Tel Aviv team first to steal high-level PC crypto - through a wall
An Israeli security research team has described how to steal a cryptographic key from a computer simply by monitoring the radio waves it emits while decrypting a cipher.
Attacker's setup for capturing EM emanations. Left to right: power supply, antenna on a stand, amplifiers, software defined radio (white box), analysis computer (pic courtesy researchers)
Tel Aviv University researchers have for the first time hacked a standard laptop ostensibly protected by the latest ECDH commercial encryption, in an attack carried out in seconds and through a wall.
To mount the attack, all a hacker has to do is send the victim an email and then capture their decryption key by measuring the electromagnetic (EM) waves given off by the PC.
The hack can be done remotely using equipment costing about £2,000, and even if the computer is offline (air-gapped).
It's the latest breakthrough in researchers' attempts to hack devices via their EM emissions. The Israeli team have advanced this by remotely and easily cracking the latest ECDH public-key encryption, which is used by numerous email and chat systems.
fMilitary and other government systems that use the classified TEMPEST standards are protected from this kind of attack. But the researchers have raised the spectre of business PC users with high-level commercial encryption now being wide open to hackers sitting outside their building.
Security expert Professor Alan Woodward of Surrey University told SCMagazineUK.com: “We've known for some time EM emanations are important. They are the bits and bytes going through the CPU, and now you can decrypt them from the other side of a wall in seconds. You literally might have somebody on the other side of wall decrypting what you are doing.
“They could be sat in a van outside and suddenly they've got your keys. If you never let your computer out of your sight, out of your grasp, they can still be looking at your secrets.”
The research team – Daniel Genkin, Lev Pachmanov, Itamar Pipman and Eran Tromer – say in a new paper: “We present the first physical side-channel attack on elliptic curve cryptography running on a PC. We were able to completely recover the key within only a few seconds of measurements.”
The attack was carried out on an unmodified Lenovo 300 N200 laptop running the latest version of the Libcrypt cryptographic library, part of the GnuPG code base used by GnuPG 2.x, a popular implementation of the OpenPGP standard.
The researchers used an Aaronia Magnetic Direction Finder MDF 9400 antenna, whose signals were amplified by a Mini-Circuits ZFL-1000 and customised Mini-Circuits ZPUL-30P amplifier. The laptop was located behind a standard 15cm thick reinforced drywall.
The PC did not have to be modified and the attack required only a single piece of cipher text to be decrypted, which took around 3.3 seconds.
The researchers claim that other previous physical side-channel attacks have typically been on RSA and ElGamal-encrypted or smaller devices, or they required new crypto-analytic techniques or expensive lab equipment, or involved executing thousands of operations making them “easily detectable”.
ECDH is faster than RSA and ElGamal, they say, “so was harder to attack it using low-bandwidth measurements”.
In one attack, they cracked the popular Enigmail plugin for the Thunderbird email client, which decrypts email using GnuPG.
In an overview, the researchers admit their attack is currently “somewhat unwieldy”, but say: “It is likely that the new attack on ECDH can also be performed clandestinely and at even lower cost. This is especially true for low-bandwidth attacks such as ours.”
The researchers have disclosed the attack to GnuPG's developers (under CVE-2015-7511) and have helped them produce a fix that makes GnuPG's Libgcrypt 1.6. more resistant to a side-channel attack.
Alan Woodward believes laptop suppliers should react to their findings, telling SC: “People in government have known for years to be careful in this area. But clearly it's a lesson that laptop manufacturers in particular need to learn. Maybe they need to think about EM radiation and how they can screen it a little better.”
He added: “This is a way of rendering the encryption on your machine pointless. You are effectively transmitting the keys without realising. I'm not sure many commercial organisations are protected. It's the commercial world realising that this as a form of attack is very viable, whereas governments have protected against it for some time.”
Sarb Sembhi, acting CISO at the Noord Group and a leading member of the ISACA security professionals organisation, feels only users in sectors like defence and government should currently be concerned.
He told SC via email that the researchers themselves point out that “most adversaries would not go through the trouble of using such techniques, given the sorry state of security vulnerabilities at the software level”.
However, he added: “We need to look for solutions now before such attacks are a reality for most of us. At this time, this is only likely to be of concern if your organisation is dealing in highly confidential and valuable data (defence/government, etc).”
Last year, the same Israeli researchers developed a device they famously described as so small it could fit inside a piece of pitta bread. This could decrypt RSA and ElGamal keys from a laptop via EM waves. The device cost less than £200 but had to be located close to the PC.
Their new paper, ‘ECDH Key-Extraction via Low-Bandwidth Electromagnetic Attacks on PCs', will be presented at the CT-RSA 2016 conference in San Francisco from 29 February to 4 March.
A list of software that uses GnuPG encryption is provided here.