• Welcome to TechPowerUp Forums, Guest! Please check out our forum guidelines for info related to our community.

Security Researchers Turn Radeon GPU into a Radio Transmitter with 50ft Range to Steal Data

btarunr

Editor & Senior Moderator
Staff member
Joined
Oct 9, 2007
Messages
47,166 (7.56/day)
Location
Hyderabad, India
System Name RBMK-1000
Processor AMD Ryzen 7 5700G
Motherboard ASUS ROG Strix B450-E Gaming
Cooling DeepCool Gammax L240 V2
Memory 2x 8GB G.Skill Sniper X
Video Card(s) Palit GeForce RTX 2080 SUPER GameRock
Storage Western Digital Black NVMe 512GB
Display(s) BenQ 1440p 60 Hz 27-inch
Case Corsair Carbide 100R
Audio Device(s) ASUS SupremeFX S1220A
Power Supply Cooler Master MWE Gold 650W
Mouse ASUS ROG Strix Impact
Keyboard Gamdias Hermes E2
Software Windows 11 Pro
Thursday we brought you a story of an improbable but ingenious cybersecurity attack vector called Air-ViBER, which uses fan vibrations to transmit data to a nearby listening device in an air-gapped environment. Another team of researchers, led by Mikhail Davidov and Baron Oldenburg, developed an equally ingenious but more insidious attack vector - rapid manipulation of clock speeds of an AMD Radeon Pro WX3100 GPU to turn it into a tunable radio transmitter; and ferrying data off as inaudible and invisible RF transmissions. The graphics card itself works as a radio transmitter, the computer needn't have a WLAN device.

What's worse, the signal has an impressive 50-foot (15.2 m) range, can pass through walls, and can have a far higher data-rate than the fan vibration hack. Even worse, the attack doesn't require any special hacks of the GPU driver or physical modification of the graphics card in any way - only a tool that can manipulate its clock speeds (any overclocking software can do that). Luckily, overclocking tools are privileged applications (requiring ring-0 access), and in most machines it springs up a UAC gate unless the overclocking software installs a driver and service that runs in the background (this installation requires a UAC authorization in the first place). If someone managed to install privileged software on your computer, you have bigger problems than a graphics card that likes to sing. Find technical details of the hack here, and a video presentation here.



View at TechPowerUp Main Site
 

btarunr

Editor & Senior Moderator
Staff member
Joined
Oct 9, 2007
Messages
47,166 (7.56/day)
Location
Hyderabad, India
System Name RBMK-1000
Processor AMD Ryzen 7 5700G
Motherboard ASUS ROG Strix B450-E Gaming
Cooling DeepCool Gammax L240 V2
Memory 2x 8GB G.Skill Sniper X
Video Card(s) Palit GeForce RTX 2080 SUPER GameRock
Storage Western Digital Black NVMe 512GB
Display(s) BenQ 1440p 60 Hz 27-inch
Case Corsair Carbide 100R
Audio Device(s) ASUS SupremeFX S1220A
Power Supply Cooler Master MWE Gold 650W
Mouse ASUS ROG Strix Impact
Keyboard Gamdias Hermes E2
Software Windows 11 Pro
I have an idea for a mitigation. Reprogram the driver to apply user-specified clock speeds with a 4000 ms delay (without affecting the driver's internal clock-manipulation rate used by power-management). This will junk the hack's data-rate?
 
Joined
Apr 30, 2008
Messages
4,894 (0.81/day)
Location
Multidimensional
System Name Boomer Master Race
Processor Intel Core i5 12600H
Motherboard MinisForum NAB6 Lite Board
Cooling Mini PC Cooling
Memory Apacer 16GB 3200Mhz
Video Card(s) Intel Iris Xe Graphics
Storage Kingston 512GB SSD
Display(s) Sony 4K Bravia X85J 43Inch TV 120Hz
Case MinisForum NAB6 Lite Case
Audio Device(s) Built In Realtek Digital Audio HD
Power Supply 120w External Power Brick
Mouse Logitech G203 Lightsync
Keyboard Atrix RGB Slim Keyboard
VR HMD ( ◔ ʖ̯ ◔ )
Software Windows 11 Home 64bit
Benchmark Scores Don't do them anymore.
Nvidia right now :rolleyes:

13c.jpg
 
Joined
Apr 15, 2009
Messages
1,031 (0.18/day)
Processor Ryzen 9 5900X
Motherboard Gigabyte X570 Aorus Master
Cooling ARCTIC Liquid Freezer III 360 A-RGB
Memory 32 GB Ballistix Elite DDR4-3600 CL16
Video Card(s) XFX 6800 XT Speedster Merc 319 Black
Storage Sabrent Rocket NVMe 4.0 1TB
Display(s) LG 27GL850B x 2 / ASUS MG278Q
Case be quiet! Silent Base 802
Audio Device(s) Sound Blaster AE-7 / Sennheiser HD 660S
Power Supply Seasonic Vertex PX-1200
Software Windows 11 Pro 64
NVidia cards can do this while minimizing the background noise!
 

btarunr

Editor & Senior Moderator
Staff member
Joined
Oct 9, 2007
Messages
47,166 (7.56/day)
Location
Hyderabad, India
System Name RBMK-1000
Processor AMD Ryzen 7 5700G
Motherboard ASUS ROG Strix B450-E Gaming
Cooling DeepCool Gammax L240 V2
Memory 2x 8GB G.Skill Sniper X
Video Card(s) Palit GeForce RTX 2080 SUPER GameRock
Storage Western Digital Black NVMe 512GB
Display(s) BenQ 1440p 60 Hz 27-inch
Case Corsair Carbide 100R
Audio Device(s) ASUS SupremeFX S1220A
Power Supply Cooler Master MWE Gold 650W
Mouse ASUS ROG Strix Impact
Keyboard Gamdias Hermes E2
Software Windows 11 Pro
CORRECTION: I mixed up feet and meters. The range they claim is in feet. 50 ft = 15.2 m.
 
Joined
Dec 30, 2010
Messages
2,194 (0.43/day)
I have an idea for a mitigation. Reprogram the driver to apply user-specified clock speeds with a 4000 ms delay (without affecting the driver's internal clock-manipulation rate used by power-management). This will junk the hack's data-rate?

A hack like this is more of a 007 bond type of hack shit that you see in movies. I mean it takes alot of skill to start using your GPU as a wireless device now. Any device inside a working pc is vulnerable towards a hack like this. I think they are better of using proper shielding of components in the first place if protected data should be kept sensitive in the first place.
 
Joined
Jun 3, 2010
Messages
2,540 (0.48/day)
I have an idea for a mitigation. Reprogram the driver to apply user-specified clock speeds with a 4000 ms delay (without affecting the driver's internal clock-manipulation rate used by power-management). This will junk the hack's data-rate?
Hysteresis is a baller idea. I don't know why it doesn't get its share of usual fanfare. It locks into step all useless fan ramp modulations at supramaximum.

It is present in MSI Afterburner for instance.
 
Joined
Feb 14, 2012
Messages
1,843 (0.40/day)
Location
Romania
Use a passive cooled GPU, the iGPU and/or unplug fans from GPU, easy ... btw dose it interfere with the 5G spying ?
 
Joined
Jan 14, 2019
Messages
12,192 (5.75/day)
Location
Midlands, UK
System Name Nebulon B
Processor AMD Ryzen 7 7800X3D
Motherboard MSi PRO B650M-A WiFi
Cooling be quiet! Dark Rock 4
Memory 2x 24 GB Corsair Vengeance DDR5-4800
Video Card(s) AMD Radeon RX 6750 XT 12 GB
Storage 2 TB Corsair MP600 GS, 2 TB Corsair MP600 R2
Display(s) Dell S3422DWG, 7" Waveshare touchscreen
Case Kolink Citadel Mesh black
Audio Device(s) Logitech Z333 2.1 speakers, AKG Y50 headphones
Power Supply Seasonic Prime GX-750
Mouse Logitech MX Master 2S
Keyboard Logitech G413 SE
Software Bazzite (Fedora Linux) KDE
Use a passive cooled GPU, the iGPU and/or unplug fans from GPU, easy ... btw dose it interfere with the 5G spying ?
Or use and nVidia GPU that sets a target clock, and only decreases it with heat and/or increased power consumption. For example, my 1660Ti runs on 1920/1905 MHz all the time. I doubt anyone can extract any information from that.
 
Joined
Aug 22, 2016
Messages
167 (0.06/day)
It doent need a patch, if the person has admin acess, turning the AMD gpu into a radio is not very efficient, you cant do so many easier things with the system
 
Joined
Oct 10, 2009
Messages
792 (0.14/day)
Location
Madrid, Spain
System Name Rectangulote
Processor Core I9-9900KF
Motherboard Asus TUF Z390M
Cooling Alphacool Eisbaer Aurora 280 + Eisblock RTX 3090 RE + 2 x 240 ST30
Memory 32 GB DDR4 3600mhz CL16 Crucial Ballistix
Video Card(s) KFA2 RTX 3090 SG
Storage WD Blue 3D 2TB + 2 x WD Black SN750 1TB
Display(s) 2 x Asus ROG Swift PG278QR / Samsung Q60R
Case Corsair 5000D Airflow
Audio Device(s) Evga Nu Audio + Sennheiser HD599SE + Trust GTX 258
Power Supply Corsair RMX850
Mouse Razer Naga Wireless Pro / Logitech MX Master
Keyboard Keychron K4 / Dierya DK61 Pro
Software Windows 11 Pro
I love this, this is fucking big brain thinking enabling conspirationists to a brand new cosmos of bullshittery. I hope this is merged into the 5g covid lore.
 
Joined
Aug 20, 2007
Messages
21,403 (3.41/day)
System Name Pioneer
Processor Ryzen R9 9950X
Motherboard GIGABYTE Aorus Elite X670 AX
Cooling Noctua NH-D15 + A whole lotta Sunon and Corsair Maglev blower fans...
Memory 64GB (4x 16GB) G.Skill Flare X5 @ DDR5-6000 CL30
Video Card(s) XFX RX 7900 XTX Speedster Merc 310
Storage Intel 905p Optane 960GB boot, +2x Crucial P5 Plus 2TB PCIe 4.0 NVMe SSDs
Display(s) 55" LG 55" B9 OLED 4K Display
Case Thermaltake Core X31
Audio Device(s) TOSLINK->Schiit Modi MB->Asgard 2 DAC Amp->AKG Pro K712 Headphones or HDMI->B9 OLED
Power Supply FSP Hydro Ti Pro 850W
Mouse Logitech G305 Lightspeed Wireless
Keyboard WASD Code v3 with Cherry Green keyswitches + PBT DS keycaps
Software Gentoo Linux x64 / Windows 11 Enterprise IoT 2024
Use a passive cooled GPU, the iGPU and/or unplug fans from GPU, easy ... btw dose it interfere with the 5G spying ?

This hack doesn't use fans.

What 5G spying?

I hope this is merged into the 5g covid lore.

Oh god, please no.

I'm doing a research of nVidia GPU leaking data with Morse code via flicking screen black & white.

Honestly, it's just as practical as half of this, and not a bad idea. You could even set it to target a specific small pixel to avoid user notice. Because James Bonds screen capture software is always pixel-perfect... ENHANCE!
 
Joined
May 8, 2019
Messages
132 (0.07/day)
Vulnerability researched by me will be patched in the next nVidia drivers by applying a random 500-1500 ms delay on every frame render, thus bringing Morse transfer to unpractically low bandwidth. Sorry for making your lives miserable with 1 fps experience.
 
Joined
May 13, 2010
Messages
6,040 (1.14/day)
System Name RemixedBeast-NX
Processor Intel Xeon E5-2690 @ 2.9Ghz (8C/16T)
Motherboard Dell Inc. 08HPGT (CPU 1)
Cooling Dell Standard
Memory 24GB ECC
Video Card(s) Gigabyte Nvidia RTX2060 6GB
Storage 2TB Samsung 860 EVO SSD//2TB WD Black HDD
Display(s) Samsung SyncMaster P2350 23in @ 1920x1080 + Dell E2013H 20 in @1600x900
Case Dell Precision T3600 Chassis
Audio Device(s) Beyerdynamic DT770 Pro 80 // Fiio E7 Amp/DAC
Power Supply 630w Dell T3600 PSU
Mouse Logitech G700s/G502
Keyboard Logitech K740
Software Linux Mint 20
Benchmark Scores Network: APs: Cisco Meraki MR32, Ubiquiti Unifi AP-AC-LR and Lite Router/Sw:Meraki MX64 MS220-8P
I love this, this is fucking big brain thinking enabling conspirationists to a brand new cosmos of bullshittery. I hope this is merged into the 5g covid lore.
Too late every frog is gay
 
Joined
Oct 10, 2009
Messages
792 (0.14/day)
Location
Madrid, Spain
System Name Rectangulote
Processor Core I9-9900KF
Motherboard Asus TUF Z390M
Cooling Alphacool Eisbaer Aurora 280 + Eisblock RTX 3090 RE + 2 x 240 ST30
Memory 32 GB DDR4 3600mhz CL16 Crucial Ballistix
Video Card(s) KFA2 RTX 3090 SG
Storage WD Blue 3D 2TB + 2 x WD Black SN750 1TB
Display(s) 2 x Asus ROG Swift PG278QR / Samsung Q60R
Case Corsair 5000D Airflow
Audio Device(s) Evga Nu Audio + Sennheiser HD599SE + Trust GTX 258
Power Supply Corsair RMX850
Mouse Razer Naga Wireless Pro / Logitech MX Master
Keyboard Keychron K4 / Dierya DK61 Pro
Software Windows 11 Pro
Joined
Dec 28, 2006
Messages
4,378 (0.67/day)
Location
Hurst, Texas
System Name The86
Processor Ryzen 5 3600
Motherboard ASROCKS B450 Steel Legend
Cooling AMD Stealth
Memory 2x8gb DDR4 3200 Corsair
Video Card(s) EVGA RTX 3060 Ti
Storage WD Black 512gb, WD Blue 1TB
Display(s) AOC 24in
Case Raidmax Alpha Prime
Power Supply 700W Thermaltake Smart
Mouse Logitech Mx510
Keyboard Razer BlackWidow 2012
Software Windows 10 Professional
Yet secure sites also have Faraday cages around the computer systems and usually the building to stop any leaks. It's vector I guess could be a corporate system that's not properly sheilded but military, governments, and government contractors are required to keep air gapped data also behind physical access barriers and a Faraday cage.

I worked on the call desk for a defense contractor and one specific computer acted up. He had to write instructions down and error messages and hand carry them to said computer because his phone wouldn't work in the building because as he put it, it's inside a sheilded concrete area to protect it from any possible attack on the em spectrum or someone sneaking in wireless devices to capture data. I couldn't see this type of attack working.
 
Joined
Aug 13, 2009
Messages
3,198 (0.58/day)
Location
Czech republic
Processor Ryzen 5800X
Motherboard Asus TUF-Gaming B550-Plus
Cooling Noctua NH-U14S
Memory 32GB G.Skill Trident Z Neo F4-3600C16D-32GTZNC
Video Card(s) Sapphire Radeon Rx 580 Nitro+ 8GB
Storage HP EX950 512GB + Samsung 970 PRO 1TB
Display(s) HP Z Display Z24i G2
Case Fractal Design Define R6 Black
Audio Device(s) Creative Sound Blaster AE-5
Power Supply Seasonic PRIME Ultra 650W Gold
Mouse Roccat Kone AIMO Remastered
Software Windows 10 x64
I don't undestand. What's this good for? So you can transmit data somehow to the next room.
What kind of data? This sounds more like script kiddie fun project rather than serious security problem.
 
Top