A team of computer science researchers from the Israel Institute of Technology (a.k.a. the Technion) developed a series of side-channel attacks that can steal encryption keys by monitoring the acoustic, electric, and electromagnetic signals a PC generates while it computes.
The researchers carried out the attacks on several public-key encryption schemes and digital-signature schemes using inexpensive, readily available equipment, according to a research paper contributed to the Association for Computing Machinery, a professional association. The attacks are difficult to pull off and unlikely in practice, but possible, industry experts said.
In one attack, the researchers extracted encryption keys by monitoring the acoustic "coil whine" emitted by electronic components inside a PC: the faint vibrations of those components change as the voltages and currents passing through them fluctuate. Coil whine leaks keys during cryptographic operations because the noise is correlated with the ongoing computation, and therefore with which operations are running and what data is being processed, according to the paper.
“By recording such noise while a target is using the RSA algorithm to decrypt ciphertexts (sent to it by the attacker), the RSA secret key can be extracted within one hour for a high-grade 4,096-bit RSA key,” researchers said in the paper.
The attack can be carried out from as far as 10 meters away using a parabolic microphone, or from 30 cm away using a plain mobile phone placed next to the computer.
In another attack, the researchers stole RSA and ElGamal keys by measuring how the electric potential of a laptop's chassis fluctuates relative to ground. This can be done directly through a plain wire touching a conductive part of the laptop, or indirectly through any cable with a conductive shield attached to a port on the laptop, the researchers said.
An attacker could also steal RSA and ElGamal keys by monitoring the electromagnetic field radiated by the computer using a suitable electromagnetic probe antenna or even a plain consumer-grade AM radio receiver, researchers said.
Hardware countermeasures can defend against these attacks: sound-absorbing enclosures against the acoustic attacks, Faraday cages against the electromagnetic attacks, and insulating enclosures against the chassis and touch attacks. The researchers conceded, however, that these countermeasures are expensive and cumbersome.
Software countermeasures include algorithms and implementations designed so that leakage through the given channel does not convey useful information, the researchers said; the paper's example is ciphertext randomization (blinding), which strips the attacker of control over the values the processor operates on during decryption.
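The following is an added illustration of that software countermeasure, not code from the paper or from any affected software. It stands in for the physical channel with two synthetic leaks that a measurement of the kind described above could expose: the sequence of modular operations per exponent bit, and the intermediate values those operations process. All parameters (the textbook-sized RSA key, the message, the blinding factors) are constructed for the example; a Montgomery ladder is shown as the fix for the first leak and ciphertext blinding as the fix for the second.

```python
from math import gcd

# Toy RSA key (constructed for illustration; far too small for real use).
P, Q = 61, 53
N = P * Q                      # 3233
E = 17
D = 2753                       # E * D == 1 mod lcm(P-1, Q-1)


def square_and_multiply(base, exp, n):
    """Left-to-right exponentiation that leaks in two ways.

    Returns (result, ops, values): ops holds "S" for a bare square and "SM"
    for a square-then-multiply per exponent bit, and values holds the
    accumulator after each bit. ops is a transcript of the secret exponent;
    values is a deterministic function of the (attacker-chosen) base, which is
    what a chosen-ciphertext side channel exploits.
    """
    result, ops, values = 1, [], []
    for bit in bin(exp)[2:]:
        result = (result * result) % n
        if bit == "1":
            result = (result * base) % n
            ops.append("SM")
        else:
            ops.append("S")
        values.append(result)
    return result, ops, values


def recover_exponent(ops):
    """Attacker's step for the operation-pattern leak: read the bits off ops."""
    return int("".join("1" if op == "SM" else "0" for op in ops), 2)


def montgomery_ladder(base, exp, n):
    """Fixed operation pattern: one multiply and one square for every bit.

    Returns (result, ops). ops is identical for every exponent of the same
    length, so this leak no longer conveys the bits. (A real implementation
    must also keep memory access and branching independent of the secret.)
    """
    r0, r1, ops = 1, base % n, []
    for bit in bin(exp)[2:]:
        if bit == "0":
            r1, r0 = (r0 * r1) % n, (r0 * r0) % n
        else:
            r0, r1 = (r0 * r1) % n, (r1 * r1) % n
        ops.append("MS")
    return r0, ops


def decrypt_unblinded(c):
    """Plain RSA decryption; the intermediate values depend on c alone."""
    m, _ops, values = square_and_multiply(c, D, N)
    return m, values


def decrypt_blinded(c, r):
    """RSA decryption with ciphertext blinding.

    The attacker's c is replaced by c * r^E before exponentiation, so the
    values the hardware processes depend on r, which the attacker neither knows
    nor controls; multiplying by r^-1 afterwards restores the plaintext. r is a
    parameter here only to keep the example deterministic; real code draws a
    fresh r from a CSPRNG for every decryption.
    """
    if not 0 < r < N or gcd(r, N) != 1:
        raise ValueError("blinding factor must be invertible mod N")
    c_blind = (c * pow(r, E, N)) % N
    m_blind, _ops, values = square_and_multiply(c_blind, D, N)
    return (m_blind * pow(r, -1, N)) % N, values


def demo():
    msg = 65                              # constructed sample message
    c = pow(msg, E, N)                    # the attacker's chosen ciphertext
    # Leak 1: operation pattern. Naive exponentiation hands over D outright;
    # the ladder's pattern is constant, so the same attack learns nothing.
    _m, ops, _values = square_and_multiply(c, D, N)
    _m, ladder_ops = montgomery_ladder(c, D, N)
    # Leak 2: value-dependent signal on a repeated chosen ciphertext.
    # Unblinded intermediates repeat exactly, so the attacker can average many
    # recordings; blinded ones differ per run while the plaintext is unchanged.
    m_plain, v1 = decrypt_unblinded(c)
    _, v2 = decrypt_unblinded(c)
    m_b1, vb1 = decrypt_blinded(c, r=7)
    m_b2, vb2 = decrypt_blinded(c, r=1234)
    return {
        "leaked_d": recover_exponent(ops),
        "ladder_pattern_constant": len(set(ladder_ops)) == 1,
        "unblinded_traces_identical": v1 == v2,
        "blinded_traces_identical": vb1 == vb2,
        "plaintexts": (m_plain, m_b1, m_b2),
    }


if __name__ == "__main__":
    print(demo())
```

The two fixes address different leaks and are not interchangeable: the ladder hides which operation runs, while blinding hides what values it runs on. Blinding alone still leaks the exponent through the operation pattern here, which is why deployed implementations combine a constant-pattern exponentiation with per-operation randomization.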
The average person doesn't have to worry about these kinds of attacks and most users can safely ignore the risks they present, Trend Micro Vice President of Cloud Research Mark Nunnikhoven told SCMagazine.com via emailed comments.
“The manner in which hardware processes data has always exposed some vulnerabilities,” he said. “There are things that manufacturers can do to reduce these possibilities, and they should protect their products when the solutions (increased insulation, shielding, etc.) are reasonable...that's just good, secure design.”
Nunnikhoven said that the attacks are nevertheless real and can be carried out, but that they require specialized equipment and knowledge, and require the attacker and their equipment to be physically near the target system for an extended period of time.
“Unlike average cybercrime campaigns and hacks, these attacks simply don't scale and aren't worth the attacker's investment,” he said.
Nunnikhoven did say, however, that the attacks could be worth the investment for an attacker targeting governments and sensitive industries, and that those entities should invest in countermeasures such as cable isolation and physically securing the systems in their data centers.