
How to Steal an Encryption Key by Simply Touching a Laptop

Hackers have a new potential method for extracting data from computers at their fingertips—literally.

According to research conducted by Eran Tromer, Daniel Genkin, and Itamar Pipman, computer security experts at Tel Aviv University, using a simple electrical trick is enough for a sophisticated attacker to gain access to encryption keys on computers.

"Our attacks use novel side channels and are based on the observation that the 'ground' electric potential in many computers fluctuates in a computation-dependent way," the researchers write online, ahead of a presentation at CHES 2014. "An attacker can measure this signal by touching exposed metal on the computer's chassis with a plain wire, or even with a bare hand. The signal can also be measured at the remote end of Ethernet, VGA or USB cables."


One scenario for measuring electrical signals outlined in the report

In essence, the team claims to have been able to extract encryption keys by measuring the electrical signals given off while those keys are being processed. The result? Attackers could theoretically gain easy access to thousands of encryption keys solely by touching the chassis of the computer.

That potentially includes access to the encryption keys behind hundreds of digital signatures that people rely on all the time when creating passwords, signing contracts, or, perhaps most importantly, using credit and debit cards online.

It's not hard, either, to imagine a scenario where someone "accidentally" grazes your laptop's exterior. Of course, there are some caveats, as the authors write. Most significantly, to capture encryption keys, the CPU has to actually be processing those keys at the moment the signal is being measured, so a drive-by attack would take a bit of planning.

The actual attack can be done quickly. According to the study, "despite the GHz-scale clock rate of the laptops and numerous noise sources, the full attacks require a few seconds of measurements using medium frequency signals (around 2 MHz), or one hour using low frequency signals (up to 40 kHz)."

The results are impressive. As the authors write:

Using GnuPG as our study case, we can, on some machines:
- distinguish between the spectral signatures of different RSA secret keys (signing or decryption), and
- fully extract decryption keys, by measuring the laptop's chassis potential during decryption of a chosen ciphertext.
Although the report states that the best attacks are conducted using technical lab equipment, the team also found, through trial and error, a way to use most mobile devices in place of the lab apparatus.

In the report, the team explains they wanted to conduct the experiment to prove that, despite increased scrutiny over software security, there are physical hazards being ignored that warrant attention.

Spectrograms showing sharp bands indicating bits captured during the encryption process. Image: Tromer et al.

In a question and answer section of the report, Tromer said he doesn't think the attacks are being widely used yet, but he and his team have already found some countermeasures people can use to help protect their information and keep it secure.

"Physical mitigation techniques include Faraday cages (against EM attacks), insulating enclosures (against chassis and touch attacks), and photoelectric decoupling or fiber optic connections (against 'far end of cable' attacks)."

The main problem with the available countermeasures, Tromer admits, is the cost of enabling physical security. Also, wrapping your laptop in a Faraday cage isn't exactly the most practical idea. The team also says it has given the GnuPG developers a heads up regarding the vulnerabilities, and that software-based countermeasures can feasibly be developed.
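The chosen-ciphertext dependence described above, and the kind of software countermeasure the last paragraph alludes to, in an added example that is not the article's or the researchers' code: textbook RSA decryption beside a version with ciphertext blinding, which randomizes the operand the secret-key operation actually processes. The article does not say which countermeasure GnuPG's developers chose; blinding is one standard option, and the toy key below is constructed.

```python
import secrets
from math import gcd

# Constructed toy key: two small primes (real RSA keys use 2048-bit n or more).
P, Q, E = 1000003, 1000033, 65537


def keygen(p=P, q=Q, e=E):
    """Return a textbook RSA key dict {n, e, d}."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return {"n": n, "e": e, "d": d}


def decrypt_unblinded(key, c):
    """Secret-key operation applied directly to the ciphertext.

    If the attacker chooses c, they also choose the operand the CPU processes
    with d, which is what the chosen-ciphertext measurement above relies on.
    """
    return pow(c, key["d"], key["n"])


def decrypt_blinded(key, c, r=None):
    """Same plaintext, but the secret-key operation sees c * r^e for a fresh
    random r, so the operand is no longer under the attacker's control.

    Returns (plaintext, operand actually fed to the secret exponentiation).
    """
    n, e, d = key["n"], key["e"], key["d"]
    if r is None:
        while True:  # random blinding factor coprime to n
            r = secrets.randbelow(n - 2) + 2
            if gcd(r, n) == 1:
                break
    elif gcd(r, n) != 1:
        raise ValueError("blinding factor must be coprime to n")
    c_blind = (c * pow(r, e, n)) % n   # blind: attacker-chosen c is randomized
    m_blind = pow(c_blind, d, n)       # secret exponent acts on c_blind (= m*r mod n)
    m = (m_blind * pow(r, -1, n)) % n  # unblind
    return m, c_blind


if __name__ == "__main__":
    key = keygen()
    c = pow(123456789, key["e"], key["n"])
    print(decrypt_unblinded(key, c))   # 123456789
    print(decrypt_blinded(key, c)[0])  # 123456789, different operand each call
```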