Electromagnetic Interference Attacks on Cyber-Physical Systems: Theory, Demonstration, and Defense

Dayanikli, Gokcen Yilmaz

27 August 2021

A cyber-physical system (CPS) is a complex integration of hardware and software components to perform well-defined tasks. Up to this point, many software-based attacks targeting the network and computation layers have been reported by the researchers. However, the physical layer attacks that utilize natural phenomena (e.g., electromagnetic waves) to manipulate safety-critic signals such as analog sensor outputs, digital data, and actuation signals have recently taken the attention. The purpose of this dissertation is to detect the weaknesses of cyber-physical systems against low-power Intentional Electromagnetic Interference (IEMI) attacks and provide hardware-level countermeasures. Actuators are irreplaceable components of electronic systems that control the physically moving sections, e.g., servo motors that control robot arms. In Chapter 2, the potential effects of IEMI attacks on actuation control are presented. Pulse Width Modulation (PWM) signal, which is the industry–standard for actuation control, is observed to be vulnerable to IEMI with specific frequency and modulated–waveforms. Additionally, an advanced attacker with limited information about the victim can prevent the actuation, e.g., stop the rotation of a DC or servo motor. For some specific actuator models, the attacker can even take the control of the actuators and consequently the motion of the CPS, e.g., the flight trajectory of a UAV. The attacks are demonstrated on a fixed-wing unmanned aerial vehicle (UAV) during varying flight scenarios, and it is observed that the attacker can block or take control of the flight surfaces (e.g., aileron) which results in a crash of the UAV or a controllable change in its trajectory, respectively. Serial communication protocols such as UART or SPI are widely employed in electronic systems to establish communication between peripherals (e.g., sensors) and controllers. It is observed that an adversary with the reported three-phase attack mechanism can replace the original victim data with the 'desired' false data. In the detection phase, the attacker listens to the EM leakage of the victim system. In the signal processing phase, the exact timing of the victim data is determined from the victim EM leakage, and in the transmission phase, the radiated attack waveform replaces the original data with the 'desired' false data. The attack waveform is a narrowband signal at the victim baud rate, and in a proof–of–concept demonstration, the attacks are observed to be over 98% effective at inducing a desired bit sequence into pseudorandom UART frames. Countermeasures such as twisted cables are discussed and experimentally validated in high-IEMI scenarios. In Chapter 4, a state-of-art electrical vehicle (EV) charger is assessed in IEMI attack scenarios, and it is observed that an attacker can use low–cost RF components to inject false current or voltage sensor readings into the system. The manipulated sensor data results in a drastic increase in the current supplied to the EV which can easily result in physical damage due to thermal runaway of the batteries. The current switches, which control the output current of the EV charger, can be controlled (i.e., turned on) by relatively high–power IEMI, which gives the attacker direct control of the current supplied to the EV. The attacks on UAVs, communication systems, and EV chargers show that additional hardware countermeasures should be added to the state-of-art system design to alleviate the effect of IEMI attacks. The fiber-optic transmission and low-frequency magnetic field shielding can be used to transmit 'significant signals' or PCB-level countermeasures can be utilized which are reported in Chapter 5. / Doctor of Philosophy / The secure operation of an electronic system depends on the integrity of the signals transmitted from/to components like sensors, actuators, and controllers. Adversaries frequently aim to block or manipulate the information carried in sensor and actuation signals to disrupt the operation of the victim system with physical phenomena, e.g., infrared light or acoustic waves. In this dissertation, it is shown that low-power electromagnetic (EM) waves, with specific frequency and form devised for the victim system, can be utilized as an attack tool to disrupt, and, in some scenarios, control the operation of the system; moreover, it is shown that these attacks can be mitigated with hardware-level countermeasures. In Chapter 2, the attacks are applied to electric motors on an unmanned aerial vehicle (UAV), and it is observed that an attacker can block (i.e., crash of the UAV) or control the UAV motion with EM waves. In Chapter 3, it is shown that digital communication systems are not resilient against intentional electromagnetic interference (IEMI), either. Low–power EM waves can be utilized by attackers to replace the data in serial communication systems with a success rate %98 or more. In Chapter 4, the attacks are applied to the sensors and actuators of electric vehicle chargers with low–cost over–the–shelf amplifiers and antennas, and it is shown that EM interference attacks can manipulate the sensor data and boosts the current supplied to the EV, which can result in overheating and fire. To ensure secure electronic system operation, hardware–level defense mechanisms are discussed and validated with analytical solutions, simulations, and experiments.

Cyber-Physical System Security

Electromagnetic Attacks

Signal Integrity

Attaques électromagnétiques ciblant les générateurs d'aléa / Electromagnetic attacks on true random number generators

Bayon, Pierre

31 January 2014

Aujourd'hui, nous utilisons de plus en plus d'appareils "connectés" (téléphone portable, badge d'accès ou de transport, carte bancaire NFC, ...), et cette tendance ne va pas s'inverser. Ces appareils requièrent l'utilisation de primitives cryptographiques, embarquées dans des composants électroniques, dans le but de protéger les communications. Cependant, des techniques d'attaques permettent d'extraire de l'information du composant électronique ou fauter délibérément son fonctionnement. Un nouveau médium d'attaque, exploitant les ondes électromagnétiques est en pleine expansion. Ce médium, par rapport à des techniques de fautes à base de perturbations par faisceau LASER, propose l'avantage d’être à relativement faible coût. Nous présentons dans cette thèse la résistance d'un type de bloc cryptographique, à savoir les générateurs de nombres réellement aléatoires, aux ondes électromagnétiques. Nous montrons qu'il est possible d'extraire de l'information sensible du champ électromagnétique produit par le composant électronique, et qu'il est également possible de perturber un générateur en le soumettant à un fort champ électromagnétique harmonique / Nowadays, our society is using more and more connected devices (cellphones, transport or access card NFC debit card, etc.), and this trend is not going to reverse. These devices require the use of cryptographic primitives, embedded in electronic circuits, in order to protect communications. However, some attacks can allow an attacker to extract information from the electronic circuit or to modify its behavior. A new channel of attack, using electromagnetic waves is skyrocketing. This channel, compared to attacks based on LASER beam, is relatively inexpensive. We will, in this thesis, present a new attack, using electromagnetic waves, of a certain type of cryptographic primitive: the true random number generator. We will show that it is possible to extract sensitive information from the electromagnetic radiation coming from the electronic device. We will also show that it is possible to completly modify the behavior of the true random number generator using a strong electromagnetic field

Générateur d'aléa

Attaques électromagnétiques

Cryptographie

Sécurité matérielle

Oscillateur en anneau

Attaque en faute

Random number generator

Electromagnetic attacks

Cryptography

Hardware security

Ring oscillator

Attack at fault