Listen up: RSA keys snatched by recording CPU sounds with a phone

The co-inventor of the RSA algorithm has designed a way of deciphering the sounds a CPU makes as it crunches RSA-encrypted content

It sounds too preposterous for even James Bond: by placing a mobile phone next to a PC, researchers can "listen" to the faintest sound a CPU makes as it churns away on RSA-encoded content and extract the keys themselves.

Preposterous, except for the fact that Adi Shamir, one of the co-developers of the RSA encryption algorithm, co-wrote the paper that describes how to do it. Daniel Genkin and Eran Tromer were the other two authors.

"The attack can extract full 4096-bit RSA decryption keys from laptop computers (of various models), within an hour, using the sound generated by the computer during the decryption of some chosen ciphertexts," the paper's authors wrote. "We experimentally demonstrate that such attacks can be carried out, using either a plain mobile phone placed next to the computer, or a more sensitive microphone placed 4 meters away."

The authors were able to experimentally succeed with their method using either an ungainly, and extremely obvious, parabolic antenna from 4 meters away, or by using a generic mobile phone from just 30 centimeters away.  Naturally, better listening equipment decreased the time to extract the RSA keys.

And it gets even worse: merely touching the PC also allowed an attacker to extract the keys by measuring the electric potential of the PC chassis. In this case, users who touched the PC (and surreptitiously measured their electric potential) should be able to extract the keys. And be persuading the victim to plug in either an innocuous-looking VGA or ethernet cable into his laptop, the attacker could measure the shield potential elsewhere and get the keys as well.

Typically, simply having physical access to a unsuspecting PC is enough for some security experts to throw up their hands and concede that the attacker has won. And that's true, in this case, as well. But the paper's authors demonstrated an "attack" running in a lecture hall, and suggested other plausible scenarios:

" Install an attack app on your phone. Set up a meeting with your victim, and during the meeting, place your phone on the desk next to the the victim's laptop.

" Break into your victim's phone, install your attack app, and wait until the victim inadvertently places his phone next to the target laptop.

" Construct a webpage, and use the microphone of the computer running the browser using Flash or another method. When the user permits the microphone access, use it to steal the user's secret key.

" Put your stash of eavesdropping bugs and laser microphones to a new use.

" Send your server to a colocation facility, with a good microphone inside the box. Then acoustically extract keys from all nearby servers.

" Get near a protected machine, place a microphone next to its ventilation holes, and extract the secrets.

The techniques the authors describe can be countered by sound dampening, but the white noise of a PC's fan can be pretty easily filtered out. The researchers said that they supplied their attack vector to GnuPG developers before publication, let them develop revised code, and yet it was still vulnerable. The answer may lie in using software to try and obfuscate the audible sound emanations, they said.

In any case, the paper that Genkin, Shamir, and Tromer authored is seriously scary stuff, especially for business or government travelers carrying sensitive information outside the country as well as into and through strange hotels and conference rooms.

Join the CSO newsletter!

Error: Please check your email address.

Tags hackers[no company]security

More about RSA

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Mark Hachman

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts