Is Your Digital Infrastructure Truly Secure?

Introduction

Every digital system leaks. Not in the way most cybersecurity professionals are trained to think about, such as through unpatched software or weak passwords, but physically through electromagnetic, optical, acoustic, and conducted signals that escape even the most hardened environments. These emissions are not bugs or accidental flaws. They are fundamental to how modern electronics operate, and when properly understood, they form a complete passive attack surface.

Modern threat actors no longer require direct access to extract data. They do not need to compromise firmware or deploy malware. They only need to listen. This can happen from the other side of a wall, down a hallway, through utility conduits, or from across the street. Today’s adversaries leverage passive emanation channels that convert normal system behavior into intelligence-bearing signals. These attacks leave no digital trace, generate no alerts, and bypass every layer of the software stack.

Recent demonstrations have confirmed the viability of these methods. Researchers have used software-defined radios to reconstruct full video output from HDMI cables. They have extracted cryptographic keys by capturing RF leakage from RAM and CPU buses. They have exfiltrated data by manipulating the blinking patterns of NIC and HDD LEDs. Some have used acoustic variations from cooling fans and coil whine to capture keystrokes and compute activity. Others have exploited facility power lines by modulating CPU load to leak binary data into electrical infrastructure. Even fully air-gapped systems are vulnerable, as malware can induce emissions from internal buses and transmit information over FM or GSM frequencies without any networking hardware.

This paper is not a retrospective. It focuses only on verified and repeatable threats that exist right now in operational environments. Historical vulnerabilities and speculative risks are not included. Every example is grounded in peer-reviewed research, lab-validated experiments, and real-world toolsets.

The objective is to give subject matter experts in signals intelligence, cyber defense, and secure system design a current-state assessment of emanation-based threats. These are not academic curiosities. They are field-validated and operationally viable. As adversaries expand their exploitation of electromagnetic, optical, acoustic, and conducted domains, defenders must evolve their assumptions. Systems assumed to be silent are already leaking. And the intelligence community should be listening.

RF Emanation Threats from Modern Computing Interfaces

HDMI Interface RF Leakage:

Recent research has demonstrated that HDMI cables inherently emit exploitable RF signals correlated with the transmitted video data. In an experiment conducted in 2024, researchers successfully intercepted HDMI video signals using commercially available Software-Defined Radios (SDRs), specifically the Airspy R2 receiver. The researchers positioned standard SDR antennas several meters away from an unmodified HDMI cable carrying 1080p video signals. Captured RF signals underwent signal processing, after which a convolutional neural network trained on synchronized screen captures was applied. The neural network significantly enhanced the recovered data, substantially reducing character error rates and successfully reconstructing legible text and recognizable images. Such AI-driven signal reconstruction confirms that even relatively noisy, low-power RF leakage from HDMI interfaces can yield actionable intelligence.

USB 3.x Broadband Emanations:

Validations highlight USB 3.x interfaces as notable broadband RF emitters across a frequency range extending from DC up to 5 GHz. Intel's authoritative investigation into USB 3.x RF interference reveals practical disruptions to L-band GPS and Iridium satellite communications caused by broadband USB emissions. Furthermore, documented experiments by researchers at Northeastern University have utilized USB hub congestion as a covert side-channel for information extraction. Specifically, congestion-based timing analysis enabled passive inference of user keystrokes with 36.3% accuracy within the top 10 guesses. In separate experiments employing machine learning classification, the same USB congestion analysis successfully fingerprinted browsing behavior with 83.4% accuracy, correctly identifying which of the top 100 websites users visited. Crucially, these attacks require no malware installation or privileged access; they rely solely on passive analysis of USB traffic patterns, rendering them covert and difficult to detect.

Ethernet (UTP/STP) Vulnerabilities:

Ethernet cabling, specifically Unshielded Twisted Pair (UTP), constitutes a verified RF emission vector, validated through peer-reviewed experimentation. Researchers using the USRP X300 SDR and near-field RF probes demonstrated the reliable passive interception of full 10BASE-T Ethernet frames from unmodified UTP cables at close range, reconstructing transmitted Ethernet frames without requiring direct electrical contact. Conversely, Shielded Twisted Pair (STP) cables have exhibited vulnerabilities when improperly grounded. In such cases, the shielding of STP cabling can inadvertently become an antenna, amplifying emissions beyond those observed in standard UTP cables. This scenario has been demonstrated in laboratory conditions, highlighting that shielding alone is insufficient unless coupled with rigorous, verified grounding procedures. These findings highlight critical operational vulnerabilities inherent to Ethernet infrastructure within high-security environments, emphasizing the essential role of verified physical security measures and meticulous EMSEC grounding practices.

RF Leakage from Internal System Components

CPU and Memory Bus (RAM) Emanations:

Studies have demonstrated that CPUs and DDR memory modules emit distinct RF signals that are directly correlated with sensitive internal data processes. Georgia Institute of Technology's experimental analysis verified that CPU and RAM operations produce unique, detectable electromagnetic signatures, particularly during off-chip memory accesses. This near-field RF leakage has been exploited in controlled laboratory conditions to extract cryptographic keys from standard computing hardware. One rigorously documented demonstration involved the successful recovery of RSA encryption keys from a typical laptop through RF emissions captured at approximately 1.7 MHz using a commercially available RTL-SDR dongle positioned roughly half a meter from the device.

Further reinforcing this threat, the GSMem attack, developed by Ben-Gurion University, demonstrated intentional modulation of RAM buses to emit RF signals within standard GSM cellular frequency bands (850/900 MHz). GSMem leveraged specific cache-bypassing instructions (e.g., MOVNTDQ) to create sustained, modulated RF emissions from unmodified DDR RAM modules. These emissions were captured by standard Software-Defined Radios (USRP B210) at distances exceeding 30 meters, achieving practical data transmission rates between 100 and 1000 bits per second. The GSMem experiment thus establishes RAM bus emanations as both passively detectable and actively exploitable at operationally significant ranges using readily available, non-specialized equipment.

PCIe Bus and Power Delivery Networks:

The Peripheral Component Interconnect Express (PCIe) bus, commonly used within modern computing architectures, has been demonstrated to be a significant internal RF emission vector. Commercially available diagnostic and debugging equipment, such as near-field magnetic probes and high-fidelity differential signal probes manufactured by Teledyne LeCroy and Keysight, has enabled passive monitoring of PCIe signals directly from unmodified circuit boards. MITRE ATT&CK explicitly recognizes bus-based eavesdropping as a realistic exploitation technique based on publicly available proof-of-concept experiments. These documented demonstrations have validated that high-speed PCIe buses, operating at frequencies up to and beyond 16.0 GT/s, inherently emit RF signals sufficiently distinct to infer operational patterns and, potentially, sensitive transmitted data.

Similarly, Switch-Mode Power Supplies (SMPS) and voltage regulator modules within the system's power delivery network generate measurable RF emissions that are directly correlated with CPU and memory activity. Differential electromagnetic analysis techniques have confirmed that power supply units unintentionally amplify minute changes in electrical load driven by internal computational processes, enabling potential extraction of sensitive information, including cryptographic keys, through entirely passive RF monitoring. These findings highlight verified risks associated with internal high-speed digital buses and power supply units, emphasizing the necessity of comprehensive EMSEC measures within high-performance computing systems.

Conducted Emission Threats via Facility Power Lines

PowerHammer Attack Methodology:

The PowerHammer attack, developed and publicly demonstrated by researchers at Ben-Gurion University, provides hard evidence that power lines themselves can serve as viable exfiltration channels for data originating from air-gapped systems. This technique requires no hardware modification and operates by controlling CPU workloads through user-level malware. By precisely modulating the number of active threads on a multi-core processor, the system's overall power consumption fluctuates in a controlled pattern. These variations create detectable current signatures on the power line connected to the device. The data is encoded using modulation schemes such as Frequency Shift Keying, allowing binary information to be transmitted entirely through conducted emissions.

PowerHammer was validated in both line-level and phase-level configurations. At the line level, with a sensor clamped directly around the target machine's power cord, researchers achieved transmission rates up to 1000 bits per second with zero bit error rate. At the phase level, with the tap typically placed at the facility's main electrical panel, researchers achieved stable rates of 10 bits per second with an error rate of 4.2 percent, which dropped to zero when the rate was lowered to three bits per second. These results were obtained using only a split-core current transformer and standard audio digitization hardware connected to a laptop's audio interface. No invasive electrical contact was required. This demonstrated that, under realistic conditions, an adversary with access to a building's utility infrastructure could perform long-term passive data collection with minimal risk of detection.

SCIF and Tactical Shelter Limitations:

Sensitive Compartmented Information Facilities (SCIF) and tactical shelters are designed to meet stringent emission security requirements, including the mandatory use of power line filters rated to TEMPEST and SDIP-27 standards. These filters are typically rated to provide up to 100 decibels of insertion loss across a broad spectrum extending from 14 kilohertz to several gigahertz. While such filters are highly effective against broadband electromagnetic interference and high-frequency switching noise, their efficacy against intentionally modulated low-frequency signals remains a point of concern.

The PowerHammer attack specifically operates in the very-low-frequency range of zero to 24 kilohertz, a domain not commonly emphasized in commercial or even military-grade EMI filtering specifications. This introduces a doctrinal vulnerability. Many filters are not tested against intelligent signal patterns that mimic legitimate current draw. Additionally, older facilities or field-deployed shelters may rely on legacy filtering components or ad hoc grounding methods that were not engineered to suppress modern conducted emission threats.

These findings highlight the need for the Department of Defense and the Intelligence Community to reassess and update existing power line filtering standards in light of modern low-frequency conducted emission threats. Facilities must conduct targeted emissions testing under real-world load conditions and adopt filter designs specifically validated to block modulated signals of the type generated by malware such as PowerHammer. The conducted emission channel presents a unique risk due to its hardwired nature, long reach, and ability to bridge the security perimeter without any over-the-air signature. Passive interception from a remote utility closet or subpanel is both operationally feasible and demonstrated, making this vector a credible and pressing security concern.

Optical and LED-Based Data Exfiltration

HDD and NIC LED Indicators:

Recent peer-reviewed research has demonstrated that common device status indicators, including hard drive activity and network interface card LEDs, can be repurposed for covert optical data transmission. These indicators, while seemingly benign, operate under direct or indirect control of the host system. Malware can manipulate their blinking patterns with precise timing to encode binary data. In the "LED-it-GO" attack developed at Ben-Gurion University, researchers controlled HDD activity to modulate the drive's LED at frequencies up to 5800 Hz, well beyond the human eye's perception threshold. Using on-off keying and Manchester encoding, they successfully transmitted data at rates up to 4000 bits per second using a high-sensitivity photodiode receiver. Even standard smartphone cameras were able to capture this channel at rates ranging from 15 to 60 bits per second under line-of-sight conditions.

The "ETHERLED" attack expanded the threat to NIC LEDs, which are present on nearly all networked devices, including servers, printers, VoIP phones, and desktop workstations. These LEDs can be manipulated through firmware or driver-level access to create structured blink patterns that encode information. In practical tests, researchers successfully transmitted 4096-bit RSA keys using simple Morse code modulation, with effective transmission times ranging from under a minute to several minutes depending on blink duration and ambient lighting conditions. The collection range for these attacks exceeds 100 meters when using a telescope or drone-mounted camera equipped with high-resolution optics, enabling passive long-distance observation from outside a secure facility. Because these LEDs often blink during regular operation, the channel is difficult to distinguish from legitimate activity, presenting a high level of covertness.

Subtle Screen Modulation Techniques:

Beyond peripheral indicators, the primary display itself can function as a covert optical transmitter. The "Brightness" attack demonstrated that screen backlight intensity can be modulated at a level imperceptible to the human eye but detectable by remote light sensors. In this method, malware subtly adjusts the screen's overall brightness to encode data. Photodiodes or high-frame-rate cameras can recover the modulated signal and reconstruct the transmitted information. This approach leverages the high surface area of a monitor as a radiative optical source, increasing collection potential at longer distances.

In the "VisiSploit" attack, researchers used low-contrast images embedded in the screen's visual output to exfiltrate data. These images are invisible to the human eye but become detectable when recorded using a digital camera and subjected to frame integration or contrast enhancement algorithms. The attack demonstrated recovery of text and QR code data from images displayed on screen with a contrast differential below the perceptibility threshold for most users. This method requires no modification to the hardware and can be executed entirely in software, making it exceptionally difficult to detect.

The critical vulnerability in both types of screen-based attacks is the assumption that display output is inherently safe from passive observation. In reality, any window, glass wall, or exposed camera angle introduces a clear optical path that can be exploited. Combined with modern optics, long-range observation, and post-processing, these covert optical channels can be used to exfiltrate high-value data without triggering any alarms or traditional intrusion detection mechanisms. These techniques bypass all forms of RF shielding, including those used in fully TEMPEST-compliant environments, and therefore demand dedicated optical countermeasures as part of modern EMSEC strategy.

Acoustic and Mechanical Eavesdropping Threats

Acoustic Cryptanalysis:

Controlled laboratory experiments have confirmed that acoustic emissions from electronic components carry data-correlated signatures that can be leveraged for passive cryptanalysis. High-frequency voltage regulators, inductors, and multilayer ceramic capacitors often produce audible or near-ultrasonic coil whine as a side effect of rapid current fluctuations during computational tasks. Research conducted by Genkin, Shamir, and Tromer demonstrated that these acoustic signatures vary depending on the cryptographic key being processed. Using standard parabolic microphones and even unmodified smartphone microphones, they were able to extract full 4096-bit RSA private keys from a laptop in less than an hour. The capture distance ranged from 30 centimeters using a smartphone to approximately four meters with a parabolic microphone in a quiet room.

More advanced methods utilize laser vibrometry to detect the minute vibrations induced on surfaces near or attached to electronic components. These laser-based systems measure Doppler or interferometric shifts in reflected laser beams to reconstruct acoustic waveforms with extreme precision. With sufficient line of sight, these sensors have demonstrated the ability to capture coil whine signatures and even human speech from exterior walls or windows. Commercially available laser vibrometers used in security research have validated collection ranges exceeding 100 meters under controlled conditions. The primary advantage of laser vibrometry is that it requires no microphone inside the target space and does not rely on air as a transmission medium, thereby bypassing traditional acoustic masking techniques, such as white noise generators.

Mechanical Side-Channels (Fan and HDD):

In addition to component-level coil whine, entire mechanical subsystems within computers can serve as covert acoustic transmitters. The "Fansmitter" attack developed by Ben-Gurion University demonstrated that standard CPU, GPU, and chassis fans can be controlled via software to modulate their revolutions per minute, generating acoustic tones with encoded binary data. The attack achieved a maximum data rate of 900 bits per hour and could be received by a smartphone microphone from distances between one and eight meters. Because fan speed modulation does not require elevated system privileges, this attack can be executed from a user-space process and is extremely difficult to detect without active fan telemetry analysis.

Hard disk drives present two additional acoustic vectors. The "DiskFiltration" technique uses malware to induce specific seek operations in the actuator arm, producing controlled audible clicks that encode data. Experimental validation confirmed that this signal could be collected at distances of two meters using standard microphones. Even more concerning is the "Hard Drive of Hearing" demonstration, in which the HDD's internal position error signal was repurposed as a high-sensitivity acoustic sensor. The malware monitored this internal feedback loop and successfully captured ambient sound from the surrounding environment. Audio recordings were sufficiently clear to be identified by commercial audio fingerprinting services, such as Shazam, confirming that usable voice information could be extracted using only the hard drive's built-in sensors.

These acoustic and mechanical side channels highlight a domain of vulnerability that bypasses all forms of electromagnetic shielding. They rely entirely on passive monitoring of physical phenomena generated by standard system behavior. They are difficult to mitigate without invasive physical changes such as potting components in epoxy, replacing mechanical drives with solid-state alternatives, or deploying acoustic dampening materials. Laser vibrometry in particular elevates this class of threats to a standoff intelligence collection capability, enabling adversaries to extract high-value data without physical entry or proximity to the target system.

Air-Gap Emanation-Based RF Exfiltration

Recent experiments have validated that even fully air-gapped systems can emit structured, intelligence-bearing RF signals through unmodified internal components when driven by malware. These intentional emissions occur without the use of network interfaces, antennas, or wireless hardware and rely entirely on the physics of high-speed digital electronics. The most notable demonstrations, AirHopper and GSMem, have provided hard performance data showing that internal buses and video hardware can be weaponized to transmit data via electromagnetic radiation detectable with standard COTS receivers.

AirHopper, developed by the Cyber Security Research Center at Ben-Gurion University, leveraged GPU video output to generate RF signals in the commercial FM radio band. By rendering rapid black-and-white pixel transitions at specific screen locations, the malware forced the GPU and its associated HDMI or VGA interface to emit harmonics centered around 100 MHz. These emissions, indistinguishable to the user, were received using an unmodified smartphone equipped with an internal FM radio. The maximum effective range in lab conditions was seven meters, and data exfiltration rates between 13 and 60 bytes per second were achieved. This validated that even low-power, near-field video interface activity could be harnessed to cross air-gaps with usable bandwidth.

GSMem represented a significant advancement in both transmission frequency and range. Using cache-bypassing CPU instructions, such as MOVNTDQ, to force high-volume direct writes to system RAM, the malware modulated the electromagnetic emissions of the memory bus. The resulting RF signals fell within GSM cellular bands (850 and 900 MHz). In operational testing, signals were received by two classes of collection platforms: a low-end Motorola C123 phone running custom baseband firmware and a USRP B210 Software-Defined Radio. The phone captured data at a range of up to five and a half meters at a rate of one to two bits per second. The USRP receiver, however, collected signals at distances over 30 meters and achieved data rates up to 1000 bits per second. This stark contrast in performance highlights the scalability of the threat based on adversary equipment class. A basic phone receiver may enable insider-assisted compromise, while a high-end SIGINT receiver permits standoff collection by a well-resourced threat actor.

These attacks were conducted using standard computing hardware, required no physical modification to the system, and used only software running at user-level privileges. They demonstrate that air-gapped machines are not electromagnetically silent and that modulated emissions can occur within operationally relevant bands, including those used for commercial and military communications. Moreover, these signals are inherently challenging to block without strict RF isolation of all internal components, including buses and memory channels, which is rarely implemented outside of high-assurance environments.

The operational implications are clear. Systems assumed to be secure by virtue of air-gapping may still be actively leaking data through unmonitored RF side-channels. The demonstrated performance metrics, up to 1 kbps at 30 meters using standard SDR equipment, are sufficient to exfiltrate sensitive data, cryptographic keys, or command-and-control instructions within seconds. These channels do not require elevated privileges, specialized hardware, or administrative access, and are fully passive from the attacker's collection standpoint. This elevates air-gap RF exfiltration from a theoretical concept to a field-validated method of non-networked data theft.

Operational Relevance and Mitigation Strategies

The validated threat vectors outlined in this assessment carry immediate implications for Department of Defense and Intelligence Community operations. Passive data exfiltration via RF, optical, conducted, and acoustic channels has been confirmed under real-world conditions. These attacks bypass traditional security controls by targeting the physical behavior of computing hardware rather than software vulnerabilities or network pathways.

Critical mission systems, including command terminals, tactical processors, and intelligence platforms, may be leaking sensitive information during normal operations. Eavesdropping through drone-mounted optical sensors, standoff RF receivers, or current probes attached to power lines is no longer speculative. These techniques have been demonstrated by academic and private-sector researchers using commercial tools without requiring privileged access or physical tampering.

Current EMSEC doctrine is insufficient to address the full spectrum of side-channel threats. Standards such as NSTISSAM TEMPEST/1-92 and SDIP-27 remain narrowly focused on high-frequency RF emissions and do not enforce mitigations for optical indicators, acoustic leakage, or low-frequency conducted emissions. This leaves mission-critical environments exposed despite apparent compliance.

Procurement strategy must be revised to include physical emission screening for all commercial hardware. Devices introduced into RED environments should be evaluated for indicator LED behavior, fan noise, acoustic signatures, and power line emissions. Preference should be given to systems with hardware-level disable options for visible indicators and BIOS-level control over component activity. Equipment prone to coil whine, unshielded interconnects, or firmware-controlled fans must be scrutinized for side-channel behavior prior to accreditation.

Host-based telemetry should be expanded to detect suspicious hardware states. Unusual blinking of LEDs, unexpected fan RPM changes, RAM bus saturation, and CPU thread anomalies must be logged and analyzed. AI-driven anomaly detection can be adapted to identify modulation patterns consistent with data exfiltration techniques such as GSMem or PowerHammer.

Fielded environments must include regular optical and acoustic surveys. High-frame-rate cameras and laser vibrometers should be used to scan for modulated light or vibration signals. Conducted emission testing with current clamps should be performed under operational load to detect malware-driven power modulation. These sweeps should be formalized within SCIF accreditation cycles and fielded EMSEC inspection routines.
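The two recommendations above, host-based telemetry that flags modulated hardware states and conducted-emission testing with current clamps, both reduce to the same check: does a sampled physical series contain a narrowband periodic component that stands well above its noise floor? The following is an added example, not code from the assessment or from any of the research teams it cites. It implements that check with a windowed DFT and a peak-to-median-floor ratio, and runs it over two constructed inputs: fan RPM telemetry sampled at 10 Hz, and mains-notched current-clamp samples digitized at 48 kHz as in the PowerHammer collection setup. The sample rates, amplitudes, the 20 dB threshold and the carrier frequencies in the constructed data are assumptions chosen for illustration; an FSK carrier of the kind PowerHammer uses would appear as two such peaks rather than one.

```python
"""Added example: modulation detector for physical-layer telemetry.

Not part of the original assessment. All inputs are constructed here so the
script runs offline; the thresholds and rates are illustrative assumptions.
"""
import math
import random


def hann(n):
    """Hann window, used to keep spectral leakage from mains residue or slow
    thermal drift out of the scanned band."""
    return [0.5 - 0.5 * math.cos(2 * math.pi * t / n) for t in range(n)]


def magnitude_spectrum(samples):
    """Magnitude spectrum (bins 0..N//2) of a mean-removed, Hann-windowed
    real series. Plain O(N^2) DFT: no third-party dependency, fine for N=1024."""
    n = len(samples)
    mean = sum(samples) / n
    w = hann(n)
    x = [(s - mean) * w[t] for t, s in enumerate(samples)]
    mags = []
    for k in range(n // 2 + 1):
        re = im = 0.0
        for t, v in enumerate(x):
            a = 2 * math.pi * k * t / n
            re += v * math.cos(a)
            im -= v * math.sin(a)
        mags.append(math.hypot(re, im))
    return mags


def detect_modulation(samples, sample_rate_hz, min_hz, threshold_db=20.0):
    """Flag a series whose strongest spectral line above min_hz exceeds the
    median bin magnitude (the noise floor) by threshold_db. Bins below min_hz
    are skipped so mains harmonics or thermal drift do not trigger alerts."""
    mags = magnitude_spectrum(samples)
    n = len(samples)
    first = max(1, math.ceil(min_hz * n / sample_rate_hz))
    band = mags[first:]
    peak_bin = first + max(range(len(band)), key=band.__getitem__)
    floor = sorted(band)[len(band) // 2]
    ratio_db = 20 * math.log10(mags[peak_bin] / floor) if floor > 0 else float("inf")
    return {
        "peak_hz": peak_bin * sample_rate_hz / n,
        "peak_over_floor_db": ratio_db,
        "flagged": ratio_db >= threshold_db,
    }


def fan_rpm_telemetry(modulated, n=1024, rate_hz=10.0, seed=1):
    """Constructed fan tachometer readings: 1500 RPM with slow thermal drift
    and jitter. With modulated=True a 0.5 Hz, +/-100 RPM square wave is added,
    the shape a software-driven speed carrier would leave in the telemetry."""
    rng = random.Random(seed)
    out = []
    for t in range(n):
        sec = t / rate_hz
        rpm = 1500 + 30 * math.sin(2 * math.pi * 0.005 * sec) + rng.gauss(0, 15)
        if modulated:
            rpm += 100 if math.sin(2 * math.pi * 0.5 * sec) >= 0 else -100
        out.append(rpm)
    return out


def current_clamp_samples(modulated, n=1024, rate_hz=48000.0, seed=2):
    """Constructed current-clamp samples (amperes) after an imperfect mains
    notch: residual 60 Hz and 180 Hz plus broadband noise. With modulated=True
    a 4.7 kHz tone is added to stand in for a load-modulated carrier."""
    rng = random.Random(seed)
    out = []
    for t in range(n):
        sec = t / rate_hz
        amps = (0.2 * math.sin(2 * math.pi * 60 * sec)
                + 0.05 * math.sin(2 * math.pi * 180 * sec)
                + rng.gauss(0, 0.05))
        if modulated:
            amps += 0.3 * math.sin(2 * math.pi * 4700 * sec)
        out.append(amps)
    return out


if __name__ == "__main__":
    for label, series, rate, min_hz in [
        ("fan, normal", fan_rpm_telemetry(False), 10.0, 0.1),
        ("fan, modulated", fan_rpm_telemetry(True), 10.0, 0.1),
        ("clamp, normal", current_clamp_samples(False), 48000.0, 1000.0),
        ("clamp, modulated", current_clamp_samples(True), 48000.0, 1000.0),
    ]:
        r = detect_modulation(series, rate, min_hz)
        print(f"{label:18s} peak {r['peak_hz']:9.2f} Hz  "
              f"{r['peak_over_floor_db']:5.1f} dB over floor  flagged={r['flagged']}")
```

In the unmodulated runs the strongest line sits only a few dB above the median floor, which is what a Rayleigh-distributed noise spectrum gives; the modulated runs report the carrier frequency with a margin of well over 20 dB. In a fielded collector the same function would be applied to sliding windows of live tachometer, LED-photodiode or clamp data, with the alert threshold tuned against a baseline sweep taken under normal operational load.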

For high-assurance facilities, design considerations must evolve. Power filters should be validated for low-frequency rejection below 24 kilohertz. Transparent materials around secure equipment must be replaced with opaque shielding. Indicator-bearing hardware must be positioned to eliminate line of sight from windows or external vantage points. Where necessary, facilities should integrate noise generators and randomized output modulation to mask unintentional emissions across all domains.

Adversary SIGINT collection capabilities have outpaced legacy assumptions about physical system behavior. Only a full-spectrum mitigation strategy that spans design, deployment, and real-time monitoring can provide meaningful defense against modern emanation-based attacks. These risks are validated, field-relevant, and must be addressed at both the engineering and operational planning levels.

Conclusion

The findings presented throughout this assessment confirm that modern computing infrastructure, even when air-gapped and physically secured, remains vulnerable to a diverse and expanding set of passive emanation-based exploitation techniques. These are not theoretical risks or speculative vulnerabilities. Each vector outlined, including radio frequency leakage from high-speed interconnects and internal buses, conducted emissions through facility power lines, optical and photonic exfiltration via device indicators, acoustic signals generated by component-level coil whine and mechanical subsystems, and intentionally modulated emissions from RAM and GPUs, has been independently validated through peer-reviewed experimentation and demonstrated with commercially available tools.

The implications for national security and defense operations are clear. Any computing device processing sensitive or classified information, particularly those built from commercial off-the-shelf components, must be assumed to radiate some measurable intelligence-bearing signal across one or more physical domains. The longstanding reliance on RF shielding, grounding, and separation alone is no longer sufficient. A threat actor with moderate resources and collection capabilities can exploit overlooked or underestimated vectors such as LED indicators, fan acoustics, or RAM bus emissions to recover sensitive data from outside the protected perimeter.

For expert-level practitioners, the path forward begins with rethinking what constitutes a secure system. Security must extend beyond digital and network-level protections into the physical behavior of electronic components. Systems engineering decisions must account for side-channel risks as design parameters rather than addressing them as post-deployment concerns. Monitoring tools should be capable of identifying both anomalous physical behavior and anomalous network traffic. Red teaming activities must incorporate signal analysis, optical collection, and power line surveillance. EMSEC audits must evolve to test for leakage across all physical layers, not just the RF spectrum.

Actionable mitigation requires a layered approach. This includes implementing strict physical isolation for indicator LEDs, validating grounding integrity on all shielded cabling, filtering power inputs across low- and mid-frequency ranges, disabling unnecessary device indicators, and selecting hardware based on emanation profiles. At the policy level, it means updating procurement requirements and EMSEC certification standards to reflect these modern threat vectors. At the tactical level, it means integrating side-channel collection into adversary emulation exercises and threat modeling frameworks.

Ultimately, the burden now falls on the defender to assume that every system is a potential emitter. Every signal path, no matter how seemingly benign, can serve as an avenue for covert collection. With proper awareness, technical rigor, and operational discipline, these risks can be mitigated. Achieving this requires acknowledging that the electromagnetic, optical, and acoustic signatures of computing systems are not incidental. In the modern threat landscape, they are deliberate intelligence targets.
