Researchers demonstrate stealing crypto keys from a offline computer using electromagnetic pulses
It has been a while now with security researchers trying to find ways and means to hack a air gapped computers. Over the years, researchers have been able to hack such computers using a basic feature phones as well using the heat generated by such air gapped computers. Now, researchers from Tel Aviv University and Technion have gone a step further than past efforts, and found a way to steal data from air-gapped machines while their equipment is in another room.
For the uninitiated, air gapped computers are those computers and laptops which are cut off from Internet purposefully to protect them from any kind of hacking. Most companies including defence departments and NASA use air-gapped computer to store their most confidential data.
The researchers from Tel Aviv University have build upon the side channel attack discovered by researchers from Georgia Institute of Technology in January, 2015. The method used by Tel Aviv University researchers is quite similar to the research carried out to steal crypto keys by “listening” so this isn’t the first time that such an approach has been used by researchers against elliptic curve cryptography being run on a computer
The attack
As said above, the method used by the researchers build upon the side-channel attack. This kind of an attack does not involve the implementation of an encryption head on, as with brute force or by making use of a vulnerability in the algorithm but relies upon other sources.
The researchers used the electromagnetic output from a laptop to conduct their attack. EM emanations emitted during the decryption process, which were used by the researchers work out the target’s key.
Researchers acquired the laptop’s private key by running GnuPG. GnuPG is a widely famous implementation of OpenPGP. Once done, they measured the electromagnetic emanations of the target computer and within seconds, they had the secret decryption key.
According to the team of researchers, which comprised of Daniel Genkin, Lev Pachmanov, Itamar Pipman, and Eran Tromer, the attack is launched using lab equipment that “costs about $3000.” This shows that the attack is unwieldy. They further stated, “the attacks are completely non-intrusive; we did not modify the targets or open their chassis.”
However, Tromer stated while talking to Motherboard “experience shows that once the physical phenomena are understood in the lab, the attack setup can be miniaturized and simplified.”
Tromer further explained that the modifications make GnuPG more “resistant to side-channel attack since the sequence of high-level arithmetic operations does not depend on the secret key.”
The attack’s legitimacy was tested by sending specific ciphertext to the target, which is basically an encrypted message.
“During the decryption of the chosen ciphertext, we measure the EM leakage of the target laptop, focusing on a narrow frequency band,” the research paper states.
After processing the signals “a clean trace is produced which reveals information about the operands used in the elliptic curve cryptography [and in turn] it is used in order to reveal the secret key.”
The equipment that the team used were quite varied such as they used amplifiers, an antenna and software-defined radio too along with, obviously, a laptop. This process was being carried out through a 15cm thick wall, reinforced with metal studs, according to the research paper.
The secret key was received after observation of around 66 decryption processes. Each of these procedures lasted for 0.05 seconds. This yielded overall measurement duration of around “3.3 seconds” the paper established.
The research team have published a paper (pdf) stating the process of the attack and will be demonstrating the same on 3rd March at the forthcoming RSA Conference.
