How to Detect Viruses with a Raspberry Pi and No Software

Andrei Mihai

[Figure] AI-generated image for this topic (Dall-E 3).

The first virus started infecting computers in 1986. Nowadays, the virus architecture has changed, operating systems have changed, but viruses are still a big threat to digital ecosystems. People who take security seriously use specialized software (often called an antivirus) to detect and eliminate such threats.

Antiviruses use different approaches to find the various kinds of malicious software (malware). The first approach is to scan a computer’s hard drive for the signatures of known viruses. This requires a large signature database and only works for viruses that are already known. Another approach is heuristic analysis, which looks for suspicious patterns that deviate from normal operation; this works for unknown viruses but can also falsely flag software that looks suspicious without actually being harmful. Lastly, many products also use behavior monitoring: observing what software does in real time and flagging any activity that mirrors the characteristics of malware. Together, these strategies form a robust defense mechanism.
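To make the three software-side approaches concrete, here is an added example (not from the original post or from any antivirus product) that models each one over constructed inputs: an exact hash match against a known-bad list, a byte-entropy heuristic that also shows the false-positive problem on benign compressed data, and a behavior monitor that looks for an ordered sequence of actions in a process's event stream. The hash, the entropy threshold and the event names are assumptions chosen for the illustration.

```python
import hashlib
import math
from collections import Counter

# Constructed "signature database": a hash of a made-up byte string standing in
# for a known sample. Nothing here is a hash of real malware.
KNOWN_BAD_SHA256 = {
    hashlib.sha256(b"CONSTRUCTED-SAMPLE-FOR-EXAMPLE").hexdigest(): "Test.Sample.A",
}


def signature_scan(data: bytes):
    """Approach 1: exact match against a database of known-bad hashes.

    Returns the detection name, or None if the hash is not in the database.
    Any change to the file (even one byte) defeats this check, which is why it
    only catches samples that are already catalogued."""
    return KNOWN_BAD_SHA256.get(hashlib.sha256(data).hexdigest())


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for a constant stream, 8.0 for uniform bytes)."""
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def heuristic_scan(data: bytes, threshold: float = 7.2) -> bool:
    """Approach 2: a heuristic. Packed or encrypted payloads look like random
    bytes, so very high entropy is treated as suspicious. The threshold is an
    assumption; legitimate compressed or encrypted files trip the same rule,
    which is the false-positive cost of heuristics."""
    return shannon_entropy(data) > threshold


# Assumed event vocabulary for the behavior monitor (constructed for the example).
SUSPICIOUS_SEQUENCE = ["write_file", "set_autorun", "network_connect"]


def behavior_monitor(events: list) -> bool:
    """Approach 3: behavior monitoring. Flags a process whose event stream
    contains the suspicious actions in order (as a subsequence, other events may
    appear in between). The shared iterator makes `step in it` advance past
    each matched step, so order is enforced."""
    it = iter(events)
    return all(step in it for step in SUSPICIOUS_SEQUENCE)


if __name__ == "__main__":
    print("signature:", signature_scan(b"CONSTRUCTED-SAMPLE-FOR-EXAMPLE"))
    print("heuristic on uniform bytes:", heuristic_scan(bytes(range(256)) * 4))
    print("heuristic on text:", heuristic_scan(b"plain ascii text " * 20))
    print("behavior:", behavior_monitor(
        ["open", "write_file", "read", "set_autorun", "network_connect"]))
```

The three checks are deliberately independent functions; in a real product they are layered, which is the point the paragraph makes: the signature check has no false positives but misses anything new, the heuristic generalises but over-triggers, and the behavior check only fires after the program has already started acting.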

But all of this looks at software. In 2022, at the Association for Computing Machinery’s (ACM) Annual Computer Security Applications Conference, Duy-Phuc Pham and colleagues from CNRS, France, looked at something completely different: electromagnetic waves.

Internet of (Antivirus) Things

The idea is that, just as malware leaves traces at the software level, it also leaves traces in the electromagnetic emissions of the hardware running it. Every piece of software produces its own characteristic wave pattern as its code executes. Pham thought this could also be used to detect malicious signatures – and he was right.

The researchers set up an H-probe, a specialized device used to detect and measure magnetic field intensity, typically employed in electromagnetic compatibility testing, and used it to capture the wave patterns of known computer viruses running on various devices. They also used an oscilloscope, an electronic test instrument that graphically displays varying signal voltages, to view the results.

[Figure: oscilloscope] Example of an oscilloscope view (not from this research). Image in Creative Commons (CC BY 4.0). Credits: Wiki Commons / Radarvector.

They confirmed unique oscilloscope patterns created by the viruses and were able to predict three generic malware types (and one benign class) with an accuracy of 99.82%.

Then, they took it to the next step. They set up a system with a Raspberry Pi, an oscilloscope and an H-Field probe. A Raspberry Pi is a single-board computer designed mostly for educational and hobbyist purposes, but capable of running various operating systems and supporting multiple programming languages.

With this simple system, they were still able to detect viruses with the same accuracy. What is perhaps even more exciting is that this can be done externally on any device and the attackers have no way of knowing that they have been detected.
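The pipeline described above (capture a trace with the probe, turn it into a signature, match it against signatures of known classes) can be sketched end to end in code. The following is an added example, not the researchers' own code or features: the traces are constructed synthetically (a few sinusoids plus noise standing in for the digitised probe output), the features are energies in eight frequency bands of a naive DFT, and the classifier is nearest-centroid over the page's four classes (three malware types and one benign class). The class frequency profiles, the noise level and the classifier choice are assumptions made for the illustration; the paper's actual signal processing and models differ.

```python
import cmath
import math
import random

TRACE_LEN = 128   # samples per constructed trace window
N_BANDS = 8       # DFT bins below Nyquist are grouped into this many bands

# Assumed class profiles: (DFT bin, amplitude) pairs. These are invented so that
# each class has a distinct spectral footprint; they are not measured values.
CLASS_PROFILES = {
    "benign":    [(3, 1.0), (20, 0.4)],
    "malware_A": [(10, 1.0), (45, 0.6)],
    "malware_B": [(25, 1.0), (55, 0.5)],
    "malware_C": [(40, 1.0), (5, 0.7)],
}


def synth_trace(label, rng, noise=0.5):
    """Constructed stand-in for one oscilloscope capture of class `label`:
    the class's sinusoids with random phases, plus Gaussian noise."""
    phases = [rng.uniform(0, 2 * math.pi) for _ in CLASS_PROFILES[label]]
    trace = []
    for n in range(TRACE_LEN):
        v = sum(amp * math.sin(2 * math.pi * b * n / TRACE_LEN + ph)
                for (b, amp), ph in zip(CLASS_PROFILES[label], phases))
        trace.append(v + rng.gauss(0.0, noise))
    return trace


def band_energies(trace, n_bands=N_BANDS):
    """Feature vector: fraction of spectral energy in each of n_bands equal-width
    frequency bands (naive O(n^2) DFT, fine for short traces). Normalising by
    total energy removes dependence on probe gain and distance."""
    n = len(trace)
    half = n // 2
    power = []
    for k in range(half):
        s = sum(trace[t] * cmath.exp(-2j * math.pi * k * t / n) for t in range(n))
        power.append(abs(s) ** 2)
    width = half // n_bands
    feats = [sum(power[b * width:(b + 1) * width]) for b in range(n_bands)]
    total = sum(feats) or 1.0
    return [f / total for f in feats]


def fit_centroids(labelled_feats):
    """Nearest-centroid 'training': mean feature vector per class."""
    sums, counts = {}, {}
    for label, feats in labelled_feats:
        acc = sums.setdefault(label, [0.0] * len(feats))
        for i, f in enumerate(feats):
            acc[i] += f
        counts[label] = counts.get(label, 0) + 1
    return {lab: [x / counts[lab] for x in acc] for lab, acc in sums.items()}


def classify(feats, centroids):
    """Return the class whose centroid is closest (squared Euclidean distance)."""
    return min(centroids, key=lambda lab: sum((a - b) ** 2
                                             for a, b in zip(feats, centroids[lab])))


def run_experiment(seed=1, n_train=15, n_test=10):
    """Train on constructed traces, then report accuracy on fresh ones."""
    rng = random.Random(seed)
    train = [(lab, band_energies(synth_trace(lab, rng)))
             for lab in CLASS_PROFILES for _ in range(n_train)]
    centroids = fit_centroids(train)
    test = [(lab, band_energies(synth_trace(lab, rng)))
            for lab in CLASS_PROFILES for _ in range(n_test)]
    correct = sum(classify(f, centroids) == lab for lab, f in test)
    return correct / len(test)


if __name__ == "__main__":
    print(f"accuracy on constructed traces: {run_experiment():.3f}")
```

Because the constructed classes are well separated and the signal energy far exceeds the noise, this toy reaches near-perfect accuracy; the hard parts the paper deals with (real traces, obfuscated variants, choosing which bands carry the discriminating information) are exactly what the synthetic data hides.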

“Our method does not require any modification on the target device. Thus, it can be deployed independently from the resources available without any overhead,” the researchers write in the abstract.

[Figure: Raspberry Pi] A Raspberry Pi can fit in the palm of your hand. Image in Creative Commons (CC BY 3.0). Credits: Wiki Commons / Onepiece84.

Physics Can Become a Cybersecurity Battleground

This approach is important for two main reasons. Firstly, because it introduces a new dimension to cybersecurity. Instead of looking at bits and code and software signals, it is the physical byproducts of the software activity that become indicators of malicious activity. The detector is also separated from the computer itself, enabling a layer of security that is invisible to attackers.

In fact, it is one of the few ways in which malware detection may be ahead of attackers, because the physical world is already being exploited. Previously, separate teams showed how thermal signatures and even just noise signals can be used to crack passwords and attack accounts. With this approach, cybersecurity is taking a more proactive approach, positioning non-traditional defense mechanisms that go beyond digital barriers.

The other reason is that it fits well with the Internet of Things (IoT) framework and accessible technologies like the Raspberry Pi. Smart devices (smart cameras, smart lights, even smart toothbrushes) are becoming increasingly common and are connected through the internet to “traditionally smart” devices like laptops or smartphones. But these devices are also weak points in our home networks, and IoT cybersecurity is currently playing a game of catch-up.

Although this electromagnetic approach focused on only a few types of malware and on laptops, it could be expanded to multiple types of devices and multiple types of attacks.

“Given our experimental results, malware analysts therefore profit from our robust methodology to gain a better understanding about the variant, type/family, forensic, and/or evolution of malware groups and campaigns, particularly in the context when software systems fail (due to malware evasion) or cannot be applied (due to restricted resources or update processes on the embedded device),” the researchers write in the full paper.

“Another interesting direction could be the investigation of other architectures and devices, to assess in which measure the knowledge learned by a model on one device can be transferred to another one.”

As the attacking techniques become more refined and diverse, it is important to also implement more layered cybersecurity practices. Although still incipient, approaches like this electromagnetic one promise to fortify digital ecosystems against the ever-evolving tactics of cybercriminals. This will hopefully help usher in an era where security defenses are not just reactive, but predictively preemptive, keeping one step ahead in the perpetual race against cyber threats.

But there is one catch: the technique uses an expensive bit of kit that can cost up to $10,000 to build. Everything mentioned above can only scale if the detection can be done with cheaper equipment. So if you are a computer scientist looking to dive into the physical world of cybersecurity – here is a research avenue that is worth exploring.

The post How to Detect Viruses with a Raspberry Pi and No Software originally appeared on the HLFF SciLogs blog.