On her microphone's secret service: How spies, anyone can grab crypto keys from the air

Discerning secret crypto keys in computers and gadgets by spying on how they function isn't new, although the techniques used are often considered impractical. A new paper demonstrates this surveillance can be pretty easy – well, easier than you might imagine – to pull off, even over the air from a few metres away. We all …


  1. Roq D. Kasba

    Clever stuff

    That's very clever, someone found a genuine use for a pita bread.

    1. asdf
      Trollface

      Re: Clever stuff

      Now if they can do something with puffed rice cakes I'll really be impressed.

    2. Anonymous Coward
      Anonymous Coward

      Re: Clever stuff

      It's a handy repository for a small steak.

      1. asdf

        Re: Clever stuff

        To suck up the yummy juices perhaps but still would have to reduce the price by 90% or so to even think twice about that. Besides as a Yank that still sounds like a job for Wonderbread.

  2. cantankerous swineherd

    am I alone in thinking a tinfoil hat is essential equipment?

    1. Dave 126 Silver badge

      Well yes, but the article referred to it as a parabolic dish. If you put it on your head it won't work!

    2. Dan 55 Silver badge

      Yes, and afterwards you can heat your pita bread in it.

      1. Dave 126 Silver badge

        If you wear a tin foil hat, a duct-tape belt and a wrist-band of self-amalgamating tape then you'll have the materials at hand to deal with most situations!

        1. Blofeld's Cat
          Coat

          "... to deal with most situations ..."

          Most situations yes, but presumably not the Noodle Incident.

          1. Dave 126 Silver badge

            Well obviously. I wouldn't have escaped the Noodle Incident relatively unscathed had I not fashioned an antenna from the underwire of my companion's bra. But we don't talk about that.

        2. TeeCee Gold badge
          Coat

          Only if you pee WD40....

    3. Anonymous Coward
      Black Helicopters

      > am I alone in thinking a tinfoil hat is essential equipment?

      Hold on...

      ... okay, I've just scanned the thoughts of the people currently around you and you're right - you are the only one thinking that a tinfoil hat is required.

    4. phuzz Silver badge
      Boffin

      Tinfoil hats actually amplify the frequencies that the US military uses for mind control satellite communications.

  3. David Roberts

    OT

    Shortly after a small burst of pride when noticing I had a silver badge I have now noticed that nearly everyone else has one.

    1. Rich 11

      Re: OT

      I haven't.

    2. imanidiot Silver badge

      Re: OT

      It seems the average commentard builds upvotes at roughly the same speed. So anyone that was around when the badges were instituted is reaching the silver requirement at pretty much the same time.

      1. Uncle Slacky Silver badge

        Re: OT

        Mine has disappeared and reappeared at least twice - I think you have to sustain a minimum posting rate in order to retain/regain your badge.

        1. Roq D. Kasba

          Re: OT

          I think it's a manual process, someone gets round to it every 6 months or so. I changed name and lost it, recently it was re-awarded to my new name (despite being the same account and having ~10k upvotes).

          1. Anonymous Coward
            Anonymous Coward

            Re: OT

            I don't have one.

            Anyway I want one encrusted with jewels.

            1. allthecoolshortnamesweretaken

              Re: OT

              If you get the jewel-encrusted badge, will you add a coat of black enamel for stealth?

  4. hazzamon

    Would storing encryption keys on a smartcard help alleviate this attack?

    After all, smartcards generally have no coils to whine...

    1. Anonymous Coward
      Anonymous Coward

      Re: Would storing encryption keys on a smartcard help alleviate this attack?

      Don't think so - from context it's the processor munching on the numbers that produce the whine, so it wouldn't really matter where those numbers are drawn from.

  5. JeffyPoooh
    Pint

    4096-bits in audio bandwidth

    Given that the routine is running at GHz and is presumably completing in much less than a second, that's not very many cycles of audio per bit of key.

    Some will comprehend the inherent difficulties, but then take this to be more reason to be impressed by the accomplishment. These days, as we're swimming in so much BS hype, a better reaction is to wonder how many unmentioned 'cheats' were required to generate this "proof" of concept.

    In any case, crypto code branches need to be balanced. Didn't everybody already know that?

    1. patrickstar

      Re: 4096-bits in audio bandwidth

      The actual entropy of a 4096 bit RSA key is a lot less than 4096 bit... that's why they are so big to begin with.

      As for balanced branches, you're much better off not having key dependent branches in the first place. Very doable at least for ECC crypto.

    2. WatAWorld

      Re: 4096-bits in audio bandwidth

      "Given that the routine is running at GHz and is presumably completing in much less than a second, that's not very many cycles of audio per bit of key."

      I think you mean that the cycles on the computer should take longer than 1/20,000 of a second, the maximum frequency that humans can hear and that microphones and speakers designed for human ears can handle.

      Then there is the Debye frequency, "The Debye frequency of a crystal is a theoretical maximum frequency of vibration for the atoms that make up the crystal".

      As a consequence, ultrasound at 1 or 2 MHz can only propagate in air over a distance of a few centimeters.

      But apparently somehow they've found a way around that. Maybe because the calculations require much more than one cycle to complete. I don't know. The mechanics of how would be interesting.

      Or maybe the ear piece mic is picking up the electrical impulses directly, rather than acoustically?

      I've pretty much forgotten the acoustics I learned in university, except for a few limitations that I've kept to remind me to consult an expert (recent EE grad) when they come up.

    3. computinghomer

      Re: 4096-bits in audio bandwidth

      Exactly. There is a lot of space between a hack that can be made to work if all the conditions are right and something that would actually work in say 50% of random setups. Somehow that info never makes it through.

  6. Lee D Silver badge

    Why is a Faraday cage not realistic?

    So long as it doesn't cover the radio parts (in a desktop, zero, in a laptop, the screen, in a phone, the radio?), it seems eminently sensible to put in a Faraday cage, and it doesn't have to be a solid block of metal if you choose the spacing correctly, and I reckon you could even double-up part of it as a heatsink, no?

    1. Anonymous Coward
      Thumb Up

      Mobile computing

      Most of these types of side-channel attacks only seem to work at short distances, like a few metres. Perhaps the answer is to stay out of your office, keep moving, and only work where there is no-one physically near to you. You would probably notice someone walking behind you and setting up a parabolic dish, a thermographic camera and a shotgun microphone whenever you stop.

      1. Dave 126 Silver badge

        Re: Mobile computing

        With acoustically transparent cloth - y'know, the sort of thing hi-fi speakers are clad with - a parabolic dish can be disguised as a suitcase. Or indeed, a loudspeaker.

        It appears on first thoughts that an easy enough countermeasure would be to generate noise - maybe just have your computer run through some redundant, unused crypto algorithms.

        1. JeffyPoooh
          Pint

          Re: Mobile computing

          Dave "...have your computer run through some redundant, unused crypto algorithms."

          Back in the late-1970s or very early-1980s, there was a 'Ghost' themed game for the Tandy Radio Shack Z80-based TRS-80 Model 3 / Model 4. The game's instructions included putting an AM radio near the computer, and music would be played. Yep, the EMI was that strong.

          The more interesting point is that the code, presumably single threaded, included music. Think about that.

          Imagine somebody trying to do a side channel attack, and the coder has included music or similar.

          There's an opportunity in this sort of concept. Somebody spends weeks doing a side channel attack, and they're successful in pulling out some key-like data. Later they realize it's not the key, but a rude joke involving parrots and nuns, etc.

          1. Alan Brown Silver badge

            Re: Mobile computing

            "Back in the late-1970s or very early-1980s, there was a 'Ghost' themed game for the Tandy Radio Shack Z80-based TRS-80 Model 3 / Model 4"

            Are you referring to Android NIM?

            "The game's instructions included putting an AM radio near the computer, and music would be played. Yep, the EMI was that strong."

            Which is why the FCC came down fairly hard on the early PC makers over emissions. I discovered my TRS80 was wiping out the neighbours' TV reception (low band VHF) only when they asked my parents if we were having trouble viewing XYZ programs (we had an external antenna, they were using bunny ears and the PC was a few metres away through 2 wooden walls, unshielded cables everywhere)

            1. WatAWorld

              Re: Mobile computing

              "Which is why the FCC came down fairly hard on the early PC makers"

              It is why today pretty much every piece of energized computer equipment made needs an FCC approval.

          2. Jeffrey Nonken

            Re: Mobile computing

            My college (NDSU) built an AM radio into an IBM 1620 computer and had a deck of cards that played "Flight of the Bumblebee". I was there in 1974, I don't know how long they'd had that set up.

            Alas, the code deck was randomized partway through, and nobody had the source. So it played perfectly for a while, then spit out some noise and stopped.

          3. This post has been deleted by its author

      2. Dave 126 Silver badge

        Re: Mobile computing

        >Why is a Faraday cage not realistic?

        If the encryption is being used to encrypt communications, then the computer has to be able to, er, communicate. If the connection to the wider world is wired, then okay, but a Faraday cage would stop any wireless RF data from being transmitted or received.

        You could, I suppose, have your Faraday-clad computer use light to communicate to a modem.

        1. Lee D Silver badge

          Re: Mobile computing

          Gosh, if only we could, e.g. put the radio outside the cage and join to it with a couple of wires? Then the encryption is behind the cage, and the radio is just a radio outside it.

          1. Dave 126 Silver badge

            Re: Mobile computing

            >Why is a Faraday cage not realistic?

            A Faraday cage wouldn't help. This attack works by listening to sound waves, not electromagnetic waves.

            A window pane protects you from the wind, but not from peeping toms. A lace curtain protects you from peeping toms, but not from the wind.

        2. Hans 1
          Facepalm

          Re: Mobile computing

          >You could, I suppose, have your Faraday-clad computer use light to communicate to a modem.

          Back to IR ? NOOOOOOO!!!!!!!

          Or have the antennas outside the cage ... for example, take a laptop .... Faraday cage as the casing of the mobo (e.g. where keyboard is etc), antennas around the screen (as is already today in most laptops) ... That is what the comment@rd up there was on about, or at least, how I understood it.

          On a desktop, same, get a Faraday-cage case and buy a USB dongle/PCI-e wifi card with external antenna (if you need wifi on your desktop) .... done.

    2. Anonymous Coward
      Anonymous Coward

      "Why is a Faraday cage not realistic?"

      Read TFA. This is about circumventing Faraday cages by using sound, which isn't stopped by electrical conductors.

      1. WatAWorld

        Re: "Why is a Faraday cage not realistic?"

        I'm not sure he is correct in his assumption that his device works by sound. See my other post about Debye frequencies and the impossibility of transmitting 1 MHz sound, let alone 1 GHz sound.

    3. Bill Stewart

      Faraday cages block electromagnetic signals; if I'm reading this article correctly, they're using audio to measure changing workloads.

      Paul Kocher's been doing various differential power and timing analysis things for years, all of which have told us that we need to do calculations in ways that take the same amount of work regardless of the keys, which means undoing some of the optimization methods for long-number arithmetic and such.

    4. Alan Brown Silver badge

      "Why is a Faraday cage not realistic?"

      Because they don't stop audio noise.

      Potting the regulator coils would help a lot but most makers don't do this.

    5. WatAWorld

      A metal case is a Faraday cage.

      The issue is of course the cords and wires, which act like antennas outside the case.

      And for laptops the case is plastic. And if the case isn't plastic you have the screen.

      Engineering labs and US consulates have Faraday cages and acoustic isolation rooms.

      Depending on the frequencies it has to work over, it can be a coarse conductive net. Like the mosquito netting in North American windows. It can be conductive paint in your walls.

      But that won't shield from what is inside the cage. And that is probably the thing. A cage big enough to encompass your power and network cables would also encompass the eavesdropping device.

  7. brain_flakes

    How can that possibly work?

    I really can't imagine how this could possibly work. It surely can't be listening in on the CPU because that runs at many gigahertz, well above what you should be able to pick up with a mic. There's ram which is in the 100s of megahertz, but given that's accessed in parallel how could you pick out individual lines? Anyone got any idea what kind of signal they might be using, assuming it does work as they say it does?

    1. Christian Berger

      Just the same as thousands of other demos

      They are using fluctuations in power consumption of the CPU or security chips. No you won't get the key directly, but you will get hints to what your key is. And those hints can be enough to dramatically lower your search space.

    2. Anonymous Coward
      Anonymous Coward

      Re: How can that possibly work?

      That's some manky old DDR2 RAM you must be using, to be clocked less than 1 GHz.

    3. a_yank_lurker

      Re: How can that possibly work?

      It does work from a technical view. For most people, I doubt this is much of a threat. However for certain people, think high ranking official or business leader, this might be a handy way to break into their accounts assuming you can get within a few meters for long enough.

      1. WatAWorld

        Re: How can that possibly work?

        But how can it work from a technical point of view.

        I get that a computer science person might think it would obviously work, but only if they didn't study acoustical and electrical engineering/physics.

        My guess is he's assumed the mike only picks up sound, and that really it is picking up electrical impulses, as mikes will do.

        You just cannot say 10 GHz sounds, even 10 MHz sounds, can be transmitted through room temperature air without explaining how.

        Either something must reduce the frequency with which each bit is processed, or the transmission is electromagnetic. I'm rusty on this, but that is how it seems to me technically.

        I would love to read the theories of someone who is actually up-to-date in the EE aspects of this.

        That said, I agree that this is not much of a threat to someone working in an acoustically and electrically noisy office.

        But people who need privacy often also end up with a fair degree of silence.

        And no matter what we do to prevent it, a dozen intelligence agencies around the world can capture our data. There is no privacy against the FSB, NSA, and so on.

        1. Anonymous Coward
          Anonymous Coward

          Re: How can that possibly work?

          I assume the signal received is not in the GHZ range. It is a much more smoothed out blur of the encryption/decryption key.

          However, just one or two hints in the direction of the key, reduces the search space many fold.

          E.g., if I had a million long line of gibberish as a key, but you picked up that the first half is a higher value than the second half, then you've reduced the search space from "completely random" to "at least similar to this".

          With more data points, you can multisample too, so you can get down to smaller blocks of the key, and in the end (I assume) get like 100 small data points in the 4096bit key. Some saying "high" at this point, some saying "low" at others, possibly even "medium". Within this you search for the key, now within the computational power of your brute force server farm.

    4. Anonymous Coward
      Anonymous Coward

      Re: How can that possibly work?

      "Anyone got any idea what kind of signal they might be using, assuming it does work as they say it does?"

      Modern computers use switch mode power supplies in which DC-DC conversion is achieved via transformers running at a high frequency which still tends to be in the acoustic band. There are multiple SMPS in most modern PCs, for instance the programmable multiphase one which drives the CPU. Because these have very fast response to load changes, they generate lower frequencies which are a function of power consumption.

      The transformer actually vibrates due to the changing magnetic field, and creates sound. The amount of sound depends on how well it is constructed and secured. A lot of PC transformers now seem to have visible coils, for effective heat loss, and these I imagine will create more sound than fully encapsulated ones.

      I would have thought that if you were using a mobile phone, which runs off a true DC supply - the battery - this would be much less of an issue.
