In RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis [PDF], a paper by Daniel Genkin and Eran Tromer of Tel Aviv University and Adi Shamir, the authors show that a sensitive microphone (such as the one in a compromised mobile phone) can be used to infer a secret cryptographic key being used by a nearby computer. The computer's processor emits different quiet sounds ("coil whine...caused by voltage regulation circuits") as it performs cryptographic operations, and these sounds, properly analyzed, can reveal the key.
It's a pretty stunning attack, the sort of thing that sounds like science fiction. But the researchers are unimpeachable (Shamir is the "S" in RSA), and their paper is very clear.
The techniques they demonstrated certainly aren't viable for casual attacks. Still, as Wednesday's updates from GnuPG attest, they represent a realistic threat for people who use cryptographic software and devices in certain settings. The researchers outline several countermeasures application developers can implement to prevent computers from leaking the secret keys in acoustic emanations, namely a technique known as RSA ciphertext randomization. People who rely on cryptography applications should check with the developers to make sure they're not susceptible. In the meantime, end users shouldn't assume that running a computer in a noisy environment will prevent attacks from working, since acoustic emanations that leak secret keys can often be filtered.
New attack steals e-mail decryption keys by capturing computer sounds [Dan Goodin/Ars Technica]
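The "RSA ciphertext randomization" countermeasure named in the quote above (often called blinding) can be sketched as follows. This is an added example, not code from the paper or from GnuPG. The key is a constructed toy key, the function names are hypothetical, and Python's `pow` is not constant-time, so it illustrates the arithmetic only.

```python
import math
import secrets

# Constructed toy key from two Mersenne primes (illustration only;
# real RSA keys are 2048 bits or more and come from a vetted library).
P, Q = 2**31 - 1, 2**61 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent


def blind(c, n, e):
    """Return (c * r^e mod n, r^-1 mod n) for a fresh random r coprime to n."""
    while True:
        r = secrets.randbelow(n - 2) + 2
        if math.gcd(r, n) == 1:
            return (c * pow(r, e, n)) % n, pow(r, -1, n)


def decrypt_blinded(c, d, n, e, trace=None):
    """RSA private-key operation with ciphertext randomization.

    (c * r^e)^d = c^d * r (mod n), so multiplying by r^-1 recovers c^d,
    but the secret exponentiation never runs on the ciphertext as received.
    """
    blinded, r_inv = blind(c, n, e)
    if trace is not None:
        trace.append(blinded)  # operand the private exponentiation actually sees
    return (pow(blinded, d, n) * r_inv) % n


def decrypt_plain(c, d, n):
    """Unblinded operation: the operand is exactly the sender's ciphertext."""
    return pow(c, d, n)


if __name__ == "__main__":
    message = 123456789                 # constructed sample plaintext
    ciphertext = pow(message, E, N)
    seen = []
    for _ in range(3):
        assert decrypt_blinded(ciphertext, D, N, E, seen) == message
    print("ciphertext as received:", ciphertext)
    print("operands actually exponentiated:", seen)
```

Every call returns the same plaintext as the unblinded operation, while the operand fed to the secret exponentiation is different and unpredictable each time.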