Stealing secret crypto-keys from PCs using leaked radio emissions

Your encryption keys can accidentally leak from your PC via radio waves, computer scientists have reminded us this week. This is a well-understood risk, but as these guys have demonstrated, it can be done cheaply with consumer-grade kit, rather than expensive lab equipment.

Tel Aviv University researchers Daniel Genkin, Lev Pachmanov, Itamar Pipman and Eran Tromer have built on Genkin’s earlier work on capturing 4096-bit RSA keys using the sound emitted by a computer while it runs a decryption routine.

The latest research involved extracting private decryption keys from GnuPG on laptops within seconds by measuring the electromagnetic emanations during the decryption of a chosen cipher text. The researchers used the Funcube Dongle Pro+, hooked up to a small Android embedded computer called the Rikomagic MK802 IV, to measure emissions within 1.6 and 1.75 MHz. It may even be possible to pull off the attack with a standard AM radio with the output audio recorded by a smartphone.

An abstract for the paper – Stealing Keys from PCs using a Radio: Cheap Electromagnetic Attacks on Windowed Exponentiation – explains:

We demonstrate the extraction of secret decryption keys from laptop computers, by non-intrusively measuring electromagnetic emanations for a few seconds from a distance of 50 cm. The attack can be executed using cheap and readily-available equipment: a consumer-grade radio receiver or a Software Defined Radio USB dongle. The setup is compact and can operate untethered; it can be easily concealed, e.g., inside pita bread. Common laptops, and popular implementations of RSA and ElGamal encryptions, are vulnerable to this attack, including those that implement the decryption using modern exponentiation algorithms such as sliding-window, or even its side-channel resistant variant, fixed-window (m-ary) exponentiation.

We successfully extracted keys from laptops of various models running GnuPG (popular open source encryption software, implementing the OpenPGP standard), within a few seconds. The attack sends a few carefully-crafted ciphertexts, and when these are decrypted by the target computer, they trigger the occurrence of specially-structured values inside the decryption software. These special values cause observable fluctuations in the electromagnetic field surrounding the laptop, in a way that depends on the pattern of key bits (specifically, the key-bits window in the exponentiation routine). The secret key can be deduced from these fluctuations, through signal processing and cryptanalysis.

Steve Armstrong, managing director of Logically Secure Ltd and former lead of the RAF's penetration and TEMPEST testing teams, said the type of attack demonstrated by the Tel Aviv team is well established. Such attacks have been possible for years; increasing the gap between the target machine and the eavesdropper mitigates the attack, according to Armstrong.

“Any device close to a computer can pick up RF signals – put your phone close to the car radio and listen to it chatting,” Armstrong explained. “The key thing of this attack will the the required proximity. If they can do it at 10 metres in a different room, I would be impressed; if the device needs to be within 20cm, I am not.”

The attack demonstrated by the Tel Aviv team may be unreliable in practice, because computers are usually juggling multiple tasks at the same time and not just exclusively decrypting data. That means lots of noise is added to the process, ruining attempts to extract private keys from the machines.

The Israeli researchers intend to present their work at the Workshop on Cryptographic Hardware and Embedded Systems (CHES) conference in France in September 2015. ®