Power amplifiers, oscillators, and feedback amplifiers leak information in many ways. Understanding the analog circuitry from this chapter is the foundation for appreciating, attacking, and defending against side channels.
-
Power-supply side channels in audio chains. In a class-AB output stage each half of the push-pull pair conducts on its own half-cycle, so the total current drawn from the rails is roughly the quiescent current plus the full-wave-rectified output current: it tracks |v_out|/R_L, i.e. the absolute value of the signal. If that signal is a phone call, or a voice command in which a secret PIN is spoken aloud, the supply-rail current carries the audio envelope, and an adversary who can measure current on the same power network (a shared bus, a charger, a probe on the adapter) can recover it. Note that ordinary decoupling does little here: the envelope sits at a few hertz, far below the cut-off of any practical supply filter. Defenses are heavy supply filtering where the bandwidth allows, balanced (differential) signal paths, and current shaping that keeps the draw from the shared supply constant and dissipates the difference locally.
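The leak and the defenses above, as an added model that is not from the text: a constructed speech-like envelope drives a class-AB stage, an observer on the supply low-passes the rail current and correlates it with the true envelope, and the same measurement is repeated behind a first-order decoupling filter and behind an idealised current equaliser. Sample rate, load, quiescent current, test tone, envelope shape and the equaliser model are all assumptions.

```python
"""Class-AB supply-rail envelope leak and two defenses, modelled in pure Python.
Added example; every constant below is a constructed assumption, not a measurement."""
import math

FS = 8000        # Hz, sample rate of the model (assumption)
R_LOAD = 8.0     # ohms, loudspeaker load (assumption)
I_Q = 0.005      # A, class-AB quiescent current (assumption)
TONE_HZ = 300.0  # carrier standing in for voiced speech (assumption)

# Constructed envelope: three syllable-like bursts (start s, end s, amplitude).
BURSTS = [(0.05, 0.15, 1.0), (0.20, 0.25, 0.4), (0.32, 0.45, 0.8)]

def envelope(t):
    """Raised-cosine bursts so the model has no clicks; 0 between bursts."""
    for start, end, amp in BURSTS:
        if start <= t < end:
            phase = (t - start) / (end - start)
            return amp * 0.5 * (1.0 - math.cos(2.0 * math.pi * phase))
    return 0.0

def synth_audio(duration=0.5):
    n = int(duration * FS)
    return [envelope(i / FS) * math.sin(2.0 * math.pi * TONE_HZ * i / FS)
            for i in range(n)]

def class_ab_rail_current(v_out):
    """Sum of both rail currents: each device conducts on its own half-cycle,
    so the supply sees I_Q + |v_out| / R_LOAD, a full-wave-rectified copy."""
    return [I_Q + abs(v) / R_LOAD for v in v_out]

def rc_lowpass(x, cutoff_hz):
    """First-order RC, standing in for the amplifier's supply decoupling."""
    rc = 1.0 / (2.0 * math.pi * cutoff_hz)
    alpha = (1.0 / FS) / (rc + 1.0 / FS)
    y, out = x[0], []
    for v in x:
        y += alpha * (v - y)
        out.append(y)
    return out

def moving_average(x, window):
    """Observer's post-processing: boxcar low-pass that removes the 2*TONE_HZ
    ripple of the rectified tone and keeps the slow envelope."""
    out, acc = [], 0.0
    for i, v in enumerate(x):
        acc += v
        if i >= window:
            acc -= x[i - window]
        out.append(acc / min(i + 1, window))
    return out

def correlation(a, b):
    """Pearson correlation; 0.0 if either side is (numerically) constant."""
    n = len(a)
    ma, mb = sum(a) / n, sum(b) / n
    cov = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    va = sum((x - ma) ** 2 for x in a)
    vb = sum((y - mb) ** 2 for y in b)
    if va < 1e-18 or vb < 1e-18:   # rounding noise on a flat trace is not signal
        return 0.0
    return cov / math.sqrt(va * vb)

def equalise(i_rail):
    """Idealised current-equalising countermeasure (assumption): the board draws
    a fixed ceiling from the shared supply and a local shunt burns the rest.
    Returns (upstream current, shunt current): the envelope now exists only in
    the shunt, dissipated as heat on the board, not on the power network."""
    ceiling = max(i_rail)
    return [ceiling] * len(i_rail), [ceiling - i for i in i_rail]

def envelope_leak(decoupling_hz=None, countermeasure=False):
    """Correlation between the true envelope and what an observer on the supply
    recovers, under the chosen defenses."""
    audio = synth_audio()
    truth = [envelope(i / FS) for i in range(len(audio))]
    i_rail = class_ab_rail_current(audio)
    if decoupling_hz is not None:
        i_rail = rc_lowpass(i_rail, decoupling_hz)
    if countermeasure:
        i_rail, _shunt = equalise(i_rail)
    recovered = moving_average(i_rail, FS // 100)   # 10 ms window
    return correlation(recovered, truth)

if __name__ == "__main__":
    print("no defense       :", round(envelope_leak(), 3))
    print("50 Hz decoupling :", round(envelope_leak(decoupling_hz=50.0), 3))
    print("current equaliser:", round(envelope_leak(countermeasure=True), 3))
```

The 50 Hz decoupling case is the caveat: it strips the 600 Hz rectification ripple but leaves the few-hertz envelope almost untouched, so the correlation barely drops. Only the equaliser, which removes the signal dependence of the upstream draw entirely, takes it to zero.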
-
TEMPEST emanations from oscillators. Every receiver has a local oscillator, and a small but characteristic amount of its energy leaks out through the antenna port and the enclosure at the LO frequency. An adversary with a sensitive receiver can detect this leakage and infer that a target is tuned to a particular band, channel, or even waveform: useful intelligence even without intercepting any content. The famous Soviet "Great Seal Bug", the cavity resonator designed by Leon Theremin and hidden in a carved Great Seal of the United States that hung in the US ambassador's Moscow residence, was passive and radiated nothing until illuminated by an external transmitter; later eavesdropping devices carried real oscillators, and those oscillators themselves leaked.
-
Power-amplifier fingerprinting. Every PA has slight nonlinearities that produce a unique signature: its AM-AM and AM-PM curves, the levels of its harmonics and intermodulation products, its spurs, and its noise floor. Two transmitters of the same model built on adjacent days are not identical at the spectrum level. Spectrum forensics and SIGINT exploit this as specific emitter identification: individual transmitters can be recognised and tracked even when the message content is encrypted, because the fingerprint rides on the physical layer rather than on the payload.
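Specific emitter identification in miniature, as an added example that is not from the text: three PAs share a design but differ slightly in their third-order coefficient, a two-tone test exposes that difference as a different IM3 level in dBc, and a captured burst (with constructed receiver noise) is matched against the enrolled signatures. The memoryless PA model, the coefficients, the tone plan and the noise level are assumptions.

```python
"""Two-tone intermodulation as a transmitter fingerprint.
Added example; the PA model and every constant are constructed assumptions."""
import cmath
import math
import random

FS = 1_000_000                  # Hz, model sample rate (assumption)
F1, F2 = 100_000.0, 110_000.0   # two-tone test frequencies (assumption)
N = 10_000                      # samples: 100 Hz bins, so every tone is on a bin

# Per-unit AM-AM curve y = a1*x + a3*x**3 (memoryless, odd-order only, assumption).
# Same design, slightly different a3: the "serial-adjacent" units of the text.
UNITS = {"unit_A": (10.0, -0.80), "unit_B": (10.0, -0.95), "unit_C": (10.0, -1.10)}

def two_tone(amplitude=0.2):
    """Standard two-tone test stimulus."""
    return [amplitude * (math.sin(2 * math.pi * F1 * n / FS)
                         + math.sin(2 * math.pi * F2 * n / FS)) for n in range(N)]

def amplify(x, a1, a3):
    """Memoryless cubic PA: a3 < 0 gives gain compression and IM3 products."""
    return [a1 * v + a3 * v ** 3 for v in x]

def tone_amplitude_db(x, freq):
    """Amplitude of one on-bin tone via a single-bin DFT, in dB."""
    w = -2j * math.pi * freq / FS
    acc = sum(v * cmath.exp(w * n) for n, v in enumerate(x))
    return 20 * math.log10(abs(acc) / (len(x) / 2))

def im3_signature(y):
    """Third-order intermod (2f1-f2, 2f2-f1) relative to the carrier, in dBc.
    Analytically (3/4)*a3*A**3 over a1*A + (9/4)*a3*A**3, so it tracks a3."""
    carrier = tone_amplitude_db(y, F1)
    im3_low = tone_amplitude_db(y, 2 * F1 - F2)    # 90 kHz
    im3_high = tone_amplitude_db(y, 2 * F2 - F1)   # 120 kHz
    return 0.5 * (im3_low + im3_high) - carrier

def enrol():
    """Measure every known unit once and store its signature."""
    x = two_tone()
    return {name: im3_signature(amplify(x, a1, a3)) for name, (a1, a3) in UNITS.items()}

def over_the_air(y, noise_sigma=0.01, seed=0):
    """Constructed receiver noise (assumption) on the captured burst."""
    rng = random.Random(seed)
    return [v + rng.gauss(0.0, noise_sigma) for v in y]

def identify(y, database):
    """Nearest enrolled signature wins."""
    sig = im3_signature(y)
    return min(database, key=lambda name: abs(database[name] - sig))

if __name__ == "__main__":
    db = enrol()
    for name, sig in db.items():
        print(f"{name}: IM3 = {sig:.2f} dBc")
    burst = over_the_air(amplify(two_tone(), *UNITS["unit_B"]), seed=7)
    print("captured burst identified as", identify(burst, db))
```

A real SEI pipeline uses many such features (AM-PM, spur table, transient shape) and a classifier rather than one scalar, but the principle is the same: the nonlinearity is a property of the hardware, so encrypting the payload does not remove it.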
-
Class-C switching transients. The on/off transitions of a class-C stage, and of any burst-mode transmitter, generate wide-band transients that are rich in device-specific detail. For IoT radios (LoRa nodes, Zigbee modules) these turn-on transients have been used to fingerprint individual devices, and timing the leading edges of the same burst at several receivers allows the transmitter to be geolocated by time difference of arrival.
-
Amplifier instability as an attack vector. A well-tuned negative-feedback amplifier is only as stable as its phase margin, and that margin is not fixed by the design alone: a reactive load mismatch, a manipulated supply voltage, or a temperature shock can move the loop's poles enough to push the margin through zero, at which point the stage oscillates. The load is the term an outsider can reach. Attacks have been demonstrated that deliberately destabilise an opponent's RF chain by injecting carefully tuned out-of-band signals that load the amplifier's output reactively. The design-time check that closes this vector is unconditional stability (Rollett K > 1 with |Δ| < 1) over the whole frequency range the output can see, not only the operating band.
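The stability check above worked through, as an added example that is not from the text: for a constructed, hypothetical two-port (the S-parameters are assumptions, not a real device) it computes the Rollett factor, finds the stage only conditionally stable, and then shows which purely reactive loads, the kind an out-of-band injection or a detuned antenna presents, drive |Γ_in| above 1 and make oscillation possible.

```python
"""Load-pull stability check of a conditionally stable PA stage.
Added example: the S-parameters are a constructed hypothetical device at one
out-of-band frequency, not measurements of any real part."""
import cmath
import math

def polar(mag, deg):
    """Complex number from magnitude and phase in degrees."""
    return cmath.rect(mag, math.radians(deg))

# Constructed 50-ohm S-parameters at the frequency the attacker injects (assumption).
S11, S21, S12, S22 = polar(0.8, -60), polar(4.0, 100), polar(0.1, 40), polar(0.7, -40)

def rollett(s11=S11, s21=S21, s12=S12, s22=S22):
    """Rollett stability factor K and |delta|. K > 1 together with |delta| < 1
    means unconditionally stable for every passive source and load; anything
    less means some passive termination can turn the stage into an oscillator."""
    delta = s11 * s22 - s12 * s21
    k = (1 - abs(s11) ** 2 - abs(s22) ** 2 + abs(delta) ** 2) / (2 * abs(s12 * s21))
    return k, abs(delta)

def input_reflection(gamma_l, s11=S11, s21=S21, s12=S12, s22=S22):
    """Reflection coefficient seen at the PA input for load reflection gamma_l."""
    return s11 + s12 * s21 * gamma_l / (1 - s22 * gamma_l)

def potentially_unstable(gamma_l):
    """|Gamma_in| > 1 means the input presents negative resistance: some passive
    source termination (the driver stage, a cable) then closes an oscillator."""
    return abs(input_reflection(gamma_l)) > 1.0

def load_stability_circle(s11=S11, s21=S21, s12=S12, s22=S22):
    """Centre and radius, in the load reflection plane, of the |Gamma_in| = 1
    circle; with |S11| < 1 the side containing the origin is the stable side."""
    delta = s11 * s22 - s12 * s21
    denom = abs(s22) ** 2 - abs(delta) ** 2
    centre = (s22 - delta * s11.conjugate()).conjugate() / denom
    return centre, abs(s12 * s21) / abs(denom)

def unstable_reactive_phases(step_deg=5):
    """Sweep purely reactive terminations (|Gamma_L| = 1: a detuned antenna, an
    open or shorted stub, a filter outside its passband) and list the phases
    at which the stage becomes potentially unstable."""
    return [deg for deg in range(0, 360, step_deg)
            if potentially_unstable(polar(1.0, deg))]

if __name__ == "__main__":
    k, d = rollett()
    verdict = "unconditionally" if (k > 1 and d < 1) else "conditionally"
    print(f"K = {k:.3f}, |delta| = {d:.3f} -> {verdict} stable")
    print("matched load  |Gamma_in| =", round(abs(input_reflection(0)), 3))
    print("attacker load |Gamma_in| =", round(abs(input_reflection(polar(0.9, 110))), 3))
    print("unstable reactive phases:", unstable_reactive_phases())
```

The practitioner's point is the frequency range: a PA that is unconditionally stable across its operating band can still be conditionally stable a few hundred MHz away, where the matching network no longer looks like 50 ohms, and that is exactly where an injected out-of-band signal does its work.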
-
Ring-oscillator-based TRNGs and PUFs. As mentioned in section 4.4, on-chip ring oscillators serve both as true random number sources (period jitter, accumulated over a counting window, is the entropy) and as physical unclonable functions (the manufacturing-fixed relative frequencies of RO pairs are the identity). The same Barkhausen condition that enables clock generation, a loop gain of magnitude one with zero net phase, which an odd number of inverters in a loop satisfies, enables these hardware security primitives.
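Both uses of the ring oscillator in one model, added here and not part of the text: a chip is "fabricated" with fixed per-RO frequency offsets, re-measured with environmental noise to show the PUF's reliability and uniqueness, and then one RO is counted over a window to show when the accumulated jitter is, and is not, enough to make the counter LSB a fair coin. The mismatch, read-out noise and jitter figures are constructed assumptions (the jitter is exaggerated so the simulation stays short), not silicon data.

```python
"""Ring-oscillator PUF and TRNG model.
Added example; all figures below are constructed assumptions, not measurements."""
import random

N_RO = 256              # ring oscillators per chip (assumption)
F_NOM = 1.0e9           # nominal RO frequency, Hz (assumption)
MISMATCH = 0.02         # fixed per-RO process variation, relative (assumption)
READ_NOISE = 0.001      # per-measurement frequency noise, supply/temperature (assumption)
PERIOD_JITTER = 30e-12  # rms jitter per period, s; exaggerated so short windows
                        # accumulate enough jitter in simulation (assumption)

def fabricate(chip_seed):
    """Process variation is frozen at manufacture: each RO gets a permanent
    random frequency offset. The returned list is the chip's 'silicon'."""
    rng = random.Random(chip_seed)
    return [F_NOM * (1.0 + rng.gauss(0.0, MISMATCH)) for _ in range(N_RO)]

def measure(chip, run_seed):
    """One read-out of every RO frequency, perturbed by environmental noise."""
    rng = random.Random(run_seed)
    return [f * (1.0 + rng.gauss(0.0, READ_NOISE)) for f in chip]

def puf_response(freqs):
    """Pairwise-comparison PUF: bit i = 1 if RO 2i runs faster than RO 2i+1.
    Only the ordering matters, so the response survives global drift."""
    return [int(freqs[2 * i] > freqs[2 * i + 1]) for i in range(len(freqs) // 2)]

def hamming_fraction(a, b):
    """Fraction of differing bits: near 0 for the same chip re-measured
    (reliability), near 0.5 for two different chips (uniqueness)."""
    return sum(x != y for x, y in zip(a, b)) / len(a)

def accumulated_jitter_periods(freq, window_s):
    """Rms jitter accumulated over the counting window, in units of one period.
    The counter LSB is only a fair coin if this is around 1 or more."""
    cycles = window_s * freq
    return (cycles ** 0.5) * PERIOD_JITTER * freq

def trng_bit(freq, window_s, rng):
    """Count RO periods inside the window and take the LSB. Period-by-period
    jitter is summed explicitly so the count wanders as it does in hardware."""
    nominal_cycles = int(window_s * freq)
    drift = sum(rng.gauss(0.0, PERIOD_JITTER) for _ in range(nominal_cycles))
    cycles = int((window_s - drift) * freq)
    return cycles & 1

def trng_bits(freq, window_s, n, seed=0):
    rng = random.Random(seed)
    return [trng_bit(freq, window_s, rng) for _ in range(n)]

def ones_fraction(bits):
    return sum(bits) / len(bits)

if __name__ == "__main__":
    chip_a, chip_b = fabricate(1), fabricate(2)
    r_a1 = puf_response(measure(chip_a, 10))
    r_a2 = puf_response(measure(chip_a, 11))
    r_b = puf_response(measure(chip_b, 12))
    print("same chip, two runs:", hamming_fraction(r_a1, r_a2))
    print("different chips    :", hamming_fraction(r_a1, r_b))
    for window in (10.5e-9, 1e-6):
        bits = trng_bits(F_NOM, window, 128)
        print(f"window {window:.1e} s: jitter {accumulated_jitter_periods(F_NOM, window):.2f}"
              f" periods, ones {ones_fraction(bits):.2f}")
```

The 10.5 ns window is the failure mode a reviewer should look for in an RO-TRNG design: the count is 10 every time, so the "random" bit is a constant. Hardware jitter is far smaller than the figure used here, which is why real designs count over long windows or combine many oscillators, and why the health test that estimates accumulated jitter belongs in the design, not just in the datasheet.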
-
Miller-effect EM leakage. In a high-gain stage without a cascode, the gate-drain (or base-collector) capacitance appears at the input multiplied by (1 + |A_v|), the Miller effect, so older analog ICs built this way have very large effective input capacitances. Every transition on the input net must charge that capacitance, and the resulting displacement current, C_in·dv/dt, is large and has its spectrum at the harmonics of whatever clock drives the data. Those currents radiate, and near-field EM side-channel attacks on smartcards have recovered key bits with a small probe positioned over the input sections of analog blocks. Cascoding the stage holds the drain of the input device at a nearly constant voltage, which removes the Miller multiplication: the same change improves bandwidth and cuts the leakage.