Slashdot Mirror


Stealing Keys From a Laptop In Another Room — and Offline

Motherboard carries a report that with equipment valued at about $3,000, a group of Israeli researchers have been able to extract cryptographic keys from a laptop that is not only separated by a physical wall, but protected by an air gap. This, they say, "is the first time such an approach has been used specifically against elliptic curve cryptography running on a PC." From the article: The method is a so-called side-channel attack: an attack that doesn't tackle an encryption implementation head on, such as through brute force or by exploiting a weakness in the underlying algorithm, but through some other means. In this case, the attack relies on the electromagnetic outputs of the laptop that are emitted during the decryption process, which can then be used to work out the target's key. Specifically, the researchers obtained the private key from a laptop running GnuPG, a popular implementation of OpenPGP. (The developers of GnuPG have since released countermeasures to the method. Tromer said that the changes make GnuPG "more resistant to side-channel attack since the sequence of high-level arithmetic operations does not depend on the secret key.")

58 comments

  1. TEMPEST in a teacup..... by lowen · · Score: 1

    Heh, time for TEMPEST. But isn't this what the spread-spectrum bus modes are supposed to help reduce?

    1. Re:TEMPEST in a teacup..... by Anonymous Coward · · Score: 1

      No, they aren't "bus modes", they are just a way to spread out RF energy so the motherboard can pass EMC tests.

    2. Re:TEMPEST in a teacup..... by Anonymous Coward · · Score: 1

      This was proposed fairly clearly in the "Leveraging the Analog Domain for Security (LADS) Program, DARPABAA1561" published September 25, 2015, as well as a bunch of other really interesting Analog attacks.

    3. Re:TEMPEST in a teacup..... by lowen · · Score: 1

      Note that I'm not just talking about PCs.

  2. Van Eck Phreaking by Anonymous Coward · · Score: 1, Interesting

    Part of the plot in the 1999 novel Cryptonomicon by Neal Stephenson so this isn't new.

    1. Re:Van Eck Phreaking by Anonymous Coward · · Score: 5, Funny

      Absolutely. Someone thinking about the possibility of something happening and someone implementing it are equivalent.

    2. Re:Van Eck Phreaking by MightyYar · · Score: 4, Funny

      This is why I'll just let out a big yawn when we finally discover faster-than-light travel.

      --
      W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.

    3. Re:Van Eck Phreaking by Anonymous Coward · · Score: 1

      Maybe they'll discover a speed that's slower than stopped too...

    4. Re:Van Eck Phreaking by Dins · · Score: 1

      First they'll have to discover what "stopped" even means. In a relativistic sense, nothing is ever "stopped" unless in reference to some other object or point.

    5. Re:Van Eck Phreaking by Anonymous Coward · · Score: 0

      I don't think so. Everything with mass is stopped w.r.t something else with mass in at least one reference frame.

  3. Quick question! by Anonymous Coward · · Score: 0

    Are there any computer or laptop cases which can help to shield or contain information leakage like this from getting out?

    1. Re:Quick question! by NotInHere · · Score: 2

      It's more than just cases, you have to "clean" every cable connected to the machine as well. If the laptop had been connected to power, the researcher's job would have been much easier.

    2. Re:Quick question! by Lumpy · · Score: 1

      Not if a $0.29 ferrite bead was put around it.

      --
      Do not look at laser with remaining good eye.

    3. Re:Quick question! by NotInHere · · Score: 1

      I'm not sure whether the bead will help, but I know that noise suppression that's required by usual regulations (CE label in the EU) doesn't prevent information leakage.

    4. Re:Quick question! by Anonymous Coward · · Score: 3, Insightful

      In the case of laptops, it would add so much weight to do it right, that it would render them unfit for purpose. The problem is that shielding doesn't completely nix the EM emissions, but it removes a percentage. The trouble with that is that if someone has a sufficiently good antenna and low-noise amplifier, even a tiny fraction of the original EM emission could give you away, so standard anti-EM foil isn't going to cut it. For now, it's better to try to design our software in such a way that it emits the same EM signature regardless of the cryptographic key used.

    5. Re:Quick question! by Anonymous Coward · · Score: 0

      Ferrites cost .29 ??? Anyway isn't the steel wire in your Chinese power supplies good enough?

    6. Re:Quick question! by Anonymous Coward · · Score: 0

      Place some old electric appliances with consumed motor brushes around the computer and let them run.

    7. Re:Quick question! by AchilleTalon · · Score: 1

      The software has been patched to not leak an EM signal that can be exploited. Better to find a software solution rather than a hardware one, it will apply to all types of hardware the software runs on.

      --
      Achille Talon
      Hop!

  4. Tempest protocol by WSOGMM · · Score: 4, Informative

    This is why our government uses the "Tempest" certification on buildings, categorizing whether information can be stolen from electromagnetic emanations within neighboring wall, room, just outside the building, etc.

    It's called Van Eck phreaking, and it's one of the many modern day forms of wizardry. Essentially different components of your computer communicate via high frequency electric currents. These currents broadcast corresponding EM waves somewhere in the radio spectrum, and you decode the corresponding frequency components into your own information, which if you know what monitor they're using, for instance, you can catch the signal from their wires and reproduce their monitor image on your screen.

    1. Re:Tempest protocol by lowen · · Score: 4, Informative

      One of the key concepts to realize with 'van Eck phreaking' is that no shielding provides infinite attenuation at all frequencies. Even solid copper shielding has a finite, if very large, attenuation. With a cryogenic-cooled HEMT or similar front-end and a high gain antenna, the requirements for shielding could be as high as an attenuation of 100dB or more (copper screen is good for 30dB or so typically).

      A cryo HEMT front-end isn't that far out of reach, even on pennies, as dry ice can get the temps low enough to foil thin shielding, and thicker shielding can be defeated with liquid nitrogen temps. Specialized near-field antennas that work on magnetic induction principles foil even the thickest pure copper, tin, or aluminum shielding; you need a ferromagnetic shield (mu metal is good) in addition to the copper to shield then.

      Vent holes are the hardest, as you then want copper honeycomb material to act as 'waveguide beyond cutoff' attenuators. Slots and gaps of any kind can act as antennas; the Parkes radio telescope, for instance, has a webcam that required a very special enclosure where even the screw spacing had to be controlled. (see http://www.atnf.csiro.au/outre... for details).

    2. Re:Tempest protocol by Anonymous Coward · · Score: 1

      One of the key concepts to realize with 'van Eck phreaking' is that no shielding provides infinite attenuation at all frequencies.

      Much to my surprise, I was able to get WiFi inside a TEMPEST approved room soon after it was built (but before it was placed in service). This was in an old office building, so that particular room is no longer in use (which might be a good thing).

    3. Re:Tempest protocol by Anonymous Coward · · Score: 0

      Theoretically speaking even if you have the thing fully isolated in a shielded room where no EMV can escape, you could still measure the gravitational waves resulting from the movement of the electrons.

    4. Re:Tempest protocol by nullchar · · Score: 1

      So you're saying that Julian Assange, holed up in the Ecuadorian embassy and using varying forms of encryption and probably decent attempts at shielding EM leaks, is probably pwned?

      If so, why did the UK authorities waste $18m monitoring him in person? Or was $17m spent on setting up Van Eck phreaking, while $1m was spent on humans, donuts and coffee.

  5. Better summary by Anonymous Coward · · Score: 5, Informative

    When performing different operations, computers emit different EM signals. EM antennae and post-processing software have become sufficiently fast and accurate that if you know the source code of an encryption algorithm, you can trace through the code non-intrusively, simply by watching for patterns in the emitted EM radiation. As it happens, GnuPG's EEC implementation performed different operations depending on the private key, so you can reconstruct the private key. GnuPG's developers addressed this by changing the implementation to try to ensure that the same sequence of operations will always get executed, regardless of the key. This is similar to how cryptographic string comparisons always compare all characters in a string and don't stop when they encounter the first difference, as normal string comparisons do.
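The point about key-dependent operation sequences, as an added example (not GnuPG's code and not part of the original comment): it records the sequence of "double" and "add" operations for a textbook double-and-add loop and for a Montgomery ladder. Multiplication modulo a small prime stands in for curve point arithmetic; the modulus, the sample scalars and all function names are assumptions of this sketch.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define P    65521u   /* small prime modulus: constructed toy parameter */
#define BITS 16       /* fixed, public scalar width */

/* Stand-in group operations. Each call appends one letter to the trace,
   modelling the operation sequence an observer can distinguish. */
static uint32_t g_add(uint32_t a, uint32_t b, char *tr) {
    strcat(tr, "A");
    return (uint32_t)(((uint64_t)a * b) % P);
}
static uint32_t g_dbl(uint32_t a, char *tr) {
    strcat(tr, "D");
    return (uint32_t)(((uint64_t)a * a) % P);
}

/* Textbook double-and-add: an add is performed only for 1 bits of k,
   so the trace depends on the key. tr needs room for 2*BITS+1 chars. */
uint32_t mul_naive(uint32_t g, uint32_t k, char *tr) {
    uint32_t r = 1;                       /* group identity */
    tr[0] = '\0';
    for (int i = BITS - 1; i >= 0; i--) {
        r = g_dbl(r, tr);
        if ((k >> i) & 1)
            r = g_add(r, g, tr);
    }
    return r;
}

/* Montgomery ladder: exactly one add and one double per bit. The key bit
   only steers a masked swap, never a branch or a skipped operation. */
uint32_t mul_ladder(uint32_t g, uint32_t k, char *tr) {
    uint32_t r0 = 1, r1 = g % P, t;
    tr[0] = '\0';
    for (int i = BITS - 1; i >= 0; i--) {
        uint32_t mask = (uint32_t)0 - ((k >> i) & 1);  /* 0 or all ones */
        t = (r0 ^ r1) & mask; r0 ^= t; r1 ^= t;        /* swap if bit = 1 */
        r1 = g_add(r0, r1, tr);
        r0 = g_dbl(r0, tr);
        t = (r0 ^ r1) & mask; r0 ^= t; r1 ^= t;        /* swap back */
    }
    return r0;
}

int main(void) {
    char tr[2 * BITS + 1];
    uint32_t keys[] = { 0x8001, 0xB00F };  /* constructed sample scalars */
    for (int i = 0; i < 2; i++) {
        uint32_t a = mul_naive(3, keys[i], tr);
        printf("k=%04x naive  %5u %s\n", (unsigned)keys[i], (unsigned)a, tr);
        uint32_t b = mul_ladder(3, keys[i], tr);
        printf("k=%04x ladder %5u %s\n", (unsigned)keys[i], (unsigned)b, tr);
    }
    return 0;
}
```

Both routines return the same value for a given scalar; only the naive trace changes when the scalar changes.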

    1. Re:Better summary by Anonymous Coward · · Score: 0

      > don't stop when they encounter the first difference

      It sucks that those paranoid right-wingers are dictating that we must make software slower and less efficient. I can't believe GPG decided to screw us like this by intentionally making their software slower and wasting our time.

    2. Re:Better summary by Actually,+I+do+RTFA · · Score: 2

      This technique is fascinating. GnuPG came under a similar attack a year or two ago for its implementation of RSA. (By the R, I believe)

      That they patched that instance, but did not fix their other implementations is a bit disturbing to me.

      --
      Your ad here. Ask me how!

    3. Re: Better summary by Anonymous Coward · · Score: 0

      Those people hate computers so they don't understand the suffering caused by slowing them down. It's the same reason Republicans love Microsoft.

    4. Re:Better summary by Impy+the+Impiuos+Imp · · Score: 0, Troll

      Most political parties and dictators the past century who would abuse this are far left rather than far right.

      Just sayin'.

      --
      (-1: Post disagrees with my already-settled worldview) is not a valid mod option.

    5. Re:Better summary by Anonymous Coward · · Score: 2, Interesting

      These things are notoriously easy to overlook. For example, there have been versions of cryptographic string comparisons that were vulnerable to a compiler optimisation which caused them to bail out at the first difference, which was really hard to see because at first glance the loop looked like it would iterate over all characters.
      Here's an article by the authors with nice graphs (why wasn't that in the summary) and here's what a fix looks like. I'll let you judge for yourself whether you'd have realised you had a problem if you had seen the code.
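The string-comparison analogy from this sub-thread, as an added example that is not part of the original comments and is not the fix linked above: an early-exit comparison beside a constant-time one, each reporting how many bytes it examined. The function names, the `work` counter and the sample byte strings are constructed for this sketch.

```c
#include <stddef.h>
#include <stdio.h>

/* Ordinary comparison: returns at the first mismatch. *work reports how
   many bytes were examined (instrumentation for this demo only). */
int leaky_equal(const unsigned char *a, const unsigned char *b,
                size_t n, size_t *work) {
    *work = 0;
    for (size_t i = 0; i < n; i++) {
        *work = i + 1;
        if (a[i] != b[i])
            return 0;
    }
    return 1;
}

/* Constant-time comparison: every byte is read and folded into diff.
   The volatile qualifiers discourage the compiler from proving the result
   early and inserting an exit; they are a common mitigation, not a
   guarantee, so the generated code still has to be inspected. */
int ct_equal(const unsigned char *a, const unsigned char *b,
             size_t n, size_t *work) {
    const volatile unsigned char *va = a, *vb = b;
    volatile unsigned char diff = 0;
    *work = 0;
    for (size_t i = 0; i < n; i++) {
        diff |= (unsigned char)(va[i] ^ vb[i]);
        *work = i + 1;
    }
    /* diff == 0 -> 1, otherwise 0, computed without a branch */
    return (int)((((unsigned)diff - 1u) >> 8) & 1u);
}

int main(void) {
    /* Constructed sample values: mismatch at the first and at the last byte */
    const unsigned char ref[8]   = "s3cr3tK";
    const unsigned char early[8] = "X3cr3tK";
    const unsigned char late[8]  = "s3cr3tX";
    size_t w;
    leaky_equal(ref, early, 8, &w); printf("leaky, early mismatch: %zu bytes\n", w);
    leaky_equal(ref, late, 8, &w);  printf("leaky, late mismatch:  %zu bytes\n", w);
    ct_equal(ref, early, 8, &w);    printf("ct, early mismatch:    %zu bytes\n", w);
    ct_equal(ref, late, 8, &w);     printf("ct, late mismatch:     %zu bytes\n", w);
    return 0;
}
```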

    6. Re:Better summary by Anonymous Coward · · Score: 0

      Think of it this way: if somebody listening in on your EM emissions can reconstruct your key, then all your time spent on cryptography is wasted. If something is worth doing, it's worth doing well.

    7. Re:Better summary by Anonymous Coward · · Score: 0

      But those Republicans are slowing computers down because they don't care about computers. They are anti-technology.

    8. Re:Better summary by Actually,+I+do+RTFA · · Score: 1

      Seeing the bugfix, I would have assumed it was fixing an off-by-one error or similar. But yeah, I totally don't even understand why that fixes the problem with it staring me in the face.

      I grant spying the problem is hard. It just seems like this is now a class of problems, like null pointer dereferencing or writing off the end of the array, that comes up frequently (and exclusively) in cryptography. In much the same way that we expect realtime high-performance programmers to be very concerned with cache misses and most others don't care. So, I would expect a code review to be constantly alert for this issue.

      --
      Your ad here. Ask me how!

  6. x777x by Anonymous Coward · · Score: 0

    poor quality motherboard
    http://9su.ru

  7. Oh you mean offline not offline. by sims+2 · · Score: 1

    Offline as in not connected not offline as in off.

    --
    Minimum threshold fixed. Thanks!

    1. Re:Oh you mean offline not offline. by NatasRevol · · Score: 1

      This isn't the 1970s, so yes.

      --
      There are two types of people in the world: Those who crave closure

  8. Way Offtopic but Interesting by Anonymous Coward · · Score: 0, Insightful

    This Day on Slashdot -- "2010 PA School Spied On Students Via School-Issued Laptop Webcams "

    Here's a little follow-up:

    In this case, a school had spying software put on their laptops that they loaned to their students. Turns out school officials were using the software to "check up" on their kids, sometimes in compromising situations. The activity was discovered and the school sued. Settlement was in the neighborhood of $600,000.

    The IT Director who allowed this to happen: Virginia DiMedio. This "lady" shut down an IT student intern who raised objections about the spying software, telling him to “take a breath and relax,”... "we are not a police state" when in fact they were a police state. When the shit hit the fan, Virginia got the axe as she should. She couldn't get another IT job and now teaches Pilates.

    https://www.linkedin.com/in/virginia-dimedio-4a87a430

    Power corrupts. Never forget it.

  9. 300 processes by dargaud · · Score: 4, Interesting

    I currently have 300 processes running on my laptop, more on my server. I really wonder how they can filter out the noise of 299 of them to find out the electromagnetic noise of the PGP process (which lasts for only a split second) and THEN exploit that. It's one thing to get the Van Eck of an analog signal of a monitor (two very regular frequencies), another one entirely to get this of an 8 core CPU which uses variable frequencies depending on load.

    --
    Non-Linux Penguins ?

    1. Re:300 processes by Anonymous Coward · · Score: 1

      It's just a matter of sensitivity, repetition, and brain power. If your friend says something in a crowded room and you can't quite make out what they're saying, you ask them to repeat themselves. After several repetitions you can piece together what's being said. How many repetitions you require is a function of sensitivity (& noise) and your predictive power.

      Same situation here. The attack took several dozen runs of the victim using his key. That didn't net them the entire key, just enough bits to be able to brute force it.

      Like most attacks, these attacks only get better because sensitivity and computational power only get better.

      Also, you probably overestimate how much noise your 300 processes are emitting. A cryptographic function is _highly_ regular, especially compared to the jitter of typical workload instruction flow. Even if all of your processes are pegged. For example, the kernel (and thus the process monitor) can't differentiate a process waiting on a cache miss from one doing a bignum operation with all data in L1. The former could be sitting idle for thousands of cycles while the latter is literally humming a sweet tune. But in both cases the core is at 100% apparent load.

    2. Re:300 processes by Anonymous Coward · · Score: 0

      I currently have 300 processes running on my laptop

      I find that hard to believe. What would you be running besides systemd?

    3. Re:300 processes by lowen · · Score: 1

      Regardless of number of processes or threads total only X can run at any given timeslice, where X equals the number of CPU's/cores (virtual cores for HT) that you have. Finding the RF signature for a context switch would not be hard, since it is so repetitious.

  10. Tinfoil by Anonymous Coward · · Score: 1

    Are there any computer or laptop cases which can help to shield or contain information leakage like this from getting out?

    Tinfoil would seem an obvious solution. :-)

  11. Wow ... Cryptonomicon? by gstoddart · · Score: 1

    That's kind of amazing. We've all heard about it being theoretically true, and assumed it was totally implausible.

    Scary, and a little too sci-fi turned real.

    --
    Lost at C:>. Found at C.

  12. Bathroom prevents by Anonymous Coward · · Score: 0

    I understand that storing your mail server in the bathroom prevents this attack?

    1. Re:Bathroom prevents by beschra · · Score: 1

      Freezer is better. Put it next to your car keys.

      --
      It is unwise to ascribe motive

  13. Guess: Yes, because .. by burni2 · · Score: 4, Interesting

    Because even if you have 300 processes running, the 299 could be ignored because of their "cpu fingerprint".

    They do not occupy one CPU to the max, most processes running on a computer do just a bit more than nothing.

    I have the uncanny feeling that GnuPG is not parallelized at all.

    A crypto application however runs - if it's not parallelized - on one CPU-Core 100% for a depending on the processing power of the machine certain amount of time.

    (In crypto does not like timing sidechannel attacks)

    I guess, without having read the article, this specific burst of activity is where a crypto "broadcast" can be identified by.

    When I would attack a webserver's private key using this tactic, I would just initiate a https connection and send certain data and then would see what the spectrum says, I would then repeat it .. and I recognize patterns, and again and again and again, till I have gathered enough data.

    However I think your point hints at a possible counter measure, having similar fingerprints also similarly timed it would interfere with the "broadcast".

    1. Re:Guess: Yes, because .. by dargaud · · Score: 1

      However I think your point hints at a possible counter measure, having similar fingerprints also similarly timed it would interfere with the "broadcast".

      Yeah, when you are about to do a decryption, spawn a bunch of other processes tasked at decrypting bullshit at the same time.

      --
      Non-Linux Penguins ?

  14. *sigh* by sootman · · Score: 3, Insightful

    Tromer said that the changes make GnuPG Ãoemore resistant to side-channel attack since the sequence of high-level arithmetic operations does not depend on the secret key.Ã

    Hey, speaking of character encoding on Slashdot...
    - or -
    Hey, use the "Preview" button!

    Bonus funny: that changed from a lowercase 'a' with a '^' to an uppercase 'A' with a '~' while posting.

    --
    Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.

    1. Re:*sigh* by OverlordQ · · Score: 1

      > Hey, speaking of character encoding on Slashdot...

      You must be new here.

      --
      Your hair look like poop, Bob! - Wanker.

  15. Limit with external hard drives by gurps_npc · · Score: 1

    You can limit but not eliminate some of this risk by using high end low powered physical key pad based flash drives. They come with an internal security, all powered by a tiny watch battery.

    While you can still do some side surfing on them, the minute power of the battery makes using Van Eck phreaking much harder. Of course, you still have the problem of the monitor, but at least you have kept the keys secret.

    --
    excitingthingstodo.blogspot.com

  16. Not only but also by wonkey_monkey · · Score: 2

    not only separated by a physical wall, but protected by an air gap

    Normally you put the most surprising thing second. In this context a physical wall is an "air gap."

    --
    systemd is Roko's Basilisk.

    1. Re:Not only but also by Anonymous Coward · · Score: 0

      The order is the most surprising thing here. And it is, surprisingly, in the middle.

    2. Re:Not only but also by will_die · · Score: 1

      Not sure in the article but I would say not.
      The wall implies there was a way between the two computers but the air gap implies that the target, or attacker, computers were not on a network.

    3. Re:Not only but also by psycho12345 · · Score: 1

      In this case, given the context, it is the less surprising thing: The researchers do not have physical access to the target. Then follows the more surprising in that they don't have remote access either, just proximity alone.

  17. what was the selected message to decrypt? by Anonymous Coward · · Score: 0

    aaaaaa......aaaaaaabbbb......bbbbb.....?

  18. Very targeted by Anonymous Coward · · Score: 0

    The sheer number of processes and em waves emitted from a standard computer setup is not going to help in isolating the em output. Strangely enough you surfing around is more resistant to this than a machine used primarily to encrypt/decrypt. Makes an interesting case against single use compute time.