AES-256 keys sniffed in seconds using €200 of kit a few inches away
Van Eck phreaking getting surprisingly cheap
Side-channel attacks that monitor a computer's electromagnetic output to snaffle passwords are nothing new. They usually require direct access to the target system and a lot of expensive machinery – but no longer.
Researchers at Fox‑IT have managed to wirelessly extract secret AES-256 encryption keys from a distance of one metre (3.3 feet) – using €200 (~US$224) worth of parts obtained from a standard electronics store – just by measuring electromagnetic radiation. At that distance sniffing the keys over the air took five minutes, but if an attacker got within 30 centimetres (11.8 inches) of a device, the extraction time is cut down to just 50 seconds.
The research team used a simple loop antenna, attached it to an external amplifier and bandpass filters bought online, and then plugged it into a software defined radio USB stick they bought for €20. The entire cost of the setup was less than €200 and the device could be hidden in a jacket or laptop case.
They used this kit to record the radio signals generated by the power consumption of the SmartFusion2 target system running an ARM Cortex-M3-powered chip. By measuring the leakage between the Cortex processor and the AHB bus, the data showed the peaks and troughs of consumption as the encryption process was carried out.
By running a different encryption run on a test rig, the researchers mapped out how the power consumption related to individual bytes of information. That allowed them to take guesses at the 256 possible values of a single byte and the correct choice showed the highest power spike.
"Using this approach only requires us to spend a few seconds guessing the correct value for each byte in turn (256 options per byte, for 32 bytes – so a total of 8,192 guesses)," they wrote [PDF]. "In contrast, a direct brute-force attack on AES‑256 would require 2256 guesses and would not complete before the end of the universe."
The electromagnetic signals drop off rapidly the farther away you are from the target, but the researchers still managed the extraction from a distance of one metre, even though it took much longer to do so. Spending more on the equipment, however, would increase the range and speed of the attack.
"In practice this setup is well suited to attacking network encryption appliances," they wrote. "Many of these targets perform bulk encryption (possibly with attacker-controlled data) and the ciphertext is often easily captured from elsewhere in the network. This again underscores the need for deep expertise and defense-in-depth when designing high assurance systems."
There are, of course, some caveats. The tests took place under laboratory conditions, rather than in a busy office or server room where other signals might interfere with the data collection. But it's an interesting example of how an attack previously thought of as unfeasible due to cost and distance has been made easier by smarter and cheaper technology. ®