unintentional electromagnetic emissions are used for eavesdropping on the operations and data handling of computing devices. The non-intrusive nature of EM side-channel approaches makes them a viable option to assist digital forensic investigations, as these attacks require, and must result in, no modification to the target device. The literature on various EM side-channel analysis attack techniques is discussed, selected on the basis of their applicability in IoT device investigation scenarios. The insight gained from the background study is used to identify promising future applications of the technique for digital forensic analysis on IoT devices, potentially progressing a wide variety of currently hindered digital investigations.

Introduction

Digital forensics is the field where legal investigations are assisted by analysing digital sources of evidence. In contrast, cybersecurity is the domain where the concern is to ensure the security of digital data and the privacy of their owners. In today's modern world, technology is becoming increasingly prevalent in everyday life and many people are almost always connected to the Internet (Nie and Erbring, 2000). While various social networks enable their users to share their life events with the rest of the world intentionally, every computer-based device they interact with in everyday life leaves unintentional traces of their activities. Such sources of forensic information include computer hard disks, network activity logs, removable media, the internal storage of mobile phones and many others (Soltani and Seno, 2017).

The Internet of Things (IoT) is an emerging trend that started as a narrow research domain called wireless sensor networks and evolved into Internet-connected everyday objects. The IoT ecosystem includes a wide variety of devices, such as smart-watches, smart TVs, CCTV cameras, medical implants, fitness wearables, etc. The increasing availability of IoT devices across society makes it inevitable that they will be found at modern crime scenes and in digital forensic investigations. Most of these devices come with limited data processing and storage capabilities, and they usually possess only limited standard interfaces to the outside world, such as USB ports or WiFi/Bluetooth wireless interfaces, unlike their PC counterparts (Stojkoska and Trivodaliev, 2017).

Due to the increasing concerns regarding security and privacy among communities, modern digital devices, such as computer systems, mobile devices, etc., are designed and shipped with built-in security. Popular smartphones, such as iOS and Android based devices, encrypt their internal storage in order to protect user data from third parties (Ahmad et al., 2013). Each of the mainstream PC operating systems, such as Mac OS, Windows, and Linux, provides built-in hard disk encryption. Meanwhile, network communications, both wired and wireless, commonly employ strong packet encryption mechanisms (van de Wiel et al., 2018). Modern computer hardware has made the automated handling of encrypted data an everyday possibility in consumer, industrial and military applications (Fritzke, 2012). Computer devices seized at a crime scene containing encrypted data pose a significant challenge to the investigation (Lillis et al., 2016; Sayakkara et al., 2018a). The IoT device ecosystem is no exception to this data encryption trend, making the challenge of digital forensic investigations on IoT devices even more complex.

Side-channel analysis attacks have been proven to be useful to breach security on computer systems when standard interfaces, e.g., network interfaces and data storage devices, are sufficiently protected (Spreitzer et al., 2018; Dhem et al., 1998; Zhang et al., 2014; O'Malley and Choo, 2014). In order for a side-channel attack to be effective in practical scenarios for a security breach, it has to be executable without having physical access to the device being attacked (Wakabayashi et al., 2017). In the case of a digital investigation, the investigator has the freedom to handle the device, and ideally, any investigative activity must not affect or change the digital information in the device (Du et al., 2017). Electromagnetic (EM) side-channel attacks are one approach that has shown promising results. They require minimal physical manipulation of the device being inspected (Hayashi et al., 2013). EM emissions of a device can be passively observed to infer both the internal operations being performed and the data being handled (Sayakkara et al., 2018a). This condition is ideal for a digital investigator who attempts to ensure that the device does not go through any physical changes due to its investigation. It is worth noting that hardware manufacturers are continuously trying to circumvent EM side-channel attack vulnerabilities through EM shielding and firmware that obfuscates operations.

This paper discusses the potential of EM side-channel analysis as a case-advancing technique for digital forensic analysis of IoT devices. A comprehensive analysis of the literature is provided, identifying some promising avenues for research and their future potential. EM side-channel attacks for the recovery of cryptographic keys and other forms of important information are evaluated for potentially overcoming the encryption problem in digital forensics on IoT devices. Since the nature of EM emission phenomena is associated with the power consumption of computing devices (Callan et al., 2015a), the literature that focuses on power analysis attacks is also discussed where appropriate.

The contribution of this work can be summarised as follows:

  • A comprehensive literature review and a comparative study of the research that has been carried out in EM side-channel analysis is provided and recent advances are summarised.

  • The scenarios where different EM side-channel attacks in the literature are relevant and applicable in digital forensic investigations are identified.

  • Light is shed on several new avenues of research that could be pursued in digital forensic investigations and cybersecurity through the adoption of EM side-channel analysis techniques.

  • The shortage of reliable tools and frameworks available to utilise EM side-channel analysis for digital forensic investigations on IoT devices is identified, and recommendations are made to overcome it.

The rest of this paper is organised as follows. Section 2 presents an overview of side-channel attacks. Sections 3, 4 and 5 (Unintentional electromagnetic emissions, Electromagnetic emissions as a signature, and Information leaking electromagnetic emissions) explore approaches for the acquisition of EM emissions, their use for unique identification, and the information they leak, as relevant to digital forensics. In Section 6, the advancements in wireless communication technologies and standardisation, and the legal background relevant to EM side-channels, are discussed. Section 7 provides insights into possible future ethical directions of this technique. Finally, Section 8 concludes the paper.

Section snippets

Side-channel attacks

The topic of side-channel attacks spans a wide variety of techniques. Each side-channel attack on a computer system focuses on one specific unintentional leakage of information from either hardware or software (Spreitzer et al., 2018). Some such information-leaking side-channels are listed below.

  • The memory and cache spaces shared between different software.

  • The amount of time a program takes to respond to different inputs.

  • The sounds different components of computer hardware make.

  • The amount of

Unintentional electromagnetic emissions

EM radiation is the underlying technology for numerous forms of wireless communication. Meanwhile, it is a well documented fact that electronic devices generate EM radiation on unintended frequencies as a side effect of their internal operations (Getz and Moeckel). Such unintended EM radiation is regulated by government agencies, such as the Federal Communications Commission (FCC) in the USA, due to the possible interference it can cause to legitimate wireless communication and the potential health

Electromagnetic emissions as a signature

When a computing device running a program generates EM emissions, the observable patterns depend on the precise settings of the device. In the EM emission spectrum of the Arduino device in Fig. 1, it is clearly evident that both the hardware and software settings have influenced the EM emission patterns. The signal captured at the first harmonic frequency of the Arduino device's system clock, i.e., 32 MHz, shows varying patterns in the spectrogram view according to the changes made to
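As an added example (it is not code from the paper or its authors), the following Python turns the observation above into a concrete check: it computes the band power at the 32 MHz clock harmonic for each time slice of a trace, which is the single spectrogram row whose pattern the figure describes, and then matches the resulting signature against signatures enrolled from a reference device running known firmware states. That is the forensic use of an EM signature: confirming what a seized device is executing without touching it. The trace is synthesised (a clock harmonic whose amplitude is modulated by what the firmware is doing in each slice, plus Gaussian noise), and the 100 MS/s sample rate, the window size, the profile names `firmware_A`/`firmware_B`, the amplitude profiles and the 0.8 match threshold are all assumptions for the example, not values from the paper.

```python
import math
import random

# All numbers below are constructed for the example, not measurements from the paper.
FS = 100e6              # assumed capture sample rate, 100 MS/s
CLOCK_HZ = 32e6         # first harmonic of the Arduino system clock discussed in the paper
WINDOW = 1000           # samples per time slice (10 us at FS), one column of the spectrogram
MATCH_THRESHOLD = 0.8   # assumed minimum correlation to accept a match


def goertzel_power(samples, target_hz, fs=FS):
    """Normalised power of a single frequency bin (Goertzel algorithm).
    For a pure tone of amplitude A sitting on the bin this returns A**2 / 4."""
    n = len(samples)
    k = round(target_hz * n / fs)                     # nearest DFT bin
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s_prev = s_prev2 = 0.0
    for x in samples:
        s = x + coeff * s_prev - s_prev2
        s_prev2, s_prev = s_prev, s
    magnitude_sq = s_prev * s_prev + s_prev2 * s_prev2 - coeff * s_prev * s_prev2
    return magnitude_sq / (n * n)


def clock_harmonic_signature(trace, target_hz=CLOCK_HZ, fs=FS, window=WINDOW):
    """Band power at the clock harmonic for each time slice: the one spectrogram
    row whose pattern changes with the hardware/software configuration."""
    return [goertzel_power(trace[i:i + window], target_hz, fs)
            for i in range(0, len(trace) - window + 1, window)]


def synthesize_trace(amplitude_profile, seed, fs=FS, window=WINDOW, noise_sigma=0.1):
    """Constructed stand-in for a captured EM trace: the clock harmonic, amplitude-
    modulated by what the firmware does in each slice, plus Gaussian noise."""
    rng = random.Random(seed)
    trace = []
    for slice_idx, amp in enumerate(amplitude_profile):
        for j in range(window):
            t = (slice_idx * window + j) / fs
            trace.append(amp * math.cos(2.0 * math.pi * CLOCK_HZ * t) + rng.gauss(0.0, noise_sigma))
    return trace


def pearson(a, b):
    """Normalised correlation of two equal-length signatures (0.0 if either is flat)."""
    n = len(a)
    mean_a, mean_b = sum(a) / n, sum(b) / n
    num = sum((x - mean_a) * (y - mean_b) for x, y in zip(a, b))
    den = (math.sqrt(sum((x - mean_a) ** 2 for x in a))
           * math.sqrt(sum((y - mean_b) ** 2 for y in b)))
    return num / den if den else 0.0


# Hypothetical firmware states an examiner has enrolled on a reference device of the same model.
PROFILES = {
    "firmware_A": [1.0, 0.5, 1.0, 0.5, 0.8, 0.3],
    "firmware_B": [0.3, 0.8, 0.5, 1.0, 0.5, 1.0],
}


def enroll_references(profiles=PROFILES):
    """Capture one reference trace per known state and keep only its signature."""
    return {name: clock_harmonic_signature(synthesize_trace(profile, seed=idx + 1))
            for idx, (name, profile) in enumerate(profiles.items())}


def identify_state(observed_signature, references, threshold=MATCH_THRESHOLD):
    """Name of the enrolled state whose signature best matches, or None when nothing
    correlates strongly enough: an unenrolled or modified firmware must not be mislabelled."""
    best_name, best_score = None, -1.0
    for name, ref in references.items():
        if len(ref) != len(observed_signature):
            continue                                  # different capture length, not comparable
        score = pearson(observed_signature, ref)
        if score > best_score:
            best_name, best_score = name, score
    return best_name if best_score >= threshold else None


if __name__ == "__main__":
    refs = enroll_references()
    seized = clock_harmonic_signature(synthesize_trace(PROFILES["firmware_A"], seed=7))
    print("per-slice band power at 32 MHz:", [round(p, 4) for p in seized])
    print("best match:", identify_state(seized, refs))
```

Each slice's band power comes out near amplitude squared over four, so the signature is the amplitude profile of the clock harmonic over time, exactly the quantity a spectrogram displays along one frequency row. The threshold matters for the failure mode: a trace from a state that was never enrolled (or a flat signature that carries no structure) scores below it and returns None, which is the safe answer for an examiner who must not attribute a firmware state the reference set does not cover.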

Information leaking electromagnetic emissions

This section dives into the question of what information is contained in an EM emission trace of a particular computing system. From a digital forensic perspective, both the kind of software running on IoT devices and the data being handled by each software application are potentially of significant interest. Even if EM side-channel analysis cannot reveal all of the data being handled by an IoT device platform, extracting critical information, e.g., cryptographic keys, can help progress forensic

Standards and tools

EM side-channel attacks are not currently in common use for digital forensics purposes. Therefore, it may be too early to find any existing standards or tools on EM side-channel analysis for digital forensics. However, in order for standards and tools to be established in the future, it is important to review the relevant standards and tools in both the hardware and software security domains.

The concerns of electromagnetic wave emissions from IoT devices from the software perspective are mostly

Discussion

Having discussed the scientific literature related to EM side-channel analysis attacks, it is important to identify the future impact it may have on the domain of digital forensics on IoT devices. This section highlights some of the potential ways this impact may occur in the future under different themes. Fig. 4 illustrates the avenues for future research in this direction. Many of these future potentials are already starting to be realised and others are ambitious predictions that can prove

Conclusions

Traditionally, digital forensics focuses on analysing traces left behind by suspects on digital devices by inspecting file storage, log files, network traces, etc. Live data forensics can also be performed on systems that require more sophisticated investigative techniques and skills. As computing systems transform from less privacy and security concerned platforms into hardened platforms that are designed with security in mind from their inception, the typical work conducted by digital

Conflicts of interest

None.

References (125)

  • P. Belgarric et al. Side-channel analysis of Weierstrass and Koblitz curve ECDSA on Android smartphones.
  • D. Bharadia et al. BackFi: high throughput WiFi backscatter. Comput. Commun. Rev. (2015).
  • A. Bianchi et al. Wearable authentication: trends and opportunities. IT Inf. Technol. (2016).
  • A.B. Blanco et al. A framework for acquiring and analyzing traces from cryptographic devices.
  • E. Blossom. GNU Radio: tools for exploring the radio frequency spectrum. Linux J. (2004).
  • A. Bogdanov et al. Fast and memory-efficient key recovery in side-channel attacks.
  • Calari U., Lampkin M.C., RFID reader, US Patent 5,621,199 (Apr. 15...
  • R.L. Callan. Analyzing Software Using Unintentional Electromagnetic Emanations from Computing Devices (2016).
  • R. Callan et al. A practical methodology for measuring the side-channel signal available to the attacker for instruction-level events.
  • R. Callan et al. Comparison of electromagnetic side-channel energy available to the attacker from different computer systems.
  • R. Callan et al. FASE: finding amplitude-modulated side-channel emanations.
  • R. Callan et al. Zero-overhead profiling via EM emanations.
  • G. Camurati et al. Screaming channels: when electromagnetic side channels meet radio transceivers.
  • S. Cass. A $40 software-defined radio. IEEE Spectrum (2013).
  • S. Chari et al. Template attacks.
  • ChipWhisperer Embedded Hardware Security Toolchain.
  • S.S. Clark et al. Current events: identifying webpages by tapping the electrical outlet.
  • V. Corey et al. Network forensics analysis. IEEE Internet Computing (2002).
  • B. Danev et al. On physical-layer identification of wireless devices. ACM Comput. Surv. (2012).
  • R.D. Deppensmith et al. Optimized fingerprint generation using unintentional emission radio-frequency distinct native attributes (RF-DNA).
  • J.-F. Dhem et al. A practical implementation of the timing attack.
  • X. Du et al. Evaluation of digital forensic process models with respect to digital forensics as a service.
  • C.K. Dubendorfer. Using RF-DNA Fingerprints to Discriminate ZigBee Devices in an Operational Environment (2013).
  • E. Casey et al. The impact of full disk encryption on digital forensics. ACM SIGOPS Oper. Syst. Rev. (2008).
  • F. Elibol et al. Realistic eavesdropping attacks on computer displays with low-cost and mobile receiver system.
  • W. Entriken. System Bus Radio.
  • T. Espitau et al. Side-channel attacks on BLISS lattice-based signatures: exploiting branch tracing against strongSwan and electromagnetic emanations in microcontrollers.
  • M. Ettus et al. The Universal Software Radio Peripheral (USRP) family of low-cost SDRs. Opportunistic Spectrum Sharing and White Space Access (2015).
  • S. Fahl et al. Rethinking SSL development in an appified world.
  • A.W. Fritzke. Obfuscating against Side-Channel Power Analysis Using Hiding Techniques for AES (2012).
  • K. Gandolfi et al. Electromagnetic analysis: concrete results.
  • R. Getz, B. Moeckel, Understanding and eliminating EMI in Microcontroller Applications, National...
  • D. Genkin et al. RSA key extraction via low-bandwidth acoustic cryptanalysis.
  • D. Genkin et al. Stealing keys from PCs using a radio: cheap electromagnetic attacks on windowed exponentiation.
  • D. Genkin et al. Get your hands off my laptop: physical side-channel key-extraction attacks on PCs. Journal of Cryptographic Engineering (2015).
  • D. Genkin et al. ECDH key-extraction via low-bandwidth electromagnetic attacks on PCs.
  • D. Genkin et al. ECDSA key extraction from mobile devices via nonintrusive physical side channels.
  • N. Golmie et al. Bluetooth adaptive frequency hopping and scheduling.
  • L. Goubin. A refined power-analysis attack on elliptic curve cryptosystems.
  • S.K. Goudos et al. EMI reduction and ICs optimal arrangement inside high-speed networking equipment using particle swarm optimization. IEEE Trans. Electromagn. Compat. (2008).