Researchers at the security firm Duo have discovered how to use an AMD Radeon Pro WX3100 graphics card as a radio transmitter to transmit data without having to physically modify the hardware in any way.
They did this by manipulating the graphics card’s shader clock rates to become a tunable radio device which they then used to steal data from an air-gapped PC that was behind a wall 50 feet away.
This is an example of a side-channel attack that steals data by manipulating and then observing external indicators such as blinking lights or fan vibrations on a user’s PC. What makes these kinds of attacks so dangerous is the fact that since the hardware is working as designed, it is not detectable by antivirus scanners or any other security software.
To siphon data from the air-gapped PC, the Duo researchers used the radio frequencies generated by the GPU as it operated at different clock rates.
Receiving the data
To receive the transmitted data, the researchers used a Software Defined Radio (SDR) device which plugs into a standard USB port. These devices are relatively cheap and can be picked up for around $100, though the researchers used a more sensitive model that costs between $300 and $600 in their tests.
They then paired the SDR device with both a UHF and a directional ultra-wideband antenna on the PC used to retrieve the data and used the open source software GQRX to run the receiver.
Using Linux, the researchers accessed the Radeon Pro card’s standard power controls and tried switching between two shader clock frequencies (734 MHz and 214 MHz). This change shifted power around and was able to generate a 428 MHz signal that they could pick up with the receiving device from 50 feet away and through a wall. To enable faster radio transmission of data, the researchers then shifted the power controls between five different 1 MHz clock increments.
Duo’s researchers proved that they could use a GPU to transmit data over detectable radio waves to steal info from a host computer even if it is not connected to the internet. However, there are limitations to this technique as the host machine would need to be compromised by another attack such as malware to set up the correct code.
Similar exploits could be developed using this technique for Nvidia GPUs and possibly even for CPUs but due to the complexity required to set up the attack, most users’ PCs aren’t at risk.
You can learn more about how the researchers were able to transmit data using a GPU by reading their full report here.
Via Tom’s Hardware