NSA says: squeeeeeee!
December 19, 2013 6:56 PM   Subscribe

The attack can extract full 4096-bit RSA decryption keys from laptop computers ... within an hour ... using either a plain mobile phone placed next to the computer, or a more sensitive microphone placed 4 meters away. RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis

If this had come from anybody but Adi Shamir it would probably be dismissed as a cheap Hollywood fantasy:
Beyond acoustics, we demonstrate that a similar low-bandwidth attack can be performed by measuring the electric potential of a computer chassis. A suitably-equipped attacker need merely touch the target computer with his bare hand, or get the required leakage information from the ground wires at the remote end of VGA, USB or Ethernet cables.
posted by flabdablet (46 comments total) 30 users marked this as a favorite

 
PDF wasn't loading but this truly sounds like a bad movie, incredible if true.
posted by zeoslap at 6:58 PM on December 19, 2013 [1 favorite]


....aaand fixed. GnuPG users should probably update.
posted by flabdablet at 7:03 PM on December 19, 2013 [7 favorites]


In space, nobody can hear you decrypt.
posted by localroger at 7:04 PM on December 19, 2013 [1 favorite]


Here's a mirror of the PDF on my dropbox account.
posted by mathowie at 7:05 PM on December 19, 2013 [1 favorite]


Is this like when I plug cheap headphones into a cheap motherboard sound card and think I can hear the voice of God when my computer is doing worky works?
posted by lordaych at 7:05 PM on December 19, 2013 [8 favorites]


Another social network we'll have to give up.
posted by carping demon at 7:05 PM on December 19, 2013 [1 favorite]


Fuck it let's try radical transparency for a while.
posted by 2bucksplus at 7:07 PM on December 19, 2013 [4 favorites]


I'm going to start chewing kit kat wrappers in the hope the interference scrambles the signal. Damn you, Mercury fillings!
posted by arcticseal at 7:07 PM on December 19, 2013


So this was an attack on hardware and the OS didn't matter? I saw this earlier today and figured on the list of things I had to worry about it was pretty far down there even if true.
posted by cjorgensen at 7:08 PM on December 19, 2013


Radical transparency: monitoring activities from another dimension like a one way mirror. WTF AT&T, Y U ASK ME TO UPDATE OS JUST NOW
posted by lordaych at 7:10 PM on December 19, 2013 [1 favorite]


I'm pretty sure that this is similar to one of the hacking methods used in Cryptonomicon.

But seriously, if the problem is the audible noises made by the CPU, the solution would seem to be adding random noise by having the CPU perform unrelated random operations during a decrypt. Or just having a multi-core CPU running another operation in parallel. It seems pretty easy to foil.
posted by graymouser at 7:11 PM on December 19, 2013 [5 favorites]


This multi prong stuff is exhausting. Just put us in the Matrix and packet sniff my brain dude
posted by lordaych at 7:13 PM on December 19, 2013


Fuck. There's our priorities, in a nutshell. If the problem is a man doesn't have a job or food or healthcare, we're stymied. But if the problem is we can't see far enough up that man's ass, we can solve it even if requires magic.
posted by Benny Andajetz at 7:14 PM on December 19, 2013 [50 favorites]


Benny, securities researchers are gunna do security research.
posted by el io at 7:16 PM on December 19, 2013 [6 favorites]


I've skimmed the PDF, and it seems plausible to me.

Anecdotally, I recently used a GSM evaluation board that emitted some (very soft) audible clicking patterns when transmitting, which I assumed was due to some sort of parasitic piezoelectric effect from one or more of the capacitors.
posted by jcreigh at 7:18 PM on December 19, 2013


The solution is pretty cool. The last paragraph describes the RSA-specific fix.
posted by kiltedtaco at 7:20 PM on December 19, 2013


Shit. We're not even good at making secure code, and now we have to make quiet code?
posted by RobotVoodooPower at 7:20 PM on December 19, 2013 [3 favorites]


Too bad representatives gunna represent isn't a corollary.
posted by Benny Andajetz at 7:20 PM on December 19, 2013 [7 favorites]


I'm pretty sure that this is similar to one of the hacking methods used in Cryptonomicon.

That was Van Eck phreaking. IIRC, it's a method of spying on a computer by measuring the EM radiation coming off of the monitor. It doesn't get you the actual system processes, but it at least gets you what's being output on the screen.

This acoustical method is on a whole other level, though.
posted by Strange Interlude at 7:21 PM on December 19, 2013


the solution would seem to be adding random noise by having the CPU perform unrelated random operations during a decrypt

They talk about that in the Mitigation section.

This is not obvious stuff. Any naive guesswork about this based on a cursory reading runs right up against the fact that kilohertz-range acoustics shouldn't even be able to convey anything useful about operations at modern CPU speeds, even if they weren't parallelized and pipelined and hyperthreaded and contended the shit out of in any real world computing scenario. They're doing something a lot subtler here.
posted by George_Spiggott at 7:21 PM on December 19, 2013 [1 favorite]


Adi Shamir Facts dot com
posted by acb at 7:38 PM on December 19, 2013 [5 favorites]


There are interesting, tangentially related stories around so-called "gunshot detectors" and the Feds installing listening devices on city buses to eavesdrop on passengers. And Oakland's surveillance center was designed to track protestors. Ain't too likely these listening technologies pick up enough for key extraction, but still.
posted by jeffburdges at 7:56 PM on December 19, 2013 [2 favorites]




From scanning the intro, am I right in thinking they're using the attack cipher to generate a pulse at intervals which create a waveform which is detectable in the audible/acoustic range and using that waveform to infer the operations that created those pulses? That's pretty damned ingenious to begin with right there, never mind the analysis needed to decrypt that signal
posted by TwoWordReview at 8:00 PM on December 19, 2013 [2 favorites]


The citation of Genesis is highly amusing.
posted by 7segment at 8:15 PM on December 19, 2013 [2 favorites]


All the cool kids are still using one time pad. Or so I've heard.
posted by InsertNiftyNameHere at 8:55 PM on December 19, 2013 [1 favorite]


So long as they're careful about the way they rustle its pages, that should still be good.
posted by flabdablet at 9:01 PM on December 19, 2013 [3 favorites]


For what it's worth, this work was heavily foreshadowed nearly a decade ago by the same authors.

http://tau.ac.il/~tromer/acoustic/ec04rump/

This new result obviously represents a lot of work on top of that to actually extract the keys, but looking at the earlier results, especially when combined with papers like Remote Timing Attacks are Practical, it should have been clear that this kind of result was possible.

Other cool side channel attack papers:
(sp)iPhone - Using the accelerometer on a mobile phone that's sitting on a desk next to a keyboard to do keylogging
PIN Skimmer - Using the accelerometer to recover pins and passwords that are typed in on the phone itself
Differential Power Analysis - Using the power a computer uses to recover keys

This just starts to scratch the surface of side channel attacks. They're a really cool class of attacks that stem in a large part from the way computers multiplex resources. Detection and mitigation can be very complicated, especially when it comes to trying to perform crypto operations in constant time (see the remote timing attacks above for a great example).
posted by yeahwhatever at 9:03 PM on December 19, 2013 [16 favorites]


Their side channel doesn't even need microphones. They identify two other usable side channels: power consumption, and chassis potential. The last one is especially interesting, because a probe connected to ground can pick up relevant signals from anything touching the computer's chassis, such as an ethernet or a VGA cable. Or a person, although the attacker would need to spend an inordinate amount of time keeping one hand on the targeted computer.
posted by Joe in Australia at 10:15 PM on December 19, 2013 [1 favorite]


I love the citation of eavesdropping in the book of Genesis as "related work".
posted by problemspace at 11:12 PM on December 19, 2013


Benny Andajetz: "Fuck. There's our priorities, in a nutshell. If the problem is a man doesn't have a job or food or healthcare, we're stymied. But if the problem is we can't see far enough up that man's ass, we can solve it even if requires magic."

A favorite on this one wasn't enough. This is so damn true that I had to quote it so I could help reinforce this point. WTF is wrong with a system that acts like this?!? I fear it's beyond saving at this point.

My grandfather was an avid gardener in his retirement, and he was damn good at it (he was a former farmer), and I'm told that a neighbor of his commented to him, after surveying his vast surplus of food that my grandfather's family could never have hoped to consume, that my grandfather could make some decent cash by selling the surplus food. My grandfather responded that he'd rather give the food to anyone who was truly in need of it rather than see them go hungry while he made a profit from those who could afford to buy the food. Apparently that attitude is as dead now as my grandfather is. He would be disgusted.
posted by InsertNiftyNameHere at 11:43 PM on December 19, 2013 [2 favorites]


Except those who have chosen to profit on others, instead of feeding them, have also chosen to increase their power by eliminating our privacy. The work of these security researchers is not instead of feeding others; our ability to resist the will of the profiteers hinges upon their work--if we should choose to resist the status quo.
posted by insert.witticism.here at 1:24 AM on December 20, 2013 [1 favorite]


Are you seriously trying to draw an analogy between security researchers at universities doing public research and profiteering while people go hungry?

These are the people that are trying to make sure your information stays private. You'll notice this vulnerability is already patched in major implementations. Prior to this publication the only people who might have had access to these types of attacks could defend against them. Thanks to this paper, and other work in the field, your information is now safer and depending on who you are, this could mean a lot.

I understand being frustrated at a system which inordinately funds research which has potential weapons applications, but the idea that the people doing this research are callous asshole-peerers or gleefully raking in the cash while watching people starve seems like a misdirection of your unhappiness with the status quo.

(With the NSA angle, there are two possible reactions I can imagine are happening internally. Either they don't care because they have better ways of accomplishing the same goals, or they are unhappy because one of their methods is now public and is patched. The chances of them reading this research and being gleeful over a new attack metric is very, very low. As the tempest link above might illustrate, this is the type of realm that the US Govnt has been interested in for a really long time.)
posted by yeahwhatever at 1:29 AM on December 20, 2013 [14 favorites]


So every terrible Hollywood film where the spies just attached a tiny black box to the back of a PC turns out to be accurate.
I suppose in this new world at least viruses will be easier to spot because they'll all flood the screen with skulls and flames and shit.
posted by fullerine at 1:59 AM on December 20, 2013 [5 favorites]


Critics on this thread are not suggesting that cryptanalysts should all beat their motherboards into plowshares. They are lamenting that we as a species have built a society where that has not happened organically.
posted by radicalawyer at 5:41 AM on December 20, 2013 [2 favorites]


I never learnt a thing past GIGO myself.

*strokes beard*

In my considered opinion, gentle observer, this is simply a syntax error.

Shall we return to BASIC?
posted by infini at 6:09 AM on December 20, 2013


Suggestions of injecting randomness always seemed good but it looks like hardware random generators could already be compromised.

Resistance is Futile.
posted by sammyo at 6:27 AM on December 20, 2013


he'd rather give the food to anyone who was truly in need of it rather than see them go hungry

He was retired. How'd he manage that, by vibrating so much Good Karma that the universe just bestowed a 401(k) on him? I suppose it would be a 403(b), but you get the idea.
posted by yerfatma at 7:35 AM on December 20, 2013


kiltedtaco: The solution is pretty cool. The last paragraph describes the RSA-specific fix.

That is neat! And relatively simple to understand -- I was expecting true gobbledygook (I find abstract algebra as a subject to be an effective blinding function all on its own).
posted by bluefly at 8:06 AM on December 20, 2013


Are you seriously trying to draw an analogy between security researchers at universities doing public research and profiteering while people go hungry?

The point about priorities isn't an indictment of the researchers. Of course, that's their job. But it is an indictment of a system that promotes this type of advanced technology while neglecting basic needs. To paraphrase the discussion upthread: yes, we're paying for security researchers to research security, but it would also be nice to be paying for [basic care providers] to [provide basic care].
posted by So You're Saying These Are Pants? at 11:43 AM on December 20, 2013 [1 favorite]


he'd rather give the food to anyone who was truly in need of it rather than see them go hungry

He was retired. How'd he manage that, by vibrating so much Good Karma that the universe just bestowed a 401(k) on him? I suppose it would be a 403(b), but you get the idea.


What's your point, exactly? Someone does something charitable and, well, fuck them I guess because they had the audacity to not end up destitute and homeless in their old age?

Your comment comes across as desperately looking for something to take umbrage with.
posted by Dark Messiah at 12:07 PM on December 20, 2013 [1 favorite]


OK, can someone summarize for me how operations at gigahertz can be sampled at kilohertz and retain any information beyond "Yup, the power's on" and "Ooh, the CPU must be busy now"?

And, yes: if you're intercepting acoustic signals, you're sampling the signals. It's just through a helluva complicated filter.
posted by IAmBroom at 2:07 PM on December 20, 2013


They're relying on knowledge of how the algorithm handles specific cases during the loops. Basically they create a piece of cyphertext which is padded in such a way that they know if bit q(i) is a 0 it'll go through x loops to calculate whereas if it is a 1 it'll go through y loops, where there is a big difference between x and y. Since there is a big difference in the number of loops taken to calculate (several milliseconds) if the current bit under attack is a 1 or a 0, the difference in the audio leakage from the voltage regulator circuit between the two operations is discernible within the acoustic spectrum.

The attack can only check for 1 bit at a time and in order to determine bit q(i) of the key, you need to know what q(i-1) was and so on until you get through all 4096 bits.
posted by TwoWordReview at 2:53 PM on December 20, 2013


So in effect, you're correct, they're saying "Ooh, the CPU is busy now...and based on everything else I've learned so far and the input I gave it that means it must have been trying to run a calculation based on a 0 for this bit not a 1"
posted by TwoWordReview at 2:59 PM on December 20, 2013 [1 favorite]
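
The attack summarized in the two comments above depends on the attacker choosing the exact ciphertext that the private-key operation processes. As an added example (not from the thread, the paper or GnuPG's code), here is RSA ciphertext blinding, the standard countermeasure that removes that control; the toy key, the function names and the `trace` lists are constructed for illustration, and it is an assumption that this corresponds to the "RSA-specific fix" mentioned upthread.

```python
import math
import secrets

# Constructed toy key from two Mersenne primes (illustration only; far too small for real use).
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (Python 3.8+)


def decrypt_unblinded(c, trace=None):
    """Textbook RSA: the private exponentiation runs directly on the sender's c."""
    if trace is not None:
        trace.append(c)  # the value the secret-dependent computation sees
    return pow(c, D, N)


def decrypt_blinded(c, trace=None):
    """Multiply c by r^e for a fresh random r, decrypt, then divide r back out."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if math.gcd(r, N) == 1:  # r must be invertible mod N
            break
    blinded = (c * pow(r, E, N)) % N        # c * r^e mod N
    if trace is not None:
        trace.append(blinded)
    m_times_r = pow(blinded, D, N)          # (c * r^e)^d = m * r (mod N)
    return (m_times_r * pow(r, -1, N)) % N  # strip r to recover m


def demo(rounds=5):
    """Decrypt one sender-chosen ciphertext repeatedly and record what each path processed."""
    m = 123456789
    c = pow(m, E, N)  # stands in for a ciphertext crafted by the sender
    plain_trace, blind_trace = [], []
    results = []
    for _ in range(rounds):
        results.append(decrypt_unblinded(c, plain_trace))
        results.append(decrypt_blinded(c, blind_trace))
    return m, c, results, plain_trace, blind_trace


if __name__ == "__main__":
    m, c, results, plain_trace, blind_trace = demo()
    print("all decryptions correct:", all(x == m for x in results))
    print("unblinded inputs distinct:", len(set(plain_trace)))  # always the chosen c
    print("blinded inputs distinct:  ", len(set(blind_trace)))  # fresh value every time
```

Both paths return the same plaintext, but only the unblinded path feeds the sender's chosen value into the secret-dependent exponentiation on every decryption.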


yerfatma: "he'd rather give the food to anyone who was truly in need of it rather than see them go hungry

He was retired. How'd he manage that, by vibrating so much Good Karma that the universe just bestowed a 401(k) on him? I suppose it would be a 403(b), but you get the idea.
"

Last comment for this derail. Listen dumbass, my grandfather died in 1965! How did he retire? He saved money each year. He would have told you to stick your (k) and (b)'s right up your ass. And I'd laugh my ass off at you as he did. You deserve it.
posted by InsertNiftyNameHere at 7:26 AM on December 22, 2013 [4 favorites]


Offensive, yet worthwhile... and not as offensive as the original comment, which was pointless.

Internet-generation "expert" throwing pebbles at the memory of a working man of an age gone by. That sums it up.
posted by IAmBroom at 6:27 PM on December 23, 2013 [1 favorite]

