If you think that air-gapped networks are totally secure you are wrong, in the past, many research teams have devised methods to steal data from computers disconnected from the Internet.
They demonstrated that it is possible to exfiltrate data through the analysis of sound waves and heat emissions, now a new research shows that it is possible to steal RSA encryption keys through a PC’s noises and an old AM radio from a few metres away.
In the past groups of researchers used very expensive equipment in order to capture fluctuations in electrical current/electromagnetic emanations/heat emissions during the execution of encryption routines, but now experts from Israel have explained that it is possible to use also an inexpensive kit.
The Israeli researchers (Daniel Genkin, Lev Pachmanov, Itamar Pipman, Adi Shamir, Eran Tromer) demonstrated that it is possible to harvest 4,096-bit encryption keys from distances of around 10 metres (33 feet), and they made it in just a few seconds.
They are the same researchers that exactly one year ago demonstrated thet encryption keys can accidentally leak from a PC via radio waves, the team demonstrated that this is possible by using a cheap consumer-grade kit.
Now, the experts demonstrated how to exfiltrate encryption keys by using acoustics while the target machine is performing encryption calculations. In this phase, in fact, the processor emits a high-frequency “coil whine” from the changing electrical current flowing through its components.
“The power consumption of a CPU and related chips changes drastically (by many Watts) depending on the computation being performed at each moment. Electronic components in a PC’s internal power supply, struggling to provide constant voltage to the chips, are subject to mechanical forces due to fluctuations of voltages and currents. The resulting vibrations, as transmitted to the ambient air, create high-pitched acoustic noise, known as “coil whine,” even though it often originates from capacitors. Because this noise is correlated with the ongoing computation, it leaks information about what applications are running and what data they process.” reads the paper published by the experts.
“Most dramatically, it can acoustically leak secret keys during cryptographic operations. By recording such noise while a target is using the RSA algorithm to decrypt ciphertexts (sent to it by the attacker), the RSA secret key can be extracted within one hour for a high-grade 4,096-bit RSA key.”
Of course, the equipment in the above picture is not possible to conceal, so the researcher tried to obtain the same results from a mobile phone’s microphone placed 30 centimetres (12 inches) away from the target machine.
“We experimentally demonstrated this attack from as far as 10 meters away using a parabolic microphone (see Figure 1) or from 30cm away through a plain mobile phone placed next to the computer.” states the paper.
“In some cases, it even suffices to record the target through the built-in microphone of a mobile phone placed in proximity to the target and running the attacker’s mobile app.”
The team is able to get the 4,096-bit RSA key in an hour of listening, even using a mobile phone.
“Side-channel leakage can be attenuated through such physical means as sound-absorbing enclosures against acoustic attacks, Faraday cages against electromagnetic attacks, insulating enclosures against chassis and touch attacks, and photoelectric decoupling or fiber-optic connections against “far end of cable” attacks.” said the experts.
The team also provided recommendations to prevent such kind of side-channel attacks, in the specific case they suggest using acoustic dampening inside a PC.
The researchers also suggest coders to insert in their software “blinding” routines that perform dummy calculations into cryptographic operations, in this it is possible to prevent a wide range of side-channel attacks, including the acoustic one.
(Security Affairs – encryption keys, side-channel attacks)