Do you hear what I hear? HO HO HO!

As you know computers can be pretty noisy, with their beeping and dinging; however, did you know that many computers emit a high-pitched noise during operation, due to vibration in some of their electronic components? These acoustic aberrations are more than annoying, they can be threatening.  These sounds can convey information about the software running on the computer, and in particular leak sensitive information about security-related computations.

In a preliminary presentation (Eurocrypt’04 rump session), they have shown that different RSA keys induce different sound patterns, but it was not clear how to extract individual key bits. The main problem was that the acoustic side channel has a very low bandwidth (fewer than 20 kHz using common microphones, and a few hundred kHz using ultrasound microphones), many orders of magnitude below the GHz-scale clock rates of the attacked computers.

Daniel Genkin, Technion & Tel Aviv Univ, Adi Shamir, Weizmann Inst. Of Science, and Eran

Tromer, Tel Aviv University in a recent paper describes a new acoustic cryptanalysis key extraction attack, applicable to GnuPG’s current implementation of RSA. The attack can extract full 4096-bit RSA decryption keys from laptop computers (of various models), within an hour, using the sound generated by the computer during the decryption of some chosen cipher texts. We experimentally demonstrate that such attacks can be carried out; using either a plain mobile phone placed next to the computer, or a more sensitive microphone placed 4 meters away.

Uhhhh… It Gets Worse…

Beyond acoustics, we demonstrate that a similar low-bandwidth attack can be performed by measuring the electric potential of a computer chassis. A suitably-equipped attacker need merely touch the target computer with his bare hand, or get the required leakage information from the ground wires at the remote end of VGA, USB or Ethernet cables.

They describe that they focus on a different source of computer noise: vibration of electronic components in the computer, sometimes heard as a faint high-pitched tone or hiss (commonly called “coil whine”, though often generated by capacitors). These acoustic emanations, typically caused by voltage regulation circuits, are correlated with system activity since CPUs drastically change their power draw according to the type of operations they perform. However, the bandwidth of these signals is very low: up to 20 kHz for audible signals and commodity microphones, and up to a few hundred kHz using ultrasound microphones. (Beyond these frequencies, air attenuation and reduced microphone sensitivity render the signals undetectable.) 1 Cryptanalytic side-channel attacks typically require measurements with temporal resolution similar to the time scale of the target operation, but here the target cryptographic computation is many orders of magnitude faster (at the GHz scale), so we have no hope of observing individual operations. Moreover, the acoustic signals of interest are very faint. Indeed, a recent survey on side channels surmised that while “acoustic effects have been suggested as possible side channels2, the quality of the resulting measurements is likely to be low” [KJJR11].

Acoustic cryptanalysis.

They show that, despite these difficulties, full key recovery via acoustic cryptanalysis is quite

feasible on common software and hardware. As a study case, we focus on the GnuPG (GNU Privacy Guard) [Gnu], a popular, cross-platform, open-source implementation of the OpenPGP standard [CDF+07]. We observe that GnuPG’s RSA signing (or decryption) operations are readily identified by their acoustic frequency spectrum. Moreover, the spectrum is often key-dependent, so that secret keys can be distinguished by the sound made when they are used. The same applies to ElGamal decryption. They go in to devise and demonstrate a key extraction attack that can reveal 4096-bit RSA secret keys when used by GnuPG running on a laptop computer, within an hour, by analyzing the sound generated by the computer during decryption of chosen cipher texts.

In addition, they demonstrate the attack on various targets and by various methods, including the internal microphone of a plain mobile phone placed next to the computer, and using a sensitive microphone from a distance of 4 meters. In a nutshell, the key extraction attack relies on crafting chosen cipher texts that cause numerical cancellations deep inside GnuPG’s modular exponentiation algorithm. This causes the special value zero to appear frequently in the innermost loop of the algorithm, where it affects control flow. A single iteration of that loop is much too fast for direct acoustic observation, but the effect is repeated and amplified over many thousands of iterations, resulting in a gross leakage effect that is discernible in the acoustic spectrum over hundreds of milliseconds.

Espionage for Dummies

Just in case this didn’t alarm you.  Here are a few scenarios close to home that may change your mind.

An acoustic attack app.

Mobile phones are ubiquitous and contain internal microphones that, as we demonstrate, are of sufficient bandwidth and sensitivity for mounting key extraction attacks. Moreover, they have ample signal processing capabilities, and (using their wireless data connectivity) can close the adaptive chosen-cipher text loop in real time. Thus, the whole attack could be packaged into a software “app” requiring no special hardware or knowledge. An attacker would install this software, reach physical proximity to the target computer under some pretext, and place the phone appropriately for the duration of the attack. For example, in a meeting, the attacker could innocuously place his phone on the desk 5 next to the target laptop (as in Figure 4), and obtain the key by the meeting’s end. Similar observations apply to other mobile devices with built-in microphones, such as tablets and laptops.

Eavesdropping via compromised mobile device.

In a similar vein, a mobile device could be remotely compromised, through any of the numerous known attacks, and the attack code installed. When the device’s owner inadvertently places it in the vicinity of a target computer, the mobile device can autonomously attack the target and send the results to the attacker.

Self-eavesdropping.

Taken to the extreme, a device containing (or connected to) a microphone may spy on itself. In this scenario, the attacker controls an unprivileged process with no more than microphone recording permissions and network connectivity (e.g., a web page using the HTML Media Capture features or a Flash app, as in existing web-based videoconferencing services). Using these, the attacker can record and analyze cryptographic operations running in a different process, or even a different virtual machine, on that same computer.

Eavesdropping bugs.

Acoustic eavesdropping “bugs” are a staple of espionage. Matchbox-sized, battery-operated bugs, with built-in microphones and cellular network connectivity, are readily available for under $30. Traditionally used for eavesdropping on conversations, these may now find additional cryptanalytic use. Other traditional eavesdropping equipment, such as phone bugs, and laser microphones capable of listening through windows from afar, may likewise be re-purposed.

Targeted bugs.

For best signal acquisition, acoustic bugs can be hidden where they will be placed in close proximity or contact with the computer. For example, laptop computers are placed in a fairly predictable way when placed down on a charging station, presentation podium or a crammed table. An attacker may exploit this to place a hidden microphone, in advance, in close proximity and optimal orientation. Likewise, a cable or a Kensington lock, made conveniently available to visitors, may can contain hidden microphones that will be placed in perfect alignment when the plugged into the laptop.

Eavesdropping en masse.

In a setting where multiple devices are placed in proximity, such as a server room, an attacker could compromise some device equipped with a microphone. The software would then record the neighboring devices, disambiguate their (typically distinct) acoustic signatures, and mount attacks on each of them. After transmitting the findings, the attack software would self-erase, leaving no anomalous evidence in hardware.

Faraday cages and air gaps.

In sensitive applications, the dangers of network and side-channel attacks are recognized, and critical computers are protected by measures such as air gaps, Faraday cages, and power supply filters. Alas, none of these eliminate acoustic leakage. In particular, Faraday cages containing computers require ventilation, typically by means of vents covered with perforated sheet metal or metal honeycomb, which are very effective at attenuating compromising electromagnetic radiation (“TEMPEST”), yet are fairly transparent to acoustic emanations, for the sake of air flow.  Thus, even if all other communication and side channels are carefully controlled, acoustic emanations can still escape the enclosure and be acquired by nearby devices.

Source(s):

http://www.tau.ac.il/~tromer/papers/acoustic-20131218.pdf\

So “Once more unto the breach, dear friends, once more;”

____________________________________________________________

About Rick Ricker

An IT professional with over 21 years experience in Information Security, wireless broadband, network and Infrastructure design, development, and support.

For more information, contact Rick at (800) 399-6085 x502