Electromagnetic eavesdropping is a well-established attack vector for remotely monitoring a target's activity, most notably displays, over considerable ranges. Other targets have been considered resistant to such attacks or do not exhibit sufficient electromagnetic leakage for practical exploitation. Radio-frequency retroreflector attacks (RFRA) were developed to enable covert, active monitoring of a target by implanting a minimal hardware Trojan. These implants, typically implemented using discrete components such as transistors or diodes, do not betray their presence by emitting signals themselves; rather, they modulate the electromagnetic reflectivity of the target depending on the data on the probed signal line. Prior RFRA work has demonstrated their viability against video links and low-speed peripheral interfaces. In this work, we extend the applicability of RFRA to high-speed targets by presenting a successful attack on the 100BASE-TX Ethernet standard. We describe the design and realization of a compact implant capable of recovering the MLT-3 encoded signaling used in Fast Ethernet, as well as a dedicated demodulation and interpretation pipeline that mitigates errors introduced by the radio channel and maximizes the amount of recovered information. Experimental results validate the feasibility of covertly monitoring Fast Ethernet traffic using RF retroreflection and highlight the viability of such attacks against high-speed links.
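As an added illustration of the MLT-3 line code the abstract refers to (example code written for this page, not the paper's implant or demodulation pipeline): a 1 bit advances the line level through the cycle 0, +1, 0, -1 and a 0 bit holds it, so a receiver recovers bits from transitions alone, and a direct jump between +1 and -1 can only come from channel corruption. The start level and the sample bit string below are constructed assumptions.

```python
# MLT-3 line code as used by 100BASE-TX (IEEE 802.3 Clause 25): three voltage
# levels (-1, 0, +1); every 1 bit steps to the next level in the cycle
# 0 -> +1 -> 0 -> -1 -> 0, every 0 bit repeats the current level.
from typing import List, Tuple

CYCLE = (0, 1, 0, -1)  # level sequence; the index advances on each 1 bit


def mlt3_encode(bits: List[int], start_index: int = 0) -> List[int]:
    """Encode a bit sequence into MLT-3 levels.

    start_index selects the level the line idles at before the first symbol
    (0 -> level 0, an assumption chosen for this example)."""
    idx = start_index
    levels = []
    for b in bits:
        if b:
            idx = (idx + 1) % len(CYCLE)
        levels.append(CYCLE[idx])
    return levels


def mlt3_decode(levels: List[int], start_level: int = 0) -> Tuple[List[int], List[int]]:
    """Recover bits from MLT-3 levels; returns (bits, error_positions).

    A change of level between consecutive symbols is a 1, no change is a 0.
    A valid MLT-3 stream always passes through 0 between +1 and -1, so a
    direct +1 <-> -1 jump is reported as a channel error (the kind of symbol
    corruption a noisy radio path can introduce) and counted as one transition."""
    bits, errors = [], []
    prev = start_level
    for i, lvl in enumerate(levels):
        if lvl == prev:
            bits.append(0)
        else:
            if abs(lvl - prev) == 2:  # +1 -> -1 or -1 -> +1 without a 0 in between
                errors.append(i)
            bits.append(1)
        prev = lvl
    return bits, errors


if __name__ == "__main__":
    sample_bits = [1, 1, 1, 1, 0, 1, 0, 0, 1]  # constructed sample, not captured data
    line = mlt3_encode(sample_bits)
    print("levels:", line)                      # [1, 0, -1, 0, 0, 1, 1, 1, 0]
    print("decoded:", mlt3_decode(line))        # ([1, 1, 1, 1, 0, 1, 0, 0, 1], [])
    print("corrupted:", mlt3_decode([1, -1, 0]))  # ([1, 1, 1], [1])
```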