Block-level algorithm classification based on RF side-channel

Abstract

Internet of Things (IoT) and other similar devices often have little to no security and thus can be readily exploited in any number of ways. In this work, we collect radio frequency (RF) emissions from simple processors on several IoT devices and apply machine learning techniques to detect modifications (corrupted or injected via malware) in ‘known’ software running on the processor. We can detect these modifications due to the correlation between RF emissions and the digital state of the devices. Every bit flip produces a small but potentially detectable electrical pulse. Our approach to developing the recognition algorithm is to adapt to the variability created by the input data by recognizing the sequences in which instruction blocks are executed. Seemingly minor changes to input values can have a detectable effect on the measured RF side channel. We collect RF data from a variety of IoT devices with clock speeds varying from 16-96 MHz. A 1-GHz Riscure RF near-field antenna probe was placed within a millimeter of the IoT device, RF emissions were acquired, and software controls triggered data collection. A classification architecture was trained using object code portioned into blocks to develop the truth data. We then applied new data to the trained block classifier. This approach detects deviations in individual blocks and block sequences as a whole, allowing a greater level of detection resolution than just binary ‘Yes/No’ classification. Initial testing results showed greater than 90% classification accuracy for block-level modifications, and we can detect deviations from truth data with 100% accuracy.