RSA Keys Can Be Harvested With Microphones

Researchers have now demonstrated that even with modern laptop, desktop, and server computers, an inexpensive attack can harvest 4,096-bit encryption keys using a parabolic microphone within 33 feet -- or even from 12 inches away, using a cellphone microphone. An anonymous reader quotes this article from The Register: In both cases it took an hour of listening to get the 4,096-bit RSA key... As a computer's processor churns through the encryption calculations, the machine emits a high-frequency "coil whine" from the changing electrical current flowing through its components... The team recommends encryption software writers build in "blinding" routines that insert dummy calculations into cryptographic operations. After discussions with the team, GNU Privacy Guard now does this.

I'm safe!

Even if they have my RSA keys, they don't have my RSA locks!

Re:I'm safe!

[jmccue]

Glad I stuck to my guns and stayed with rot13

Old news

[NotInHere]

How is this not a reiteration of this old attack from 2014: http://www.tau.ac.il/~tromer/h...

Re:Old news

It's a different side channel attack, by some of the same people from the same lab.

Re:Get a stronger PSU

33 feet which is 10 meters, easy to spot, hardly "low key" (ehm) eves dropping.

I would imagine the eves dropper would get a bloody nose before getting to the door. All this fancy tech can be beaten by a low tech method. A blow to the face. The same low tech method can also obtain passwords from victims.

Play an MP3 at the same time

Play an MP3 at the same time so they get a audio download then send them a DCMA takedown notice :)

Re:Get a stronger PSU

[KiloByte]

Just look at the open source, and then adapt your eves dropping to accommodate. This is where closed source prevails. No leaking implementation details.

Some of us know how to RTFB.

Re:Get a stronger PSU

[geekmux]

33 feet which is 10 meters, easy to spot, hardly "low key" (ehm) eves dropping. I would imagine the eves dropper would get a bloody nose before getting to the door...

I'll remember you said that when you discover that "innocent" cell phone charger sitting in the corner of your office is actually a microphone with a 64GB microSD card and SIM card inside, dumping a day's worth of key listening across a covert channel, to include your voice conversations.

Or perhaps the device listening will be your cell phone itself. After all, those never get hacked.

Perhaps you should start considering the fact that it's hardly a human sitting in the room listening to high-frequency whine, nor does it need to be. Good luck with your bloody nose defense.

Smart cards?

I wonder how vulnerable smart cards are. In particular, I've been using an YubiKey for most of my RSA needs.

Re:Get a stronger PSU

[wonkey_monkey]

The Open source implementation Is WEAKER since we now know HOW they perform the DUMMY CALCULATIONS.

Yes, because obviously they were going to perform exactly the same dummy calculations every time in exactly the same place.

Oh, no, wait, not everyone is as dumb as you.

Car analogy please

[wonkey_monkey]

Can someone explain, vaguely, possibly with a car analogy, how they go about determining keys with coil whine? Is it because the same calculations are made over and over as it churns through data encrypting/decrypting it, so after listening long enough some kind of clues can be gathered about what bytes are in the key? I mean, I assume it's not as a simple as listening and going "Ooh, 14.5Khz, that's 0xBE."

Re:Car analogy please

[Opportunist]

What happens in such attacks is that there are different calculation paths for different results, and by "watching" (or in this case, listening to) the CPU perform, you can tell what calculation paths it took and determine from this what input it used.

A vague analogy would be that the CPU is giving off long and short beeps, and by listening to them and noticing when and how long it beeps you can assemble something akin to a Morse alphabet.

Re:Car analogy please

[PopeRatzo]

Can someone explain, vaguely, possibly with a car analogy, how they go about determining keys with coil whine?

OK, imagine a '63 Bel Air with hydraulic suspension and a horn that plays "La Cucaracha". It is traveling from Modesto to the Reservoir at exactly 48mph. Now imagine a 2006 Mercedes G-Class with extra-large wheels and spinning hubs that is booming some old-school NWA. It is traveling from Oakland to the Reservoir at exactly 52 mph.

If someone had a listening device installed in both cars, the probability that the phrase, "You know, that Donald Trump makes some good points" would be heard approaches zero.

I hope that clears it up.

Re:Car analogy please

[michelcolman]

If you listen to a car going round a race track, the tire noise, engine rpms and gear shifts, all of that together could give you a pretty good idea of the length of the straights, the intensity of the curves, and the smoothness of the road surface in various places. Listen to enough cars, and you may be able to reconstruct the entire track.

The cpu is the race car, the track is the RSA algorithm for that specific key.

Re:Car analogy please

[AmiMoJo]

It takes an hour of continuous use it the key before they can reproduce it. The measurements they take on each use of the key are not very accurate, but with millions of them they can narrow the possibilities down to something they can brute force.

Re:Car analogy please

[TechyImmigrant]

Can someone explain, vaguely, possibly with a car analogy,

Paul Kocher gets in a car, drives to work, gathers data from a sensor near a device performing the same calculation many times, does bayesian statistics on the data to determine what is noise and what is signal, then recovers the key.

Re:Car analogy please

[wonkey_monkey]

How likely is it for a computer to be continuously encrypting/decrypting for an hour with the same key?

Re:Car analogy please

[Lumpy]

in otherwords... it's a non exploit and only a proof of concept under very controlled environment and test parameters.

Re:Car analogy please

[johannesg]

So we are supposed to believe that different paths, which incidentally occur at a rate of around 4GHz or so, can be 'heard' in an audio stream that has a resolution of maybe 44KHz or so? In an environment that is not free of noise either - fans, other components doing other things, etc.

I find the whole thing very hard to believe.

Re:Car analogy please

[Impy+the+Impiuos+Imp]

So we are supposed to believe that different paths, which incidentally occur at a rate of around 4GHz or so, can be 'heard' in an audio stream that has a resolution of maybe 44KHz or so? In an environment that is not free of noise either - fans, other components doing other things, etc.

I find the whole thing very hard to believe.

Indeed, but proof of concept is amazing.

I recall 25 years ago some guy with "$2000 of Radio Shack hardware" was able to discern key strokes and video signals from the electron gun of the monitor tube. Nobody thought this possible. Now the government has their Faraday cage room for sensitive computers.

Everything since then has been refinement on this. They could do this already based on EMF, but on audio whine is doubly impressive.

Re: Car analogy please

[Impy+the+Impiuos+Imp]

Pre-gps navigation did this using "dead reckoning" (which is still built in). Based on speed, distance, and angle, it can match you to locations on the map. It could take a while, with a number of samples, but can be done. There are only a finite number of distance-intersection pair chains before it narrows down to one.

Re:Car analogy please

[Shinobi]

25 years ago? Try the late 70's, when multiple groups all over the world independently discovered it, one of those teams being engineers at Ericsson. The first public description of the issue was in 1985, by Wim Van Eck.

Re:Car analogy please

[chuckugly]

If the people running the attack can access the surface you're protecting with crypto, 100%

Re:Car analogy please

[wonkey_monkey]

Follow-up question: can someone explain how I got modded "Insightful" for asking a question and specifically demonstrating my lack of knowledge?

Re:Car analogy please

[UnderCoverPenguin]

The research mentioned in the OP does not mention anything beyond capturing the RSA or ElGamal keys. However, in normal use, these keys are used to create "session keys" (also known as "message keys"). From http://www.pgpi.org/doc/pgpint... (PGP is the forerunner of GPG, which was designed to inter-operate with PGP)

PGP then creates a session key, which is a one-time-only secret key. This key is a random number generated from the random movements of your mouse and the keystrokes you type. This session key works with a very secure, fast conventional encryption algorithm to encrypt the plaintext; the result is ciphertext. Once the data is encrypted, the session key is then encrypted to the recipient's public key. This public key-encrypted session key is transmitted along with the ciphertext to the recipient.

From the same page

A digital certificate consists of three things: A public key. Certificate information. ("Identity" information about the user, such as name, user ID, and so on.) One or more digital signatures.

Also, the page describes PGP Certificates as including

The certificate holder's public key — the public portion of your key pair, together with the algorithm of the key: RSA, DH (Diffie-Hellman), or DSA (Digital Signature Algorithm).

There is no description of a procedure for deriving any kind of intermediate key from the public key in the certificate.

So, the 4096 bit keys discussed in the OP might be the public keys contained in the certificates. In which case, these 4096 bit keys might be in use for months or years.

I hope there actually are intermediate keys being generated. If not, a disruptive redesign of the encryption tools we use will be needed. However, any existing encrypted files would still be subject to the analysis by the described attacks, so the "blinding" mentioned in the research would still be needed. Also, it does not mention anything about changes to how the keys are actually used.

Also, the OP (and headline) fails to mention that the research also discusses other methods, including a person, with a concealed device, merely resting their hand on the computer for a few seconds. I suspect this infers that blinding the analysis is even more important.

Re:Car analogy please

[lachlan76]

The actual multiplications are nowhere near as fast. A multiplication of an RSA-sized number takes thousands of cycles (see here), and modular arithmetic of that size is even slower. 44kHz corresponds to a sample per 45k 2GHz cycles, and Montgomery multiplication as in the link above takes up to two adds per bit if you do it quickly and insecurely, with each taking on the order of 100 cycles. An exponentiation of a 1024-bit message will need therefore around 100k (average-case) cycles i.e. 2.5 audio samples. This will go increase at least quadratically with key size, meaning that with 2048-bits you're looking at ten samples on average.

In any case, they are a reputable bunch, you'll notice Shamir (the S in RSA) in the author list.

Re:Car analogy please

[johannesg]

Analog signals are captured in analog fashion and can be used to reconstruct the original image. Sure, I buy that. But this... No, sorry. If anything, I'm inclined to believe that this news is simply a smoke screen; some method to point at when a private key has mysteriously been recovered using other ways (like a built-in weakness in the algorithm, for example).

Re:Car analogy please

[jrumney]

It's like when your mechanic hears your car drive up and says "ohh, it's going to cost you" before he's even seen your car.

Re: Car analogy please

[wonkey_monkey]

Aww, thanks, but there was really no need. Like, really.

Re:Car analogy please

[q4Fry]

Van Eck's exploit was used in a pivotal part of the Cryptonomicon that was honestly kind of silly. (MILD SPOILERS) If an adversary can do screen mirroring while you're in a prison they control, it is probably a given that they are also using statistical analysis on the sound made by your keyboard keys and the voltage fluctuations on the plug you're using to power your computer. Or (here's a thought) they could just film you from every angle.

Re:Play music at the same time

[TheReaperD]

That most likely won't work as they can simply discard all noise not part of the frequency range they are looking for which is trivial if the other sounds don't emit that range. As these are ultra-high frequency sounds, no MP3s or even FLAC files will have them as these ranges are discarded to keep the file size down. You'd have to be running the ultra quality studio files to even have a chance of having these ranges play but, as these are ranges that humans can't hear, they are only going to be there by accident, not intent and you won't be able to tell if they do or don't. Now, it would be possible to create audio tracks with these ranges for the express purpose of fouling these sort of attacks but, there would need to be many of them so there can be some form of randomness to prevent prediction attacks. Updating encryption systems to add junk processes at random would be an easier method of thwarting these however, it will take some time for everyone to update.

Baloney

[110010001000]

These "attacks" are always on carefully selected hardware running custom software. There is no way on a real system this would work.

Re:Baloney

[Antique+Geekmeister]

There is a great deal of "carefully selected hardware" in the world, especially in secure civilian and military installations, equipment which could present a broad and lucrative attack surface to such tools. And a good security vulnerability report is also much like a good scientific experiment: enough detail is included to allow clear repetition of the attack, without accidental disparities in the testing conditions obscuring the results.

Re:Baloney

[PopeRatzo]

There is no way on a real system this would work.

Especially since that loud knocking my hard drive's been making for the past week would totally drown out the coil whine.

I'm hoping that knocking sound goes away. Sometimes these things fix themselves, you know?

Re:Baloney

[michelcolman]

There is no way on a real system this would work.

Famous last words.

Re:Baloney

[EvilSS]

There is no way on a real system this would work.

Especially since that loud knocking my hard drive's been making for the past week would totally drown out the coil whine.

I'm hoping that knocking sound goes away. Sometimes these things fix themselves, you know?

Well the good news is that it's pretty much guaranteed to go away on it's own. Now as for the bad news....

Re:Baloney

[JustAnotherOldGuy]

I'm hoping that knocking sound goes away. Sometimes these things fix themselves, you know?

The knocking sound means that your system is low on hard drive oil.

Just get a can of WD-40, drill a small (1/8") hole in the drive, and spray a couple of healthy blasts of the WD-40 into the drive. This will almost always cure the knocking sound.

Re:Baloney

[JustAnotherOldGuy]

There is no way on a real system this would work.

Famous last words.

Along with:

"He'll stop, we have the right of way!"
"I'm sure it's unloaded."
"Of course I'm sure that the other guy shut the power off."
"If taking one of these pills is good, taking three means it'll work really fast."
"Oh yeah, it's strong enough to hold us."
"Watch this!"

Re:Baloney

[iggymanz]

this trick can also save your cars blinker lights when they get low on blinker fluid. but wd-40 can't be used to save rear muffler bearings, you need something more viscous like jello

Re:Baloney

[PopeRatzo]

The knocking sound means that your system is low on hard drive oil.

The guy from Geek Squad told me it was because I was using an unleaded power strip. He said they're better for the environment, but really mess up computer performance.

Re:Baloney

[Waffle+Iron]

I'm hoping that knocking sound goes away. Sometimes these things fix themselves, you know?

The knocking sound means that your system is low on hard drive oil.

Just get a can of WD-40, drill a small (1/8") hole in the drive, and spray a couple of healthy blasts of the WD-40 into the drive. This will almost always cure the knocking sound.

People never seem to get this straight: WD-40 is a water displacer. While it may help keep your hard drive from corroding, it won't properly lubricate the moving parts.

You need to squirt a generous amount of a suitable machine oil into your hard drive to properly address the noise. And don't forget to tape the hole when you're done: the oil can attract dirt that would mess up the delicate drive heads.

Re:Baloney

[TechyImmigrant]

These "attacks" are always on carefully selected hardware running custom software. There is no way on a real system this would work.

Yes. However these attacks show an attack works in principle and helps you understand what the bounds of the problem are and how to defend against it. The end result is that real products get made with all sort of mitigations against impractical attacks that might become practical given enough time or money.

Re:Baloney

What? No "Hold my beer"?

Re: Baloney

[110010001000]

Bullshit. I know how these "attacks" work. Every idiot comes out with one every few years in hope of getting some attention.

Re:Baloney

[david_bonn]

Probably.

I suspect that the exact signature of the coil whine is extremely system-dependent. Given that manufacturers often change parts even within a given model (especially of parts like capacitors) even "identical" models might have different coil whines. Coil whine is probably also very temperature sensitive, both to ambient temperature and how hard your PC is working.

One other thought is that TFA says that RSA keys can be extracted "within one hour". Does that mean you need to listen to coil whine for an hour to build up a big enough sample set? In which case this is a non-problem because no one ever spends a whole hour doing RSA encryption. Or does the "within one hour" refer to analyzing a much shorter sample? The article is ambiguous.

Finally, if the system jiffy time is small enough and the time to do an RSA encrypt/decrypt long enough one could probably blind this attack by running several cpu-intensive processes at the same time. Or at least make the attack much, much more expensive.

Re:Baloney

[DesertNomad]

You're crazy!

There's no way you need a 1/8" hole to put the WD-40 through, 1/16" is fine. In true Slashdot form, your idea sucks.

Re:Baloney

[Big+Hairy+Ian]

Along with:

"He'll stop, we have the right of way!" "I'm sure it's unloaded." "Of course I'm sure that the other guy shut the power off." "If taking one of these pills is good, taking three means it'll work really fast." "Oh yeah, it's strong enough to hold us." "Watch this!"

*Pulls finger*

Re:Baloney

[EndlessNameless]

The initial research has to be done that way. Just like any other kind of research and development, you need to eliminate variables to determine what can work and what won't.

Once you validate the concept, then you can start looking at implementing real-world, cost-controlled, mass-produced refinements.

I suspect it will be far more difficult in a real-world scenario because the real world is always more complex than the lab, but the underlying vulnerability is definitely there.

Fortunately or unfortunately, we will probably never hear of real-world cases. Anyone who develops this into a reliable surveillance tool is not going to publicize his success.

Re:Get a stronger PSU

[PPH]

Stronger PSU -> Bigger coils. It's the coil core that whines due to magnetostriction.

A laptop won't be of much help. There are a number of buck-boost voltage converters on the motherboard that provide all the different voltage levels needed by the CPU, memory, logic, etc. They use switch mode topologies, which incorporate coils. The alternative, linear regulators, produce a lot of heat due to inefficiency. So laptops are likely going to be better targets.

Re:Get a stronger PSU

[compro01]

Not if you're looking at a server in a datacentre. The bad guys can just rent a space in the next rack over and you're totally unaware that they're busy vacuuming up your keys for later exploitation.

Re: Get a stronger PSU

Wonkey monkey may not have done but ive got quite familiar with it over the last 3 days. Your assumption was pretty stupid to be fair. And incorrect.

Always Another Way...

[ytene]

Whilst I am prepared to accept the findings of this research and happy to accept that in principle it is possible to infer the calculations being performed by a computer system using nothing more than the "background noise", they produce, I have to believe that there are a myriad of easier ways that the same information could be obtained:-

https://xkcd.com/538/

It is likely that these attacks may be attempted by government agencies looking to crack encryption operated by foreign powers. However, in the majority of the cases I've personally looked at, I see poorly-implemented surrounding controls. Issues include having passphrase data stored on a computer so that an application can decrypt traffic without human intervention, only to have that passphrase file left protected by nothing more than local file system permissions. Let's be honest, owning the file with root and setting permissions to rw-/---/--- aren't going to pose much of a problem to a determined attacker, are they?

This is one of the fundamental issues with encryption: people believe that because they are using high strength key lengths that they are secure; no thought is given to local protection of critical data, to PRNG entropy, to side channel data.

Too many people get blinded by, "Oh, it's OK, it's encrypted", when that means squat if the related safeguards are compromised...

Re:Always Another Way...

[epine]

After only the thousandth trip down the rubber hose, $5 wrench, and single-ended extension cord & lavage basin aisle (special today-only if purchased together) I finally figured out that the core of this joke is actually narcissism.

***

Two agents dressed in black are confronted with a hapless chump, yanked out of bed at 04:00, now seated securely in front of them in a creaky wooden chair (missing most of its seat bottom) in his Dr No. vs Dr Evil footie pyjamas, refusing to give up his password at least until they serve him a fair-trade, organic, single origin Ethiopian peaberry so he can properly recover his wits.

Behind the observation screen.

"Does he want if flown in fresh from Africa this very morning?"

"I know some guys who could arrange to scramble a jet for a mere $12 large under the table."

"Risky. I don't think he's gonna sit there quietly for four hours. Once he notices the damage we've done to this footie pyjamas, he's gonna Hulk-up and destroy the entire facility. Have we got a faster, less expensive option?"

"For $240 we could scramble a hover-drone from Slacker's Choice. They've got one now that dangles a drogue-straw, completely hands-free."

"Innovative. That can't just be for our benefit. There's got to be some cover."

"Think I've got it figured. Like—here's a scenario—your dom gets a text message, then during the message storm—a natural dom always has to get the last word—leaves the room to get some munchies—"

"—shitty dom who won't even stay in character when the phone rings—"

"—no!—from his twisted point of view, it is in characterthe sub has to suffer through all the crunching and spooning sounds while being ignored for some stupid text barrage—but, and here's the thing, the sub has this figured before hand, and there's this iPhone app and the sub merely mumbles, or groans, or croaks the word "drogue" and the whole transaction is automatic, right down to geolocation of the right floor and window."

"We can't even do that."

"Which part? Bound-and-gagged speech recognition, or cell-based geolocation to a single window?"

"Only a muffled 'yerrrg!' comes though one of my gags, and it always means the same thing. The window bit."

"Yes, but we're just a single agency—a large, well funded agency with all the best toys—but even so, we can only stay a step ahead of the consumer flood up to a point."

"Yeah, I know what you mean. They've got the two of us detailed to extract just one password from one chump in his footie pyjamas. That's got to be hard to scale. You can get yourself a $5 wrench just about anywhere, but they don't hand out these retinal-projection aviator glasses without a year of hard-core indoctrination."

"Don't forget the three-hour semi-annual flutter."

"Or peeing into a bottle after every stat."

"Come to think of it, that can't be cheap, either."

"Equip that $240 drogue with a parabolic antenna, we could soon be out of a job."

"Ssssssh. Wipe that from your day log. Right now. If HQ clues into the economics of all this at scale, the glory days of hardware store expense accounts are over and done with."

MIB #2 sets his neuralyzer to 15 s. There's a bright flash. In perfect synchrony, both pairs of aviator glasses negate, dump, and eschew 15 s of recorded history—and the workings of the astrobuck underworld are spared from economic insight, yet again.

"So, what happened to the sub?"

"Well, the dom comes back into the room and the sub is sipping fair-trade, organic, single origin Ethiopian peaberry from a hovering straw."

"What about the gag?"

"Trivial, my dear Watson. The drogue contains a flexible plastic liner which is threaded into one nostril, through the sinus, right onto the taste buds."

"Without sneezing?"

"High-tech plastic, with a special c

Re:Always Another Way...

[buck-yar]

Its probably easier to gain someone's password by listening to their keyboard presses.

Re:Always Another Way...

[Qzukk]

The wrench is unbeatable when you have a specific person in mind. Sure, there's probably less violent and, shall we say... satisfying ways of getting the information, but application of the wrench doesn't require any fancy analysis or much know-how at all.

However, what if we wish to apply the wrench to every single person? That takes a lot of time and manpower. Even without the wrench, having someone take a look at the computer to see what is exploitable on it is a bit on the time consuming side, even if we automate the exploits by redirecting popular websites like slashdot.

In that case, it's much cheaper to install microphones everywhere.

Re:Get a stronger PSU

[EvilSS]

Not if you're looking at a server in a datacentre. The bad guys can just rent a space in the next rack over and you're totally unaware that they're busy vacuuming up your keys for later exploitation.

Just install some of those oldschool EMC storage towers that sound like jet engines running 24/7. Sure your DC employees will go deaf but your keys won't leak!

Man, this has to be a hoax

[jones_supa]

This possibly can't be real or, these guys are geniuses. Certainly the coil whine will change depending on the load of the machine. However, there's so much stuff happening in a CPU and the system bus that I find it extremely hard to believe that you could listen to any specific numbers. There's also all sorts of power filtering going on and there's decoupling capacitors on the chips.

However, if this is real, then I assume that listening to network traffic would be doable as well.

Re:Man, this has to be a hoax

[yes-but-no]

Seems a hoax; CPU processes using electrons; sound travel is mechanical. air-molecules vibrating can never carry the bandwidth of the coil-whine (whatever that is, I assume a disturbance in air surrounding the electro-magnetic changes inside the CPU). Is it april 1?

Re:Man, this has to be a hoax

[andrew71]

That's the first thing I thought myself. Actually, I looked for a April 1 timestamp.

Re:Man, this has to be a hoax

[swalve]

It belongs in the bin with the "you can spy on someone's internet by recording the LEDs!" Nonsense.

Re:Man, this has to be a hoax

[swalve]

(The LEDs on the modem. Dammit!)

Re:Man, this has to be a hoax

[jones_supa]

I still find it very strange that it would work. A CPU can have millions of transistors changing state at any given moment, in an asynchronous out-of-order fashion. Add to that all the other components in a PC, bus talk, etc. Even if we got an accurate print of all of the digital chatter happening in a PC, it would be nearly impossible to derive anything specific from that. A power filtering coil is an even much more crude component. You can hear big changes like CPU/GPU frequency stepping, but that's all.

Re:Man, this has to be a hoax

[110010001000]

Bullshit. Computers are always running millions of instructions per second. You cannot isolate "your instructions" by listening. You might be listening to known instructions in a loop, but that isn't realistic. Complete bullshit.

Re:Man, this has to be a hoax

[EndlessNameless]

Someone obviously didn't read the article.

The microphone listened while the system processed chosen ciphertext.

It is necessary to interact with the server somehow while recording, as it must be decrypting specific data.

This limits the scope of the attack significantly, but extremely resourceful organizations could probably manage it somehow.

Re:Man, this has to be a hoax

[jones_supa]

Thanks for the information. That certainly changes the whole picture a bit.

A good covert attack

Reminds me of a differential power analysis attack but that requires physical access to the machine. With this microphone attack you just need to know which type of machine it is and proceed in a completely covert manner.

It always amazes me how inventive a determined attacker can be. On a defense project back in the 90's we had to keep our analog phones six feet away from CRTs to prevent monitor EMI from entering the phone line. That EMI could be analyzed by a third party to recreate the monitor's image.

Re:A good covert attack

[jones_supa]

The scanning frequency of a CRT monitor is much higher than what a phone captures. There's no realistic way in which the other end could've recreated the picture.

Re:A good covert attack

[Shinobi]

He's not talking about audio, he's talking about EM, which could indeed be snooped upon via induction in cables etc, even when you couldn't snoop in on the monitor directly.

OK this just boggled my mind

[JustNiz]

How the hell do they isolate the key from all that is going on around it?

Re:OK this just boggled my mind

[avoisin]

Looking for a pattern, that's why it takes an hour. You're looking for a pattern in the noise that repeats, then looking for subtle variations in the pattern to pick out the specific bits. There's a lot of other noise from other sources, but if you listen long enough, you know the length and frequency of the pattern you're looking for, you'll still be able to pick it out.

This won't work as something that happens in a one off, and you still need the target machine to be compromised to be repeatably getting the pattern to be created in the first place. That said, it is still impressive, and it shows that the target algorithm needs more randomization, which is the fix that was mentioned. I do this in firmware that I write, I don't hide the private keys all in one variable, I have them cut apart in pieces so that you can't just read my firmware and try every contiguous 4,096 bit block and see if it's my private key.

Re:Get a stronger PSU

[Desler]

The term is EAVESDROPPING.

Effectively requires root

[laughingskeptic]

In order to obtain the laboratory effect of single threaded decryption of 4,096 approximately 1Mbit files in sequence you would have to be root and generally have all "messy" asynchronous processing such as interrupts from the network card disabled. This is a lab-only non-realistic attack. If you had that much control over the CPU you might as well just read the key out of the registers as it is used.

Re:Effectively requires root

[NoseyNick]

Not true. See https://youtu.be/DU-HruI7Q30 as posted by someone else. If the machine was really busy doing other stuff, you'd have trouble, but if the machine is MOSTLY idle, apart from running GPG on your chosen cyphertexts, then occasional network interrupts and short-lived cronjobs and stuff won't be too much of a distraction. He even demonstrates that his machine is running something really short every second, doesn't matter, you can trick GPG into making your machine emit the tell-tale squeals for a decent fraction of a second, telling you about ONE bit of key. Repeat with carefully selected cyphertexts and you can extract 1 bit per second until you're done with a 4096-bit key in about a hour. The example in the video had GPG in Enigmail in Thunderbird decrypting your email on receipt. If you know enough about SSL you could fairly easily do this as a series of negotiations on any TLS port.

Re:Get a stronger PSU

[Lumpy]

If it has a self deploying parabolic microphone that aims at the target, I'll be firstly impressed, and secondly take it apart for the very cool servo deployable parabolic dish and aiming system.

Video

[nsaspook]

https://youtu.be/DU-HruI7Q30

How do they come up with this stuff

[skovnymfe]

How do they come up with this stuff? Seriously?

Re:Get a stronger PSU

[Khyber]

If your outlet is in/near a corner, it's already got a half-assed parabolic to use. The casing could be modified to act like a stethoscope, no parabolic needed then.

Re: Get a stronger PSU

[EvilSS]

Yep! Couldn't recall what the brand name on them were. Had a customer (big health care org) that had a dozen or so of them on their DC floor. It was virtually impossible to have a conversation anywhere near that area of the data center. I imagine if OHSA ever somehow wondered in there they would have had the admins wearing hearing protection by the end of the day. I felt bad for the EMC tech who always seemed to be there replacing a drive or other parts on them. Poor bastard was probably deaf.

Re:The Register jargon

[mars-nl]

It's British humour (that's British English for humor). I love it. And it's much better website than all other copy-paste tech news sites with 50 ads and 200 trackers.

Re:Get a stronger PSU

[PPH]

Saturation is more a factor of voltage, not current. But more current through an inductor requires a larger window (hole in core) and so more ferromagnetic material. Also, reducing saturation requires more winding turns (less volts per turn) and so a larger winding and bigger core. More core material will produce more sound, since magnetostriction is a percent change in the core dimensions due to flux density.

Mechanical damping is probably not feasible, since the materials (steel, nickel, cobalt, etc.) involved are very stiff and the damping structure would have to act against that. Encapsulating inductors in some sound deadening material could work. But it would interfere with thermal performance.

Doesn't work!!!

[floatpt]

Now I can't access the drive at ALL!! I'm really hoping it comes back I have a lot of photos and music that aren't backed up. Also, the knocking is still there.

Re:Doesn't work!!!

[JustAnotherOldGuy]

Now I can't access the drive at ALL!! I'm really hoping it comes back I have a lot of photos and music that aren't backed up. Also, the knocking is still there.

Just use more WD-40, a few more blasts ought to do it. Keep spraying until the knocking goes away.

Re:Get a stronger PSU

[TheRaven64]

This kind of defence (and, indeed, the masking described in TFS) don't normally work against this kind of side-channel attack. They increase the noise, but there's still signal. All that they do is drive up the number of samples that you need to be able to run the analysis. If you're lucky, then the number of samples that they need is more than the number of samples that they can record in the available time, but for long-lived keys this can be a very long time. It's also worth noting that with this kind of thing you don't need to recover the entire key - if you have the public key, then you can quickly verify whether a guess at the private key is correct. Over time, as you record the samples, you gain a greater probability of each bit being 0 or 1. You run a directed brute force attack, with the bits with the least confidence being flipped more frequently.

Re:Get a stronger PSU

[TheRaven64]

It doesn't matter. The dummy calculations add noise. You can filter it out by taking more samples (this is a well-known countermeasure in the side-channel literature). The attack is already designed to work with a noisy source, the defence just makes it more noisy.

Re:Play music at the same time

[jrumney]

Forgive my ignotance, but is this encryption running on a separate CPU with separate power supply coils etc from the mp3 decode?

Re:Play music at the same time

[TheReaperD]

The volume doesn't matter if you hit the right frequencies. With the wrong ones, they're usually still trivial to separate out on sophisticated equipment, though it might drown out a cell phone microphone. But, creating the audio files and playing them is fairly simple for anyone who knows what frequency range to hit. But, the simple act, much less the creation and implementation of these counter-measures puts it outside 90%+ of the worlds userbase. As usual, the biggest threat to IT security is the idiot between the keyboard and the chair.

Re:Play music at the same time

[TheReaperD]

No but, I get the impression from reading all of this that the decryption sequence can somehow be isolated from all of the other high frequency noise the CPU puts out while doing other tasks. Don't ask me how; that's out of my pay grade.

Hacked? Not needed

[phorm]

I doubt the cellular phone even needs to be hacked. Half the people around you probably already have an app around that's already listening (but don't worry, they say they're not).

Re:Hacked? Not needed

[peawormsworth]

an app.. that's already listening (but don't worry, they say they're not).

Actually, they usually say they are listening. And reading your contact list and many other things they don't need. And most people click to accept whether they know or do not know what they are agreeing to.

Re:Get a stronger PSU

[lsatenstein]

33 feet which is 10 meters, easy to spot, hardly "low key" (ehm) eves dropping. I would imagine the eves dropper would get a bloody nose before getting to the door...

I'll remember you said that when you discover that "innocent" cell phone charger sitting in the corner of your office is actually a microphone with a 64GB microSD card and SIM card inside, dumping a day's worth of key listening across a covert channel, to include your voice conversations.

Or perhaps the device listening will be your cell phone itself. After all, those never get hacked.

Perhaps you should start considering the fact that it's hardly a human sitting in the room listening to high-frequency whine, nor does it need to be. Good luck with your bloody nose defense.

Maybe we should go back to pen and paper and snail mail. Do you think that the microphone pickup of pen scratching could follow what was being written?
Why do we have to encrypt a file with AES and one key. Why not alternate allow encrypting 8/16 bytes with one key and the next 8/16 bytes with an alternative key. One algorithm or both could be AES, with the other, twofish. And use cypher block chaining.
 

Re:Get a stronger PSU

[gzuckier]

If your outlet is in/near a corner, it's already got a half-assed parabolic to use. The casing could be modified to act like a stethoscope, no parabolic needed then.

I wondered why the neighbor's satellite dish was pointed at my house, not the equator.

Re:Play music at the same time

[EndlessNameless]

They were sampling around 1.7 MHz for RSA keys.

Since human hearing tops out at 20-25 KHz, most speakers aren't built to emit sounds higher than maybe 30 KHz.

There isn't exactly a huge market for speakers in the ultrasonic range. I'm sure there are some niche cases, but don't expect to find usable hardware or audio samples at the local Best Buy.

Re:Get a stronger PSU

[geekmux]

33 feet which is 10 meters, easy to spot, hardly "low key" (ehm) eves dropping. I would imagine the eves dropper would get a bloody nose before getting to the door...

I'll remember you said that when you discover that "innocent" cell phone charger sitting in the corner of your office is actually a microphone with a 64GB microSD card and SIM card inside, dumping a day's worth of key listening across a covert channel, to include your voice conversations.

Or perhaps the device listening will be your cell phone itself. After all, those never get hacked.

Perhaps you should start considering the fact that it's hardly a human sitting in the room listening to high-frequency whine, nor does it need to be. Good luck with your bloody nose defense.

Maybe we should go back to pen and paper and snail mail. Do you think that the microphone pickup of pen scratching could follow what was being written? Why do we have to encrypt a file with AES and one key. Why not alternate allow encrypting 8/16 bytes with one key and the next 8/16 bytes with an alternative key. One algorithm or both could be AES, with the other, twofish. And use cypher block chaining.

Pen and paper? People are LAZY. They don't even type into their cell phones anymore, they speak to dictate commands, and use a fingerprint rather than a complex passcode. And while there are many of us that recognize the additional benefits of using multiple encryption methods/ciphers/algorithms, unless you make that the baseline, people will continue to be LAZY and do the bare minimum.

People despise real security because that takes effort to create those long complex passwords and remember them. It takes effort to remember where they put their 2FA token, so forget 2FA. It takes effort to click a few more buttons to encrypt backup files. I'm still amazed when I hear about someone being involved in an automobile accident how they would have been fine had they taken 5 seconds to buckle up. Even physical security can be a burden on the lazy human. Sad, but true.

Re:Get a stronger PSU

[peawormsworth]

Would it be possible to simply turn on a radio or have a random whine noise generating device?