Funtenna Malware Takes to the Airwaves to Steal Data

By Sean Michael Kerner  |  Posted 2015-08-05 Print this article Print

LAS VEGAS—Airwaves are used every day to transmit data via known wireless protocols, but what if a device could be manipulated to cause it to be able transmit a non-WiFi signal that no one knew about?

At the Black Hat USA security conference here, Ang Sui, founder of Red Balloon Security, demonstrated and provided great detail into a proof of concept security attack called the Funtenna.

"Funtenna is malware that intentionally causes compromising emanation," Sui said.

Emanation is a form of radio frequency (RF) signal that is leaked from an electrical device or cable. So, for example, Sui was able to demonstrate how with a tiny bit of Funtenna code, he could get a low-cost laser printer to emanate a signal that could be encoded with information. That signal could then be picked up by an AM radio and then demodulated to get the encoded information.

In contrast with WiFi, the Funtenna signal is not monitored or protected by organizations, Sui said. If someone wanted to exfiltrate data from a secret location without anyone knowing it, Funtenna could one day be an option.

Funtenna can potentially make use of multiple forms of acoustic, subacoustic and even ultrasonic signals. Sui noted that there was some evidence in the leaked U.S. National Security Agency documents from whistleblower Edward Snowden that the spy agency has a similar form of radio transmission technology. Sui noted however that the NSA needed hardware to be installed, while Funtenna is software and makes use of cables on a device to emanate the required signal.

"So say there is a secret location that you want to exfiltrate data from and you need something non-obvious, so you won't get caught," Sui said. "With Funtenna, you can exfiltrate with only software that can evaporate when it's done."

Beyond just the leaked NSA documents, Sui noted that there is a rich history of academic papers about data emanation potential. One such paper published in December 2013 and co-authored by Adi Shamir is titled "RSA Key Extraction via Low Bandwidth Acoustic Cryptoanalysis."

Sui noted, however, that the majority of the prior research was about taking a faint accidentally leaked signal and then capturing it with a big powerful receiver. Funtenna is a bit different in that the signal is intentionally created and can be picked up with a low-power device.

Sui explained that Funtenna can be used to emanate a signal by turning GPIO (General Purpose Input/Output) or UART (Universal asynchronous receiver/transmitter) pins on a device on and off. In a live demo with a Pantum P250W wireless monochrome laser printer, Sui showed how Funtenna code could in fact emanate a signal that could be picked up on a regular handheld AM radio. Sui is planning on providing another demo of Funtenna at the DefCon conference on Aug. 8. The Funtenna code is also set to be publicly available at and in a Github repository.

"The key take away here is that Funtenna works," Sui said. "And network defenses like IPS [Intrusion Prevention System] and firewalls are no substitute for full host-based defenses.

"Here with Funtenna I can beat the best network detection in the world with just an AM radio," Sui added.

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist. |

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel