Pulling RSA Keys by Listening

Friday, December 20, 2013 @ 05:12 PM gHale

Sound is becoming a new way to hack into systems: one attack method can extract full 4096-bit RSA keys simply by listening to the sound a computer generates. That comes on top of a malware prototype introduced earlier this month that uses inaudible audio signals to communicate and covertly transmit sensitive data even when infected machines have no network connection.

The RSA key extraction technique comes from researchers at Tel Aviv University and the Weizmann Institute of Science.

Researchers tested the method on GNU Privacy Guard (GnuPG), an open source implementation of the OpenPGP standard. The researchers found that, on almost all computers, it’s possible to distinguish different patterns of CPU operations.

In the case of GnuPG, the researchers have been able to differentiate the acoustic signatures of different RSA secret keys by measuring the sound generated by the device during the decryption process.

While researchers used expensive hardware, in some cases a regular mobile phone might be enough to intercept the valuable information. With the aid of specialized hardware, the researchers acoustically extracted the keys from four meters away.

The method also worked with a mobile phone placed 30 centimeters away from the targeted computer.

The attack works even if there are loud fan noises, several computers in one room, or if the user is multitasking.

“The interesting acoustic signals are mostly above 10KHz, whereas typical computer fan noise and normal room noise are concentrated at lower frequencies and can thus be filtered out. In task-switching systems, different tasks can be distinguished by their different acoustic spectral signatures,” the researchers said.

“Using multiple cores turns out to help the attack (by shifting down the signal frequencies). When several computers are present, they can be told apart by spatial localization, or by their different acoustic signatures (which vary with the hardware, the component temperatures, and other environmental conditions).”

There are several plausible attack scenarios. It is possible to grab the keys with the aid of a phone placed near the victim’s computer, with a piece of malware installed on the victim’s own phone, or through a malicious website that uses the device’s microphone to capture sound.

The scientists notified GnuPG of the issues, and some countermeasures are now in place in GnuPG 1.x and libgcrypt to mitigate the attack. On the other hand, it’s uncertain if other algorithms or cryptographic implementations are vulnerable.

The researchers’ paper is entitled “RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis.”

This information comes on the heels of researchers from Germany’s Fraunhofer Institute for Communication, Information Processing, and Ergonomics using nothing more than the built-in microphones and speakers of standard computers to transmit passwords and other small amounts of data from distances of almost 65 feet. The software can transfer data at much greater distances by employing an acoustical mesh network made up of attacker-controlled devices that repeat the audio signals.
