Deriving cryptographic keys by listening to CPUs' "coil whine"

In RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis [PDF], a paper by Daniel Genkin and Eran Tromer of Tel Aviv University and Adi Shamir, the authors show that a sensitive microphone (such as the one in a compromised mobile phone) can be used to infer a secret cryptographic key being used by a nearby computer. The computer's processor emits different quiet sounds ("coil whine...caused by voltage regulation circuits") as it performs cryptographic operations, and these sounds, properly analyzed, can reveal the key.

It's a pretty stunning attack, the sort of thing that sounds like science fiction. But the researchers are unimpeachable (Shamir is the "S" in RSA), and their paper is very clear.

The techniques they demonstrated certainly aren't viable for casual attacks. Still, as Wednesday's updates from GnuPG attest, they represent a realistic threat for people who use cryptographic software and devices in certain settings. The researchers outline several countermeasures application developers can implement to prevent computers from leaking the secret keys in acoustic emanations, namely a technique known as RSA ciphertext randomization. People who rely on cryptography applications should check with the developers to make sure they're not susceptible. In the meantime, end users shouldn't assume that running a computer in a noisy environment will prevent attacks from working, since acoustic emanations that leak secret keys can often be filtered.

New attack steals e-mail decryption keys by capturing computer sounds [Dan Goodin/Ars Technica]

Notable Replies

  1. If I saw that in a movie I would have cried BULLSHIT in the middle of the freaking theatre.

    Now... wow... just wow.

    Time to put silencers on our motherboards Mr Bond!

  2. I'm not entirely convinced that "coil whine" -- which would respond to overall system activity -- would have enough information specifically about the cryptokey to make this work.

    If they were attributing this to a microphonic chip, I'd find it a bit more believable. But that's still a matter of whether the right chip is cooperating.

    If they were going after radio noise, Tempest-style, I'd find it more believable.

    I'm not quite ready to call bullshit. I AM ready to call for independent replication before we take the claim at all seriously.

    "Any sufficiently advanced technology is indistinguishable from a rigged demo."

  3. SamSam says:

    The article is by some of the foremost and most reputable researchers in cryptography. While I agree with replicating all findings, I think it's hardly justifiable to assume they've just made a "rigged demo" to get some publicity.

    Did you read the paper? It's very in-depth. And it builds on earlier proof-of-concept work that previously showed that this should be possible.

  4. But the researchers are unimpeachable (Shamir is the "S" in RSA)

    If I were him, I'd go around starting arguments with lesser crypto-nerds, just so I could finish them off with "Didn't you know? I'm the S in RSA, mofo!"

Continue the discussion

14 more replies