Side-Channel Attacks and Hardware Vulnerabilities
Last month, a new attack method that can work against Intel CPUs was publicized: PLATYPUS. This new attack method—discovered by Moritz Lipp, Michael Schwarz, Andreas Kogler, David Oswald, Catherine Easdon, Claudio Canella, and Daniel Gruss—is a good example of a side-channel attack. This type of attack uses information related to the side-effects of computer activity in order to exploit a vulnerability. Ryan Singel of WIRED explained the origins of side-channel attacks. The first potential side-channel attack was discovered in 1943, an engineer working on a teletype encryption machine noticed that every time a letter was pressed, an oscilloscope in the laboratory would spike. The spikes, which resulted from the electromagnetic activity of the teletype machine, could be translated into the message that was typed. Even if the output of the teletype machine had been encrypted, the side-effect of electromagnetic activity could be used to get the original message. In today’s time, data related to power consumption, the timing of computer processes, and even acoustics can be analyzed for a side-channel attack.
According to the official PLATYPUS website, PLATYPUS is a power consumption side-channel attack. PLATYPUS is an acronym for Power Leakage Attacks: Targeting Your Protected User Secrets. Much like the teletype encryption machine example, a power consumption side-channel attack usually requires an oscilloscope and physical access to the victim device. However, PLATYPUS can be accomplished remotely thanks to Intel’s Running Average Power Limit (RAPL), an interface that is like a built-in power meter. RAPL can be used to keep track of differences in power consumption that correspond to different computer instructions and memory loads. This lets attackers recover data stored in otherwise “secure” locations. The researchers who discovered PLATYPUS found that they could recover cryptographic keys from the Intel Software Guard Extensions (SGX) enclave and the Linux kernel. Although Intel released firmware updates to mitigate the RAPL vulnerabilities, CPUs made by other manufacturers such as AMD, ARM, and NVIDIA contain similar built-in power meters and may be vulnerable as well.
Before PLATYPUS, two hardware vulnerabilities named Meltdown and Spectre made headlines in 2018. They are vulnerable to timing side-channel attacks that use the Central Processing Unit (CPU) cache. Timing side-channel attacks measure the time required by different operations in order to recover secret data. The CPU is the “brain” of a computer, and frequently used data is stored in its cache to improve performance. If the CPU needs to access data, it will check to see if the data is in the cache. If not, it will be placed into the cache for future reference. According to an IEEE Spectrum article by Nael Abu-Ghazaleh, Dmitry Ponomarev, and Dmitry Evtyushkin, attackers can measure the time it takes for data to be placed into the CPU cache, and they can use this information to figure out which specific pieces of data were accessed by the CPU. This type of side-channel attack allows bad actors to recover “encryption keys and other secrets.” The Meltdown and Spectre vulnerabilities affected processors made by Intel, ARM, IBM, and AMD. Fortunately, software patches were released to address the vulnerabilities.
Acoustic side-channel attacks exploit sounds emitted by devices. These attacks can sometimes be used by keyloggers. Keyloggers are malware designed to steal passwords by keeping track of what is typed onto a keyboard. There are different types of keyloggers, but it is possible for some to work by using acoustic data. Anyone who has ever used a keyboard will notice that pressing different keys results in distinguishable clicks and clacks. Acoustic keyloggers can use the sounds of keystrokes to reconstruct the typed message. Unfortunately, even virtual keyboards on mobile devices are vulnerable. Ilia Shumailov, Laurent Simon, Jeff Yan, and Ross Anderson discovered that it is possible to listen in on the sound waves made by tapping on the touchscreen of a smartphone or tablet to learn what someone typed onto a virtual keyboard. Fortunately, acoustic keyloggers are rare.
In summary, bad actors can carry out side-channel attacks by analyzing the side-effects of computer activity. Physical data, including electromagnetic data or even acoustic data, can be analyzed in order to retrieve sensitive information. In a world where sensitive information can be leaked in places that are overlooked, keeping firmware up to date is very important.