Security Group Figures Out How to Use GPUs As Radio Transmitters to Steal Information

A new and innovative side-channel attack is discovered by research security firm Duo.

The AMD Radeon Pro WX3100 was the subject of Duo’s side-channel attack. (Image courtesy of AMD.)

The AMD Radeon Pro WX3100 was the subject of Duo’s side-channel attack. (Image courtesy of AMD.)

A research security firm known as Duo is reporting quite unusual activity: they’ve managed to alter an AMD Radeon GPU into a radio transmitter that sends data transmissions without any physical modifications to the hardware.

How did they do this?

The answer? A series of manipulations to an AMD Radeon Pro WX3100’s shader clock rates. They tuned the shader clock rates so that the whole GPU would become a radio device. Using the radio device, they were then able to send radio transmissions a distance of 50 feet and steal data from an air-gapped PC—a PC that was behind a wall. Malwarebytes, Norton or any other anti-virus programs are not going to catch this one.

This incredible feat is an example of a side-channel attack. A side-channel attack is performed by manipulating intelligence on how a computer system is implemented, rather than internal operating system information. The way a computer uses power, the timing of how it uses hardware, electromagnetic information or even the sounds a computer hardware system makes can be utilized to perform a side-channel attack.

A Software Defined Radio (SDR) device plugs into a USB port and only cost about USD 100, though Duo researchers used a more sensitive version that costs anywhere between three to six times that amount. The researchers used it in concert with a directional ultra-wideband antenna and UHF to snag the information from the targeted computer, using GQRX, an open source software to program the receiver.

Using their Linux-operated rig, Duo researchers accessed the GPU’s standard power controls and began manipulating its shader clock frequencies. Using trial and error, they moved the power around between the two frequencies until they generated a signal that reached their rig, 50 feet away.

To secure a more efficient radio transmission of data from the PC, the Duo team shifted and alternated between five 1 MHz clock increments without the computer detecting a single thing.

Bottom Line

Side-channel attacks are among the most innovative because there is really no way of protecting against them until they are discovered. Zero-day exploits found from side-channel attacks are notoriously difficult to solve when hardware is involved. Software exploits are much easier to patch because software can be updated far more easily than hardware. Patching hardware attacks through software often causes performance issues.