Israeli security researchers demo crypto key theft via radio leaks

News by Rene Millman

Encryption keys can be stolen via radio waves using cheap mobile equipment

Israeli-based security researchers have devised a way to quickly steal encryption keys stored on a PC using a cheap computer, an AM radio antenna and a piece of pitta bread.

While the risk is nothing new, the present research has found that keys can be stolen using equipment that can be bought over the counter for less than £100, rather than relying on laboratory equipment costing thousands.

Using the cheap equipment, researchers from Tel Aviv University could deduce keystrokes and tell what application is running on a computer, and find out encryption keys.

According to researchers Daniel Genkin, Lev Pachmanov, Itamar Pipman and Eran Tromer, to assemble the device, hackers would need a FUNcube Dongle Pro+ software-defined radio, an Android-based Rikomagic mini-computer to control the dongle and an AM radio antenna. All of which can be contained in and disguised as a piece of pitta bread.

“The setup is compact and can operate untethered; it can be easily concealed, eg, inside pita bread. Common laptops, and popular implementations of RSA and ElGamal encryptions, are vulnerable to this attack, including those that implement the decryption using modern exponentiation algorithms such as sliding-window, or even its side-channel resistant variant, fixed-window (m-ary) exponentiation,” the researcher said in a paper.

The researchers dubbed the device PITA (Portable Instrument for Trace Acquisition). The antenna sports a capacitor that picks up frequencies around the 1.7MHZ mark where signals are leaked from a computer.

These signals are logged on an internal microSD card. Researchers said that offline analysis could figure out the keys in a few seconds.

“We successfully extracted keys from laptops of various models running GnuPG (popular open source encryption software, implementing the OpenPGP standard), within a few seconds,” the researchers said.

The attack sends a few carefully-crafted ciphertexts, and when these are decrypted by the target computer, they trigger the occurrence of specially-structured values inside the decryption software.

“These special values cause observable fluctuations in the electromagnetic field surrounding the laptop, in a way that depends on the pattern of key bits (specifically, the key-bits window in the exponentiation routine).”

The researchers also also developed another device to collect signals. This connected a consumer device called “Road Master” radio to the microphone jack of an HTC EVO 4G smartphone, sampling at 48 kHz.

However, the researchers noted that for the attack to be successful, the eavesdropping device would have to be less than 50cm away from the computer that hackers want to listen in on.

The researcher said that one way of mitigating the attack is to put a vulnerable computer inside a Faraday cage, but “inexpensive protection of consumer-grade PCs appears difficult.”

“Alternatively, the cryptographic software can be changed, and algorithmic techniques employed to render the emanations less useful to the attacker,” said the researchers.

Alan Melia, head of Investigations and Incident Response at MWR InfoSecurity, told SC that while the attack was technically possible, as it only worked at a distance of less that 50cm, “the risk for the attacker being detected may be impractically high”.

“Not only that, but the victim must be using the cryptographic algorithms during the time the attacker is present. That said, there is a clear demonstrable risk, especially if you are using the same type of laptop used within the test. The article implies that ‘all' laptops can be attacked in this way, but there is no comprehensive results matrix which would allow an informed decision as to which laptops are more susceptible than others,” said Melia.

Melia said he could see the attack being refined. The sensitivity of the technique and the limited time window required for the attack to be effective is the limiting factor.

“I am sure that work will continue on refining the techniques used, however the ever-increasing frequencies used in CPU's combined with the parallel development of lower power usage is going to negatively impact the range and quality of the signal available for this form of attack,” he added.

Philip Lieberman, CEO of Lieberman Software, told SC that the research is interesting in that it shows a significant reduction in price for RF interception and crypto-analysis.

“The methodologies take a page from the well-worn book on Tempest. The researchers picked a corner case, but there are more valuable applications of the technology,” he added.

“The techniques employed in the paper go beyond the capabilities of common criminals and even sophisticated hackers.  The game of interception is still generally limited to nation states,” said Lieberman. “For what it is worth, there are more interesting things that can be done with this technology and have been done for the last 50+ years.”

Adrian Lewis, consultant at Context Information Security, told that while the attack is certainly made more accessible by utilising cheap equipment, a number of key pieces of information must still be known for it to be successful.

“The attack is currently only against certain versions of software, utilising particular implementations of encryption on specific models of hardware. All of this must be known prior to sending crafted cipher texts to prompt decryption, while the attacker is listening to the localised emissions of the device either by being physically close or by using further specialised radio equipment,” he said.

Lewis added that as a viable attack vector to determine the private components of a key, this is an extremely difficult attack to pull off as it currently stands.

David Kennerley, senior manager for Threat Research at Webroot, told that this form of attack vector is unlikely to become the norm for a couple of reasons.

“Firstly, it is still reliant on being close to the target, though the small and compact size of the equipment makes this a little more viable,” said Kennerle. ”Secondly, Electromagnetic and heat emission attacks still rely on the targeted machine being relatively idle until performing actions related to the data the attacker wishes steal.”


Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews