A team of computer science researchers from the Israel Institute of Technology has developed a series of side-channel attacks that can steal encryption keys by monitoring acoustic, electric, and electromagnetic signals generated by a PC.
The researchers claim to have carried out the attacks on several public key encryption schemes and digital signature schemes using inexpensive and readily available equipment, according to a research paper contributed to the Association for Computing Machinery. The attacks are unlikely and difficult to pull off, but possible, according to industry experts.
In one attack, researchers were able to steal encryption keys by monitoring the acoustics of the “coil whine” or vibrations caused by electronic components inside a PC fluctuating as voltages and currents pass through.
The coil whine leaks keys during cryptographic operations because the noise is correlated with the ongoing computation, revealing what applications are running and what data is being processed, according to the paper.
“By recording such noise while a target is using the RSA algorithm to decrypt ciphertexts (sent to it by the attacker), the RSA secret key can be extracted within one hour for a high-grade 4096-bit RSA key,” the researchers said in the paper.
The attack can be carried out from as far as 10 metres away using a parabolic microphone or from 30cm away through a mobile phone placed next to the computer.
In another attack, the researchers were able to steal RSA and ElGamal keys after measuring how the electric potential energy of a laptop's chassis fluctuates. This can be done directly through a plain wire connected to a conductive part of the laptop, or indirectly through any cable with a conductive shield attached to a port on the laptop, they said.
An attacker could also steal RSA and ElGamal keys by monitoring the electromagnetic field radiated by the computer using a suitable electromagnetic probe antenna or even a plain consumer-grade AM radio receiver.
To defend against these attacks, hardware countermeasures can be taken: sound-absorbing enclosures against the acoustic attacks, Faraday cages against the electromagnetic attacks, and insulating enclosures against the chassis and touch attacks.
The researchers admitted, however, that these countermeasures are expensive and cumbersome.
Software countermeasures include the use of algorithms and other software implementations that are designed so that leakage through the given channel will not convey useful information, the researchers said.
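The software countermeasure described above can be illustrated with ciphertext blinding, the standard randomisation technique for RSA decryption. The following is an added example and not code from the paper or from any product it mentions; the tiny primes, the exponent and the message are constructed for illustration only. The point it shows is that the private-key exponentiation in the hardened version runs on a value the attacker can neither predict nor replay, even when the attacker chooses the ciphertext, so emanations recorded during that operation no longer correlate with the chosen input.

```python
import math
import secrets

# Constructed toy RSA parameters (illustration only; real keys use 2048-bit or larger moduli).
P, Q = 1000003, 1000033
N = P * Q
E = 65537
PHI = (P - 1) * (Q - 1)
D = pow(E, -1, PHI)  # private exponent (modular inverse, Python 3.8+)


def encrypt(m: int) -> int:
    """Textbook RSA encryption of an integer message m < N."""
    return pow(m, E, N)


def decrypt_plain(c: int) -> int:
    """Unprotected decryption: the private exponent is applied directly to the
    attacker-supplied ciphertext, so the work done (and whatever leaks from it)
    is a function of (c, D) that the attacker can steer by choosing c."""
    return pow(c, D, N)


def blind(c: int) -> tuple[int, int]:
    """Multiply c by r^E for a fresh random r coprime to N.
    Returns the blinded ciphertext and the blinding factor r."""
    while True:
        r = secrets.randbelow(N)
        if r > 1 and math.gcd(r, N) == 1:
            break
    return (c * pow(r, E, N)) % N, r


def decrypt_blinded(c: int) -> int:
    """Hardened decryption: exponentiate the blinded value, then strip the blinding.
    (c * r^E)^D = m * r (mod N) because E*D = 1 (mod PHI), so multiplying by
    r^-1 recovers m. The attacker never sees r, and each call uses a new one."""
    c_blind, r = blind(c)
    m_blind = pow(c_blind, D, N)
    return (m_blind * pow(r, -1, N)) % N


if __name__ == "__main__":
    msg = 123456
    c = encrypt(msg)
    print("plain  :", decrypt_plain(c))
    print("blinded:", decrypt_blinded(c))
    # The two blinded inputs below differ for the same ciphertext (with overwhelming probability).
    print("blinded inputs:", blind(c)[0], blind(c)[0])
```

Blinding only addresses leakage that depends on the ciphertext; it does not make the exponentiation itself constant-time or silent, which is why the researchers pair software measures with the hardware ones listed above.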
Average PC users are unlikely to be affected by these kinds of attacks, Trend Micro vice president of cloud research Mark Nunnikhoven said.
“The manner in which hardware processes data has always exposed some vulnerabilities,” he said.
“There are things that manufacturers can do to reduce these possibilities, and they should protect their products when the solutions (increased insulation, shielding, etc.) are reasonable...that's just good, secure design.”
He said the attacks required specialised equipment and knowledge. The attacker would also need their equipment to be physically near the system in question for an extended period of time.
“Unlike average cybercrime campaigns and hacks, these attacks simply don't scale and aren't worth the attacker's investment,” he said.
Nunnikhoven did note, however, that such attacks could be enticing for those targeting governments and sensitive industries. He suggested such entities invest in countermeasures such as cable isolation and physically securing systems in their data centres.