A Feasibility Study of Radio-frequency Retroreflector Attack


Satohiro Wakabayashi, Seita Maruyama, Tatsuya Mori, and Shigeki Goto, Waseda University; Masahiro Kinugawa, National Institute of Technology, Sendai College; Yu-ichi Hayashi, Nara Institute of Science and Technology
Awarded Best Student Paper!


Radio-frequency (RF) retroreflector attack (RFRA) is an active electromagnetic side-channel attack that aims to leak the target's internal signals by irradiating the targeted device with a radio wave, where an attacker has embedded a malicious circuit (RF retroreflector) in the device in advance. As the retroreflector consists of small and cheap electrical elements, such as a field-effect transistor (FET) chip and a wire that can work as a dipole antenna, the reflector can be embedded into various kinds of electric devices that carry unencrypted, sensitive information;, e.g., keyboard, display monitor, microphone, speaker, USB, and so on. Only a few studies have addressed the RFRA. However, they did not evaluate the conditions for a successful attack scientifically, and therefore, assessing the feasibility of the RFRA remains an open issue. In the present study, we aim to evaluate the conditions for a successful RFRA, empirically, through extensive experiments. Understanding attack limitations should help to develop effective countermeasures against it. In particular, as the conditions for a successful attack, we studied the distance between the attacker and the target, and the target signal frequencies. Through the extensive experiments, using off-the-shelf hardware, including software-defined radio (SDR) equipment, we revealed that the required conditions for a successful attack are (1) up to a 10-Mbps of a target signal and (2) up to a distance of 10 meters. We also demonstrated that a USB keyboard, using USB low-speed (1.5 Mbps), is attackable, and we succeeded to eavesdrop typing. We conclude that the RFRA threat is realistic.

Open Access Media

USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.

@inproceedings {220592,
author = {Satohiro Wakabayashi and Seita Maruyama and Tatsuya Mori and Shigeki Goto and Masahiro Kinugawa and Yu-ichi Hayashi and Michael Smith},
title = {A Feasibility Study of Radio-frequency Retroreflector Attack},
booktitle = {12th USENIX Workshop on Offensive Technologies (WOOT 18)},
year = {2018},
address = {Baltimore, MD},
url = {https://www.usenix.org/conference/woot18/presentation/wakabayashi},
publisher = {USENIX Association},
month = aug