We Donβt Need to Hack Your Database β We Just Need to Be in the Same Room
We Donβt Need to Hack Your Database β We Just Need to Be in the Same Room
Your CPU leaks secrets through radio waves. Hereβs every tool you need to start listening.
Side-channel attacks sound like NSA shit β and they literally were, since 1943. But in 2026, you donβt need a classified budget or a PhD. A $50 board, some free Python scripts, and an afternoon is all it takes to extract an AES encryption key from a live chip. This is the complete dumb-proof starter kit β every repo, every tool, every βplug it in and goβ path β organized so you can actually do this, not just read about it.
No prior hardware knowledge. No signal processing background. No bullshit. If you can install Python and plug in a USB cable, you can do this.
π§ Wait β What Am I Actually Doing Here? (The 60-Second Version)
Think of your CPU as a lightbulb that gets slightly brighter or dimmer depending on what itβs thinking about. Every time it processes a β1β instead of a β0,β it draws a tiny bit more power. That power difference creates electromagnetic waves β basically, your processor is a shitty little radio station broadcasting everything it does.
Side-channel attacks listen to that broadcast. Instead of trying to break the math behind encryption (which would take billions of years), you listen to the physical side effects β power consumption, electromagnetic radiation, even sound β and work backwards to figure out what the CPU was processing.
Hereβs the wild part: this actually works. Researchers have extracted full encryption keys from laptops using equipment hidden inside a piece of pita bread. Not a joke. The gear cost less than a nice dinner.
| What Youβre Doing | How Hard It Is | What You Need |
|---|---|---|
| See your CPUβs power signature | Easy as hell | $50 ChipWhisperer Nano + USB cable |
| Break an AES encryption key | Surprisingly easy | Same $50 board + free Jupyter notebooks |
| Spy on a monitor through walls | Medium (but fun as fuck) | $30 RTL-SDR dongle + free software |
| Train AI to crack encryption | Advanced but doable | Free Python + Google Colab GPU |
πΈ The $0 Path β No Hardware, No Excuse
You donβt need to buy a single damn thing to start. Everything below is free, runs in your browser or on any computer, and teaches you the real stuff β not toy simulations.
| Tool | What It Does | Why Itβs Dumb-Proof | Link |
|---|---|---|---|
| ChipWhisperer Virtual Labs | Pre-recorded power traces + guided attack notebooks | Literally click-and-run in browser. Zero setup. | learn.chipwhisperer.io |
| PicoCTF Challenges | 3 progressive side-channel CTF problems (Warmup β Part 1 β Part 2) | Software-simulated, no hardware, available year-round, multiple walkthrough writeups exist | picoctf.org |
| Rainbow (Ledger Donjon) | Simulates side-channel leakage from any ARM/x86 binary β generates fake power traces without real hardware | pip install rainbow β feed it a binary β get traces β attack with Lascar |
GitHub |
| ASCAD Dataset | 50,000 real power traces from a masked AES chip β the βMNIST of side-channel analysisβ | Download β load in Python β train a neural network β crack the key. Google Colab works perfectly. | GitHub |
| Scared + Binder | Zero-install CPA attack in your browser. eShard hosts Binder notebooks β click, run, break AES. | 15 lines of Python for a complete attack. Has a PicoCTF walkthrough too. | GitHub / PicoCTF writeup |
The fastest path to βholy shit I just broke encryptionβ: Open the ChipWhisperer virtual labs β run the SCA101 CPA notebook β watch the correlation graph spike on the correct key byte. Takes about 30 minutes. Free. No install.
π§ The $50 Path β Your First Real Attack
This is where it gets real. You buy one board, plug it in, and extract an actual AES key from a physical chip in your hands.
The board: ChipWhisperer-Nano (~$50)
One USB cable. One board. A built-in target chip (STM32F0) running AES encryption. Thatβs it. The whole damn lab fits in your pocket.
Step 1 β Install ChipWhisperer:
pip install chipwhisperer
Step 2 β Plug the Nano into USB. Open the SCA101 Jupyter notebook from:
git clone https://github.com/newaetech/chipwhisperer-jupyter.git
Step 3 β Run the notebook cells. The board encrypts data while you record power traces β the notebook handles everything automatically. Capture 50-100 traces. Takes like 2 minutes.
Step 4 β Run the CPA (Correlation Power Analysis) cell. The script tests all 256 possible values for each byte of the key, correlates them against your power measurements, and the correct key pops out as the highest correlation peak.
Total time from unboxing to extracted key: 2-4 hours (including Python setup fuckery). The actual math takes under 60 seconds.
The Nano is limited β 8-bit capture, fixed target, no glitching. For learning? Itβs absolutely perfect. Limitations literally donβt matter at this stage.
π‘ The $30 Path β Spy on a Monitor Through Walls
Different attack, equally wild. Instead of power analysis, youβre catching electromagnetic emissions from a monitorβs video cable and reconstructing whatβs on screen. This is literally what the NSA called TEMPEST.
Shopping list:
| Item | Cost | Where |
|---|---|---|
| RTL-SDR Blog V4 | ~$30 | rtl-sdr.com or Amazon |
| Antenna (included with V4 kit) | $0 | Comes in the box |
| TempestSDR software | $0 | GitHub (RTL-SDR Blog fork) |
Steps:
Step 1 β Install SDR# (free, from airspy.com). Scan 300-700 MHz. Look for signals that visually change when the target monitorβs content changes.
Step 2 β Download TempestSDR from the RTL-SDR Blog fork (NOT the original dormant repo).
Step 3 β Launch JTempestSDR.jar. Enter the target monitorβs resolution and refresh rate. Set the frequency from Step 1.
Step 4 β Click Start. A grayscale reconstruction of the targetβs display appears in real-time.
VGA and DVI monitors leak the most. HDMI with shielded cables is harder but not impossible. For dramatically better results, the Deep-TEMPEST fork (GitHub) uses a neural network to clean up the image β drops character error rates from 90% to under 30%.
βοΈ The GitHub Repos That Actually Matter
Not all repos are created equal. Some have 2,000 stars and no documentation. Some have 50 stars and will teach you everything. Hereβs whatβs actually worth your time.
The Big Five β Start Here:
| Repo | Stars | What It Does | Beginner Score | Link |
|---|---|---|---|---|
| ChipWhisperer | 1,400+ | Complete hardware + software toolkit for power analysis and glitching |  |
GitHub |
| chipwhisperer-jupyter | β | The actual tutorials. Structured courses (SCA101, SCA201, Fault101) as Jupyter notebooks. | |
GitHub |
| Lascar (Ledger Donjon) | 404 | Full attack pipeline: SNR, CPA, DPA, template attacks, deep learning. Built by Ledgerβs security team. | |
GitHub |
| SCAAML (Google) | 191 | ML-powered side-channel analysis. Their GPAM model cracked AES from just 4 power traces. | |
GitHub |
| Scared (eShard) | ~88 | Fastest CPA implementation. A full attack in ~15 lines of Python. Binder notebooks for zero-install. | |
GitHub |
Specialized Tools:
| Repo | What It Does | Use Case | Link |
|---|---|---|---|
| TempestSDR (RTL-SDR fork) | Reconstructs monitor display from EM emissions in real-time | Screen eavesdropping with $30 SDR | GitHub |
| Deep-TEMPEST | Neural network enhancement for TempestSDR β way clearer image recovery | Makes TempestSDR actually readable | GitHub |
| gr-tempest | GNU Radio blocks for TEMPEST attacks with pre-built flowgraphs | Advanced SDR users | GitHub |
| Rainbow (Ledger) | Side-channel simulator β generates traces from binaries without hardware | Practice attacks with zero hardware | GitHub |
| SCALib | Python/Rust hybrid β 117Γ faster than Lascar for SNR computation | When Lascar is too slow | GitHub |
| EMMA | EM capture via SDR + neural network attacks (FOSDEM 2019 demo) | Historical β cool but dormant since 2020 | GitHub |
| PicoEMP | Raspberry Pi Pico-based electromagnetic fault injector | Glitch chips with EM pulses (~$50 DIY) | GitHub |
| awesome-side-channel-attack | Curated master list of everything β tools, papers, datasets, conferences | Your bookmark for βwhat else is out thereβ | GitHub |
π° Hardware Buying Guide β Every Budget Level
| Budget | What to Buy | What You Can Do | Link |
|---|---|---|---|
| $0 | Nothing β virtual labs + datasets | Learn CPA theory, solve CTFs, train ML models on real traces | learn.chipwhisperer.io |
| $30 | RTL-SDR Blog V4 | Spy on monitor displays, observe CPU EM emissions, listen to processors work | Amazon or rtl-sdr.com |
| $50 | ChipWhisperer-Nano | Break AES on a real chip in your hands. The gateway drug. | store.newae.com |
| $80 | Nano + DIY coax loop probe ($5) + RTL-SDR ($30) | Power analysis AND electromagnetic observation | β |
| $325 | ChipWhisperer-Lite | 10-bit capture + voltage/clock glitching β attack more targets | store.newae.com |
| $549 | ChipWhisperer-Husky Starter Kit | 12-bit 200MS/s + streaming mode β attack RSA, ECC, and asymmetric crypto | Crowd Supply |
| $330 | Tekbox TBPS01 probe set + amplifier | Professional EM near-field probes for precise chip-level measurement | tekbox.com / Amazon |
| $1,050 | Husky Kit + Tekbox probes + PicoEMP + RTL-SDR | The complete lab: power analysis, EM side-channel, fault injection, broadband capture | β |
Honest take: Start at $50 with the Nano. If youβre still doing this a month later, jump to the Husky. Everything else is βwhen you know what youβre looking for.β
π Learning Path β Zero to Key Extraction
Phase 1: Understand WTF is happening (free, 1-2 days)
| Resource | Format | Time | Link |
|---|---|---|---|
| Cloudflare β Hertzbleed Explained | Blog post β best beginner explainer of how power = vulnerability | 20 min read | cloudflare.com |
| ChipWhisperer Power Analysis 101 | Online course with virtual labs β no hardware needed | 2-4 hours | learn.chipwhisperer.io |
| FOSDEM 2019 β EM Attacks with RTL-SDR | Video talk by Pieter Robyns β attacking AES on an Arduino with a $25 SDR | 30 min | FOSDEM archive |
Phase 2: Break something (free or $50, 1 weekend)
| Resource | Format | Time | Link |
|---|---|---|---|
| PicoCTF side-channel challenges | Browser-based CTF β 3 progressive power analysis problems | 2-3 hours | picoctf.org |
| SCA101 Jupyter notebooks | Hands-on with Nano or virtual traces β from first trace to full AES key | 4-6 hours | GitHub |
| eShard PicoCTF writeup | Step-by-step walkthrough using the scared library |
1-2 hours | eshard.com |
Phase 3: Go deeper (weeks to months)
| Resource | Format | Cost | Link |
|---|---|---|---|
| TU Graz Side-Channel Security (edX) | 6-season video course β from software side-channels to Meltdown/Spectre. Season 4 = power/EM analysis. | Free audit / $129 cert | edX |
| The Hardware Hacking Handbook | Book by Colin OβFlynn (ChipWhisperer creator). ~1/3 is power analysis with lab exercises. | ~$40-50 | No Starch Press / hardwarehacking.io |
| Coursera Hardware Security (UMD) | University course β Week 4 covers side-channel attacks | Free audit | Coursera |
| Hackerβs Guide to DL Side-Channel Attacks | Blog series + code walkthrough for ML-powered attacks | Free | elie.net |
| CHES Challenge | Annual competition β 2025 was βGE Warsβ (DL SCA on Raspberry Pi traces) | Free | ches.iacr.org |
Phase 4: ML + advanced shit
| Resource | What | Link |
|---|---|---|
| ASCAD dataset + Google Colab | Train a CNN to break masked AES β runs free on Colab with GPU | GitHub |
| Google SCAAML notebooks | Pre-trained models that crack AES from 4 traces | GitHub |
| 2025 IACR DL-SCA Tutorial | Most up-to-date walkthrough β includes a Colab notebook | |
| Scadl (Ledger) | Deep learning SCA tool β profiling + non-profiling attacks | GitHub |
π§ Bonus: Hear Your CPU Think
This oneβs just for fun. You can literally listen to your processor working with a $30 SDR.
How: Tune your RTL-SDR to harmonics of your targetβs clock frequency. For a 16 MHz Arduino, try 32 MHz (2Γ harmonic) or 48 MHz (3Γ).
Quick spectrum sweep:
rtl_power -f 1M:500M:100k -g 40 -i 1 scan.csv
In SDR# with AM demodulation, CPU-heavy operations produce audible buzzing that stops when computation ends. Run a tight loop on the Arduino β hear the buzz. Stop the loop β silence.
What you can visually see in a power trace:
- RSA: Each private key bit is visible β a β0β creates a short spike (square only), a β1β creates a taller spike (square + multiply). The entire key is right there in the graph.
- AES: All 10 rounds show up as repeating power clusters. S-box lookups create spikes whose height correlates with the actual data.
This isnβt theoretical. This is βopen the notebook, look at the graph, read the key.β
Quick Hits
| Want | Do |
|---|---|
 Fastest βI broke encryptionβ moment |
β ChipWhisperer virtual labs β free, 30 minutes, zero install |
 Best $50 youβll ever spend |
β ChipWhisperer-Nano β break AES on a real chip in your hands |
| Spy on a screen for $30 |
β RTL-SDR V4 + TempestSDR |
 Train AI to crack encryption |
β ASCAD dataset + Google Colab (free GPU) |
 Master bookmark |
β awesome-side-channel-attack |
 No hardware, full attack practice |
β Rainbow + Lascar β simulate + attack entirely in software |
Your encryption is only as strong as the physics around it. Now you know how to listen.
!