[WTF!] Toughest encryption cracked by listening to your CPU with a phone

[kuverty]

Keep in mind that you need:

• to send several mails (amount depends on the length of the key) to the victim which you know the content off, mainly because of the bandwith of the used frequency.
• a victim using an old GPG version (2.x is not affected)
• to be able to get that close to your victim at the moment the prepared mails are encrypted
• a victim using specific hardware (as far as I understood the paper not every cpu, board etc. is affected)

so keep your panties on and update GPG, which you should have done allready anyway.

And which is also quite rare (clarifying number one on your list), the recipient has to have configured her system so that it automatically decrypts any received messages. But anyway, that was just a demonstration of the possibility of such things and a very neat one. Who knows what might be possible if government agencies point sufficient resources, probably a lot more. Remember how many cryptographers NSA has employed, many of them on par with Shamir et al.

That's one crazy attack! These hardware-based attacks are interesting to me.

[Gabi]

I'm not a hardware expert but haven't we known for years about this kind of thing? Not surprised somebody has found out how to work stuff out through the computer noises because you even can diagnose technical problems from the beeps that come from your motherboard when you turn on the computer.

I hope you are joking lol. The "beeps" come from the motherboard speaker, it is there exactly to make these beeps, it is not they appear randomly lol. The speaker is there exactly to make beeps to tell you what's wrong.

[shorena]

Keep in mind that you need:

• to send several mails (amount depends on the length of the key) to the victim which you know the content off, mainly because of the bandwith of the used frequency.
• a victim using an old GPG version (2.x is not affected)
• to be able to get that close to your victim at the moment the prepared mails are encrypted
• a victim using specific hardware (as far as I understood the paper not every cpu, board etc. is affected)

so keep your panties on and update GPG, which you should have done allready anyway.

And which is also quite rare (clarifying number one on your list), the recipient has to have configured her system so that it automatically decrypts any received messages. But anyway, that was just a demonstration of the possibility of such things and a very neat one. Who knows what might be possible if government agencies point sufficient resources, probably a lot more. Remember how many cryptographers NSA has employed, many of them on par with Shamir et al.

That's one crazy attack! These hardware-based attacks are interesting to me.

There is a lot more out there.

http://es.slideshare.net/endrazine/defcon-hardware-backdooring-is-practical

http://www.youtube.com/watch?v=8Mb4AiZ51Yk

Great talk on hardward backdoors.


http://arstechnica.com/security/2013/10/meet-badbios-the-mysterious-mac-and-pc-malware-that-jumps-airgaps/

The allready famous "badBIOS" virus.

[compro01]

The PC bios has "spread spectrum" options to mitigate this kind of attacks

I thought spread spectrum was to tweak the radio emissions (spread it out over a wider band, rather than having big spikes at specificly frequencies), not acoustic emissions.

AFAICT, what they're picking up is high-frequency coil whine off the VRM.

[black_swan]

Please read this article, the information quote from the OP is incomplete
http://www.forbes.com/sites/timworstall/2013/12/21/researchers-break-rsa-4096-encryption-with-just-a-microphone-and-a-couple-of-emails/

Here’s what the researchers did do though. Send several emails to the system itself: this way they knew what the content of the emails was. They also recorded the sounds of the computer decoding those known emails. For all computers do indeed make noises as they work: not just the disk, other components make small sounds as they heat up, cool and so on, even as electrical currents change.

[shorena]

Please read this article, the information quote from the OP is incomplete
http://www.forbes.com/sites/timworstall/2013/12/21/researchers-break-rsa-4096-encryption-with-just-a-microphone-and-a-couple-of-emails/

Here’s what the researchers did do though. Send several emails to the system itself: this way they knew what the content of the emails was. They also recorded the sounds of the computer decoding those known emails. For all computers do indeed make noises as they work: not just the disk, other components make small sounds as they heat up, cool and so on, even as electrical currents change.

I like how noone in this forum reads the comments others allready made.

Well to make this a little more than just a bitchy comment (sorry for that)

Dont read that forbes article its just as bad as any other, read the original paper, here: http://cs.tau.ac.il/~tromer/acoustic/

As allways, read the source.

[compro01]

Please read this article, the information quote from the OP is incomplete
http://www.forbes.com/sites/timworstall/2013/12/21/researchers-break-rsa-4096-encryption-with-just-a-microphone-and-a-couple-of-emails/

Here’s what the researchers did do though. Send several emails to the system itself: this way they knew what the content of the emails was. They also recorded the sounds of the computer decoding those known emails. For all computers do indeed make noises as they work: not just the disk, other components make small sounds as they heat up, cool and so on, even as electrical currents change.

Yeah, it's a known-plaintext attack.  Still potentially effective.  I send you a GPG-encrypted email (which I obviously know the content of) and listen in to it being decrypted and run off with your private key.

[Lethn]

I'm not a hardware expert but haven't we known for years about this kind of thing? Not surprised somebody has found out how to work stuff out through the computer noises because you even can diagnose technical problems from the beeps that come from your motherboard when you turn on the computer.

I hope you are joking lol. The "beeps" come from the motherboard speaker, it is there exactly to make these beeps, it is not they appear randomly lol. The speaker is there exactly to make beeps to tell you what's wrong.

How the hell did you come to the conclusion that I was saying they appeared randomly?