Electromagnetic eavesdropping is a well-established attack vector for remotely monitoring a target activity, most notably displays, over considerable ranges. Other targets have been considered resistant to such attacks or do not exhibit sufficient electromagnetic leakage for practical exploitation. Radio-frequency retroreflector attacks (RFRA) were developed to enable covert, active monitoring of a target by implanting a minimal hardware Trojan. These implants, typically implemented using discrete components such as transistors or diodes, do not betray their presence by emitting signals themselves; rather, they modulate the electromagnetic reflectivity of the target depending on the probed signal line data. Prior RFRA work has demonstrated their viability against video links and low-speed peripheral interfaces. In this work, we extend the applicability of RFRA to high-speed targets by presenting a successful attack on the 100BASE-TX Ethernet standard. We describe the design and realization of a compact implant capable of recovering the MLT-3 encoded signaling used in Fast Ethernet, as well as a dedicated demodulation and interpretation pipeline that mitigates errors introduced by the radio channel and maximizes the amount of recovered information. Experimental results validate the feasibility of covertly monitoring Fast Ethernet traffic using RF retroreflection and highlight the viability of such attacks for high-speed links.

翻译：暂无翻译