Tuesday, January 08, 2013

Funtenna!

I just watched Hacking Cisco Phones: Just because you are paranoid doesn't mean your phone isn't listening to everything you say, an excellent presentation by Ang Cui and Michael Costello at 29C3. I particularly liked that they coined the term "funtenna" to describe the potential capability of malware using the off-hook switch in a VoIP phone as an antenna to transmit data over RF.

I appreciate that they credited me with the idea, but I would like to set the record straight. I met Ang and Michael at a Cyber Fast Track event a couple months ago, and they approached me with the idea of exfiltrating data from the phone by toggling a GPIO pin on the embedded CPU at radio frequencies. My only contribution was looking at the hardware and suggesting that the wire extending to the off-hook switch was probably the best candidate antenna for the hack.

Although it hasn't been implemented yet, I think the idea has merit. I don't know how fast a GPIO pin can be toggled on the platform, but the CPU operates at something like 800 MHz. That makes it very likely that the maximum GPIO toggle rate is at least in the tens of MHz, maybe even over 100 MHz. I don't know the resonant frequency of the wire extending to the off-hook switch, but it is probably a few hundred MHz. If my guesses are close, then it is likely that the funtenna could be used to transmit data a short distance, perhaps through a wall or two. It isn't a very good radio, but it should work to some extent. Even a short range wireless transmission is very interesting when it originates from unmodified hardware not intended for wireless operation.

With Ang and Michael's approval, I would like to formalize the definition of "funtenna" a bit: A funtenna is an antenna that was not intended by the designer of the system to be an antenna, particularly when used as an antenna by an attacker. In the case of the Cisco phone, the funtenna could be used to transmit data from the phone. In certain systems, it may be possible to use a funtenna to receive radio signals as well. (I even know of some people working on a way to inject data into an untouched device using nothing but a high power radio signal; it is a very limited capability but theoretically possible.) The field of emission security studies unintentional radio emissions that leak data, and I would call any radiating element (a cable with poor shielding, for example) that leaks useful or sensitive information a funtenna.

Whenever I crack open an electronic device for the first time, I now look for potential funtennas. Maybe you will too. :-)

22 comments:

Luke said...

What an awesome idea! Looks like it would be totally possible. Someone has already done this with the Raspberry Pi and turned it into an FM Transmitter simply by toggling a GPIO pin:
http://www.icrobotics.co.uk/wiki/index.php/Turning_the_Raspberry_Pi_Into_an_FM_Transmitter

Lucas Daniel said...

Sorry my bad english, i'm brazilian ;)I read your post and I remembered about a distrust I have on mobile devices regardless of OS. do you think the phone can open a listening device without calling? as if the mobile network operator could hear our conversations without needing to give a ring ... do you think that would be possible in a hardware appliance any gsm?
thanks for the reply

Anonymous said...

Reminds me of an old hack, which makes dvb-t transmitter out of vga card.
http://bellard.org/dvbt/

Michael Ossmann said...

Nice links! The oldest prior art related to intentional funtenna transmission I can recall is Tempest for Eliza.

Lucas: Yes, there have been examples of mobile phones used as listening devices. If your network operator or anyone else controls the software on your phone, they can probably do that. I've never heard of an operator doing such a thing.

Jared said...

Prior art is much older than Tempest for Eliza. Try: Altair at Homebrew Computer Club, 1975
There isn't a specific funtenna here, so much as an entire computer's collective EMI.

Unknown said...

This would be a nice way to export data gathered by a device like the phones, but do you know of any juicy protocols that it could directly attack at those frequencies?

Michael Ossmann said...

Jared wins!

Hugh: It is unlikely that we could attack much over the air with this technique (at least on the Cisco phone platform). We have limited modulation capability and can only transmit at low power up to something like 100 MHz. Perhaps we could transmit control signals to a toy remote control vehicle at 27 or 49 MHz.

GB3 said...

You didn't mention that you're the one who gave them the idea for Funtenna! :)

Great talk, thanks for sharing it.

Unknown said...

One further idea, probably mentioned already somewhere, but the microphone might be used to capture keystrokes, or more interestingly the funtenna might be a nice place to sniff for TEMPEST like emissions.

AKA the A said...

Would you happen to have any materials/sources for the RF injection? I have seen some examples, but nothing very "trustworthy"...

Michael Ossmann said...

AKA the A: If you are referring to the ability to use RF to inject data into a system not intended for RF operation, I don't have any specific resources. The research that I know of is very preliminary, not public, and highly dependent on the characteristics of the target device.

jim smith said...

They can probably do that. I've never heard of an operator doing such a thing.
Transmission Fort Lauderdale

Unknown said...

we are offering latest amazon Special Offers & Deals to save your money and time. As well get the best products with best prices. Don't waste your time join us today!! : Lg smart phone

Agen Bola Terpercaya said...

all of your posting i very like thank . Agen bola terpercaya

Agen Bola said...

hello Agen Bola

John Adam said...

What is negative carbon emission?
emissions software

Used PC Exporter said...

Nice Blog Post !

Anonymous said...

I'm Khloé Zac, I tried to invest my savings into forex broker's trade during Pandemic and ever since last year December have been trying to withdraw my savings and each time i try to withdraw i'm asked to pay for fees and Tax fees, last Month june 26th i discovered that it was all scam and i have already lost $450,000 US dollar's. I was referred by my bestie who know so much about the internet and he referred me to Vitor programmer, i emailed him and he asked me to get in touch on WhatsApp and i did as he instructed, after 32 hours of reaching out to Vitor Programmer i received a notification on my phone screen and it was blockchain and my funds were recovered full without stories, i am writing this because a lot of people complain of being scammed online while trying to have there funds recovered, kindly Email: Vitor@programmer.net, WhatsApp contact: (+1) 519 / 398 / 1460, and tell him that you are from Khloé Zac.




Recovery Lost Funds From Online Scammer's/ Cryptocurrency/ Recovery of Stolen bitcoin 

Unknown said...

I recommend professional expert Programmer Email: vitorzprogrammer@gmail.com, for Recovery Funds / Cryptocurrency / Binary / Forex / Recovery of Stolen Bitcoin / Report scammers and blocking of Scammers Emails, website's, phone number's / Removing Bad Records from Both Public and Private database: Whats App (+1) 519 / 398 / 1460

Unknown said...

Have you been defrauded by deceptive Bitcoin traders? Or are you seeking to recover funds you lost on telegram accounts to take over hackers/rippers?. I personally will recommend no one other than albertgonzalezwizard (@) gmail com This is the least I could do for them after they saved my life by helping me recover up to 3.966BTC in less than two weeks from an online ripper lately. I got referred to them via my colleague at work , they also helped his spouse recover tokens and coins lost to scams .I'm glad I got in contact with this specialist because I would have most likely fallen victim to another online fraudster all in the name of them trying to help me. I owe this people a lot because it is so hard to see legit help online. Are you having similar issues with your BTC Wallet,Don't get scammed by these online fraudsters, contact albertgonzalezwizard (@) gmail com they are the most efficient and most trusted recovery expert on here Whatassp +31684181827 or Telegram: +31687920980

Anonymous said...

I humbly implore your attention to discuss with you a great hacker called Wizard Brixton who helped me in recovering my funds when I trusted a faker rippers who rip out my money and I was broke and could not even afford to pay my rents or to feed myself my girlfriend left me because there was no hope anymore lost all my life saves to this ripper but suddenly I saw an advert about this hacker and I contact him on wizardbrixton@gmail.com and explain my situation to him, he said that he will help me to recover my funds and I think is just a normal way hacker do say but suddenly Brixton got me proof to show he can get my funds, at last, he recovers my 357,000 USD from the rippers and it was a shock to me so I promise him to sing the praise of him so other people can benefit from his good job email him directly via WIZARDBRIXTON (AT) GMAIL (DOT) COM and reach him on WhatsApp +1- /807-23 4-0428 Immediately for your help and discuss further

Anonymous said...

QUALITY SSN DOB DL HIGH CREDIT SCORES Leads
CC with CVV Fullz (USA, UK, CANADA)
Tutorials & E-Books For Ethical Hacking
Tools For Everything You Need

I'm On Telegram = @killhacks & I C Q = 752822040

Stuff available for
(Spamming, Carding, Ethical Hacking, LINUX, Programming, Scripting, etc. )

Deals in all kind of Tools, Tutorials, E-books, Leads/Fullz/Pros
Availability 24/7
FASTEST DELIVERY

Build Your Own Business with proper guide & Legit Tools
Always glad to serve

GOOD LUCK
Here I'm:
I C Q = 752822040
Tele-gram = @killhacks