Inspiration

The security of airgapped systems is generally taken for granted, as airgapping removes the primary vectors for infiltration and exploitation. It is also generally assumed that even an infiltrated airgapped system is still (relatively) safe, as the infiltrator has no way to activate their payload on demand.

What it does

Tesla's Wrath ("TW") uses the incidental RF emissions produced by the GPIO pin(s) of the Intel Edison and other compute boards to transmit and receive payloads between "airgapped" systems or IoT devices.

In its current state, TW is capable of sending a payload from an Edison board to a listening system, such as the RTL2832U SDR. This payload is sent on the FM band (at a frequency of approximately 100MHz) and is decoded by the client. Currently, no signal processing is performed - analysis is done by considering peaks over -45dB as binary '1' and all lesser signals binary '0'.

The ultimate goal of TW is to provide a full two-way channel between airgapped systems, without any specialized radio or signal processing equipment. In theory (and in practice on the transmission end), this is made possible by the effect of spurious emissions from a proximate transmitter on the receiver.

How we built it

TW currently uses a single Intel Edison chip and Arduino breakout board as the transmitter, as well as an SDR (NooElec RTL2832) as the receiver. Both leverage Linux and open source programs (RTL-SDR, GQRX).

Challenges we ran into

Our initial attempt focused on using an off-the-shelf FM transmitter to activate a GPIO pin on the Edison. This quickly proved infeasible, as the FM transmitter was imprecise and had substantial distortion and feedback issues. We switched to a dual-band transceiver, but experienced separate issues with power output and (legal) frequency limitations. Upon switching to the Edison for the role of transmission, we experienced problems with limited range and signal strength, although these were worked around by means of an antenna.

Accomplishments that we're proud of

Getting the Intel Edison to transmit on the FM band with limited resources and without specialized hardware.

What we learned

Interfacing with the Intel Edison and its GPIOs.

Radio regulations and power characteristics.

Frequency modulation techniques and signal mixing.

How to break RF equipment.

What's next for teslas-wrath

TW will ultimately be capable of complete two-way transmission, as mentioned above. Similarly, we plan to experiment further with noise reduction and range extension. We would also like to experiment with more diverse hardware, including the Raspberry Pi and other embeddable boards. Extending this potential to consumer-oriented hardware (desktops, tablets, servers) is also a natural conclusion for TW.

Built With

Share this project:
×

Updates