Listening for encoded PC passwords.


Listening for encoded PC passwords.

Postby m0lsx » Mon Jun 26, 2017 10:58 am

http://www.theregister.co.uk/2017/06/23/aes_256_cracked_50_seconds_200_kit/

Side-channel attacks that monitor a computer's electromagnetic output to snaffle passwords are nothing new. They usually require direct access to the target system and a lot of expensive machinery – but no longer.

Researchers at Fox‑IT have managed to wirelessly extract secret AES-256 encryption keys from a distance of one metre (3.3 feet) – using €200 (~US$224) worth of parts obtained from a standard electronics store – just by measuring electromagnetic radiation. At that distance sniffing the keys over the air took five minutes, but if an attacker got within 30 centimetres (11.8 inches) of a device, the extraction time is cut down to just 50 seconds.

The research team used a simple loop antenna, attached it to an external amplifier and bandpass filters bought online, and then plugged it into a software defined radio USB stick they bought for €20. The entire cost of the setup was less than €200 and the device could be hidden in a jacket or laptop case.

They used this kit to record the radio signals generated by the power consumption of the SmartFusion2 target system running an ARM Cortex-M3-powered chip. By measuring the leakage between the Cortex processor and the AHB bus, the data showed the peaks and troughs of consumption as the encryption process was carried out.

By running a different encryption run on a test rig, the researchers mapped out how the power consumption related to individual bytes of information. That allowed them to take guesses at the 256 possible values of a single byte and the correct choice showed the highest power spike.

"Using this approach only requires us to spend a few seconds guessing the correct value for each byte in turn (256 options per byte, for 32 bytes – so a total of 8,192 guesses)," they wrote [PDF]. "In contrast, a direct brute-force attack on AES‑256 would require 2^256 guesses and would not complete before the end of the universe."

The electromagnetic signals drop off rapidly the farther away you are from the target, but the researchers still managed the extraction from a distance of one metre, even though it took much longer to do so. Spending more on the equipment, however, would increase the range and speed of the attack.

"In practice this setup is well suited to attacking network encryption appliances," they wrote. "Many of these targets perform bulk encryption (possibly with attacker-controlled data) and the ciphertext is often easily captured from elsewhere in the network. This again underscores the need for deep expertise and defense-in-depth when designing high assurance systems."

There are, of course, some caveats. The tests took place under laboratory conditions, rather than in a busy office or server room where other signals might interfere with the data collection. But it's an interesting example of how an attack previously thought of as unfeasible due to cost and distance has been made easier by smarter and cheaper technology.
Buy a database from Kimmy JS19 via http://ukscanningdirectory.co.uk/
Or do Google search of this forum via https://www.google.com/cse/home?cx=partner-pub-6291336405621919:2662881632
73 De Alan (M0LSX.)
http://www.qrz.com/db/M0LSX
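As an added illustration of the per-byte guessing the researchers describe (example code, not from the article or the Fox‑IT paper): a simulated correlation attack on a single AES key byte under a Hamming-weight leakage model, ranking 256 guesses so that 32 bytes need only 32 × 256 = 8,192 hypotheses, run beside a first-order masked variant to show why masking is the standard countermeasure. The S-box derivation, noise level, seed and mask are constructed assumptions, and the traces are synthetic rather than measurements.

```python
import random

def aes_sbox():
    """Build the AES S-box (GF(2^8) inverse followed by the affine map)."""
    rotl = lambda x, n: ((x << n) | (x >> (8 - n))) & 0xFF
    box, p, q = [0] * 256, 1, 1
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF  # p *= 3 in GF(2^8)
        q ^= q << 1; q ^= q << 2; q ^= q << 4; q &= 0xFF        # q /= 3, so q = 1/p
        if q & 0x80: q ^= 0x09
        box[p] = q ^ rotl(q, 1) ^ rotl(q, 2) ^ rotl(q, 3) ^ rotl(q, 4) ^ 0x63
        if p == 1: break
    box[0] = 0x63
    return box

SBOX = aes_sbox()
HW = [bin(v).count("1") for v in range(256)]  # Hamming-weight leakage model

def pearson(xs, ys):
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    return sxy / (sxx * syy) ** 0.5 if sxx and syy else 0.0

def simulate_traces(key_byte, n, masked, noise=1.0, seed=1):
    """Constructed traces: one noisy sample per encryption at the S-box output.
    masked=True XORs in a fresh random mask, as a first-order masked design does."""
    rng = random.Random(seed)
    pts, leak = [], []
    for _ in range(n):
        p = rng.randrange(256)
        m = rng.randrange(256) if masked else 0
        pts.append(p)
        leak.append(HW[SBOX[p ^ key_byte] ^ m] + rng.gauss(0, noise))
    return pts, leak

def recover_key_byte(pts, leak):
    """CPA: rank all 256 guesses for one byte by |correlation| with the leakage."""
    scores = [abs(pearson([HW[SBOX[p ^ g]] for p in pts], leak)) for g in range(256)]
    best = max(range(256), key=scores.__getitem__)
    return best, scores[best]

if __name__ == "__main__":
    key = 0x2B
    for masked in (False, True):
        g, r = recover_key_byte(*simulate_traces(key, 1500, masked))
        print(f"masked={masked}: best guess 0x{g:02x} (true 0x{key:02x}), |r|={r:.3f}")
```

Without masking the true byte stands out with a correlation near 0.8; with a random mask per encryption the best of the 256 guesses is indistinguishable from noise, which is the property a masked implementation is built to provide.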

Re: Listening for encoded PC passwords.

Postby lars » Mon Jun 26, 2017 11:33 am

Fiendish. I suspect that the approach described would be difficult to use on a general-purpose computer, or even on a network router, because of the difficulty in disentangling the effects of encryption on power consumption from those of everything else the CPU would be doing. Also, I suspect that if an intruder can get within 30cm of the target system, there might be easier ways to achieve the same effect. Moving further away won't just reduce the signal strength -- it will increase the collection of all sorts of other data from nearby equipment.

Still, makes you think.

Re: Listening for encoded PC passwords.

Postby m0lsx » Mon Jun 26, 2017 4:00 pm

It's certainly a step towards PCs being much less secure.
In the 1980s the Russians were able to watch what embassies typed in much the same way as the above. Except the Russians inserted the bug into the typewriter's power switch.

https://qz.com/932448/forget-smart-tvs-in-the-1980s-spies-were-hacking-typewriters/

In the early 1980s, Russian spies did just that, according to a report released by the US National Security Agency in 2012. They developed electromechanical bugs that could be implanted in typewriters and used to transmit information as it was being typed.
The bugs had originally been discovered in 1983 at an embassy friendly to the United States, which the report doesn’t name. Once alerted, the NSA analyzed the bugs, and found that they “represented a major Soviet technological improvement over their previous efforts.” Those first bugs weren’t found in typewriters, but it was determined that they could be used in nearly any electric device.
The implants were the first electromechanical bugs ever recovered by the agency, according to the report. Before this, the US had assumed the only listening devices its Cold War opponents used were small microphones hidden in lamps and walls.

The NSA eventually discovered five unique versions of the implant, all with varying types of power sources and components. The devices used “magnetometers” to discern which keys in the typewriters were being pressed, by converting “the mechanical energy of key strokes into local magnetic disturbances,” and transmitted that information by radio. Those signals could be picked up by nearby receivers, which could then output the information being typed in real time.
