How Radio Transmissions Can Hack You (and Dogecoin/Earthquakes, Catapults vs the Man in Ukraine)

In the discussion of the NSA “CTX4000” remote bug-interrogator radar on Schneier’s blog, longtime regular Clive Robinson made an interesting point…

You can use a continuous wave radar system to read out data from electronic systems — the NSA “ANGRYNEIGHBOR” family uses purpose-built bugs that encode data (like audio) onto the re-radiated signal. You can also just point a radio transmitter at a target device and sit back and pick up interesting data in the reflected beam (it’s possible to use, say, the presence of a cell phone’s transmitter to read out encryption keys from the phone’s memory!).

However… what happens if you very carefully modulate that incoming radio signal?

Robinson did some experiments on this back in the ’80s, and found you could *hack systems remotely* just by pointing a radio transmitter at them. The maliciously modulated radio signal is evidently coupled with enough fidelity into the wiring to mess with the internals.

Dogecoin and earthquakes: After the Jamaican bobsleigh team qualified for the Winter Olympics but found themselves about $80,000 short of what they needed to go to Sochi, they put out a call for funds. News of this reached the head of the joke cryptocurrency-administering Dogecoin Foundation, who in turn recalled all the school trips he’d taken as a kid… almost all of them with “Cool Runnings” playing on the in-bus TV screens.

So he sent out a couple of emails, and within a few hours 26 million Dogecoins (worth about 30,000 USD) had been donated.[1] The transaction volume was enough to raise the exchange rate of Dogecoin by 50%. Combined with the $70,000 the Jamaicans raised with their own efforts, the team is now $20,000 past their goal.

Now it’s an interesting study in human nature to compare this to another crowdfunding effort I saw recently. (And actually took the time to do a little background research on, because it’s technically fascinating.) This other one isn’t meant to send a phallic fibreglass sled loaded with hard-bodied Jamaican men down a slippery chute into Vladimir Putin’s back, uh, yard. It’s actually meant to save lives.

Question for those of you who’ve heard of Fukushima. If there was a system out there that could have predicted the earthquake and tsunami a few days in advance and sent over a warning, “yo, shut down those reactors guys, something BIG is coming” — you think people would find that worth supporting?

OK, OK, that’s kind of far fetched. A bit risky to support something that hasn’t been proven, sure. So let’s change it.

What if there was a system that HAD predicted the earthquake, oh, two days in advance, and many more earthquakes besides? But since we need a reason to crowd fund it, let’s say the system was demolished in the aftermath of a real estate scam, and the crowdfunding effort was just to rebuild the thing — and bolt on a transmitter to get warnings where they needed to go.

How much you think THAT would pull in, in a couple of days?

Remember, we’re talking about saving thousands of lives a year on average, probably more — 186,000 dead in Indonesia here, 18,000 dead in Japan there, Haiti utterly demolished…

But wait, hold on a sec. Don’t you need government approval to do this kind of stuff? Permits, whatever? Sure you do. No matter where you are, permits can kill the best of intentions. Doesn’t matter how many people you got to pitch in $25 on Kickstarter, the guy down at the city hall is not gonna be impressed if you don’t have the paperwork.

Alright. So let’s say the engineer in charge of the thing went out and SOLD HIS FRIGGIN SOUL to the US national-security complex, telling them he’d make a neato way to talk to their submarines if they’d get the paperwork waved through. (I’m just guessing here.)

Wait, crap. Bad idea, sorry, let’s backtrack. Selling your soul or offering to use your mind to help the US government is ALWAYS a bad idea. Better to find another way.

What’s that you say? You’ve already read this far? No backsies? Damn. OK. Rule number one of “deals with the devil” (or his deputy, the “great satan”) is that you never actually get what you want. So we’ll say they waved through the paperwork, and told our poor engineer “here’s the permits, you just need to come up with $10,000 in a month or they’re void. Looking forward to that secret submarine telephone of yours!”

May Bob have mercy on his soul.

Alright. So besides the cost of rebuilding the thing (which is cheap, we’ll say he’s a sharp cookie who can MacGyver stuff together) he’s gotta come up with $10k to satisfy The Bureaucracy. On the upside, at least he now has approval from the state, federal, and shadow governments to build, baby, build.

How much does that come to? Well, the Dogecoin guys came up with $30k in a matter of hours to essentially see a live version of “Cool Runnings II.” This doesn’t have a Disney movie behind it, so we’ll say — $25,000 as a funding target.

Sound good to you? Too cheap? Screw it, we’ll go with it.

How much do you think they’d raise, then, in 5 days? Any guesses?

You there, in the back. How much you think?

Nah, way off.

Would you believe… 400 USD?

Quit laughing. I’m serious. See for yourself:


Catapult against the cops: because Molotov cocktails and rocks are for pussies, in Ukraine the protesters use CATAPULTS to fight the man.

“I actually took it quite a bit further in that I modulated the illuminating EM carrier to do active fault injection. Even though I mentioned this to Ross and to Paul Kocher neither of them followed it up (although the latter appears to have tried to patent it). It was not until fairly recently that a couple of Cambridge Labs students used an unmodulated EM carrier at around 3CM (X-band / 10GHz) on a 32Bit TRNG and reduced it down to a little over 7bits of entropy that the academic community has taken any interest (and then just as quickly forgot about it again).

I’m kind of hoping that a few PhD students having now seen the Ed Snowden revelations will actually start doing open research on Active Fault Injection by Modulated EM Carrier.”

Back in the 1980’s I used this to EM probe “electronic wallets” and “pocket gambling machines” and showed how it could be used to elicit information from within a cased device. This was getting on for two decades before the “poor man’s” version DPA became news. I emailed several researchers looking into “smart card security” about not just how an EM signal gets modulated by the signal level on the PCB traces but also how you could use it in reverse to inject fault signals. The only person who thought about it seriously was Ross J. Anderson at Cambridge Labs who also passed me the details of another researcher who was using micro-inductors to induce pulses of current into IC’s to enumerate fault characteristics. Ross or some of his students did some further research with PC keyboard cables that you can read about in his security engineering book (a recommended read especially as you can download it legally).
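
A defender-side check for the entropy collapse mentioned in the quoted comments above (a 32-bit TRNG reduced to a little over 7 bits), as an added example that is not part of the original post or of Clive Robinson's comments: it runs the repetition count test and the most-common-value min-entropy estimate from NIST SP 800-90B over sample words. The sample generator, the stuck-bit pattern and the 2^-20 false-alarm rate are assumptions made for illustration.

```python
import math
import random
from collections import Counter

ALPHA_EXP = 20  # assumed false-alarm rate of 2**-20 per sample

def mcv_min_entropy(samples):
    """Most-common-value estimate (SP 800-90B 6.3.1), in bits per sample.
    With n samples it cannot report much more than log2(n) bits, so it
    flags a collapse rather than certifying a full 32 bits."""
    n = len(samples)
    p_hat = Counter(samples).most_common(1)[0][1] / n
    # Upper 99% confidence bound on the most common value's probability.
    p_u = min(1.0, p_hat + 2.576 * math.sqrt(p_hat * (1 - p_hat) / (n - 1)))
    return -math.log2(p_u)

def repetition_count_alarm(samples, claimed_bits):
    """Repetition count test (SP 800-90B 4.4.1): index of the sample that
    trips the alarm, or None if the run never reaches the cutoff."""
    cutoff = 1 + math.ceil(ALPHA_EXP / claimed_bits)
    run, prev = 0, None
    for i, s in enumerate(samples):
        run = run + 1 if s == prev else 1
        prev = s
        if run >= cutoff:
            return i
    return None

def constructed_source(free_bits, n, seed):
    """Constructed test data, not a capture: 32-bit words in which only the
    low `free_bits` bits vary and the rest are stuck at a fixed pattern."""
    rng = random.Random(seed)
    stuck = (0xA5A5A5A5 >> free_bits) << free_bits
    return [stuck | rng.getrandbits(free_bits) for _ in range(n)]

def assess(samples, claimed_bits=32):
    """Run both checks against the entropy the design claims per word."""
    return {"min_entropy_bits": round(mcv_min_entropy(samples), 2),
            "rct_alarm_at": repetition_count_alarm(samples, claimed_bits)}

if __name__ == "__main__":
    print("healthy :", assess(constructed_source(32, 65536, seed=1)))
    print("degraded:", assess(constructed_source(7, 65536, seed=1)))
```

With a claimed 32 bits per word the repetition cutoff is 2, so a source that has collapsed to 7 free bits trips the alarm within a few hundred samples, while a healthy source practically never does.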

