By Zach Epstein
Just when you thought you were safe, a new hacking toy comes along and rocks your world. Imagine a tool exists that lets hackers pluck encryption keys from your laptop right out of the air. You can’t stop it by connecting to protected Wi-Fi networks or even disabling Wi-Fi completely. Turning off Bluetooth also won’t help you protect yourself.
Why? Because the tiny device that can easily be hidden in an object or taped to the underside of a table doesn’t use conventional communications to pull off capers. Instead it reads radio waves emitted by your computer’s processor, and there’s really nothing you can do to stop it.
Researchers at Tel Aviv University and another Israeli research center called Technion have created a terrifying new hacking tool that can steal encryption keys out of the air. The device, which is assembled using about $300 worth of parts that are widely available, is about the size of a piece of pita bread. Not by coincidence, the team is calling it PITA (Portable Instrument for Trace Acquisition).
Here’s how it works: the PITA consists of a bunch of off-the-shelf parts and it runs on four AA batteries. Using an antenna that can read electromagnetic waves emitted by computer processors from up to 19 inches away, the device captures the emanations given off while the laptop performs RSA and ElGamal decryptions and recovers the secret keys from them. Captured data is then stored locally on the device’s microSD card, or the PITA can transmit data over Wi-Fi to the attacker’s computer.
Here’s a deeper dive from the team’s paper:
“We demonstrate the extraction of secret decryption keys from laptop computers, by nonintrusively measuring electromagnetic emanations for a few seconds from a distance of 50 cm. The attack can be executed using cheap and readily-available equipment: a consumer-grade radio receiver or a Software Defined Radio USB dongle. The setup is compact and can operate untethered; it can be easily concealed, e.g., inside pita bread. Common laptops, and popular implementations of RSA and ElGamal encryptions, are vulnerable to this attack, including those that implement the decryption using modern exponentiation algorithms such as sliding-window, or even its side-channel resistant variant, fixed-window (m-ary) exponentiation.
“We successfully extracted keys from laptops of various models running GnuPG (popular open source encryption software, implementing the OpenPGP standard), within a few seconds. The attack sends a few carefully-crafted ciphertexts, and when these are decrypted by the target computer, they trigger the occurrence of specially-structured values inside the decryption software. These special values cause observable fluctuations in the electromagnetic field surrounding the laptop, in a way that depends on the pattern of key bits (specifically, the key-bits window in the exponentiation routine). The secret key can be deduced from these fluctuations, through signal processing and cryptanalysis.”
So now you’re obviously wondering, “how can I block this crazy attack?” Bad news: You can’t.
“Physical mitigation techniques of electromagnetic radiation include Faraday cages,” the team wrote on its website. “However, inexpensive protection of consumer-grade PCs appears difficult. Alternatively, the cryptographic software can be changed, and algorithmic techniques employed to render the emanations less useful to the attacker. These techniques ensure that the rough-scale behavior of the algorithm is independent of the inputs it receives; they usually carry some performance penalty, but are often used in any case to thwart other side-channel attacks. This is what we helped implement in GnuPG.”
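To make the mitigation quote concrete, here is an added illustration of what “rough-scale behavior of the algorithm is independent of the inputs” means in practice. This is not code from the PITA paper or from GnuPG, and the page does not name the exact change the team contributed to GnuPG, so the two techniques shown are general textbook ones: a regular exponentiation ladder, whose sequence of squarings and multiplications is the same for every key, and base blinding, which randomises the values flowing through the arithmetic so a chosen ciphertext cannot force particular intermediate values. The leaky square-and-multiply baseline is included only to show the contrast. All key parameters, function names and the toy modulus are constructed for the example.

```python
"""Added illustration, not code from the PITA paper or from GnuPG.

Two textbook ways to make modular exponentiation behave independently of
its inputs, as the quoted mitigation paragraph describes in general terms:
a regular exponentiation ladder (same operation sequence for every key)
and base blinding (randomised intermediate values, so an attacker-chosen
ciphertext cannot dictate which values occur in the arithmetic).
All parameters below are tiny, constructed toy values.
"""
from math import gcd
import secrets


def square_and_multiply(base, exp, mod, bits, trace=None):
    """Left-to-right square-and-multiply: the leaky baseline.

    A multiplication happens only for exponent bits equal to 1, so the
    sequence of operations is a transcript of the secret exponent.
    `trace`, if given, collects "S" (square) / "M" (multiply) in order."""
    result = 1
    for bit in bin(exp)[2:].zfill(bits):
        result = (result * result) % mod
        if trace is not None:
            trace.append("S")
        if bit == "1":
            result = (result * base) % mod
            if trace is not None:
                trace.append("M")
    return result


def montgomery_ladder(base, exp, mod, bits, trace=None):
    """Montgomery ladder: one multiply and one square per bit, whatever
    the bit's value, so the operation sequence depends only on `bits`
    (the fixed exponent length) and not on the key. Real implementations
    also need constant-time conditional swaps and memory access; this toy
    only demonstrates the control-flow regularity."""
    r0, r1 = 1, base % mod
    for i in range(bits - 1, -1, -1):
        if (exp >> i) & 1:
            r0 = (r0 * r1) % mod
            r1 = (r1 * r1) % mod
        else:
            r1 = (r0 * r1) % mod
            r0 = (r0 * r0) % mod
        if trace is not None:
            trace.extend(("M", "S"))
    return r0


def blinded_rsa_decrypt(c, d, e, n):
    """RSA decryption with base blinding (a general technique assumed
    here; the page does not name the exact change made to GnuPG).

    Exponentiating c * r^e for a fresh random r and then stripping r
    means the values passing through the multiplier are randomised: a
    chosen ciphertext no longer decides which intermediate values occur
    while the secret exponent is being used."""
    while True:
        r = secrets.randbelow(n)
        if r > 1 and gcd(r, n) == 1:
            break
    c_blind = (c * pow(r, e, n)) % n
    m_blind = montgomery_ladder(c_blind, d, n, d.bit_length())
    return (m_blind * pow(r, -1, n)) % n


def operation_trace(fn, base, exp, mod, bits):
    """Return the S/M operation sequence `fn` performs for this exponent."""
    trace = []
    fn(base, exp, mod, bits, trace)
    return trace


if __name__ == "__main__":
    # Constructed toy RSA key: p = 61, q = 53, n = 3233, e = 17, d = 2753.
    n, e, d = 3233, 17, 2753
    c = pow(65, e, n)  # ciphertext of the message 65
    print(square_and_multiply(c, d, n, 12), montgomery_ladder(c, d, n, 12),
          blinded_rsa_decrypt(c, d, e, n))  # prints 65 65 65
    # The baseline's trace changes with the exponent; the ladder's does not.
    for exp in (0b1011, 0b1000):
        print(bin(exp), operation_trace(square_and_multiply, 2, exp, 97, 4),
              operation_trace(montgomery_ladder, 2, exp, 97, 4))
```

Running the block shows that the square-and-multiply trace for exponent 1011 differs from the one for 1000, while the ladder produces the identical eight-step pattern for both; the blinding wrapper still returns the correct plaintext because the random factor cancels out at the end. The quote notes that such techniques usually carry a performance penalty, which is visible here too: the ladder always does two operations per bit where the baseline sometimes does one.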
The team plans to present its creation at the Workshop on Cryptographic Hardware and Embedded Systems this coming September.