Raspberry Pi Can Detect Malware By Scanning For Electromagnetic Waves

An anonymous reader quotes a report from Gizmodo: A team of researchers at France's Research Institute of Computer Science and Random Systems created an anti-malware system centered around a Raspberry Pi that scans devices for electromagnetic waves. As reported by Tom's Hardware, the security device uses an oscilloscope (Picoscope 6407) and H-Field probe connected to a Raspberry Pi 2B to pick up abnormalities in specific electromagnetic waves emitted by computers that are under attack, a technique the researchers say is used to "obtain precise knowledge about malware type and identity."

The detection system then relies on Convolution Neural Networks (CNN) to determine whether the data gathered indicates the presence of a threat. Using this technique, researchers claims they could record 100,000 measurement traces from IoT devices infected by genuine malware samples, and predicted three generic and one benign malware class with an accuracy as high as 99.82%. Best of all, no software is needed and the device you're scanning doesn't need to be manipulated in any way. As such, bad actors won't be successful with their attempts to conceal malicious code from malware detection software using obfuscation techniques. "Our method does not require any modification on the target device. Thus, it can be deployed independently from the resources available without any overhead. Moreover, our approach has the advantage that it can hardly be detected and evaded by the malware authors," researchers wrote in the paper.

False positives

[Rockoon]

One way to increase rate of detection is to also increase the rate of false positives. Any detection rate, even up to 100%, is achievable.

Re: False positives

[IdanceNmyCar]

You can build a process based on false positives if the risk of false negatives supersedes the operating costs of managing the additional false positives.

One clear example of this is nuclear war. It's better to scramble assets for a false positive than to miss an actual threat via a false negative.

With IoT, you could easily have a rotation of spare devices if downtime is not acceptable for the piece of hardware. Switch in the hardware you know is clean, take the potentially infected hardware to a secure pla

Also the opposite

[raymorris]

> One clear example of this is nuclear war. It's better to scramble assets for a false positive than to miss an actual threat via a false negative

Also:

One clear counter example of this is nuclear war.
You don't want to launch a dozen nukes at Russia due to a false positive!

Not saying you're wrong.

Re:

[IdanceNmyCar]

A retaliation for a potential nuclear strike is to scramble jets, ready air defense, and prep the silos and subs -- all relating to raising the DefCon level. If a false positive of a potential nuclear strike was to instantly launch nukes, the world would of never made it through the cold war.

I get your point though it seems so far everyone has been more sensible than this. I think Russia has been probing alert systems more recently in northern Europe -- all relating to NATO readiness. This can open all kind

Re:

[Koen Lefever]

1983 Soviet nuclear false alarm incident [wikipedia.org]

Re:

[raymorris]

ICBMs reach mach 20. They get to their target pretty quick.
SSPARS tries to give 15 minutes or so warning before the ICBMs blow up the US.

Launching a retaliation takes several minutes after it's been ordered.
There's not a whole lot of time preparing, discussing, and confirming. Maybe 5 minutes between an alert of incoming missiles and the order to shoot back.

the CEO's will buy this for $399/unit!

[Joe_Dragon]

the CEO's will buy this for $399/unit!

Re:

[psergiu]

*I* would buy one for $399/unit. A PicoScope 6406 alone is $14093. The H-Field probes add another $500-$1000

Link to TFA

[msimm]

Proper link to TFA (PDF) here: https://hal.archives-ouvertes.fr/hal-03374399/document [archives-ouvertes.fr].

Bad OPSEC, this

[ve3oat]

This report is poor for Operational Security. Now the malware designers will change their code so that it does not execute in any manner different from "normal" computer operation, so as to avoid creating the tell-tale patterns in the electromagnetic emissions that give away their presence. All computers in operation emit EM waves (ask anyone with a sensitive shortwave or microwave receiver). The malware designers just don't want an infected computer to appear any different from an uninfected one.

Re: Bad OPSEC, this

[IdanceNmyCar]

The reply below you seems to outline the trouble with this. The question seems to be frequency of operations added to the device. if the device rarely polls to be activated for an attack, then the only real way to detect the anomaly is with 24-7 em scans.

And we would have to question with so much data, is it going to be easy to detect the miniscule difference in the moment of polling.

Likewise we would probably only discover the infection when the device goes hot for an attack which could be too late if the

Re:

[sensor1]

You are drastically over-estimating how hard malware designers need to work to be successful, and malware designers are already good at making sure their code looks enough like normal computer operation that it isn't picked up by various heuristic approaches.

This is an interesting science project. But conventional on device techniques and watching the stream of bits coming out of the device and where they are going is still likely to be far more cost effective.

Great Idea

[bubblyceiling]

I assume it is essentially detecting how much EM an IOT device is putting out, which is impossible to fool. Every operation the IOT device does, will lead to more EM radiation, which is essential if you want to use them in a botnet or something.

Moriarty

[ForkInMe]

I can't help but hear the name Moriarty at the end of the subject line...