Detect malware with electromagnetic waves and Raspberry Pi

Researchers have discovered a way to check for malware on internet of things (IoT) devices with almost 100% accuracy using machine learning and a Raspberry Pi.

The full kit

The method makes use of a signal probe that is passed over the device being tested, and can tell whether it is infected just by listening to the electromagnetic waves it gives off. The device can then “obtain precise knowledge about malware type and identity” by using machine learning to classify the malware.
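To make the pipeline the post describes concrete, here is an added miniature version of it (example code written for this article, not the team's GitHub release or the paper's actual method): constructed stand-in traces take the place of probe captures, band energies from a naive DFT are the features, a nearest-centroid classifier is trained on labelled benign and infected traces, and the evaluation reports false positives and false negatives rather than a single accuracy figure. The sample count, tone frequencies and noise level are all made-up assumptions.

```python
import cmath
import math
import random

SAMPLES = 128   # points per constructed trace (assumption, not the paper's sample rate)
BANDS = 8       # equal-width frequency bands used as features

def synth_trace(rng, infected, noise=0.5):
    """Constructed stand-in for one probe capture: a baseline activity tone plus
    Gaussian noise; infected devices add a spectral line for the malware's activity."""
    trace = []
    for n in range(SAMPLES):
        v = math.sin(2 * math.pi * 3 * n / SAMPLES)               # baseline tone, bin 3
        if infected:
            v += 0.6 * math.sin(2 * math.pi * 40 * n / SAMPLES)   # extra tone, bin 40
        trace.append(v + (rng.gauss(0, noise) if noise else 0.0))
    return trace

def band_energies(trace):
    """Feature vector: summed DFT magnitude in each of BANDS frequency bands (naive O(n^2) DFT)."""
    n = len(trace)
    spectrum = [abs(sum(x * cmath.exp(-2j * math.pi * k * t / n)
                        for t, x in enumerate(trace))) for k in range(n // 2)]
    width = len(spectrum) // BANDS
    return [sum(spectrum[b * width:(b + 1) * width]) for b in range(BANDS)]

def train(features, labels):
    """Nearest-centroid classifier: one mean feature vector per class label."""
    centroids = {}
    for label in set(labels):
        rows = [f for f, l in zip(features, labels) if l == label]
        centroids[label] = [sum(col) / len(rows) for col in zip(*rows)]
    return centroids

def predict(centroids, feature):
    """Label whose centroid is closest (Euclidean) to the feature vector."""
    return min(centroids, key=lambda label: math.dist(centroids[label], feature))

def evaluate(seed=1, n_train=40, n_test=40):
    """Train on n_train labelled traces; return (accuracy, false_positives, false_negatives) on n_test unseen ones."""
    rng = random.Random(seed)
    labelled = [(band_energies(synth_trace(rng, i % 2 == 1)), i % 2 == 1)
                for i in range(n_train)]
    centroids = train([f for f, _ in labelled], [l for _, l in labelled])
    correct = fp = fn = 0
    for i in range(n_test):
        infected = i % 2 == 1
        guess = predict(centroids, band_energies(synth_trace(rng, infected)))
        correct += guess == infected
        fp += guess and not infected        # benign device flagged as infected
        fn += infected and not guess        # infected device missed
    return correct / n_test, fp, fn
```

Calling `evaluate()` gives a high but not perfect score on this toy data; the separate false positive and false negative counts are what a field deployment would actually have to budget for.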

Brilliant but expensive

This seems like a pretty big deal to us. And better still, the team behind the invention have shared all the code you need to make your own malware detector on GitHub. But before you get too excited, the project is based around a PicoScope 6407, which is an expensive bit of kit. You’re looking at spending upwards of $10,000 to build your own.

Image taken from the full research paper

The setup also includes an oscilloscope, a Langer PA-303 amplifier, an RF-R H-field probe, and a Raspberry Pi 2 Model B. The Raspberry Pi was used to train the device, and its GPIO also provides the trigger signal when it is in detection mode.

Steps taken to train the model using benign and malware datasets can be found here.

Meet the malware-detecting research team

This project is the work of Duy-Phuc Pham, Damien Marion, Mathieu Mastio, and Annelie Heuser from the Research Institute of Computer Science and Random Systems (IRISA) in France. They presented this work at the 2021 Annual Computer Security Applications Conference (ACSAC) in December. You can read their full research paper: Obfuscation Revealed: Leveraging Electromagnetic Signals for Obfuscated Malware Classification thanks to HAL open science.

2 comments


This is very cool! If it is $10k for a scope to listen at 1.8 GHz, then maybe $20k for enough resolution to do this for a 5 GHz CPU?

I see some big problems with the methodology. They trained it with known malware binaries and then compared that to random or very crude benign activity (watching a video, opening a photo, or playing audio). In the real world it is a lot more complicated, using programs that more closely look like malware, such as running scripts for system administration, browsing websites, using many programs concurrently, running stuff in Docker, etc. For whatever reason, sometimes legitimate software vendors use obfuscation techniques as well.

The claim of nearly 100% is a tough number to grapple with, and perhaps even dubious. Nearly all security products are somewhere near 100% coverage in a lab setting — yet still manage to drive everyone crazy with false positives or missing detection in the field. None of their data in their research paper showed A) 100% malicious detection (it had some false negatives) or B) 100% benign detection (it also had some false positives). With the nature of machine learning making a verdict based on a confidence level and some threshold this might never reach 100% in the future by design (with our current tech).

I think the strongest advantage to this system by far is the ability to monitor the host without detection (and risk of taking evasion action) of the malware, even if the malware is running in kernel space. Evasion is a real trouble for current security tools, and this is a very clever (and scary!) solution to the problem.


Hi Josh,
You seem knowledgeable. I def have some sort of malware on my phone. My texts blink and sometimes go in out of order. I need to find someone that can check my phone out!
