>
curriculum/EM Waves and Transmission Lines
section 8 of 104 min read

8. Hardware Security Through the Lens of EM and Transmission Lines

Most of this material has direct security implications, often with the hardware engineer's casual familiarity with the physics doubling as the attacker's main tool.

8.1 TEMPEST and EM emanations

Every clock-driven trace radiates. Every switching transistor sets up a small time-varying current loop that, by Faraday and Ampere, throws a near-field magnetic and far-field electric pulse into space. The radiated waveform is correlated with the data being processed.

Classical TEMPEST attacks:

  • Reading a CRT or LCD's video signal at tens of meters by capturing the line-rate emanations.
  • Reading keyboard scan-codes from the radiated emissions of the matrix-scan logic.
  • Reading USB, HDMI, or Ethernet signals from cable radiation, sometimes at tens of meters.
  • Reconstructing audio from the laser-printed page motion (acoustic leak-back into the EMI).

Defenses, all rooted in this chapter:

  • Shielded cables. Coax and well-shielded twisted pair contain their fields by Gauss's-and-Ampere's-law arguments.
  • Faraday cages. A continuous, well-grounded conductive enclosure has zero internal field. Microwave oven doors have a perforated metal mesh whose holes are much smaller than λ\lambda at 2.45 GHz, blocking the cooking field while letting visible light through. TEMPEST-shielded SCIFs (Sensitive Compartmented Information Facilities) are huge Faraday cages with carefully gasketed doors and filtered power feeds.
  • Differential signaling. Two wires carrying opposite currents radiate cancellingly in the far field. Twisting the pair averages over any residual imbalance. This is why Ethernet, HDMI, USB, PCIe, DDR (the high-speed parts), and most other modern interconnect is differential.
  • Stripline routing. Sensitive analog or RF lines routed inside a PCB stackup, between two ground planes, are far better contained than top-layer microstrip.

8.2 Near-field side-channel probes

Bring a small magnetic loop or electric dipole near a chip, and it picks up the chip's switching activity by Faraday's law (for the loop) or capacitive coupling (for the dipole). Modern chip-level side-channel attacks use these probes to:

  • Extract AES keys from cryptographic accelerators that did not bother to balance their power consumption.
  • Recover RSA bits by spotting the difference in EM emissions during square-only versus square-and-multiply operations.
  • Read ECC operations on smartcards.

This is EM side-channel analysis (EMSCA), and it is the hardware-security application of Section 2.6 to small loops in your lab. Defenses include:

  • Decoupling and balanced power distribution to reduce the signal in the first place.
  • Conductive lid on the package or local shielding.
  • Masking and randomization in the cryptographic algorithm itself, so even leaked data tells the attacker nothing.

8.3 EM fault injection

Dual to passive EMSCA: actively induce currents in chip wires by parking a near-field probe over the die and pulsing it hard. The induced voltage can flip a bit during a critical operation, causing a fault that leaks the secret. This is EM fault injection (EMFI). The same probe can sometimes be used in two modes: passive read in step one, active injection in step two.

This is direct exploitation of Faraday's law on the victim chip, using millimeter-scale loops to dump tens of volts of induced spike into a transistor that expects sub-volt logic.

8.4 Time-domain reflectometry as physical-layer integrity check

A commercial-grade TDR can measure the cable trace to a specific connector, store the result as a reference, and compare future measurements against it. Any new reflection is evidence of a tap, a damage, or a tampering event. Some secure data-center installations sample TDR continuously on critical links and alarm on any change, providing physical-layer intrusion detection that does not depend on encryption.

8.5 Polarization and antenna pointing

The same polarization sensitivity that lets a satellite TV dish pick up its bird makes near-field eavesdropping setups polarization-sensitive too. A defensive technique is to deliberately rotate the polarization of an information-bearing emitter (e.g., physically rotating the bonding-wire orientation, or alternating between vertical and horizontal radiating modes). An attacker who fixes a polarization loses 3 dB minimum, and on the order of 20-30 dB if the polarizations are orthogonal.