In RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis [PDF], a paper by Daniel Genkin and Eran Tromer of Tel Aviv University and Adi Shamir, the authors show that a sensitive microphone (such as the one in a compromised mobile phone) can be used to infer a secret cryptographic key being used by a nearby computer. The computer's processor emits different quiet sounds ("coil whine...caused by voltage regulation circuits") as it performs cryptographic operations, and these sounds, properly analyzed, can reveal the key.
It's a pretty stunning attack, the sort of thing that sounds like science fiction. But the researchers are unimpeachable (Shamir is the "S" in RSA), and their paper is very clear.
The techniques they demonstrated certainly aren't viable for casual attacks. Still, as Wednesday's updates from GnuPG attest, they represent a realistic threat for people who use cryptographic software and devices in certain settings. The researchers outline several countermeasures application developers can implement to prevent computers from leaking the secret keys in acoustic emanations, namely a technique known as RSA ciphertext randomization. People who rely on cryptography applications should check with the developers to make sure they're not susceptible. In the meantime, end users shouldn't assume that running a computer in a noisy environment will prevent attacks from working, since acoustic emanations that leak secret keys can often be filtered.
New attack steals e-mail decryption keys by capturing computer sounds [Dan Goodin/Ars Technica]
Yes, irony is dead. The Washington Post reports that Presidential Daddy Daughter Ivanka Trump used a personal email account to receive and send emails about her work for the government of the United States.
Berlin-based security researcher Sébastien Kaul discovered that Voxox (formerly Telcentris) -- a giant, San Diego-based SMS gateway company -- had left millions of SMSes exposed on an Amazon cloud server, with an easily queried search front end that would allow attackers to watch as SMSes with one-time login codes streamed through the service.
Researchers at NYU and U Michigan have published a paper explaining how they used a pair of machine-learning systems to develop a "universal fingerprint" that can fool the lowest-security fingerprint sensors 76% of the time (it is less effective against higher-security sensors).
The key to learning any new language is feedback. When you’re immersed in conversation, it’s easy to pick up key phrases and pronunciation, but not all of us have the means to jet off to Spain, France or wherever we can learn to speak like a local. The next best thing: The Mondly app. Mondly […]
Got a gadget-minded geek on your holiday list this year? Don’t wait for Black Friday. The prices are already dropping on some quality tech toys, and we’ve got a roundup of some of our favorites. Force Flyers DIY Building Block Drone MSRP: $49.99 | Normally: $42.99 | Price Drop: $39.99 (20% Off) Compatible with everybody’s […]
Ever wondered what it takes to make the transition from amateur photography to a full career? If you answered “a better camera,” you’re half right. Before you get the equipment, get the know-how to use it with the Hollywood Art Institute Photography Course & Certification. Taught by experienced pros, this course is geared towards shutterbugs […]