Reflecthernet: Exfiltrating 100BASE-TX Ethernet Traffic Using a Retroreflector Hardware Trojan
Pierre Granier, Matthieu Davy, Philippe Besnier, François Sarrazin

TL;DR
This paper demonstrates a novel electromagnetic attack method using a hardware Trojan to covertly eavesdrop on 100BASE-TX Ethernet traffic by modulating reflectivity and recovering high-speed data.
Contribution
It extends radio-frequency retroreflector attacks to high-speed Ethernet, designing a compact implant and demodulation pipeline for Fast Ethernet signals.
Findings
Successfully recovered 100BASE-TX Ethernet data covertly
Validated the attack's feasibility on high-speed links
Demonstrated a compact, effective hardware Trojan design
Abstract
Electromagnetic eavesdropping is a well-established attack vector for remotely monitoring a target activity, most notably displays, over considerable ranges. Other targets have been considered resistant to such attacks or do not exhibit sufficient electromagnetic leakage for practical exploitation. Radio-frequency retroreflector attacks (RFRA) were developed to enable covert, active monitoring of a target by implanting a minimal hardware Trojan. These implants, typically implemented using discrete components such as transistors or diodes, do not betray their presence by emitting signals themselves; rather, they modulate the electromagnetic reflectivity of the target depending on the probed signal line data. Prior RFRA work has demonstrated their viability against video links and low-speed peripheral interfaces. In this work, we extend the applicability of RFRA to high-speed targets by…
