Sniffing your storage could lead to sensitive leaks, warn infosec bods

Electromagnetic fields aren't a miscreant's magic key, though

Silhouette of spy discerning password from code uses a command on graphic user interface
Pic: Shutterstock

Data from storage devices leaks through electromagnetic radiation to a much greater extent than previously thought, according to new research.

Near-field analysis allowed security researchers at MWR Security to infer (or ‘sniff’) data transferred internally within a device.

The finding means that resilient systems are far more vulnerable to attack than was previously thought.

Attackers are increasingly gaining access to the sophisticated hardware needed for such an attack, giving them access to (unencrypted) data, according to MWR Security.

Piotr Osuch, an information security researcher with MWR, explained: “All cryptographic operations within modern data processing and storage devices are physical processes where data elements must be represented by physical quantities in physical structures such as gates and transmission lines. These physical quantities and structures must necessarily have a time- and spatial-extent.

“As a result, a finite amount of energy must be transmitted during operation, necessarily giving rise to an EM field. The result is an unavoidable leakage of secret information,” he added.

Hardware required to pull off the attack would cost from a “few thousand dollars to tens of thousands of dollars” depending of the sophistication of an attack – which is easily within the potential budget of cybercriminals, rather than being restricted to the likes of governments or intel agencies.

“[One] possible approach is to analyse leaked EM data during a challenge-response authentication protocol, by means of a simple H-field loop sensor (essentially just a looped piece of wire that is placed in the close vicinity of the [device],” Osuch told El Reg. “This sensor would pick up multiple sources of leaked EM information and so it would be impossible to ‘focus’ on just the source of interest, i.e. where the actual authentication operation happens. Nonetheless from an understanding of the internal operations performed by the crypto-algorithm and from a statistical analysis some information about the internal cryptographic operation could be inferred.”

“There has been a surge in both the sophistication and frequency of EM side-channel attacks, successfully employed to sniff secret information in underlying hardware,” he added.

More advanced techniques explored by MWR demonstrate that it is possible to “extract data non-intrusively from individual data lines in modern devices”.

“This [MWR Labs] research has formalised our near-field EM analysis methodology, allowing for the non-intrusive sniffing of data at a low abstraction level, and giving security researchers a view of a device’s data transmission under test,” Osuch explained.

“At this low level, various security measures are often not yet in place, such as data encryption which is usually done at a later, higher-abstraction stage of the process. If no provision has been made to sufficiently reduce this leaked EM field, then a near-field EM analysis will uncover, at least partially, any secret information being transmitted, allowing organisations to identify where defensive action needs to be taken,” he added.

Monitors and computers also give out stray electro-magnetic radiation, a problem at least partially addressed by tempest shielding. Something similar could be attempted to shield storage devices but this would be far from trivial, according to MWR.

“In most cases, tempest shielding is included as an ‘afterthought’ in the design, usually in the form of a simple metal enclosure, which *might* (fingers crossed) reduce leaked signal strength sufficiently,” Osuch explained. “The same could as well be done for storage devices. However, to ensure security, an EM-aware design is necessary which requires skilled professionals (such as RF engineers) – a practice not often employed in industry."

More details on the research are due to be published on the MWR Labs’ blog on 13 September 2016. ®

Sponsored: Becoming a Pragmatic Security Leader

Biting the hand that feeds IT © 1998–2019