How White Hat Hackers Stole Crypto Keys from an Offline Laptop in Another Room

Share this…

Last year, it was revealed that hackers can steal data from any computer via heat and how some technologies can hack into an offline computer and phone.

Now, Tel Aviv University and Technion researchers have discovered a way to steal data from air-gapped computers from another room. Air-gapped computers are machines that are disconnected from the internet so as to discourage hackers from remotely accessing the data stored in them. The research is due to be unveiled on 3rd March at the forthcoming RSA Conference.

It is quite similar to the research carried out to steal crypto keys by “listening” so this isn’t the first time that such an approach has been used by researchers against elliptic curve cryptography being run on a computer.

Elliptic curve cryptography is a powerful and dynamic approach to crypto that is used in securing everything from messages to websites.

How is it Possible?

The method used to conduct the attack is called side-channel attack. This kind of an attack does not involve the implementation of an encryption head on, as with brute force or by making use of a vulnerability in the algorithm but relies upon other sources.

In this case, the attack relies on the electromagnetic outputs of the laptop that are emitted during the decryption process, which are used to work out the target’s key.

Researchers acquired the laptop’s private key by running GnuPG. GnuPG is a widely famous implementation of OpenPGP. Once done, they measured the electromagnetic emanations of the target computer and within seconds, they had the secret decryption key.

According to the team of researchers, which comprised of Daniel Genkin, Lev Pachmanov, Itamar Pipman, and Eran Tromer, the attack is launched using lab equipment that “costs about $3000.” This shows that the attack is unwieldy. They further stated, “the attacks are completely non-intrusive; we did not modify the targets or open their chassis.”

However, Tromer stated while talking to Motherboard “experience shows that once the physical phenomena are understood in the lab, the attack setup can be miniaturized and simplified.”

Tromer further explained that the modifications make GnuPG more “resistant to side-channel attack since the sequence of high-level arithmetic operations does not depend on the secret key.”

The attack’s legitimacy was tested by sending specific ciphertext to the target, which is basically an encrypted message.

The Paper:

The research team published a paper (pdf) stating the process of the attack, which read:

 

After processing the signals “a clean trace is produced which reveals information about the operands used in the elliptic curve cryptography [and in turn] it is used in order to reveal the secret key.”

The equipment that the team used were quite varied such as they used amplifiers, an antenna and software-defined radio too along with, obviously, a laptop. This process was being carried out through a 15cm thick wall, reinforced with metal studs, according to the paper.

The secret key was received after observation of around 66 decryption processes. Each of these procedures lasted for 0.05 seconds. This yielded overall measurement duration of around “3.3 seconds” the paper established.

For the information of our readers, when the researchers state that the key was obtained in “seconds” they actually are referring to the total measurement time instead of how long it might take to carry out the attack.

Real Life Attack Possibilities:

When a real attacker launches an attack, various other factors will be involved in the target will decrypt the encrypted message reliably since observing that process is needed to successfully conduct the attack.

As far as an in-the-wild scenario is concerned, this attack is still quite theoretical and it is hard to imagine its wide-scale implementation.

Yet, Tromer believes that hackers could possibly adapt their identified techniques or other such mechanisms, and they may even make them more cheap and accessible.

While mentioning his previous researchers, Tromer stated that this latest attack “can also be performed clandestinely and at even lower cost. In this day and age, our personal data, financial assets and private communication are all protected by cryptographic algorithms, and there are ample incentives and precedents for sophisticated attacks on the general population.”

He further added that their work is most potentially pertinent to “systems that are carefully protected against software attacks, but—as we show—may be wide open to inexpensive physical attacks.”