Security Researchers Turn Radeon GPU into a Radio Transmitter with 50ft Range to Steal Data

btarunr · Apr 24, 2020

Thursday we brought you a story of an improbable but ingenious cybersecurity attack vector called Air-ViBER, which uses fan vibrations to transmit data to a nearby listening device in an air-gapped environment. Another team of researchers, led by Mikhail Davidov and Baron Oldenburg, developed an equally ingenious but more insidious attack vector - rapid manipulation of clock speeds of an AMD Radeon Pro WX3100 GPU to turn it into a tunable radio transmitter; and ferrying data off as inaudible and invisible RF transmissions. The graphics card itself works as a radio transmitter, the computer needn't have a WLAN device.

What's worse, the signal has an impressive 50-foot (15.2 m) range, can pass through walls, and can have a far higher data-rate than the fan vibration hack. Even worse, the attack doesn't require any special hacks of the GPU driver or physical modification of the graphics card in any way - only a tool that can manipulate its clock speeds (any overclocking software can do that). Luckily, overclocking tools are privileged applications (requiring ring-0 access), and in most machines it springs up a UAC gate unless the overclocking software installs a driver and service that runs in the background (this installation requires a UAC authorization in the first place). If someone managed to install privileged software on your computer, you have bigger problems than a graphics card that likes to sing. Find technical details of the hack here, and a video presentation here.

View at TechPowerUp Main Site

btarunr · Apr 24, 2020

I have an idea for a mitigation. Reprogram the driver to apply user-specified clock speeds with a 4000 ms delay (without affecting the driver's internal clock-manipulation rate used by power-management). This will junk the hack's data-rate?

Lionheart · Apr 24, 2020

Nvidia right now :rolleyes:

Divide Overflow · Apr 24, 2020

NVidia cards can do this while minimizing the background noise!

lexluthermiester · Apr 24, 2020

I think 50M is optimistic. 15M is pushing it even with the right equipment.

btarunr · Apr 24, 2020

CORRECTION: I mixed up feet and meters. The range they claim is in feet. 50 ft = 15.2 m.

Jism · Apr 24, 2020

btarunr said:
I have an idea for a mitigation. Reprogram the driver to apply user-specified clock speeds with a 4000 ms delay (without affecting the driver's internal clock-manipulation rate used by power-management). This will junk the hack's data-rate?

A hack like this is more of a 007 bond type of hack shit that you see in movies. I mean it takes alot of skill to start using your GPU as a wireless device now. Any device inside a working pc is vulnerable towards a hack like this. I think they are better of using proper shielding of components in the first place if protected data should be kept sensitive in the first place.

mtcn77 · Apr 24, 2020

btarunr said:
I have an idea for a mitigation. Reprogram the driver to apply user-specified clock speeds with a 4000 ms delay (without affecting the driver's internal clock-manipulation rate used by power-management). This will junk the hack's data-rate?

Hysteresis is a baller idea. I don't know why it doesn't get its share of usual fanfare. It locks into step all useless fan ramp modulations at supramaximum.

It is present in MSI Afterburner for instance.

droopyRO · Apr 24, 2020

Use a passive cooled GPU, the iGPU and/or unplug fans from GPU, easy ... btw dose it interfere with the 5G spying ?

AusWolf · Apr 24, 2020

droopyRO said:
Use a passive cooled GPU, the iGPU and/or unplug fans from GPU, easy ... btw dose it interfere with the 5G spying ?

Or use and nVidia GPU that sets a target clock, and only decreases it with heat and/or increased power consumption. For example, my 1660Ti runs on 1920/1905 MHz all the time. I doubt anyone can extract any information from that.

Bruno Vieira · Apr 24, 2020

It doent need a patch, if the person has admin acess, turning the AMD gpu into a radio is not very efficient, you cant do so many easier things with the system

rutra80 · Apr 24, 2020

I'm doing a research of nVidia GPU leaking data with Morse code via flicking screen black & white.

Tartaros · Apr 24, 2020

I love this, this is fucking big brain thinking enabling conspirationists to a brand new cosmos of bullshittery. I hope this is merged into the 5g covid lore.

R-T-B · Apr 25, 2020

droopyRO said:
Use a passive cooled GPU, the iGPU and/or unplug fans from GPU, easy ... btw dose it interfere with the 5G spying ?

This hack doesn't use fans.

What 5G spying?

Tartaros said:
I hope this is merged into the 5g covid lore.

Oh god, please no.

rutra80 said:
I'm doing a research of nVidia GPU leaking data with Morse code via flicking screen black & white.

Honestly, it's just as practical as half of this, and not a bad idea. You could even set it to target a specific small pixel to avoid user notice. Because James Bonds screen capture software is always pixel-perfect... ENHANCE!

rutra80 · Apr 25, 2020

Vulnerability researched by me will be patched in the next nVidia drivers by applying a random 500-1500 ms delay on every frame render, thus bringing Morse transfer to unpractically low bandwidth. Sorry for making your lives miserable with 1 fps experience.

remixedcat · Apr 26, 2020

Tartaros said:
I love this, this is fucking big brain thinking enabling conspirationists to a brand new cosmos of bullshittery. I hope this is merged into the 5g covid lore.

Too late every frog is gay

lexluthermiester · Apr 26, 2020

btarunr said:
CORRECTION: I mixed up feet and meters. The range they claim is in feet. 50 ft = 15.2 m.

Ah, that makes more sense. I still say it's optimistic to expect any usable data from such an exploit.

Tartaros · Apr 26, 2020

remixedcat said:
Too late every frog is gay

candle_86 · Apr 27, 2020

Yet secure sites also have Faraday cages around the computer systems and usually the building to stop any leaks. It's vector I guess could be a corporate system that's not properly sheilded but military, governments, and government contractors are required to keep air gapped data also behind physical access barriers and a Faraday cage.

I worked on the call desk for a defense contractor and one specific computer acted up. He had to write instructions down and error messages and hand carry them to said computer because his phone wouldn't work in the building because as he put it, it's inside a sheilded concrete area to protect it from any possible attack on the em spectrum or someone sneaking in wireless devices to capture data. I couldn't see this type of attack working.

Octopuss · Apr 27, 2020

I don't undestand. What's this good for? So you can transmit data somehow to the next room.
What kind of data? This sounds more like script kiddie fun project rather than serious security problem.

System Name	RBMK-1000
Processor	AMD Ryzen 7 5700G
Motherboard	ASUS ROG Strix B450-E Gaming
Cooling	DeepCool Gammax L240 V2
Memory	2x 8GB G.Skill Sniper X
Video Card(s)	Palit GeForce RTX 2080 SUPER GameRock
Storage	Western Digital Black NVMe 512GB
Display(s)	BenQ 1440p 60 Hz 27-inch
Case	Corsair Carbide 100R
Audio Device(s)	ASUS SupremeFX S1220A
Power Supply	Cooler Master MWE Gold 650W
Mouse	ASUS ROG Strix Impact
Keyboard	Gamdias Hermes E2
Software	Windows 11 Pro

System Name	RBMK-1000
Processor	AMD Ryzen 7 5700G
Motherboard	ASUS ROG Strix B450-E Gaming
Cooling	DeepCool Gammax L240 V2
Memory	2x 8GB G.Skill Sniper X
Video Card(s)	Palit GeForce RTX 2080 SUPER GameRock
Storage	Western Digital Black NVMe 512GB
Display(s)	BenQ 1440p 60 Hz 27-inch
Case	Corsair Carbide 100R
Audio Device(s)	ASUS SupremeFX S1220A
Power Supply	Cooler Master MWE Gold 650W
Mouse	ASUS ROG Strix Impact
Keyboard	Gamdias Hermes E2
Software	Windows 11 Pro

System Name	Boomer Master Race
Processor	Intel Core i5 12600H
Motherboard	MinisForum NAB6 Lite Board
Cooling	Mini PC Cooling
Memory	Apacer 16GB 3200Mhz
Video Card(s)	Intel Iris Xe Graphics
Storage	Kingston 512GB SSD
Display(s)	Sony 4K Bravia X85J 43Inch TV 120Hz
Case	MinisForum NAB6 Lite Case
Audio Device(s)	Built In Realtek Digital Audio HD
Power Supply	120w External Power Brick
Mouse	Logitech G203 Lightsync
Keyboard	Atrix RGB Slim Keyboard
VR HMD	( ◔ ʖ̯ ◔ )
Software	Windows 11 Home 64bit
Benchmark Scores	Don't do them anymore.

Processor	Ryzen 9 5900X
Motherboard	Gigabyte X570 Aorus Master
Cooling	ARCTIC Liquid Freezer III 360 A-RGB
Memory	32 GB Ballistix Elite DDR4-3600 CL16
Video Card(s)	XFX 6800 XT Speedster Merc 319 Black
Storage	Sabrent Rocket NVMe 4.0 1TB
Display(s)	LG 27GL850B x 2 / ASUS MG278Q
Case	be quiet! Silent Base 802
Audio Device(s)	Sound Blaster AE-7 / Sennheiser HD 660S
Power Supply	Seasonic Vertex PX-1200
Software	Windows 11 Pro 64

System Name	RBMK-1000
Processor	AMD Ryzen 7 5700G
Motherboard	ASUS ROG Strix B450-E Gaming
Cooling	DeepCool Gammax L240 V2
Memory	2x 8GB G.Skill Sniper X
Video Card(s)	Palit GeForce RTX 2080 SUPER GameRock
Storage	Western Digital Black NVMe 512GB
Display(s)	BenQ 1440p 60 Hz 27-inch
Case	Corsair Carbide 100R
Audio Device(s)	ASUS SupremeFX S1220A
Power Supply	Cooler Master MWE Gold 650W
Mouse	ASUS ROG Strix Impact
Keyboard	Gamdias Hermes E2
Software	Windows 11 Pro

Security Researchers Turn Radeon GPU into a Radio Transmitter with 50ft Range to Steal Data

btarunr

Editor & Senior Moderator

btarunr

Editor & Senior Moderator

Lionheart

Divide Overflow

lexluthermiester

btarunr

Editor & Senior Moderator

Jism

mtcn77

droopyRO

AusWolf

Bruno Vieira

rutra80

Tartaros

R-T-B

rutra80

remixedcat

lexluthermiester

Tartaros

candle_86

Octopuss

System Name	Nebulon B
Processor	AMD Ryzen 7 7800X3D
Motherboard	MSi PRO B650M-A WiFi
Cooling	be quiet! Dark Rock 4
Memory	2x 24 GB Corsair Vengeance DDR5-4800
Video Card(s)	AMD Radeon RX 6750 XT 12 GB
Storage	2 TB Corsair MP600 GS, 2 TB Corsair MP600 R2
Display(s)	Dell S3422DWG, 7" Waveshare touchscreen
Case	Kolink Citadel Mesh black
Audio Device(s)	Logitech Z333 2.1 speakers, AKG Y50 headphones
Power Supply	Seasonic Prime GX-750
Mouse	Logitech MX Master 2S
Keyboard	Logitech G413 SE
Software	Bazzite (Fedora Linux) KDE

System Name	Rectangulote
Processor	Core I9-9900KF
Motherboard	Asus TUF Z390M
Cooling	Alphacool Eisbaer Aurora 280 + Eisblock RTX 3090 RE + 2 x 240 ST30
Memory	32 GB DDR4 3600mhz CL16 Crucial Ballistix
Video Card(s)	KFA2 RTX 3090 SG
Storage	WD Blue 3D 2TB + 2 x WD Black SN750 1TB
Display(s)	2 x Asus ROG Swift PG278QR / Samsung Q60R
Case	Corsair 5000D Airflow
Audio Device(s)	Evga Nu Audio + Sennheiser HD599SE + Trust GTX 258
Power Supply	Corsair RMX850
Mouse	Razer Naga Wireless Pro / Logitech MX Master
Keyboard	Keychron K4 / Dierya DK61 Pro
Software	Windows 11 Pro

System Name	Pioneer
Processor	Ryzen R9 9950X
Motherboard	GIGABYTE Aorus Elite X670 AX
Cooling	Noctua NH-D15 + A whole lotta Sunon and Corsair Maglev blower fans...
Memory	64GB (4x 16GB) G.Skill Flare X5 @ DDR5-6000 CL30
Video Card(s)	XFX RX 7900 XTX Speedster Merc 310
Storage	Intel 905p Optane 960GB boot, +2x Crucial P5 Plus 2TB PCIe 4.0 NVMe SSDs
Display(s)	55" LG 55" B9 OLED 4K Display
Case	Thermaltake Core X31
Audio Device(s)	TOSLINK->Schiit Modi MB->Asgard 2 DAC Amp->AKG Pro K712 Headphones or HDMI->B9 OLED
Power Supply	FSP Hydro Ti Pro 850W
Mouse	Logitech G305 Lightspeed Wireless
Keyboard	WASD Code v3 with Cherry Green keyswitches + PBT DS keycaps
Software	Gentoo Linux x64 / Windows 11 Enterprise IoT 2024

System Name	RemixedBeast-NX
Processor	Intel Xeon E5-2690 @ 2.9Ghz (8C/16T)
Motherboard	Dell Inc. 08HPGT (CPU 1)
Cooling	Dell Standard
Memory	24GB ECC
Video Card(s)	Gigabyte Nvidia RTX2060 6GB
Storage	2TB Samsung 860 EVO SSD//2TB WD Black HDD
Display(s)	Samsung SyncMaster P2350 23in @ 1920x1080 + Dell E2013H 20 in @1600x900
Case	Dell Precision T3600 Chassis
Audio Device(s)	Beyerdynamic DT770 Pro 80 // Fiio E7 Amp/DAC
Power Supply	630w Dell T3600 PSU
Mouse	Logitech G700s/G502
Keyboard	Logitech K740
Software	Linux Mint 20
Benchmark Scores	Network: APs: Cisco Meraki MR32, Ubiquiti Unifi AP-AC-LR and Lite Router/Sw:Meraki MX64 MS220-8P

System Name	The86
Processor	Ryzen 5 3600
Motherboard	ASROCKS B450 Steel Legend
Cooling	AMD Stealth
Memory	2x8gb DDR4 3200 Corsair
Video Card(s)	EVGA RTX 3060 Ti
Storage	WD Black 512gb, WD Blue 1TB
Display(s)	AOC 24in
Case	Raidmax Alpha Prime
Power Supply	700W Thermaltake Smart
Mouse	Logitech Mx510
Keyboard	Razer BlackWidow 2012
Software	Windows 10 Professional

Processor	Ryzen 5800X
Motherboard	Asus TUF-Gaming B550-Plus
Cooling	Noctua NH-U14S
Memory	32GB G.Skill Trident Z Neo F4-3600C16D-32GTZNC
Video Card(s)	Sapphire Radeon Rx 580 Nitro+ 8GB
Storage	HP EX950 512GB + Samsung 970 PRO 1TB
Display(s)	HP Z Display Z24i G2
Case	Fractal Design Define R6 Black
Audio Device(s)	Creative Sound Blaster AE-5
Power Supply	Seasonic PRIME Ultra 650W Gold
Mouse	Roccat Kone AIMO Remastered
Software	Windows 10 x64