Clever hack, but a lot of people are misinterpreting what’s going on here. These devices emit some very low level of 125MHz energy during normal operation. This software is simply turning that on and off, but not doing anything to increase the amount of emissions.
Presumably the 125MHz emissions are within the FCC allowed envelope anyway, so this isn’t doing anything to exceed normal emissions limits. This only works in a quiet RF environment, as noted in the README.
There is no need to be concerned about this signal reaching aircraft or otherwise interfering with normal transmissions.
Aviation radios on aircraft are typically 25w and ground stations the same to somewhat higher... and operations are generally line of sight and using analog AM modulation, which gets along nicely with CW. From a practical perspective (rather than regulatory), it is difficult to imagine milliwatt CW transmissions causing any meaningful problem with aircraft operations. Most radio systems used on aircraft are not really all that sensitive anyway, the most touchy thing would be the glideslope/localizer but it's only used at fairly short ranges and with fairly high power levels. This could perhaps cause a slight deflection of the ILS but that's assuming it's very close to the runway and at high power. This paper discusses security of the ILS system against tampering, which is generally the most "touchy" thing that aircraft use and the main interference concern: https://www.usenix.org/system/files/sec19-sathaye.pdf
That's all sort of beside the point anyway as nav aids use the lower end of the aviation band, 125MHz is used for AM voice where the interference would be, at worst, audible but not strong enough to cause problems unless reception was already extremely marginal.
Or to put it differently, two pilots hitting their PTT at the same time is already causing far more disruption to operations in the 125MHz range than this thing ever would.
I wanted to spin up a hardening service back in the mid-90s, based around what we knew of Tempest. I even named it Echelon Consulting (as in "upper echelon," but with a nod to ECHELON). My spouse wouldn't let me, they felt it'd be too risky to get involved with that environment, and we were just starting our family.
But... yeah. You could tune into VGA monitors up to a mile away using consumer hardware, and reception is perfectly legal (lots of case history to back this up)!
I figured my pitch would be to walk in with a briefcase setup, flip a switch, and show them what the receptionist was working on. Then ask if they were worried if competitors could know what they were working on (not a threat, just bringing awareness), or whether they were interested in some expensive cables/hardware.
Now that the kids are grown up and divorce pending, I've debated getting back into the netsec field. Lots of fascinating angles to be had in unexpected hardware boundaries... and my background in data science/machine learning/DSPs could prove fruitful in signals reconstruction...
I love how a (metaphorically) air-gapped system can be attacked (literally) through the air. Maybe the truly critical things should also be vacuum-gapped (and put into Faraday cages while we're at it)?..
But the system still has some connection to the outside world, right? That means we could run some heavy GPU load and measure the variation in its power consumption, which apparently has been tried before: https://www.helpnetsecurity.com/2018/04/13/data-exfiltration...
Along these lines, the excess heat has to go somewhere, so maybe one could measure the variation in the work of the coolant system. I couldn't find any research about it right away (BitWhisper is similar, but a bit different), but I trust someone has already tried that.
(Note: As coderjames points out this could be dangerous tinkering. There is typically steady-state noise at 125MHz from Ethernet so it's not that we're putting more energy into the spectrum with this, but adding signal in the form of morse code could draw a lot of attention/distraction to pilots and ATC in the area.)
FWIW very brief example of 125MHz tone loss when going to 10MHz demonstrated here when my slow internet gets done uploading:
Sure but I could see this being used as a side-channel attack to exfil data from a customer in a red team assessment. Practitioners love little tools like this.
Also I'm not talking about 30 miles away...but if a completely intact cable can be detected with a directional antenna from 100m, an intentionally buggered patch cable installed at a client site for this purpose could pose a bigger concern for pilots in the area. (edit: I might be more tuned in to this (har har) because I live in the flight path of a medical helicopter that flies over at ~500' almost daily.)
Ham folks can seem a bit hair-triggered chicken littles with RF hygiene but it's the product of decades of fighting noise from people that aren't aware of the externalities of their actions.
Please don't try this at home! 118 MHz - 137 MHz is a protected Aviation band across the globe for airplanes to communicate with air traffic control. We already have enough industrial noise problems in this band; please don't contribute to pollution of protected spectrum. You will be interfering with the safe operation of the airspace.
This does not magically increase the power radiated by an ethernet cable or somehow change the base frequency of the interference. Furthermore, the power levels are very low. If you check the link at the bottom, he is using a directional (Moxon) antenna to receive this faint signal. If this could somehow pose an issue with anything, it would have been caught in EMI testing of all network equipment sold.
As others have pointed out, EMC testing often only considers typical use and this is not one.
Another thing is that regulations don't only consider radiated power. Constant-level spurious transmissions are sometimes tolerated to a higher degree compared to modulated ones (e.g. in some bands maximum allowed interference is determined by quasi-peak level, not power). This is exactly because modulated interference (which is what this produces) is more harmful to communications systems.
Part 15 is pretty clear that any harmful interference should be minimized[1]. Even though it's low power that doesn't mean that it still can't be picked up. Just because equipment is sold at retail doesn't give you a free pass on it.
Take powerline ethernet where the power levels are "low" but still can cause significant issues[2].
I think the issue is introducing a signal (particularly morse code) on a noise source that is typically steady state. I can pick it up pretty easily with just a bare UHF connector, no antenna.
Does EMI testing consider "atypical" uses like this one? I'd assumed that they only tested normal use cases. I'd consider (wrongly, perhaps?) changing speed of a NIC several times per second to be an atypical use.
Unless you’ve made custom PHY hardware for those data packets to be pushed onto the line through, your data packets are going to be line-coded to ensure that the signal is self-clocking. Which basically precludes boosted harmonics.
As someone who recently participated in an EMC measurement, I really don't understand how anyone passes these tests without some kind of cheating (using double-shielded, very expensive industrial cables + hacking with functional earthing).
I've spent months and sleepless nights trying to get a product through the EMC certification. It's certainly possible but it's time consuming and expensive. With a shoestring engineering budget and a product that needs to be on the shelves in a month? Not really.
I'm sure many devices on the market are not compliant. I follow lists of products removed from market for non-compliance and there are plenty each week. But the fact is that, if you're not in one of the categories that are under special scrutiny (aerospace, automobile, medical, etc.) or do something grossly incompetent (e.g. interfere with a mobile operator or someone else with a similar power to put you into the regulatory spotlight) you're unlikely to get into trouble for shipping a non-compliant device.
Make someone's Wi-Fi a bit slower and a bit more packet-lossy? Chances are nobody will care. It's a sad state of affairs really because pervasive radio interference is just making things worse for everyone.
Yeah, I remember in the early 2000s we had a wireless RCA audio/video transmitter, bought at a local electronics store, that played absolute havoc with the WiFi in our house as well as several neighbours.
Another classic example is early cellphones that you would pick up on stereo systems etc. - "dat-dara-dat-dara-dat-dara-dat-dara-daaaaaa" going out in full blast.
Because those A/V transmitters used the same 2.4GHz ISM band as WiFi at the time, there was actually no regulatory protection against this interference - from a regulatory perspective it's just a normal and expected part of using an ISM band where there is no protection. The increasing popularity of WiFi started to really surface the problems in this area, similar issues are seen in 900MHz far less often because it's mostly used with low-power, low-duty-cycle devices.... the same as was intended for 2.4GHz before widespread consumer WiFi.
Unlicensed equipment in the ISM WiFi band is operating under Part 15 (in the USA) so must accept any interference.
And the phone interference to a stereo is caused by cheap and nasty design of the stereo. The phone itself cannot be blamed, and there's nothing which can be done to the phone to fix the interference (other than switching it off). Again the stereo is probably operating under Part 15, so must accept any interference.
The effect of GSM phones on analog audio equipment was actually an oversight in defining the standard. Fully compliant equipment had that effect.
Some years back when I had some small involvement in new EU regulations that case was actually given as an example of how, even after many reviews, some forms of harmful interference can only become apparent after a technology is already widely deployed.
Paying special attention to power distribution tends to help, along with encasing the product in something conductive. It's also really beneficial to have some kind of test equipment in house to get a general idea, think of it like having a debugger.
The first two options are somewhat expensive, the NRE for the power supply design isn't attractive to manager types and conductive coatings for plastic or a metal enclosure are not the cheapest options. But if you're dead set on compliance it's better to frontload the design costs instead of iterating 3 times before you get to market.
In college we had an I2C to ethernet adapter on our drone testbed that caused all sorts of RF interference for us. We eventually wrapped the whole fuselage in a Faraday cage so that the datalink and flight controls wouldn't be overwhelmed. It was responsible for transmitting data at a 1 Hz rate, and we could visualize the interference on a spectrometer over a broad range of RF at exactly 1 Hz.
Anyway, we totally could have made a transmitter out of that thing.
From reading the comments there it seems newer RPi (>3) don't work for this or mangle the GPIO port in some way to prevent this. I do have some 3s lying around so I may try this soon.
This is a neat side channel attack for data exfiltration. The author is a radio amateur (Poland) and would do well to look at FT8 or other error correcting CW modulations other than simple Morse code. I would estimate you could pick up a signal at nearly a km using such a scheme.
I think what happens is the transformer inside the rj45 connector couples a little of the differential mode signal (that should not radiate significantly) to all wires in the cable harness (common mode), which will radiate. You can select the cable length so it resonates well, acting like a good antenna, but bad antennas radiate as well (worse efficiency). A few mV of noise is quite well detectable from 10m of distance.
zsellera covered the mechanism of transmission very well.
The 125MHz frequency is specifically coming from the Ethernet standard, as it's essentially the operating frequency of each pair in typical hundred megabit and gigabit Ethernet. 10Mbps Ethernet operates at 10MHz.
By flipping the port speed between 100 and 10Mbps they are essentially toggling the 125MHz oscillator. I don't think anything is intentionally generating the frequency of the tone you hear, it's just intermodulation products of the noise and the LO in the receiver.
While this may not be of practical use for most of us, spy agencies and the like would be interested in this or other ways to exfiltrate data from air gapped networks that are not connected to the internet.
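The speed toggling described in this comment (and the "several times per second" point raised earlier) leaves a host-side trace: every PHY renegotiation is logged by the NIC driver. As an added example, not from the thread or the tool it discusses, the Python below parses constructed r8169-style dmesg lines and flags an interface whose link state changes in a dense burst, which is the defender's view of 10/100 keying; the log format, window and threshold are assumptions.

```python
import re
from collections import defaultdict
# Constructed sample dmesg-style lines (r8169 driver format); not from the thread.
SAMPLE_LOG = """\
[  100.001] r8169 0000:01:00.0 eth0: Link is Up - 1000Mbps/Full - flow control rx/tx
[  400.120] r8169 0000:01:00.0 eth0: Link is Down
[  400.510] r8169 0000:01:00.0 eth0: Link is Up - 10Mbps/Full - flow control off
[  400.900] r8169 0000:01:00.0 eth0: Link is Down
[  401.310] r8169 0000:01:00.0 eth0: Link is Up - 100Mbps/Full - flow control rx/tx
[  401.700] r8169 0000:01:00.0 eth0: Link is Down
[  402.100] r8169 0000:01:00.0 eth0: Link is Up - 10Mbps/Full - flow control off
[  402.500] r8169 0000:01:00.0 eth0: Link is Down
[  402.900] r8169 0000:01:00.0 eth0: Link is Up - 100Mbps/Full - flow control rx/tx
[ 3600.000] r8169 0000:02:00.0 eth1: Link is Up - 1000Mbps/Full - flow control rx/tx
"""

LINE_RE = re.compile(
    r"\[\s*(?P<ts>\d+\.\d+)\]\s+\S+\s+\S+\s+(?P<iface>\S+): Link is "
    r"(?P<state>Up|Down)(?: - (?P<speed>\d+)Mbps)?"
)

def parse_link_events(log_text):
    """Return (timestamp, iface, speed) per link event; speed is None for Down."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            speed = int(m["speed"]) if m["speed"] else None
            events.append((float(m["ts"]), m["iface"], speed))
    return events

def find_flapping(events, window_s=5.0, min_changes=6):
    """Flag interfaces with >= min_changes state/speed changes inside any window_s span.
    A cable re-seat gives one or two transitions; keying the PHY speed gives a burst."""
    by_iface = defaultdict(list)
    for ts, iface, speed in events:
        by_iface[iface].append((ts, speed))
    flagged = {}
    for iface, evs in by_iface.items():
        # keep timestamps only where the state actually changed
        changes = [ts for i, (ts, sp) in enumerate(evs) if i == 0 or sp != evs[i - 1][1]]
        start = 0
        for end in range(len(changes)):          # sliding window over change times
            while changes[end] - changes[start] > window_s:
                start += 1
            n = end - start + 1
            if n >= min_changes:
                flagged[iface] = max(flagged.get(iface, 0), n)
    return flagged
```

The sample burst on eth0 (eight transitions in under three seconds) is flagged while eth1's single link-up is not; feed `journalctl -k` output through the same functions to run it against a live host.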