Schneier on Security

Clive Robinson • April 29, 2022 10:37 PM

@ ALL,

Re : Speakers as Mics.

And “transducers” in general in information leakage side channels.

I’ve done several deep dives on this blog before about this but to give the reduced “Conferance Talk” version,

The first thing you have to keep in mind is a good knowledge of the physical laws of nature, not least being, Newton’s Third Law, of

“Every action has an equal and opposite reaction”.

Which can be more generalised with “action” being replaced with force/energy,

“Every force/energy has an equal and opposite force/energy”

It’s the fundemental law behind all transducers, with the perhaps not immediately obvious implication there are two forces at work.

Think “the cat sat on the mat”, the cat has a force that pulls it towards the “local” gravitational center of the earth, but also the earth has a force that pulls it towards the gravitational center of the cat. Both are present in all physical systems and they are symetrical and differentiable from Noether’s Theorem[1].

If you look at a DC Motor it is also a generator… and has to be if you do not want the coils to burn out or the power supply to be destroyed.

Thus as the magnetic field from the rotor winding pushes against that of the stator the stator pushes back and causes an opposition. Without going through the other electrical mechanical laws, engineers call the resultant generation “Back Electro-Motive Force”(Back EMF). It is proportional to the speed of the motor. Thus it can be used in “Motor Speed Controlers” where the load can be fairly variable such as in cordless drills and model railways and electric vehicals on uneven grades. Also as the speakers in audio systems are also motors called “Linear Voltage Displacment sensors/driver/transformer/trasducer”(LVDS LVDT) the movment of the cone can in larger units be subjected to a feedback circuit to make the displacment more linear over a greater range.

The issue is that both forces are seen as energy on the same terminals on the motor/speaker simultaneously but in opposition to each other. How then to seperate the in-going and out-going energy signals?

Well because they are effectively traveling in opposite directions you use a “hybrid coupler/combiner” that seperates the two energy signals. In the case of “audio on the wire” for a century now a circuit called a “2wire to 4wire hybrid/coupler” has been used in the “Plain Old Telephone System”(POTS) you can make one using other transducers known as “transformers”.

It has been said that the “audio bug” used in Soviet Era courtesy car radios in the passanger compartment was originally designed by Léon Theremin[2]. It is the first acknowledged use of an electrical speaker, playing an audio signal, simultaniously being used to spy on people. It seperated out any spoken voice or other noises in the passenger compartment from the radio audio output signal, by the use of a 2wire to 4wire hybrid, with the extracted signal being recorded by a wire recorder in a concealed compartment.

Modern “Digital Signal Processing”(DSP) can be used to do exactly the same task and the required circuitry comes “built-in” in nearly all audio codecs and driver chips used in consumer computers these days. Especially laptops where it’s effectively essential to do so, because the speakers have horrible frequency and amplitude responses. Due in part to their small physical size as well as “modal resonances”. The DSP Codec / Driver thus pre-distorts the audio signal going into the speaker to gain a linear air preasure response.

But the issue of transducers is way more general that is, it is,

“A device that converts energy from one form into another form”

And that basically covers any tangible physical device from atoms upwards that “does work” which is all physical systems apparent or not.

Even though it may not be immediately apparent all transducers reflect a signal backwards from the load to the source of the energy directly proportional to the action of the load. Simply because as the load changes the energy required to do the work changes and that goes all the way back to the primary energy source, as the law for “the conservation of energy” postulated by Émilie du Châtelet requires[3].

But the important thing to remember is that the behaviour of the load also reflects the environment it is in. That is the “total energy” involved is the vector sum of all the energy applied to it by all forces acting upon it.

The conservation of energy postulate gives rise to various equivalent energy laws one of which is the “conservation of charge” law which gives rise in turn to Gustav Kirchhoff’s First (current) and Second (voltage) laws also called in the more general form “Kirchhoff’s Charge Laws” they are fundemental to nearly all static circuit analysis. The First law is usually stated as,

“The sum of the currents/charge entering a junction/node is equal to the some of the currents/charge leaving the node/junction”.

Which is a fundemental axiom of not just electrical theory but all static systems that do work. That is the “zero sum” of “What goes in must come out” it can not “disapear”, though it can be “disapated” in time as the most fundemental form of pollution waste “heat energy” which is the vector sum of the energy “lost due to inefficiency” causing molecules and atoms to vibrate.

A consequence of this is “information” that is “impressed or modulated” onto energy or matter is also not destroyed just disipated beyond our currant ability to recover it. We call this vector sum various names but in general it is called “Noise” and it exists atleast as long as the universe is old (see cosmic background noise) and is increasing by the process of thermodynamic entropy as coherent energy is used to do work.

So at this point you have the required science to understand why such transducer duality or bi-directionality happens. Also more importantly why the “environmental signal” “impressed on the load” travels in the opposite direction to the motivation force right back to the energy source(s).

But now you have to ask what are the consequences of this?

Well consider the ambiant light sensor in your mobile phone, and how it effects the charge put into the display backlight. Which means charge from the battery that has “inefficiency” via the inherant circuit resistance causes changes to the battery terminal voltage. As the phone thanks to HTML 5 can now report that voltage back to a web site, your phone acts inescapably as a “remote environmental sensor”. Well you might say “so what”, but further consider that the ambiant light changes significantly when you put your phone upto your ear, or in your pocket. So indirectly can indicate if you are using the phone in “hands-free” mode even though there is no direct connection from the phone audio circuits.

But… consider a more general case, due to high efficiency energy conversion in modern switch mode power supplies they have a high reverse bandwidth for information.

Which means that every electrical device you use connected to the “mains power” provides a component signal of information in the “vector sum” at the mains power supply point to your house. Not just at your utility cabinate, but all the way across the supply grid to the generator where it causes a physical change in the alternator speed that in turn goes back through the steam turbine to the source of thermal energy that super heats the water.

Can that “information” be retrieved all the way back there?

Well the answer is, in theory yes, in practice it depends on two things,

1, Shannon Channel bandwidth.
2, Signal to noise ratio in a given bandwidth.

As previously noted “noise” is actually the fractional value of the “total energy” charge movment expressed as a vector sum (see KCL).

As a general rule engineers design systems so that the noise at the power input terminals of a circuit is as small as possible. They do this in two basic ways,

1, They reduce the bandwidth.
2, They reduce the effective source impedence.

The first reduces the reverse transmission of information, the second has the opposite effect. In the past the first solution was used but this was at best inefficent as it involved passive components with considerable “loss resistance” that could only be reduced by increasing physical dimensions.

With the advent of fast semiconductors the equivalent of the passive components could be synthesized at a “node” but KCL still applies so the required charge to hold the node at an invarient potential under changing load conditions has to be sourced or sunk from another node on a branch other than that of the load branch.

How far back this source node is depends on if it can store charge or not. Both inductors and capacitors store charge, as a result they interact with impedence and thus provide a bandwidth reducing function. This is not true of active circuits that synthesize inductors and capacitors they simply pass the charge requirments back to a more distant node. The more efficient the synthesis the further back the charge movment is passed and with it any information impressed on it…

So remember when you sit down to watch a naughty video on your computer or flat screen, their power supplies are betraying you, and alowing a signal that can be used to identify the naughty video back to the utility cabinate where the “smart meter” can see it and if instructed to do so send the identifing signal via a communications link to any point on earth… Likewise your washing machine will send a signal that reflects the wash load and wash program. So will any other appliance, so even your fridge betrays not just the fact you have opened the door but also the movment of “thermal mass” into and out of it’s internal environment. Your shower reveals you are probably in the bathroom likewise the hotwater heater in the kitchen or the sink garbage macerator, as do “saniflow” type toilets…

Can you stop such information leakage?

It’s actually not easy to do as I’ve explained in the past, but yes you can do it to a limited extent by “issolating the smart meter node” in various ways from the work load.

You need another source of charge that is firstly unpredictable to the observer at the smart meter node. In the past AC to DC conversion that then feeds large charge storage batteries and then uses a DC to AC converter to drive the “secure mains” circuit. It does however require you to know how to fit specialised filters between the AC2DC converter and the charge storage circuit to minimise information bandwidth. Or use alternative power generation such as a “natural gas powered” generator or “alternative / green” energy system such as Solar or Wind. Which secondly must have a much lower impedence and much higher bandwidth to it’s charge storage elements than your mains supply.

But the essential takeaway is that any energy path can carry information from one environment to another. As such any energy path, –even an open window– is a “communications channel” by which information can be monitored remotely. This includes the metal or stone construction of buildings that can carry “mechanical / acoustic” vibrational energy for which “Spike Mics” and similar were developed.

It’s also why I coined the expression “energy gap” which is what you actually need to, establish. As the old notion that “air gaps” were sufficient was very much not the case and caused much in the way of “muddled thinking” thus security leaks.

Back more than two decades ago, I had my arm twisted quite a bit by several academics to give the equivalent of this as a paper to present at PETS 2001 Workshop (the workshop did not happen for various reasons). For other reasons one of which was an ongoing despute with a University and it’s “River House Rat” I decided not to, and stoped with moving forward on the PhD… So the question I ask “If I had gone to PETS2002 would it realy have changed anything in the general scheme of information security?”

Honestly, probably not. But I would encorage people to take this snippet, and enlarge it back into a presentation for not just students but software and hardware designers and importantly managment.

The understanding that Privacy is directly tracable back to the fundemental laws of nature is essential if we are to move the InfoSec Industry forwards in a rational manner. InfoSec needs to be on a firm scientific foundation to stop most of the cr4p and snake oil we see in it. But as importantly it needs to learn from it’s history not ignore it.

[1] Which German Mathmatician Emmy Noether proved via her so called “First theorem”, that there is a

“Time/Temporal translation Symmetry”(TTS) relationship in all physical processes with the conservation laws just a little over a century ago in 1915, and it forms one of the most fundemental of physical proofs. It states in short that “Every differentiable symmetry of the action of a physical system with conservative forces has a corresponding conservation law”.

[2] Léon Theremin who was later a Professor of Physics at Moscow State University Department of Acoustics, and also designed “The Great Seal Bug” or “The Thing” that was given to a US Ambassador and caused issues for a number of years in the US Embassy in Russia. His other perhaps more widely shared invention is the “Theremin” ethreal sounding musical instrument you hear on the Beach Boy’s “Good Vibrations” introduction.

[3] Emilie du Chatelet was a French Natural Philosopher and Mathmetician who translated Issac newton’s “Philosophiae Naturalis Principia Mathematica” work into French. She was a lively and controversial figure in the French philosophical system of the time especially over her published work in 1740 of “Institutions de Physique”. She was also closely asscociated with Voltair. Her translation of Newton’s work was published a little over half a decade after her untimely death in 1749 and is still considered the difinitive translation. But very importantly she had added her own postulate of an additional conservation law for total energy. Based on what we now call kinetic energy of an object under motion, it led her to be the first to conceptualise energy as an independent entity, and to derive its quantitative relationships to the mass and velocity of an object.

Clive Robinson • May 6, 2022 7:48 AM

@ Eris, ALL,

Generally speaking I think security researchers should focus on mitigation

Mitigation by definition is not a solition of an issue but an avoidence of an issue.

As such it fixes nothing, it actually creates more issues by creating unnecessary complexity, thus increasing vulnerabilities.

As @SpaceLifeForm points out suppliers of closed source software especialy have a long long history of not acknowledging let alone fixing security issues their shody practices have created. In fact many go into denial and reach for “defamation or similar lawyers” to force any researcher into silence.

The POC code released early kicks away that option from such organisations.

Further the standard method of vulnerability disclosure has taken on the weight of “Best Practice” which not only protects the researchers by kicking the legs out from other “attacks by lawyer” it protects the consumers who have paid for the software, without them having to resort to costly and lengthy action through the courts. With a time period such that attackers will make hay with the defective software, and the company managment will “pull out assets” etc so that there is nothing left including employee jobs by the time the court action gets to the eyes of a judge.

Mitigation is thus the worst of all possible active remediations.