Slashdot Mirror

← Back to Stories (view on slashdot.org)

RSA Keys Can Be Harvested With Microphones (theregister.co.uk)

Posted by EditorDavid on from the sound-of-your-keys dept.

Researchers have now demonstrated that even with modern laptop, desktop, and server computers, an inexpensive attack can harvest 4,096-bit encryption keys using a parabolic microphone within 33 feet -- or even from 12 inches away, using a cellphone microphone. An anonymous reader quotes this article from The Register: In both cases it took an hour of listening to get the 4,096-bit RSA key... As a computer's processor churns through the encryption calculations, the machine emits a high-frequency "coil whine" from the changing electrical current flowing through its components... The team recommends encryption software writers build in "blinding" routines that insert dummy calculations into cryptographic operations. After discussions with the team, GNU Privacy Guard now does this.

28 of 157 comments (clear)

  1. Old news by NotInHere · · Score: 4, Informative

    How is this not a reiteration of this old attack from 2014: http://www.tau.ac.il/~tromer/h...

    1. Re:Old news by Anonymous Coward · · Score: 3, Interesting

      It's a different side channel attack, by some of the same people from the same lab.

  2. Play an MP3 at the same time by Anonymous Coward · · Score: 5, Funny

    Play an MP3 at the same time so they get a audio download then send them a DCMA takedown notice :)

  3. Re:Get a stronger PSU by geekmux · · Score: 5, Insightful

    33 feet which is 10 meters, easy to spot, hardly "low key" (ehm) eves dropping. I would imagine the eves dropper would get a bloody nose before getting to the door...

    I'll remember you said that when you discover that "innocent" cell phone charger sitting in the corner of your office is actually a microphone with a 64GB microSD card and SIM card inside, dumping a day's worth of key listening across a covert channel, to include your voice conversations.

    Or perhaps the device listening will be your cell phone itself. After all, those never get hacked.

    Perhaps you should start considering the fact that it's hardly a human sitting in the room listening to high-frequency whine, nor does it need to be. Good luck with your bloody nose defense.

  4. Re:Get a stronger PSU by wonkey_monkey · · Score: 3, Interesting

    The Open source implementation Is WEAKER since we now know HOW they perform the DUMMY CALCULATIONS.

    Yes, because obviously they were going to perform exactly the same dummy calculations every time in exactly the same place.

    Oh, no, wait, not everyone is as dumb as you.

    --
    systemd is Roko's Basilisk.
  5. Car analogy please by wonkey_monkey · · Score: 4, Insightful

    Can someone explain, vaguely, possibly with a car analogy, how they go about determining keys with coil whine? Is it because the same calculations are made over and over as it churns through data encrypting/decrypting it, so after listening long enough some kind of clues can be gathered about what bytes are in the key? I mean, I assume it's not as a simple as listening and going "Ooh, 14.5Khz, that's 0xBE."

    --
    systemd is Roko's Basilisk.
    1. Re:Car analogy please by Opportunist · · Score: 4, Informative

      What happens in such attacks is that there are different calculation paths for different results, and by "watching" (or in this case, listening to) the CPU perform, you can tell what calculation paths it took and determine from this what input it used.

      A vague analogy would be that the CPU is giving off long and short beeps, and by listening to them and noticing when and how long it beeps you can assemble something akin to a Morse alphabet.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    2. Re:Car analogy please by PopeRatzo · · Score: 2, Funny

      Can someone explain, vaguely, possibly with a car analogy, how they go about determining keys with coil whine?

      OK, imagine a '63 Bel Air with hydraulic suspension and a horn that plays "La Cucaracha". It is traveling from Modesto to the Reservoir at exactly 48mph. Now imagine a 2006 Mercedes G-Class with extra-large wheels and spinning hubs that is booming some old-school NWA. It is traveling from Oakland to the Reservoir at exactly 52 mph.

      If someone had a listening device installed in both cars, the probability that the phrase, "You know, that Donald Trump makes some good points" would be heard approaches zero.

      I hope that clears it up.

      --
      You are welcome on my lawn.
    3. Re:Car analogy please by michelcolman · · Score: 4, Informative

      If you listen to a car going round a race track, the tire noise, engine rpms and gear shifts, all of that together could give you a pretty good idea of the length of the straights, the intensity of the curves, and the smoothness of the road surface in various places. Listen to enough cars, and you may be able to reconstruct the entire track.

      The cpu is the race car, the track is the RSA algorithm for that specific key.

    4. Re:Car analogy please by Lumpy · · Score: 2

      in otherwords... it's a non exploit and only a proof of concept under very controlled environment and test parameters.

      --
      Do not look at laser with remaining good eye.
    5. Re: Car analogy please by Impy+the+Impiuos+Imp · · Score: 2

      Pre-gps navigation did this using "dead reckoning" (which is still built in). Based on speed, distance, and angle, it can match you to locations on the map. It could take a while, with a number of samples, but can be done. There are only a finite number of distance-intersection pair chains before it narrows down to one.

      --
      (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
  6. Re:Play music at the same time by TheReaperD · · Score: 4, Interesting

    That most likely won't work as they can simply discard all noise not part of the frequency range they are looking for which is trivial if the other sounds don't emit that range. As these are ultra-high frequency sounds, no MP3s or even FLAC files will have them as these ranges are discarded to keep the file size down. You'd have to be running the ultra quality studio files to even have a chance of having these ranges play but, as these are ranges that humans can't hear, they are only going to be there by accident, not intent and you won't be able to tell if they do or don't. Now, it would be possible to create audio tracks with these ranges for the express purpose of fouling these sort of attacks but, there would need to be many of them so there can be some form of randomness to prevent prediction attacks. Updating encryption systems to add junk processes at random would be an easier method of thwarting these however, it will take some time for everyone to update.

    --
    "Be particularly skeptical when presented with evidence confirming what you already believe." -
  7. Re:Get a stronger PSU by PPH · · Score: 4, Insightful

    Stronger PSU -> Bigger coils. It's the coil core that whines due to magnetostriction.

    A laptop won't be of much help. There are a number of buck-boost voltage converters on the motherboard that provide all the different voltage levels needed by the CPU, memory, logic, etc. They use switch mode topologies, which incorporate coils. The alternative, linear regulators, produce a lot of heat due to inefficiency. So laptops are likely going to be better targets.

    --
    Have gnu, will travel.
  8. Re:Get a stronger PSU by compro01 · · Score: 2, Interesting

    Not if you're looking at a server in a datacentre. The bad guys can just rent a space in the next rack over and you're totally unaware that they're busy vacuuming up your keys for later exploitation.

    --
    upon the advice of my lawyer, i have no sig at this time
  9. Re:Baloney by Antique+Geekmeister · · Score: 4, Insightful

    There is a great deal of "carefully selected hardware" in the world, especially in secure civilian and military installations, equipment which could present a broad and lucrative attack surface to such tools. And a good security vulnerability report is also much like a good scientific experiment: enough detail is included to allow clear repetition of the attack, without accidental disparities in the testing conditions obscuring the results.

  10. Re:Baloney by PopeRatzo · · Score: 2

    There is no way on a real system this would work.

    Especially since that loud knocking my hard drive's been making for the past week would totally drown out the coil whine.

    I'm hoping that knocking sound goes away. Sometimes these things fix themselves, you know?

    --
    You are welcome on my lawn.
  11. Re:I'm safe! by jmccue · · Score: 4, Funny

    Glad I stuck to my guns and stayed with rot13

  12. Re:Baloney by michelcolman · · Score: 2

    There is no way on a real system this would work.

    Famous last words.

  13. Re:Get a stronger PSU by EvilSS · · Score: 4, Funny

    Not if you're looking at a server in a datacentre. The bad guys can just rent a space in the next rack over and you're totally unaware that they're busy vacuuming up your keys for later exploitation.

    Just install some of those oldschool EMC storage towers that sound like jet engines running 24/7. Sure your DC employees will go deaf but your keys won't leak!

    --
    I browse on +1 so AC's need not respond, I won't see it.
  14. Re:Baloney by EvilSS · · Score: 4, Funny

    There is no way on a real system this would work.

    Especially since that loud knocking my hard drive's been making for the past week would totally drown out the coil whine.

    I'm hoping that knocking sound goes away. Sometimes these things fix themselves, you know?

    Well the good news is that it's pretty much guaranteed to go away on it's own. Now as for the bad news....

    --
    I browse on +1 so AC's need not respond, I won't see it.
  15. Man, this has to be a hoax by jones_supa · · Score: 2

    This possibly can't be real or, these guys are geniuses. Certainly the coil whine will change depending on the load of the machine. However, there's so much stuff happening in a CPU and the system bus that I find it extremely hard to believe that you could listen to any specific numbers. There's also all sorts of power filtering going on and there's decoupling capacitors on the chips.

    However, if this is real, then I assume that listening to network traffic would be doable as well.

  16. Re:Baloney by JustAnotherOldGuy · · Score: 3, Funny

    I'm hoping that knocking sound goes away. Sometimes these things fix themselves, you know?

    The knocking sound means that your system is low on hard drive oil.

    Just get a can of WD-40, drill a small (1/8") hole in the drive, and spray a couple of healthy blasts of the WD-40 into the drive. This will almost always cure the knocking sound.

    --
    Just cruising through this digital world at 33 1/3 rpm...
  17. A good covert attack by Anonymous Coward · · Score: 4, Interesting

    Reminds me of a differential power analysis attack but that requires physical access to the machine. With this microphone attack you just need to know which type of machine it is and proceed in a completely covert manner.

    It always amazes me how inventive a determined attacker can be. On a defense project back in the 90's we had to keep our analog phones six feet away from CRTs to prevent monitor EMI from entering the phone line. That EMI could be analyzed by a third party to recreate the monitor's image.

  18. Re:Baloney by JustAnotherOldGuy · · Score: 4, Funny

    There is no way on a real system this would work.

    Famous last words.

    Along with:

    "He'll stop, we have the right of way!"
    "I'm sure it's unloaded."
    "Of course I'm sure that the other guy shut the power off."
    "If taking one of these pills is good, taking three means it'll work really fast."
    "Oh yeah, it's strong enough to hold us."
    "Watch this!"

    --
    Just cruising through this digital world at 33 1/3 rpm...
  19. Re:Baloney by iggymanz · · Score: 2

    this trick can also save your cars blinker lights when they get low on blinker fluid. but wd-40 can't be used to save rear muffler bearings, you need something more viscous like jello

  20. Re:OK this just boggled my mind by avoisin · · Score: 2

    Looking for a pattern, that's why it takes an hour. You're looking for a pattern in the noise that repeats, then looking for subtle variations in the pattern to pick out the specific bits. There's a lot of other noise from other sources, but if you listen long enough, you know the length and frequency of the pattern you're looking for, you'll still be able to pick it out.

    This won't work as something that happens in a one off, and you still need the target machine to be compromised to be repeatably getting the pattern to be created in the first place. That said, it is still impressive, and it shows that the target algorithm needs more randomization, which is the fix that was mentioned. I do this in firmware that I write, I don't hide the private keys all in one variable, I have them cut apart in pieces so that you can't just read my firmware and try every contiguous 4,096 bit block and see if it's my private key.

  21. Re:Get a stronger PSU by Lumpy · · Score: 2

    If it has a self deploying parabolic microphone that aims at the target, I'll be firstly impressed, and secondly take it apart for the very cool servo deployable parabolic dish and aiming system.

    --
    Do not look at laser with remaining good eye.
  22. Video by nsaspook · · Score: 4, Informative

    https://youtu.be/DU-HruI7Q30

    --
    In GOD we trust, all others we monitor.