Multi-Screaming-Channel Attacks: Frequency Diversity for Enhanced Attacks

Jeremy Guillaume, Maxime Pelcat, Amor Nafkha, Rubén Salvador

TL;DR

This paper addresses the threat of EM screaming-channel attacks by treating leakage at multiple RF frequencies as separate channels and applying multi-channel fusion techniques. It shows that, compared to single-frequency attacks, frequency diversity—especially when combined with decision fusion—significantly reduces the number of traces required and enables successful attacks at 15 m and 30 m, even under polluted spectra. The study provides two practical case analyses and demonstrates diminishing returns with higher diversity, while confirming robust gains in both laboratory and more realistic conditions. The findings expand the attack surface and offer actionable insights into how to exploit frequency diversity, with implications for defenses against remote EM side-channel leakage.

Abstract

Side-channel attacks retrieve internal data from a victim system by analyzing its leakage, which usually requires proximity to the victim in the range of a few millimetres. Screaming channels are EM side channels transmitted at a distance of a few meters. They appear on mixed-signal devices integrating an RF module on the same silicon die as the digital part. Consequently, the side channels are modulated by legitimate RF signal carriers and appear at the harmonics of the digital clock frequency. While initial works considered collecting leakage only at these harmonics, later work has demonstrated that the leakage is also present at frequencies other than these harmonics. This result significantly increases the number of frequencies available to perform a screaming-channel attack, which can be convenient in an environment where multiple harmonics are polluted. This work studies how this diversity of frequencies carrying leakage can be used to improve attack performance. We first study how to combine multiple frequencies. Second, we demonstrate that frequency combination can improve attack performance and evaluate this improvement according to the performance of the combined frequencies. Finally, we demonstrate the benefit of frequency combination in attacks at 15 and, for the first time to the best of our knowledge, at 30 meters. One last important observation is that this frequency combination divides by 2 the number of traces needed to reach a given attack performance.

Paper Structure

This paper contains 18 sections, 2 equations, 8 figures, 4 tables, 1 algorithm.

Figures (8)

  • Figure 1: State-of-the-art on combination methods: Leakage from $N$ channels can be combined using $3$ different strategies. 1/ Data fusion: merges the trace data from the different channels directly. 2/ Feature fusion: extracts features from data of all channels jointly. 3/ Decision fusion: merges decisions from attacks performed independently on each channel. POIs: Points of interest
  • Figure 2: Data-fusion steps: (a) Leakage amplitude of the two initial channels at samples corresponding to POIs. (b) Normalized values with equivalent amplitudes between the two channels. (c) Merged values: averaging the normalized values.
  • Figure 3: Data fusion: Combinations of $2.464$ GHz with $150$ frequencies using data fusion. The lower the guessing entropy (GE), the better the result of the direct combination.
  • Figure 4: Profile similarity: Normalized leakage profiles for byte $0$ at (a) two frequencies with similar profiles: $2.464$ GHz and $2.465$ GHz; and (b) two frequencies with inverted leakage profiles: $2.464$ GHz and $2.592$ GHz.
  • Figure 5: Aggregation functions for decision fusion: Combinations of $2.521$ GHz (orange horizontal line) with the $150$ frequencies (black circles). The frequencies where the combination improves attack performance are highlighted in green. The results for the $3$ aggregation functions are shown in separate panels for the average, the maximum and the product of scores.
  • ...and 3 more figures
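
The captions of Figures 2, 4 and 5 can be tied together with a small simulation, useful when evaluating how much leakage a multi-frequency observer could combine. This is an added example, not code from the paper: the traces are constructed (one sample per channel, Hamming-weight leakage plus Gaussian noise), the per-channel polarity is assumed known from profiling, and the mapping of correlations to scores in [0, 1] is a choice made here. It applies the normalise-then-average data fusion of Figure 2 and the average, maximum and product aggregation of Figure 5 to two channels whose profiles are inverted, as in Figure 4(b).

```python
import random
from math import prod, sqrt

def hw(x):
    return bin(x).count("1")

def zscore(xs):
    m = sum(xs) / len(xs)
    s = sqrt(sum((x - m) ** 2 for x in xs) / len(xs))
    return [(x - m) / s for x in xs]

def pearson(xs, ys):
    return sum(a * b for a, b in zip(zscore(xs), zscore(ys))) / len(xs)

def simulate(key, gains, n=1000, noise=1.0, seed=7):
    # Constructed traces: one POI sample per channel, gain * HW(p ^ key) + noise.
    rng = random.Random(seed)
    pts = [rng.randrange(256) for _ in range(n)]
    return pts, [[g * hw(p ^ key) + rng.gauss(0, noise) for p in pts] for g in gains]

def scores(trace, pts, sign):
    # Score in [0, 1] per key candidate; sign is the channel's profiled polarity.
    return [(1 + sign * pearson(trace, [hw(p ^ k) for p in pts])) / 2 for k in range(256)]

def rank(score_list, key):
    return sum(s > score_list[key] for s in score_list)  # 0 = key ranked first

def data_fusion(chans):
    # Fig. 2: normalise channels to equal amplitude, then average sample-wise.
    return [sum(col) / len(col) for col in zip(*(zscore(c) for c in chans))]

def decision_fusion(per_channel, agg):
    # Fig. 5: aggregate each candidate's per-channel scores.
    return [agg(col) for col in zip(*per_channel)]
AGGREGATORS = {"avg": lambda c: sum(c) / len(c), "max": max, "prod": prod}

def demo(key=0x3C, gains=(1.0, -1.0)):
    pts, chans = simulate(key, gains)
    signs = [1 if g > 0 else -1 for g in gains]  # assumed known from profiling
    per_channel = [scores(c, pts, s) for c, s in zip(chans, signs)]
    model = [hw(p ^ key) for p in pts]
    out = {"chan_corr": [abs(pearson(c, model)) for c in chans],
           "fused_corr": abs(pearson(data_fusion(chans), model))}
    for name, agg in AGGREGATORS.items():
        out[name] = rank(decision_fusion(per_channel, agg), key)
    return out

if __name__ == "__main__":
    print(demo())  # inverted profiles: fused correlation collapses, ranks stay 0
```

With inverted profiles the averaged trace carries almost no leakage, while every decision-fusion aggregator still ranks the key first because each channel is scored against its own profile. Calling `demo(gains=(1.0, 0.8))` shows the opposite case of similar profiles, where the fused trace correlates better than either channel alone.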