Iowa State University Capstones, Theses and Graduate Theses and Dissertations Dissertations 2018 Intentional Electromagnetic Interference Attack on Sensors and Actuators Jayaprakash Selvaraj Iowa State University Follow this and additional works at:https://lib.dr.iastate.edu/etd Part of theElectrical and Electronics Commons, and theElectromagnetics and Photonics Commons Recommended Citation Selvaraj, Jayaprakash, "Intentional Electromagnetic Interference Attack on Sensors and Actuators" (2018).Graduate Theses and Dissertations. 16460. https://lib.dr.iastate.edu/etd/16460 This Dissertation is brought to you for free and open access by the Iowa State University Capstones, Theses and Dissertations at Iowa State University Digital Repository. It has been accepted for inclusion in Graduate Theses and Dissertations by an authorized administrator of Iowa State University Digital Repository. For more information, please [email protected]. Intentional electromagnetic interference attack on sensors and actuators by Jayaprakash Selvaraj A dissertation submitted to the graduate faculty in partial fulfillment of the requirements for the degree of DOCTOR OF PHILOSOPHY Major: Electrical Engineering (Electromagnetics Microwave and Nondestructive Evaluation) Program of Study Committee: Mani Mina, Major Professor Jiming Song Arun Somani Meng Lu Gary Tuttle The student author, whose presentation of the scholarship herein was approved by the program of study committee, is solely responsible for the content of this dissertation. The Graduate College will ensure this dissertation is globally accessible and will not permit alterations after a degree is conferred. Iowa State University Ames, Iowa 2018 ii TABLE OF CONTENTS LIST OF FIGURES ................................................................................................................. iv LIST OF TABLES ...................................................................................................................ix ACKNOWLEDGEMENT ....................................................................................................... ix ABSTRACT .............................................................................................................................. x CHAPTER 1 INTRODUCTION .............................................................................................. 1 1.1 Near-field shielding ............................................................................................................. 4 1.2 Data security in embedded system .................................................................................... 7 1.3 System level overview of IEMI attack .............................................................................. 9 1.4 Overview of the dissertation ............................................................................................. 10 CHAPTER 2 FALSE-DATA INJECTION FOR ANALOG SENSORS ............................... 14 2.1 Mechanism of Attack ........................................................................................................ 15 2.2 Experimental Setup............................................................................................................ 19 2.2.1 Victim Circuit ............................................................................................................. 19 2.2.2 Attacker Circuit .......................................................................................................... 21 2.2.3 Anechoic chamber ..................................................................................................... 28 2.3 Experimental Results ......................................................................................................... 30 2.4 Transmitted power requirement estimation .................................................................... 39 2.5 Conclusion .......................................................................................................................... 45 CHAPTER 3 FALSE DATA INJECTION FOR DIGITAL SENSORS ................................ 46 3.1 IEMI attack using continuous sinusoidal signal ............................................................ 48 3.1.1 Experimental results and discussion ........................................................................ 51 3.2 Modified experimental setup demonstrating IEMI attack using continuous sinusoidal signal ............................................................................................................................. 54 iii 3.2.1 Experimental results and discussion ........................................................................ 55 3.3 IEMI attack using continuous sawtooth waveform ....................................................... 58 3.3.1 Experimental results and discussion ........................................................................ 60 3.4 Conclusion .......................................................................................................................... 63 CHAPTER 4 FALSE DATA INJECTION FOR ACTUATORS ........................................... 64 4.1 Mechanism of attack for actuator .................................................................................... 68 4.2 Continuous sinusoidal attack ............................................................................................ 70 4.2.1 Experimental results and discussion ........................................................................ 71 4.3 Pulsed sinusoidal attack .................................................................................................... 73 4.3.1 Experimental results and discussion ........................................................................ 75 4.4 Saw tooth waveform attack .............................................................................................. 77 4.4.1 Transmitter circuit design ......................................................................................... 81 4.4.2 Experimental results and discussion ........................................................................ 90 4.5 Conclusion .......................................................................................................................... 93 CHAPTER 5 OTHER CONTRIBUTIONS ............................................................................ 94 5.1 Introduction ........................................................................................................................ 94 5.2 Magnetic Field Generator Circuit .................................................................................... 96 5.3 Optical Interferometer Setup .......................................................................................... 100 5.4 Results and Discussion .................................................................................................... 102 5.5 Conclusion ........................................................................................................................ 103 CHAPTER 6 CONCLUSION AND FUTURE WORK ....................................................... 104 6.1 Suggestions for future researchers ................................................................................. 106 REFERENCES ..................................................................................................................... 108 iv LIST OF FIGURES Figure 1-1 Wave impedance of a) electric dipole b) magnetic dipole [20] .............................. 5 Figure 1-2 Reflection loss introduced by shields under near-field condition of electric and magnetic sources [20] ............................................................................................................... 6 Figure 1-3 IEMI attack model showing the attacker circuit as well as circuits under attack [31] ............................................................................................................................................ 9 Figure 2-1 ESD protection circuits rectifying injected IEMI AC signal into DC .................. 16 Figure 2-2 Experiment to validate rectification hypothesis due to ESD diodes ..................... 17 Figure 2-3 Rectified DC voltage measured at the input of ADC, while directly connecting an AC signal to the input terminal........................................................................ 18 Figure 2-4 Signal clipping due to limited ADC input voltage range ...................................... 19 Figure 2-5 Experimental setup for false data injection on analog sensors ............................. 20 Figure 2-6 Schematic representation of victim circuit ............................................................ 21 Figure 2-7 Power Amplifier output vs frequency ................................................................... 22 Figure 2-8 Vivaldi antenna designed in ANSYS HFSS ......................................................... 24 Figure 2-9 Return loss of Vivaldi antenna compared against a monopole antenna................ 25 Figure 2-10 Electric field pattern of Vivaldi antenna under near-field conditions ................. 26 Figure 2-11 Vivaldi antenna shown with corresponding axes ................................................ 26 Figure 2-12 a) Magnetic field and b) Electric field plots of Vivaldi antenna along the end-fire direction ............................................................................................................... 27 Figure 2-13 Experimental setup with Radiation Absorbing Material (RAM) shields ............ 29 v Figure 2-14 ADC output when the distance of separation between the transmitter and victim circuit was 10 cm, under (a) No IR light condition. (b) Medium IR light condition. (c) Maximum IR light condition.................................................................... 32 Figure 2-15 Oscilloscope screenshot showing the DC offset induced at the input terminal of ADC, under no IR light condition ........................................................................ 34 Figure 2-16 Oscilloscope image showing DC offset induced at the victim circuit, under maximum IR light condition ................................................................................................... 35 Figure 2-17 Oscilloscope image showing same amplitude of induced sinusoidal signal, under medium IR light condition ............................................................................................ 36 Figure 2-18 ADC voltage induced under no IR light condition, with varying distance between the EM signal transmitting antenna and the victim circuit ....................................... 38 Figure 2-19 Equivalent circuit model for the IEMI attacker and the victim circuit ............... 39 Figure 2-20 Simplified equivalent circuit models for the attacker and victim circuits .......... 40 Figure 2-21 Comparison between theoretical and measured induced ADC voltage with varying distance between attacker and victim circuits ........................................................... 43 Figure 3-1 Experimental setup for demonstrating IEMI attack on digital sensors ................. 50 Figure 3-2 Photograph of experimental setup used to demonstrate IEMI attack on digital sensors.......................................................................................................................... 51 Figure 3-3 Percentage of misreads vs frequency when the transmitting microcontroller sends a) logic level 0, b) logic level 1 ..................................................................................... 52 Figure 3-4 Digital logic voltage level for 3.3 V systems ........................................................ 53 vi Figure 3-5 Modification to experimental setup to attack digital sensors, by using long interconnecting cable shaped as a coil .................................................................................... 54 Figure 3-6 Oscilloscope image showing the DC voltage present at the interconnecting cable, while transmitting logic level 1 .................................................................................... 55 Figure 3-7 Oscilloscope image showing a drop in the DC average voltage from 2.1 V, while transmitting a sinusoidal attack signal .......................................................................... 56 Figure 3-8 Oscilloscope image showing the signal present in the interconnecting cable, while the transmitting microcontroller sends a logic level 0 .................................................. 57 Figure 3-9 Experimental setup for injecting false data using sawtooth waveform ................. 59 Figure 3-10 Oscilloscope image showing sawtooth attack signal and the induced signal at the victim circuit's GPIO pin ............................................................................................... 60 Figure 3-11 Oscilloscope image showing high frequency sawtooth attack signal and the resultant induced signal at the victim circuit .......................................................................... 61 Figure 4-1 Block diagram of servo motor and control circuit ................................................ 67 Figure 4-2 PWM control signals and the corresponding degree of rotation of the actuator's armature .................................................................................................................. 68 Figure 4-3 Experimental setup for continuous sinusoidal signal attack ................................. 70 Figure 4-4 Oscilloscope screenshot showing continuous sinusoidal attack signal and PWM signal ............................................................................................................................ 72 Figure 4-5 Pulsed sinusoidal attack on actuator ..................................................................... 74 Figure 4-6 Oscilloscope measurement of the pulsed sinusoidal signal from the attacker and the coupled signal at the victim's PWM signal path ........................................................ 75 vii Figure 4-7 Oscilloscope screenshot showing the pulsed sinusoidal attack signal superimposed on the PWM control signal .............................................................................. 76 Figure 4-8 EM coupling model demonstrating Faraday's law ................................................ 78 Figure 4-9 MATLAB plot comparing the current at the transmitter with the voltage induced at the victim circuit .................................................................................................... 80 Figure 4-10 Schematic of the attacker circuit ......................................................................... 83 Figure 4-11 Buffer circuit used to boost the signal from microcontroller to gate terminal of IGBT..................................................................................................................... 88 Figure 4-12 Attacker circuit .................................................................................................... 89 Figure 4-13 Experimental setup showing sawtooth waveform attack on digital servo motor ....................................................................................................................................... 91 Figure 4-14 Oscilloscope image showing the sawtooth attack signal as well as the DC offset induced in the PWM signal .................................................................................... 92 Figure 5-1 Proposed magnetic field generator circuit............................................................. 96 Figure 5-2 Control signals for PMOS and NMOS transistors ................................................ 97 Figure 5-3 Optical interferometer setup .................................................................................. 98 Figure 5-4 Magnetic field generator circuit fabricated on a PCB ......................................... 100 Figure 5-5 a) Current sense resistor’s voltage output. b) Normalized optical output. ......... 101 viii LIST OF TABLES Table 4-1 Summary of the components used in the attacker circuit. …………………….....90 ix ACKNOWLEDGEMENT I would like to thank my committee chair, Prof. Mani Mina, and my committee members, Prof. Jiming Song, Prof. Gary Tuttle, Prof. Arun Somani, and Prof. Meng Lu, for their guidance and support throughout the course of this research. Prof. Mani Mina provided the opportunity for me to work on the electromagnetics research area, despite my little experience in this field. I am eternally thankful to him for supporting me, at my lowest points during the graduate studies. I would like to sincerely thank my collaborators at Virginia Tech University, especially Prof. Ryan Gerdes, whose unparalleled guidance and support throughout my research, has provided me a successful platform, to prove my expertise and excel in every project, that I got an opportunity to work with him. I would also like to thank my colleagues Gökçen Yılmaz Dayanıklı, Neelam Prabhu Gaunkar and David Ware for their dedication and hard work to transform this research into a pioneering work, in hardware security field. I would like to thank my loving wife, Priyam Rastogi, who has stood with me, through every joy and sorrow and provided me with motivation and confidence, to handle all the struggles which came towards me. I would also like to thank my in-laws who saw the potential in me and supported me throughout my graduate studies, without a hint of doubt in their mind. In addition, I would also like to thank my parents, friends, colleagues, the department faculty and staff for making my time at Iowa State University a wonderful experience.
Description: