Xieyang Sun1 Β· Yuanqing Zheng2 Β· Wei Xi1 Β· Zuhao Chen1 Β· Zhizhen Chen1 Β· Han Hao1 Β· Zhiping Jiang3 Β· Sheng Zhong4
1Xi'an Jiaotong University Β· 2The Hong Kong Polytechnic University Β· 3Xidian University Β· 4Nanjing University
ACM CCS 2025
This repository contains the source code and instructions for reproducing the results of "TEMPEST-LoRa: Cross-Technology Covert Communication", accepted to ACM CCS 2025.
Watch our demonstration of TEMPEST-LoRa in action:
TEMPEST-LoRa demonstrates a novel cross-technology covert communication technique that exploits electromagnetic radiation (EMR) from video cables. By crafting malicious images or videos displayed on a monitor/projector/TV, we can cause the connected VGA or HDMI cable to emit electromagnetic radiation that encodes LoRa-compatible packets.
- Transmitter: A specially crafted video is displayed in full-screen mode on a monitor
- Medium: The VGA/HDMI cable acts as an unintentional antenna, emitting EMR
- Receiver: Commercial Off-The-Shelf (COTS) LoRa devices receive and decode the packets
π Published: ACM CCS 2025
π Preprint: arXiv:2506.21069
The following articles provide excellent summaries our work:
- π Hackaday - "Video Cable Becomes Transmitter With TEMPEST-LoRa"
- π RTL-SDR Blog - "TEMPEST-LoRa: Emitting LoRa Packets from VGA or HDMI Cables"
- π Hackster.io - "TEMPEST-LoRa Breaches Air-Gapped Systems with Video Cables"
- π Treadstone71 - "TEMPEST-LoRa Capabilities, Threats, and Strategic Implications in Modern Electronic Warfare"
- β Cross-Technology Communication: Bridge display technology and LoRa wireless protocol
- β COTS Hardware: Works with commercial LoRa devices (no custom hardware needed)
- β Flexible Configuration: Supports multiple LoRa parameters (SF, BW, frequency)
- β Ready-to-Use Samples: Pre-generated attack images and videos included
- β Academic Research: Demonstrates novel side-channel communication technique
- Computer with VGA or HDMI output
- Monitor/Projector/TV connected via VGA or HDMI cable
- Display Settings: Must be set to 1080Γ1920 @ 60Hz
Any Commercial Off-The-Shelf (COTS) LoRa device, in our paper, we used:
| Device | Manufacturer | Type |
|---|---|---|
| SX1262 | Lilygo | LoRa Node |
| SX1302 | Waveshare | LoRa Gateway |
- MATLAB (for generating attack videos)
- Arduino IDE (for SX1262 node setup)
- LoRa receiver hardware
- Configure parameters in
CrossConfigFile.m - Generate attack video using
GenerateAttackVideo.m - Display video in full-screen mode on target monitor
- Receive packets using configured LoRa device
For detailed instructions, see the sections below.
All transmitter scripts are located in the /EMR Tx folder.
File: CrossConfigFile.m
Sets the global parameters for the attack video.
Default Settings:
- Video resolution: 1080Γ1920 @ 60Hz
- EMR center frequency: 915 MHz
- LoRa Spread Factor (SF): 7
- LoRa Bandwidth (BW): 500 kHz
- LoRa Preamble length: 4
Usage:
Config = CrossConfigFile.getInstance;File: GetLoRaPacketInfo.m
Defines the symbol sequence representing the payload to be encoded as EMR.
Default Payload (SF=6): "Hello, TEMPEST-LoRa"
Custom Payloads:
Sample physical-layer symbol encoding sequences (SF6-SF12) are provided in /EMR Tx/PayloadSymbols.
To use a custom payload:
- Load the desired symbol sequence from
/PayloadSymbols/ - Replace
PacketInfo.PayloadinGetLoRaPacketInfo.mwith the loadedIndexvariable
Usage:
PacketInfo = GetLoRaPacketInfo;File: GenerateAttackVideo.m
Generates an attack video file named Attack-Video.avi in the current directory. Individual frames are saved in /EMR Tx/pics (1.png, 2.png, ..., x.png).
Usage:
GenerateAttackVideo(PacketInfo, Config);Calculate the pixel stream corresponding to each EMR chirp signal. These are used internally by GenerateAttackVideo.m to create the 1-D pixel stream, which is then reshaped into a 2-D attack image based on the configured resolution.
Generates black images for the first and last frames to mark video boundaries.
Analyzes chirps from captured physical-layer samples to extract encoded LoRa symbols (reverse-engineering aid).
Workflow:
- Use a COTS LoRa device (e.g., SX1262) to transmit data packets
- Capture physical-layer samples using USRP or SDR
- Analyze chirp encoding with
ReverseLoRaPacket.m - Manually save results to
/EMR Tx/PayloadSymbols
Visualizes the time-frequency graph of physical-layer signals (for debugging or calibration).
- Install Arduino IDE on Windows 10/11
- Install RadioLib library (Documentation)
- Connect SX1262 node to computer via USB
- Upload program: Load
SX1262_Receive_Interrupt.inofrom RadioLib examples - Monitor reception: Open Tools β Serial Monitor to view received packets (Data, RSSI, SNR)
The default parameters in SX1262_Receive_Interrupt.ino are configured to decode the samples in the AttackSamples folder:
radio.setFrequency(915); // Center frequency (MHz)
radio.setBandwidth(500); // LoRa bandwidth (kHz)
radio.setSpreadingFactor(7); // Spreading factor (6-12)
radio.setCodingRate(5); // Coding rate
radio.setPreambleLength(4); // Preamble lengthReference: For Lilygo SX1262 devices, see the official tutorial.
We tested with the Waveshare SX1302 LoRaWAN Gateway HAT on Raspberry Pi.
-
Configure SX1302_hal: Follow the SX1302_hal README
-
Reception Method 1 (Direct HAL):
Navigate to
/libloragwfolder and run:./test_loragw_hal_rx -a 915 -b 915 -m 1250
Parameters:
-a,-b: Center frequency (MHz)-m: Chip model (1250, 1255, or 1257, depending on your gateway)
-
Reception Method 2 (Packet Forwarder):
Navigate to
/packet_forwarderfolder and run:./lora_pkt_fwd -c global_conf.json.sx1250.US915
Parameters:
-c: Configuration file (modifyglobal_conf.jsonfor custom settings)
Pre-generated attack images and videos are provided in the /AttackSamples folder for quick reproduction.
Files are named according to their configuration:
SF[SpreadFactor]_[Bandwidth]kHz_[Payload]_[CenterFreq]MHz_[FreqOffset]Offset.png
Example: SF6_500kHz_ABC_915MHz_+50kHzOffset.png
- Spread Factor: 6
- Bandwidth: 500 kHz
- Payload: "ABC"
- Center Frequency: 915 MHz
- Frequency Offset: +50 kHz
Multiple frequency offset versions are provided for each configuration to account for hardware variations.
Caution
This project is developed solely for academic research and educational purposes. It aims to explore cross-technology covert communication and reveal potential security risks. Please respect applicable laws, regulations, and ethical standards when working with side-channel signals or wireless technologies.
Important
Ensure display settings are exactly 1080Γ1920 @ 60Hz. Some monitors may show "60Hz" but actually run at 59.91Hz or 59.94Hz. Verify the actual refresh rate in your OS display settings:
- Windows 10/11: Settings β Display β Advanced Display Settings
Note
Attack images/videos must be displayed in full-screen mode. Any media player (built-in or third-party like PotPlayer) can be used.
Tip
In practice, the actual EMR frequency may deviate from the configured frequency by several kHz to hundreds of kHz.
Calibration Method:
- Observe the frequency offset using USRP/SDR spectrum analyzer
- Modify
ConfigFile.LeakageOffsetinCrossConfigFile.mto compensate
Note
Some core MATLAB functions are provided in .p format to protect ongoing patent applications. Reviewers can run the code end-to-end as described in the instructions.
If you find this work useful in your research, please cite:
@inproceedings{TEMPEST-LoRa,
title={TEMPEST-LoRa: Cross-Technology Covert Communication},
author={Xieyang Sun and Yuanqing Zheng and Wei Xi and Zuhao Chen and Zhizhen Chen and Han Hao and Zhiping Jiang and Sheng Zhong},
booktitle={Proceedings of the ACM Conference on Computer and Communications Security (CCS)},
year={2025}
}This project is licensed under the MIT License - see the LICENSE file for details.