Researchers deduce cryptographic key using microphone
In new research that is more reminiscent of a James Bond movie than computer security, computer scientists have worked out a way to deduce cryptographic keys by monitoring high-pitched sounds from a computer when an encrypted message is displayed, reports Ars Technica.
By monitoring sounds commonly made by computers as they ran GnuPG (GNU Privacy Guard), the scientists were able to distinguish between the acoustic signatures of different RSA secret keys. From there, they were apparently able to extract the decryption keys by measuring the sound the machine makes during decryption of ciphertexts that were prepared in advance. Captured sound could either be captured by the built-in microphone of a smartphone placed next (30 cm) to the laptop, or as far as four meters away with the use of a sensitive microphone.
"The acoustic signal of interest is generated by vibration of electronic components (capacitors and coils) in the voltage regulation circuit, as it struggles to maintain a constant voltage to the CPU despite the large fluctuations in power consumption caused by different patterns of CPU operations," says the researchers in a summary of their work.
In a nutshell, they were measuring the sound created by the electronics, not moving components like a fan or hard disk drive. You can access the paper outlining the attack titled "RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis" here (pdf).
The Fierce Take: As part of a coordinated measure, a new update for GnuPG containing countermeasures for preventing such attacks was released in tandem with report. Ultimately, this seemingly outlandish attack is a chilling reminder that it may not always good enough to protect against known attack vectors.
- check out this article at Ars Technica