back to article AES-256 keys sniffed in seconds using €200 of kit a few inches away

Side-channel attacks that monitor a computer's electromagnetic output to snaffle passwords are nothing new. They usually require direct access to the target system and a lot of expensive machinery – but no longer. Researchers at Fox‑IT have managed to wirelessly extract secret AES-256 encryption keys from a distance of one …

Silver badge

Re: How well was the PC prepared?

Even a TEMPEST-rated case?

Where do you buy them? DDG, Google, Amazon - nada. the only reference is a /. post back in 1999!

0
0

This post has been deleted by its author

Silver badge

obviously...

The government needs to ban software defined radios.

6
5
Silver badge

Re: obviously...

Have you listened to our government recently? If May finds out, she will make software defined radios mandatory along with software to make them accessible by anyone over the internet.

7
2
TRT
Silver badge

Re: obviously...

No, she'll just ban encryption.

4
0
Anonymous Coward

Re: obviously...

She will probably ban software. Its easier that way. And it is a "soft" target. Followed up by banning pencils and paper, then reading and writing - after all, someone might draw a porno pic. Perhaps she is planning a secret coalition with Boko Haram.

Vote May: Fight for the right to be illiterate!

8
1
Anonymous Coward

Re: obviously...

She will probably ban software.

Given the way she's turning back the clock on social advances it's more likely she'll ban electricity and makes us all go back to candles.

3
0

All this shows is that the processor under test wasn't designed for security applications from the start.

Secure devices use constant current and constant time for all crypto operations, whether they need it or not, just to stymie this kind of analysis.

11
0
Anonymous Coward

What about in portable applications where consistent power (or even power altogether) cannot be guaranteed?

0
0
Silver badge
WTF?

What about in portable applications where consistent power (or even power altogether) cannot be guaranteed?

I think if power goes off to the machine, there ain't gonna be a lot of spurious radio waves emanating from it to be detected.

0
0
Silver badge

AES was not cracked, cut the click bait

A poor* implementation of AES permitted a side channel oracle attack on the key.

*That's not a criticism of the implementation. A non-poor implementation is really hard to achieve. A good implementation will not have a different profile between a correct and incorrect guess at part of the key.

20
0
Silver badge

Re: AES was not cracked, cut the click bait

Indeed. I feel they set this up to succeed.

Nothing wrong with that of course, but it would have been far more impressive had they pulled off the same trick against an x86 server running a busy workload as well as doing crypto operations. There would be far more background noise to obscure a useful signal. Also due to the mixed workload there's not likely to be an obvious signal to latch onto in the first place. And it'd have a metal case.

Therefore I don't see this result leading to any changes in practices. If there's someone who can get within a couple of meters of one's infrastructure then you've already got a problem. Installing a keyboard logger or something else like that sounds more productive for the attacker.

14
0

Re: AES was not cracked, cut the click bait

>> but it would have been far more impressive had they pulled off the same trick against an x86 server running a busy workload

Indeed, but that's not the application at hand. Crypto is increasingly being done on small systems, smart cards, access control, IoT applications, etc. That's where the problem lies. So it's not clickbait, it's a real issue.

11
3
Silver badge

Re: AES was not cracked, cut the click bait

"If there's someone who can get within a couple of meters of one's infrastructure then you've already got a problem."

You could very easily be in a shared data hall in a commercial datacentre. If security is paramount them you'll have a separate room or a cage, but most companies don't need the scale to run their own buildings. That leaves you open to others in the same room getting pretty close to your kit.

However, given the nature of this attack, in a noisy server room you'll be bloody lucky to discern a single signal. For now.

Maybe that's a justification for blade servers - pack the components tighter to blend the EM noise.

3
0
Silver badge

Re: AES was not cracked, cut the click bait

How many WiFi systems can you see from your home? You really don't need to be up close but given a bit of time (like when you are out at work, pub, mistress etc) your bit of kit can be hooveing up enough information to get the crack.

Now, just rent an office close to a competitor, setup the kit and walk away. In a few days, I'm sure that you will be able to see all those lovely emails in nice plain text.

0
4
Silver badge

Re: AES was not cracked, cut the click bait

But most of the worlds encryption users are now running ARM based phones or tablets. The majority of x86 are either work related laptops or in server rooms and now seriously outnumbered by ARM based gadgets etc.

1
1
Silver badge

Re: AES was not cracked, cut the click bait

> So it's not clickbait, it's a real issue.

I think you have missed the point on why I have called it out as click bait.

Just because something is a real issue doesn't mean it isn't misdescribed or exaggerated in order to get you to read something. That an implementation of AES can be oracle"d this way is very serious.

AES is a description of what should be done to a byte stream to encrypt a secret with a key and how to get that byte stream back knowing the key. For a crypto algorithm to be broken means that I am able to decode the byte stream cheaper than attempting every possible key in the keyspace.

As far as I am aware*, AES is still not broken, and this technique, whilst novel and even significant, shows a faulty implementation of AES, not a fault in AES generally.

*if some TLA does crack it then don't expect them to scream it from the roof top.

7
0
Silver badge

Re: AES was not cracked, cut the click bait

And I should acknowledge the title has been corrected (thanks) from "AES-256 crypto cracked in 50 secs using €200 of kit one metre away" to "AES-256 keys sniffed in seconds using €200 of kit a few inches away". If you didn't see the original headline then my comment definitely seems unreasonable. Wayback machine caught the original.

3
0
Silver badge

Re: AES was not cracked, cut the click bait

"However, given the nature of this attack, in a noisy server room you'll be bloody lucky to discern a single signal. For now."

Radio astronomers are pretty good at sorting out a relevant signal from all the others. Likewise the guys still talking to Voyager.

3
2

Re: AES was not cracked, cut the click bait

Ah. So not an electronics man?

0
0
Silver badge

Re: AES was not cracked, cut the click bait

@Mage,

But most of the worlds encryption users are now running ARM based phones or tablets. The majority of x86 are either work related laptops or in server rooms and now seriously outnumbered by ARM based gadgets etc.

Whilst that's true, there's still an effort / reward balance to be considered.

Look at Oyster cards on the London Underground. Are they the ultimate in security, the most impenetrable of contactless subway ticketing, proof against nation states and even capable amateurs? No. Do they need to be? Not really, it costs more to clone / hack one than the cost of just paying the fare.

So yes, it might be that someone could build a sniffer the size of a ruck sack, and start picking apart keys on random communications decrypted by crypto co-processors commonly found on, say, ARM SOCs in phones on the tube, in a coffee shop, or IoT devices in someone's home, etc. But to what purpose? I don't really see the point. It'll still be a needle in a haystack, and even if a phone is only moderately well screened (like they probably are to pass EMC accreditation), there's little prospect of being able to make anything of it.

Certainly if it ever became a problem it's so easy to counter it.

2
2
Silver badge

Doe anyone know ....

.... what that large component with the adjustment knob is? (I thought it was a lab bench gas tap at first. It's many years since I saw one or used one but the memories came flooding back.)

1
0
Anonymous Coward

Re: Doe anyone know ....

Just some sort of height/angle adjustable stand used to hold the antenna in place. A re-purposed mike stand perhaps - or maybe a dedicated laboratory stand.

4
0
Gold badge
Coat

So that's what "Pointless Albatross" is.....

I know.

1
0
Anonymous Coward

I wonder ...

I wonder if your ISP supplied router/modem could be used to do the same thing, with all the raw data picked up by the router being sent back down the net to your local nerd branch of the security services? I'd probably say yes. These routers can already work with multiple vci/vpi settings so you can still have your throttled adsl connection, whilst your ip tv box can use different vci/vpi settings to deliver your online films or tv programmes from your various TV providers, a simple test is to download a largish Linux ISO a few GB in size which can be delivered at your maximum rated download speed, and then go watch a tv program or film using your ISP supplied tv box, you'll find you can do both unhindered. Then you could also have mesh network capabilities using the multiple wifi access points often hidden from the router interface which will detect your neighbouring wifi signals, and with technologies like wifi Beam forming, not only is it possible to direct wifi signals to some degree to maximise performance to your device, its possible to use radio frequencies to track an individual moving around by detecting the radio frequencies that are reflected back to the router and detecting the omissions for the RF that gets absorbed by the body as noted by a recent-ish MIT paper documenting how wifi can be used to track people. Plus when you consider how easy it is to build wifi into a little cpu like those seen in Raspberrypi's, not to mention your smart phone, one can only conclude its more big brother than most people realise, when considering the above abilities whilst people travel around on their day to day business carrying their personal tracking device.

Of course getting the password for any form of encryption can be made a step in a process, by breaking up encrypted file with random data so the intended receiver has to use brute force to crack and decrypt the file. So whilst it might take the intended receiver say 5 or 10mins to brute force crack the file, scale that brute force cracking task up for the spooks who want to brute force crack multiple files and then time can be on your side, unless of course your OS just reports back every password when the encryption api's are used, which would be easier, or system updates and other background tasks are used to brute force crack files when given a portion of a password file. Perhaps security researchers should test their OS's for that functionality at the OS and HW level, it could be a profitable law suite at breaking up the hegemony of the US tech sector if such technologies can be proved to exist.

1
0
Anonymous Coward

Re: I wonder ...

Say wha?

7
0
Silver badge

So, to clarify...

For this cunning plan to work the attacker

1) needs to get pretty darn close to the target machine without anyone noticing (Gyood mornink, tovarich, Do you mind if I put my large briefcase that goes ping next to your computer?)

2) Needs to know what sort of processor etc the target is using, so that it can run the initial work 'on a test rig' (Oh, I seem to have lost my car keys, can we take the case off your computer so I can check they haven't fallen inside?)

3) Needs a radio quiet environment (could you just power down the rest of the building for a few minutes, I'm having trouble getting a signal on my phone?)

Interesting, but not exactly a major real-world threat.

4
2
Pint

BS Meter just exploded...

>Interesting, but not exactly a major real-world threat.<

Exactly!

But TOMORROW a smartwatch with an SDR inside may be possible, and The Nerd Who Cried Wolf will have his day!

Doesn't stop him from being an irritating dweeb in the meantime, though..

As the admin said in Wargames:

"Mr. POTATOHEAD!

Mr. POTATOHEAD!!!"

2
0

Re: So, to clarify...

"Interesting, but not exactly a major real-world threat."

...said the power plant operator, certain that his systems were not vulnerable to computer viruses because they were air-gapped from the network. Then someone found a really nice USB stick someone dropped in the parking lot...

The target isn't going to be data center servers, but laptops in coffeehouses, Apple pay, et al.

5
0
Anonymous Coward

And that's exactly the reason ....

... a nearby microwave oven can Hack into your computer system.

4
2
Silver badge
Happy

Re: And that's exactly the reason ....

".. a nearby microwave oven can Hack into your computer system."

Don't be silly, we all know that microwave ovens are really cameras :)

4
1

Genuine Question

Could this be defeated by running a randomised workload when encryption / decryption is taking place? Perhaps even perform parallel decryption / encryption using nonsense keys and nonsense data, lock-stepped to the genuine task.

Or, if the server if sufficiently shielded, would an RF white-noise generator defeat the snooping?

2
0
Anonymous Coward

Re: Genuine Question

by running a randomised workload

Or watching porn videos - the perfect justification!

3
0
Silver badge

How Practical

The distance, a couple of meters, indicates the technique needs to be used by someone very close. As one noted, inside a coffeeshop is more likely. Also, the demo had a relatively clean RF environment and in the real world RF interference could be a problem.

0
0
Silver badge

Now lets put that in perspective...

FoxIT is one of those "security" companies working for the Dutch agencies.

This works via the magnetic field near to the device, so it's very limited in reach. It's hard to shield as you need ferromagnetic shielding for this, but it also won't reach very far, anyhow. So in any case, you need that device under your control. You can do loads of stuff in that scenario.

So, if you combine that, the obvious use for this is the following:

You have an "encrypted" mobile phone of your "suspect". Instead of having to ask them for the PIN, you can now simply sniff the key... and you don't even need to disassemble the device. All you need to do is apply a coil to a model specific position at the phone, then wait a minute in which you can also get the IMSI via an IMSI catcher. All of that works quickly enough to get the encryption keys during a normal "random search".

3
0
Anonymous Coward

"those "security" companies working for the Dutch agencies."

"someone very close. As one noted, inside a coffeeshop is more likely."

hmmm.

0
0
Silver badge
Pint

Thirty-odd years ago...

There was a game for the Tandy Radio Shack TRS-80 Model 3 (not to be confused with the Model 1 in various "Levels") which included a musical soundtrack, to be heard through a nearby AM radio. It might have been "13 Ghosts", or similar.

Point being, the EMI was under programmer's control, and independent of other game functions.

Modern interpretation would be that the supposed key extracted by EM radiation should be a very rude phrase in ASCII, and not the actual key.

4
0

I'd buy that for a dollar

Sorry I meant $200

0
0

Worried about all this? you may be interested in purchasing one of my lead lined laptop cases very reasonably priced at £500. The first one hundred customers will also receive a free tin foil hat (RRP £400).

1
0
Anonymous Coward

And in the same El Reg page, there's the solution ...

2FA (as discussed re: HoC "hack")

0
0

Déjà viewer

In other news, the BBC has a rusty Transit van with a bent coat hanger on the roof that can tell what TV channel you're watching.

1
0
Anonymous Coward

Re: Déjà viewer

That used to be true - when analogue signals were used, it was possible to pick up the output of the local oscillator and determine what frequency it was running at (i.e. what channel it was demuxing).

0
0

Couldn't this sort of attack be defeated simply by putting the processor, memory, power supply, and some sort of UPS (maybe with some sort of randomized power intake algo) inside a faraday cage? Such a cage could be built as a desktop computer case, I suppose. And, if the designers for the UPS were clever enough they could probably combine it with the power supply into a package small enough to fit in the same spot a typical power supply would go.

I suppose one could then read the thermal output of the cooling system, but it seems like that would be pretty easy to randomize by introducing delays and dumps.

0
0

Page:

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Forums

Biting the hand that feeds IT © 1998–2018