Clever stuff
That's very clever, someone found a genuine use for a pita bread.
Discerning secret crypto keys in computers and gadgets by spying on how they function isn't new, although the techniques used are often considered impractical. A new paper demonstrates this surveillance can be pretty easy – well, easier than you might imagine – to pull off, even over the air from a few metres away. We all …
Tinfoil hats actually amplify the frequencies that the US military uses for mind control satellite communications.
Given that the routine is running at GHz and is presumably completing in much less than a second, that's not very many cycles of audio per bit of key.
Some will comprehend the inherent difficulties, but then take this to be more reason to be impressed by the accomplishment. These days, as we're swimming in so much BS hype, a better reaction is to wonder how many unmentioned 'cheats' were required to generate this "proof" of concept.
In any case, crypto code branches need to be balanced. Didn't everybody already know that?
"Given that the routine is running at GHz and is presumably completing in much less than a second, that's not very many cycles of audio per bit of key."
I think you mean that the cycles on the computer should take longer than 1/20,000 of a second, the maximum frequency that humans can hear and that microphones and speakers designed for human ears can handle.
Then there is that Debye frequency, "The Debye frequency of a crystal is a theoretical maximum frequency of vibration for the atoms that make up the crystal".
As a consequence, ultrasound at 1 or 2 MHz can only propagate in air over a distance of a few centimeters.
But apparently somehow they've found a way around that. Maybe because the calculations require much more than one cycle to complete. I don't know. The mechanics of how would be interesting.
Or maybe the ear piece mic is picking up the electrical impulses directly, rather than acoustically?
I've pretty much forgotten the acoustics I learned in university, except for a few limitations that I've kept to remind me to consult an expert (recent EE grad) when they come up.
Why is a Faraday cage not realistic?
So long as it doesn't cover the radio parts (in a desktop, zero, in a laptop, the screen, in a phone, the radio?), it seems eminently sensible to put in a Faraday cage, and it doesn't have to be a solid block of metal if you choose the spacing correctly, and I reckon you could even double-up part of it as a heatsink, no?
Most of these types of side-channel attacks only seem to work at short distances, like a few metres. Perhaps the answer is to stay out of your office, keep moving, and only work where there is no-one physically near to you. You would probably notice someone walking behind you and setting up a parabolic dish, a thermographic camera and a shotgun microphone whenever you stop.
With acoustically transparent cloth - y'know, the sort of thing hi-fi speakers are clad with - a parabolic dish can be disguised as a suitcase. Or indeed, a loudspeaker.
It appears on first thoughts that an easy enough countermeasure would be to generate noise - maybe just have your computer run through some redundant, unused crypto algorithms.
Dave "...have your computer run through some redundant, unused crypto algorithms."
Back in the late-1970s or very early-1980s, there was a 'Ghost' themed game for the Tandy Radio Shack Z80-based TRS-80 Model 3 / Model 4. The game's instructions included putting an AM radio near the computer, and music would be played. Yep, the EMI was that strong.
The more interesting point is that the code, presumably single threaded, included music. Think about that.
Imagine somebody trying to do a side channel attack, and the coder has included music or similar.
There's an opportunity in this sort of concept. Somebody spends weeks doing a side channel attack, and they're successful in pulling out some key-like data. Later they realize it's not the key, but a rude joke involving parrots and nuns, etc.
"Back in the late-1970s or very early-1980s, there was a 'Ghost' themed game for the Tandy Radio Shack Z80-based TRS-80 Model 3 / Model 4"
Are you referring to Android NIM?
"The game's instructions included putting an AM radio near the computer, and music would be played. Yep, the EMI was that strong."
Which is why the FCC came down fairly hard on the early PC makers over emissions. I discovered my TRS80 was wiping out the neighbours' TV reception (low band VHF) only when they asked my parents if we were having trouble viewing XYZ programs (we had an external antenna, they were using bunny ears and the PC was a few metres away through 2 wooden walls, unshielded cables everywhere)
My college (NDSU) built an AM radio into an IBM 1620 computer and had a deck of cards that played "Flight of the Bumblebee". I was there in 1974, I don't know how long they'd had that set up.
Alas, the code deck was randomized partway through, and nobody had the source. So it played perfectly for a while, then spit out some noise and stopped.
>Why is a Faraday cage not realistic?
If the encryption is being used to encrypt communications, then the computer has to be able to, er, communicate. If the connection to the wider world is wired, then okay, but a Faraday cage would stop any wireless RF data from being transmitted or received.
You could, I suppose, have your Faraday-clad computer use light to communicate to a modem.
>Why is a Faraday cage not realistic?
A Faraday cage wouldn't help. This attack works by listening to sound waves, not electromagnetic waves.
A window pane protects you from the wind, but not from peeping toms. A lace curtain protects you from peeping toms, but not from the wind.
>You could, I suppose, have your Faraday-clad computer use light to communicate to a modem.
Back to IR ? NOOOOOOO!!!!!!!
Or have the antennas outside the cage ... for example, take a laptop .... Faraday cage as the casing of the mobo (e.g. where keyboard is etc), antennas around the screen (as is already today in most laptops) ... That is what the comment@rd up there was on about, or at least, how I understood it.
On a desktop, same, get a Faraday-cage case and buy a USB dongle/PCI-e wifi card with external antenna (if you need wifi on your desktop) .... done.
Faraday cages block electromagnetic signals; if I'm reading this article correctly, they're using audio to measure changing workloads.
Paul Kocher's been doing various differential power and timing analysis things for years, all of which have told us that we need to do calculations in ways that take the same amount of work regardless of the keys, which means undoing some of the optimization methods for long-number arithmetic and such.
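The "balanced branches" and "same amount of work regardless of the keys" points made in the comments above, as an added example that is not part of the original thread: a key-dependent square-and-multiply next to a Montgomery ladder that performs the same operation sequence for every key of a given length. All names, the modulus and the two exponents are constructed for illustration, and Python integers are not constant-time, so this models only the sequence of operations, not real timing or power behaviour.

```python
# Constructed sample values (not from the thread or the paper).
MOD = 1000003
BASE = 65537
BITS = 16
KEY_SPARSE = 0x8001   # 16-bit exponent with two 1-bits
KEY_DENSE = 0xFFFF    # 16-bit exponent with sixteen 1-bits


def square_and_multiply(base, exp, mod):
    """Textbook left-to-right exponentiation. The extra multiply happens
    only for 1-bits, so the amount of work depends on the key."""
    result, trace = 1, []
    for bit in bin(exp)[2:]:
        result = (result * result) % mod
        trace.append("S")
        if bit == "1":                      # unbalanced, key-dependent branch
            result = (result * base) % mod
            trace.append("M")
    return result, "".join(trace)


def montgomery_ladder(base, exp, mod, bits):
    """Montgomery ladder over a fixed bit length: one multiply and one
    square per key bit, whatever the bit value is."""
    r0, r1, trace = 1, base % mod, []
    for i in reversed(range(bits)):
        bit = (exp >> i) & 1
        # Branch-free conditional swap: (r0 ^ r1) * bit is 0 when bit == 0.
        swap = (r0 ^ r1) * bit
        r0, r1 = r0 ^ swap, r1 ^ swap
        r1 = (r0 * r1) % mod
        r0 = (r0 * r0) % mod
        swap = (r0 ^ r1) * bit              # swap back
        r0, r1 = r0 ^ swap, r1 ^ swap
        trace.append("MS")
    return r0, "".join(trace)


def compare(keys, base=BASE, mod=MOD, bits=BITS):
    """Return (key, naive op count, ladder op count) for each key,
    checking both routines against Python's built-in pow()."""
    rows = []
    for key in keys:
        naive_val, naive_trace = square_and_multiply(base, key, mod)
        ladder_val, ladder_trace = montgomery_ladder(base, key, mod, bits)
        assert naive_val == ladder_val == pow(base, key, mod)
        rows.append((key, len(naive_trace), len(ladder_trace)))
    return rows


if __name__ == "__main__":
    for key, naive_ops, ladder_ops in compare([KEY_SPARSE, KEY_DENSE]):
        print(f"key={key:#06x} naive_ops={naive_ops} ladder_ops={ladder_ops}")
```
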
A metal case is a Faraday cage.
The issue is of course the cords and wires, which act like antennas outside the case.
And for laptops the case is plastic. And if the case isn't plastic you have the screen.
Engineering labs and US consulates have Faraday cages and acoustic isolation rooms.
Depending on the frequencies it has to work over, it can be a coarse conductive net. Like the mosquito netting in North American windows. It can be conductive paint in your walls.
But that won't shield from what is inside the cage. And that is probably the thing. A cage big enough to encompass your power and network cables would also encompass the eavesdropping device.
I really can't imagine how this could possibly work. It surely can't be listening in on the CPU because that runs at many gigahertz, well above what you should be able to pick up with a mic. There's ram which is in the 100s of megahertz, but given that's accessed in parallel how could you pick out individual lines? Anyone got any idea what kind of signal they might be using, assuming it does work as they say it does?
It does work from a technical view. For most people, I doubt this is much of a threat. However for certain people, think high ranking official or business leader, this might be a handy way to break into their accounts assuming you can get within a few meters for long enough.
But how can it work from a technical point of view?
I get that a computer science person might think it would obviously work, but only if they didn't study acoustical and electrical engineering/physics.
My guess is he's assuming the mike only picks up sound, and that really it is picking up electrical impulses, as mikes will do.
You just cannot say 10 GHz sounds, even 10 MHz sounds, can be transmitted through room temperature air without explaining how.
Either something must reduce the frequency with which each bit is processed, or the transmission is electromagnetic. I'm rusty on this, but that is how it seems to me technically.
I would love to read the theories of someone who is actually up-to-date in the EE aspects of this.
That said, I agree that this is not much of a threat to someone working in an acoustically and electrically noisy office.
But people who need privacy often also end up with a fair degree of silence.
And no matter what we do to prevent it, a dozen intelligence agencies around the world can capture our data. There is no privacy against the FSB, NSA, and so on.
I assume the signal received is not in the GHz range. It is a much more smoothed out blur of the encryption/decryption key.
However, just one or two hints in the direction of the key, reduces the search space many fold.
ED, if I had a million long line of gibberish as a key, but you picked up that the first half is a higher value than the second half, then you've reduced the search space from "completely random" to "at least similar to this".
With more data points, you can multisample too, so you can get down to smaller blocks of the key, and in the end (I assume) get like 100 small data points in the 4096-bit key. Some saying "high" at this point, some saying "low" at others, possibly even "medium". Within this you search for the key, now within the computational power of your brute force server farm.
"Anyone got any idea what kind of signal they might be using, assuming it does work as they say it does?"
Modern computers use switch mode power supplies in which DC-DC conversion is achieved via transformers running at a high frequency which still tends to be in the acoustic band. There are multiple SMPS in most modern PCs, for instance the programmable multiphase one which drives the CPU. Because these have very fast response to load changes, they generate lower frequencies which are a function of power consumption.
The transformer actually vibrates due to the changing magnetic field, and creates sound. The amount of sound depends on how well it is constructed and secured. A lot of PC transformers now seem to have visible coils, for effective heat loss, and these I imagine will create more sound than fully encapsulated ones.
I would have thought that if you were using a mobile phone, which runs off a true DC supply - the battery - this would be much less of an issue.
Can someone smarter than me explain how a CPU that operates in the billions of cycles per second range, can have any intelligible information about the instructions and branches it executes (presumably the only way to extract data about the contents of its registers) by the sounds it is making which are captured in a tens of thousands of cycles per second range?
To me, it sounds like trying to decode a spoken conversation with a sample rate of one per minute... the orders of magnitude seem far too disjoint.
"...smarter than me..."
No guarantee on that point.
"...explain..."
We live in 'The Age of BS Hype'.
At least 75% of these sorts of amazing news items are over-hyped nonsense.
They (those penning the press release) always leave out important technical details that 1) enable it to 'work' at all, 2) make it perfectly impractical and 3) means it's far less impressive than you were led to believe.
In this case, they probably wrote their own code, slowed it down, included instructions to pulse the power consumption, looped it a zillion times, synchronized summation somehow, etc. Things like that.
They probably couldn't get a key out of your laptop, ever, even for a billion dollar prize.
Paper "...target is using the RSA algorithm to decrypt ciphertexts (sent to it by the attacker), the RSA secret key can be extracted within one hour for a high-grade 4,096-bit RSA key. "
Not so much 'proof of concept', as 'proof of impractical'.
But still, crypto code requires some attention to side channel attacks.
The side channels should be emitting music or rude jokes.
I can't wait until somebody does a rebuttal presentation showing that the 'secret key' that somebody else extracted from a side channel attack was actually a rude joke encrypted by ROT13.
To add to comments I made above, I assume it needs multiple key uses. If you get the "sound" at the beginning of the use, middle and end, you'll get 3 data points. Even if it took just one cycle to process, and our reading has lots of "noise" in it.
That is an extreme example, but it's all time x computation power x stubbornness. ;)
See http://ieeexplore.ieee.org/xpl/login.jsp?tp=&arnumber=882477
There are also ways of detecting signals smaller than your sample rate. I can't think of the links off the top of my head, but it's used in things like astronomy to detect stars or even planets orbiting them with very few readings.
Some posters above have had a good bash at explaining...
Basically, the attackers aren't trying to get the key directly, but to reduce the number of 'guesses' required ('reducing the search space'). If you know what noises a computer system makes when performing encryption / decryption, then you can, over time, start to build a picture. So, to come back to your analogy:
>To me, it sounds like trying to decode a spoken conversation with a sample rate of one per minute... the orders of magnitude seem far too disjoint.
If the conversation was actually a looped snippet of speech, you could recreate it even at a sample rate of 1Hz - if you had enough time. Note that in the article the attackers require an hour.
Generating your keys remotely over SSH (on a VPS in another country) then wrapping them in PGP using a one time key to come back over the SSH tunnel sounds in order.
Seriously when are we nerds going to get together to launch a satellite for encrypted comms?
It's non-geographic. The feds can't kick the door in and it's cold up there so we don't need a stupid gamer case to cool it.
If they try and blow it out of the sky we win anyway as it will show Joe Public the lengths a government is prepared to go to in an effort to stifle speech.
I've got some wire coathangers, foil, rubber bands and a load of old RAM. That's a start. Right?
Shurely running any other computationally intensive* software parallel with the decryption would fool this device?
* How intensive depends on many factors, and it may slow things down enough to piss off users. Hmm, maybe if you just allowed Microsoft's horrible search indexer service to run, you'd be immune to this type of attack...
... demonstrating why these sort of attacks continue to work - TEMPEST has been around for a long time now, it's serious business because unless you take extraordinary precautions then anything can be hacked - and if you've ever messed with this environment then you know that extraordinary precautions may not help you.
Nothing makes the NSA's work easier than people not believing that it is possible in the first place.
There's a lot I don't know about electronics, and I know nothing about how to sniff out CPU operations, but that doesn't mean I'm blind to the possibility.
On the other hand, it would seem that this paper refers to a phone being left a foot away from my PC for an hour. I don't think that a top-level anybody is going to have an hour-long meeting with anybody else with them nonchalantly placing their mobile next to the laptop.
Once again, a miracle in surveillance tech that is impractical in real life. Keep foreign mobiles away from your PC and you'll be fine. Because if the NSA is interested in you, you're screwed anyway.
>On the other hand, it would seem that this paper refers to a phone being left a foot away from my PC for an hour. I don't think that a top-level anybody is going to have an hour-long meeting with anybody else with them nonchalantly placing their mobile next to the laptop.
And
>Keep foreign mobiles away from your PC and you'll be fine
There is one issue with that - what if their phone has been compromised? Ok, so they know not to log in to the company network with their phone due to the possibility of malware (and I guess it's safe to assume that CEOs are a target of some of this stuff), but if their phone is also acting as a mic for this sort of thing..
Of course, you'd hope that those who have access to the sensitive stuff also don't take their phones into "clean" areas with them.
Perhaps a defense against this sort of attack (if it really is feasible) is to have a number of machines working on such stuff in close proximity, so that the collective noise is enough to screw with anyone trying to snoop? Like conducting your "clandestine meetings" in a crowded bar where it is theoretically harder to eavesdrop (but watchers of 'Sue Thomas' would suspect the blonde chick at the other end of the room who is watching you quite carefully)
"Perhaps a defense against this sort of attack (if it really is feasible) is to have a number of machines working on such stuff in close proximity, so that the collective noise is enough to screw with anyone trying to snoop? Like conducting your "clandestine meetings" in a crowded bar where it is theoretically harder to eavesdrop (but watchers of 'Sue Thomas' would suspect the blonde chick at the other end of the room who is watching you quite carefully)"
Actually, notorious Mafia don John Gotti used this technique to beat bugs. He'd conduct his sensitive meetings outside where all the ambient noise meant bugs wouldn't be able to make out the very soft muttering between them from everything else out there. This also defeated shotgun mics that tended to rely on window glass or a similar flat surface.
If my reading of the paper is correct, the victim's computer has to be told to decrypt carefully formulated packets of data, in a pattern, over the course of the entire period for them to fall victim- that sounds really hard to pull off!
They also mention various countermeasures- like acoustic shielding- however they don't mention doing anything about the power supply, like, for instance, putting (back?) in the proper smoothing capacitors!
It might work well in a lab, as most TEMPEST attacks do. But in reality it's VERY hard to do it out in the real world, I for one am not going to be worrying about my communications or the communications of the organisation I work for being intercepted via this means. It would require a low noise floor for a start and that just isn't going to happen. What about in a room with a few human conversations, the hum from some other electronics, a couple of laptops and other computers...?
And as I work in a room that has its own Faraday cage, filtered power and is TEMPEST tested by some nice guys in a van every so often I do take this stuff seriously, I just don't believe it's that feasible in the real world.
AC for reasons...
This is like the popular press claiming that MMR caused this, that, and the other, on the back of a study published in the Lancet, without waiting to see if the results could be replicated.
If another unrelated group can replicate this I'll START to think it isn't nonsense. Until then...
If the countermeasures to this attack are cheap and easy to implement - just have your computer run some other encryption code to create noise - why not implement them, even if you are doubtful that the attack is viable? The only 'cost' is slightly greater power consumption. I for one can't be arsed, because I don't work with state-level secrets - I'm just not worth the effort! Those people who do have state secrets will have their computers administered by folk who are in a position to replicate this - if replicated it can be.
Contrast this to the people who believed the trash about MMR, and as a result the lives of some people have been damaged.