Researchers Get Crypto Keys Off Laptop by Touching it

[Terry Olaes]

Some smart people figured out how to extract cryptographic keys from a laptop by touching it. Pretty ingenious.

Measuring the electrical potential leaked to your skin when you touch the metal chassis of such laptops, and analyzing that signal using sophisticated software, can be enough to determine the keys stored within, says Eran Tromer, a computer security expert at Tel Aviv University.

 

[atp1916]

"The work contributes to a growing body of evidence that regardless of the software protections people place on computers, there are indirect ways to extract data—so-called “side channel” attacks."

Gotta wonder how far along the NSA et all are on this type of stuff.

 

[Kueller]

Q7: How can low-frequency (kHz) leakage provide useful information about a much faster (GHz) computation?
This is the key idea behind our technique. Individual CPU operations are too fast for our measurement equipment to pick up, but long operations (e.g., modular exponentiation in RSA) can create a characteristic (and detectable) spectral signature over many milliseconds. Using a chosen-ciphertext, we are able to use the algorithm's own code to amplify its own key-leakage, creating very drastic changes, detectable even by low-bandwidth means.

This was the main question I had.

 

[Insula Gilliganis]

Ahh, touch me
(This isn't right)
Ahh, touch me
I want to feel your crypto

Full moon in Tel Aviv
And the researchers are Israelis
I was hungry for electrical potential
I was hungry for cryptographic keys

They was hunting me down
And my laptop was the bait
When I saw the metal chassis
Analyzing signals couldn't wait

This isn't right
This isn't right
This is like slime
Tel Aviv U got it right

(This isn't right)
Touch me, touch me
I want to feel electrical potential
Your laptop next to mine
(This isn't right)
Touch me, touch me now

 

[LoneWolf]

Man, Insula, making me feel old. lol.

In relation to the original article, it makes me think of Van Eck phreaking, as discussed in Neal Stephenson's Cryptonomicon. At the time I first read it, I had a hard time believing it, but I searched and found it is very real, and proof-of-concept has been demonstrated.

 

[temujin987]

i thought i had a decent understanding of how computers and its components work, but the things i've read the past year about the capabilities of the NSA et al. sound pretty much like magic. problem is, magic doesn't work, but these attacks unfortunately actually do.

 

[Jagger100]

If someone has physical access to your computer, you're screwed anyway.

 

[Reimu]

The attackers gaining physical access of the said machine is about the worst thing from a security point of view. It feels as if that it is a matter of time and will for the system to be compromised when it's already served up on a platter.

 

[FLECOM]

just put a tesla coil next to your pc, good luck getting any radio receiver to hear anything!

 

[MindBuster]

just put a tesla coil next to your pc, good luck getting any radio receiver to hear anything!

Tinfoil cover

 

[raz-0]

Article Summary:
Don't let sweaty dudes grope your computer while it's encrypting or decrypting something.

 

[Jagger100]

Article Summary:
Don't let sweaty dudes grope your computer while it's encrypting or decrypting something.

Hardware keylogger that burst transmits is likely cheaper and much less likely to ever be discovered than this.

 

[FiveFig]

Article Summary:
Don't let sweaty dudes grope your computer while it's encrypting or decrypting something.

So basically TSA...

Solution: Either never travel with your encrypted laptop, or turn it OFF when traveling.

 

[DocSavage]

Q7: How can low-frequency (kHz) leakage provide useful information about a much faster (GHz) computation?
This is the key idea behind our technique. Individual CPU operations are too fast for our measurement equipment to pick up, but long operations (e.g., modular exponentiation in RSA) can create a characteristic (and detectable) spectral signature over many milliseconds. Using a chosen-ciphertext, we are able to use the algorithm's own code to amplify its own key-leakage, creating very drastic changes, detectable even by low-bandwidth means.

This was the main question I had.

Doesn't this mean that the attack only works with their specially crafted ciphertext? This doesn't illustrate a working attack in the field.

 

[Kueller]

Doesn't this mean that the attack only works with their specially crafted ciphertext? This doesn't illustrate a working attack in the field.

You are correct, and you only get one bit per ciphertext. They sent emails to an enigmail (thunderbird) client that automatically decrypts incoming mail when it is received. So, physical, unattended, access to a machine you can make run the decryption algorithm on cue.

 

[shade91]

Gotta wonder how far along the NSA et all are on this type of stuff.

Not very far. The Israeli's are usually a few hundred steps ahead in terms of technology compared to the US government. That is why we partner with them so heavily as they are a nation of very savvy and smart technologists. The day we completely shun Israel is the day we shoot ourselves in the foot.

I'm curious how effective such an attack is against FDE. That is a major line of defense against an attacker who has physical possession of the asset you're trying to protect.

 

[drakken]

I random has length would defeat this but you would have to add about forty lines of code to your security, basically on windows hall says hello to gina and if there was a special interface between when the system thinks the password is being decrypted to compare and when it actually happens all the hacker would get is garbage. On nix it would be easier since you could just add the lines to anytime the root is called and ignore the rest of the calls because password checks are so fast I can't see how they would be able to gather enough info with out a lot of over head like in windows.

 

[flashoverride]

Doesn't this mean that the attack only works with their specially crafted ciphertext? This doesn't illustrate a working attack in the field.

Eh, for a captured encrypted laptop maybe. Doesn't seem to be remotely executable. A lot of these novel type attacks are kind of one-off deals that's don't pan out, but are interesting nonetheless. Makes you want to build a Faraday cage.

 

[BladeVenom]

What's next, a sonic screwdriver?