Practical TEMPEST Attack

Four researchers have demonstrated a TEMPEST attack against a laptop, recovering its keys by listening to its electrical emanations. The cost for the attack hardware was about $3,000.

News article:

To test the hack, the researchers first sent the target a specific ciphertext -- ­in other words, an encrypted message.

"During the decryption of the chosen ciphertext, we measure the EM leakage of the target laptop, focusing on a narrow frequency band," the paper reads. The signal is then processed, and "a clean trace is produced which reveals information about the operands used in the elliptic curve cryptography," it continues, which in turn "is used in order to reveal the secret key."

The equipment used included an antenna, amplifiers, a software-defined radio, and a laptop. This process was being carried out through a 15cm thick wall, reinforced with metal studs, according to the paper.

The researchers obtained the secret key after observing 66 decryption processes, each lasting around 0.05 seconds. "This yields a total measurement time of about 3.3 sec," the paper reads. It's important to note that when the researchers say that the secret key was obtained in "seconds," that's the total measurement time, and not necessarily how long it would take for the attack to actually be carried out. A real world attacker would still need to factor in other things, such as the target reliably decrypting the sent ciphertext, because observing that process is naturally required for the attack to be successful.

For half a century this has been a nation-state-level espionage technique. The cost is continually falling.

Posted on February 23, 2016 at 5:49 AM • 33 Comments

Comments

ThothFebruary 23, 2016 6:27 AM

@all
Software side channel resistance is long overdue. It's about time that software side-channel protection should be found inside all major crypto libraries (e.g. OpenSSL, LibreSSL, BouncyCastle ...etc...). Software side-channel resistance are not fool-proof but they provide the first steps to higher security implementations and assurances. Using dynamic whitebox cryptigraphy techniques with randomised data access and execution (and probably including dummy access to system resiurces and dummy rounds) to make the more common and weaker side-channel analysis useless.

Peter GerdesFebruary 23, 2016 6:32 AM

Hopefully this is a good thing since with a cheaply priced version of the attack developers can more easily test fixes.


I notice they don't discuss modifying the multiplication algorithm to (wastefully) employ the same operations on every path (e.g. always generate garbage output corresponding to what the other branch would do and save in a different part of memory). I'm curious whether this would be a robust defense against attack or end up being optimized away by fancy features of modern hardware.


Also, does anyone know WHERE the signal is actually coming from? Would shielding the processor make a difference or does this get conveyed through the power system and leak out everywhere?

---

Also has anyone done any work on provable side channel resistance under reasonable assumptions, e.g., all mod 32 multiplications and additions are indistingushable etc..

Jakub NarębskiFebruary 23, 2016 7:00 AM

> I notice they don't discuss modifying the multiplication algorithm to (wastefully) employ the same operations on every path (e.g. always generate garbage output corresponding to what the other branch would do and save in a different part of memory).

Actually if you read ArsTechnica article on this issue, you would know that the result was changes to OpenSSL protecting against this attack (and side-channel attacks in general), by (a bit wastefully) always using the same operations.

Peter GerdesFebruary 23, 2016 7:16 AM

>Actually if you read ArsTechnica article on this issue, you would know that the result was changes to OpenSSL protecting against this attack (and side-channel attacks in general), by (a bit wastefully) always using the same operations.

Couldn't find that ars article but if it is the one I vaguely remember the solution was merely about equalizing execution time for all inputs. It would seem this kind of attack that looks at the EM emissions wouldn't be stopped by this kind of response and instead would require that functional units be used in the same pattern regardless of the data.

I've tracked down one or two articles that mention doing something like this (dummy assignments etc..) but nothing that either suggested what operations were indistinguishable or comprehensively used this fact to blind side channels.

I suspect this was the obvious response and everyone just assumes one knows about it in the literature.

Tad TaylorFebruary 23, 2016 7:50 AM

Interesting. I would have thought it easier to use TEMPEST techniques to get login credentials and then you've probably got everything (including private keys) already. Not guaranteed to get everything, but probably would.

Jurgen VoorneveldFebruary 23, 2016 8:25 AM

Lets assume I don't trust my crypto library to protect me against this side-channel, would starting up two threads to decrypt the cyphertext, one with the actual key and the other with a random junk-key, provide protection?

Is it reasonable to assume the context switching or at least both core's radiation would mix the surveillance data?

Mike D.February 23, 2016 8:32 AM

Jakub, I wonder if this is that fix:

Changes between 1.0.0h and 1.0.1  [14 Mar 2012]

[...]

*) Add optional 64-bit optimized implementations of elliptic curves NIST-P224,
NIST-P256, NIST-P521, with constant-time single point multiplication on
typical inputs. Compiler support for the nonstandard type __uint128_t is
required to use this (present in gcc 4.4 and later, for 64-bit builds).
Code made available under Apache License version 2.0.

Specify "enable-ec_nistp_64_gcc_128" on the Configure (or config) command
line to include this in your build of OpenSSL, and run "make depend" (or
"make update"). This enables the following EC_METHODs:

EC_GFp_nistp224_method()
EC_GFp_nistp256_method()
EC_GFp_nistp521_method()

EC_GROUP_new_by_curve_name() will automatically use these (while
EC_GROUP_new_curve_GFp() currently prefers the more flexible
implementations).
[Emilia Käsper, Adam Langley, Bodo Moeller (Google)]

http://www.openssl.org/news/changelog.html

Clive RobinsonFebruary 23, 2016 10:56 AM

As I noted before the 3000USD tag is quite high, if you make your own pickup coil and not use lab grade amplifiers and scout around for newer SDR dongle devices with wider A-D bandwidths you could probably get the cost down to 150USD.

Think of the non PC side of the equipment as the same used for Van Eck Phreaking of CRT terminals back in the late 1970's and the later work on LCD display done by Markus Khun at CeBit back in 2006 which was getting quite a significant range and good image fidelity,

http://www.lightbluetouchpaper.org/2006/03/09/video-eavesdropping-demo-at-cebit-2006/

There are several ways to reduce "Compromising Emanations" which have been talked about on this blog many times. You can also have a look on the Cambridge Labs Web sight for more information including a download of Ross J. Anderson's book on security engineering. But the best place to start if you have some knowledge of electronics are the many books and articles on "Electromagnetic Compatability" (EMC).

EMC is a requirment for modern design to gain European CE or US FCC compliance.

However not all EMC techniques will reduce Compramising Emanations. The problem is the way EMC testing is done.

The regulations supply "masks" in which radiated energy must remain and give time periods for measurements. The problem with computers is the energy tends to be radiated as harmonics of the CPU clock and it's subharmonics, that is not as broadband noise but frequency spurs. One way to reduce the energy at a frequency spur is to wideband modulate it with noise. Thus some PC designers rather than spend on profit stealing analog filtering components and shielding use "whitenning" or "spread spectrum" techniques.

Whilst this is fine for EMC compliance it tends to make EmSec attacks easier because the modulating signal is usually well known and thus the spread signal can be de-spread. Due to corelation techniques not only does this give an attacker a realy good refrence / synchronisation signal, it also tends to spread other interfearing signals making them easier to remove...

So it also pays to have knowledge of signals and modulation systems.

Which brings us back to what is going on in the attack PC. Put simply it's looking at the power spectrum to find signals it can not just lock onto but also analyse. In essence you are pulling the signal out of the noise by various forms of averaging and synthetic filtering to get a stream of binary data. This data can by other techniques distinguish key bits in encryption or decryption.

In the case of block ciphers this is the "round keys" after key expansion, in case of multiplication etc it's looking for bits in the Private Key. In both cases it does not need all the bits if both the plaintext and cipher text is known, thus it can work with less than perfect signals at a greater range between the attack antenna and the target PC.

Which brings us onto another range improving technology, multiple antennas and receivers. I wont go into details but have a look at how radio astronomers use multiple antennas and receivers to make Very Long Base Line systems, and how synthetic aperture radar antennas work.

So this "demo system" could quite easily be improved quite a lot, if you have a ten to twenty thousand USD front end budget. Likewise gains can be made on the software side.

Clive RobinsonFebruary 23, 2016 11:10 AM

@ Tad Taylor,

Interesting. I would have thought it easier to use TEMPEST techniques to get login credentials and then you've probably got everything...

No it's a key recovery attack using known plaintext and ciphertext.

The reason is you are looking for the crypto algorithm to be run many many times usually hundreds if not thousands so you can average out other signals.

Due to the fact you want a paasword system to be slow to prevent dictionary attacks and similar you try to change the plaintext and key on every encryption round and thus the ciphertext as well in a password algorithm. Which does not give you waveforms you can as easily average. There are also tricks to make a password algorithm effectivly mask the input plaintext as well.

Nick PFebruary 23, 2016 12:18 PM

@ Clive Robinson

As I read on these things, I have to wonder where these waves come from in terms of the physical device. Do they move through the chip plastic or radiate outward from the electrical connectors? If the former, probably will require tricky shielding. However, if the latter, then analog filters could be installed in the power and I/O interfaces to knock that out. I have no idea what effect that would have on performance or cost. There would at least be hope of preventing passive EMSEC without full shielding.

Clive RobinsonFebruary 23, 2016 1:36 PM

@ Nick P, ALL,

As I read on these things, I have to wonder where these waves come from in terms of the physical device.

Any where they can is the simple answer. Think of the circuit like a crazy mans central heating plumbing system, heat escapes from every part but certain parts radiate more heat than others. Further you can reduce the heat radiated from the pipes (PCB traces / wires / leads) etc by putting insultation around them... but using standard insulation there will always be places where it does not fit properly or there is a gap and thus heat escapes. Also just like heating pipes the heat radiated depends on flow (current) and preasure (voltage) in the various places.

And that's about as far as the analogy will stretch.

Any length of wire be it streatched straight or coild up will when a current flows in it create a magnetic field around it, this much most people will learn in high school physics. What they will also learn but probably not remember is that any changing magnetic field cutting a conductor will induce a current in the wire. Further this will act against the wire both electricaly and physicaly, hence motors and generators.

As some may remember the magnetic field around a wire can be added, by putting a loop in the wire. Each loop or turn of the coil adds to the other magnetic fields so very roughly the magnetic field is multiplied by the number of turns. Hence two coils close together give you a transformer and as the constant between them is the magnetic field the current in the two coils is proportional to the turns ratio.

As the rate of change of a magnetic field increases a whole load of other effects start to happen one of which is energy can be coupled from a conductor into a dielectric and that it will to a lessor or greater extent radiate out. This behaviour is dependent on both the E and H fields. Usually these are in phase, but over a distance of about two wavelengths they change their relationship and become an EM wave in the "far field" where the E and H waves serve to push each other out further and further, hence the combined EM waves travel through the dielectric of free space untill the meet either a change in dielectric or a conductor. In the case of a conductor energy from the EM wave gets coupled in, and unless absorbed by a load, the conductor will reradiate the energy. However in the proces it travels along the conductor.

As a somewhat inacurate analogy, conductors --or dielectrics-- can be aranged to sort of act like lenses and focus the EM wave into one conductor, hence you have multielement yargi and log-periodic antennas that serve like a large lense or parabolic reflecter to focus and concentrate an EM wave and thus act like passive amplifier.

In a similar way coils that are a significant proportion of a wavelength radiate better. Up to a point it can be aproximated to the area in the loop multipled by the number of turns. On a PCB it's usually a single loop, but it does radiate better than a straight trace or track. But it's not just PCB traces it's any wire such as a hookup wire or interconection cable.

However you can reduce the radiation by bringing another conductor in close proximity to the wire, such that it either encloses the wire like a Faraday sheild or in the case of PCB traces turns it into a transmission line where the induced magnetic field pushes back and keeps the energy in the wire. Transmission lines have a charecteristic impedence and if this is met by the source and sink loads then minimum energy is radiated. There are also other tricks, one of which is to have two wires closely coupled with equal but opposit currents flowwing, in effect their magnetic fields cancel out and do not radiate. However it's very dificult to get good balance and the transmission line impedence changes due to bends and adjacent conductors and dielectrics and thus starts to radiate. Thus one trick is by pulling the conductors appart of a transmission line you actually turn it into an antenna (look up Rhombic antenna).

Hopefully the above will give you a feeling for why signals radiate from just about every part of an active circuit. Even though Ive taken a number of liberties with the analogies ;-)

Further to my post above where I linked to a blog page by Markus Khun on the Cambridge labs blog. He did follow up on the comnents on that page and publish further papers and provide other information. Thus the three links below might be of some interest,


https://www.cl.cam.ac.uk/research/security/tamper

https://www.cl.cam.ac.uk/~mgk25/temc2013-tv-draft.pdf

https://www.cl.cam.ac.uk/~mgk25/covisp/

JacobFebruary 23, 2016 4:10 PM

Werner Koch at gnupg.org
Tue Feb 9 16:25:04 CET 2016

Hello!

The GNU project is pleased to announce the availability of Libgcrypt version 1.6.5.
This is a security fix release to mitigate a new side channel attack.

Noteworthy changes in version 1.6.5
===================================

* Mitigate side-channel attack on ECDH with Weierstrass curves [CVE-2015-7511]. See http://www.cs.tau.ac.IL/~tromer/ecdh/ for details.

Arthur TeacakeFebruary 23, 2016 4:48 PM

(Read the article, glanced at the paper)

I'm not an expert in this but I have been amusing
myself writing portable crypto primitives.

I've pretty much convinced myself that there is no
point trying to protect yourself using constant-time
operations. There's no guarantee that they will stay
constant time as CPUs get reimplemented. Anything
you measure today can be compromised tomorrow by
the next performance optimization. It's not like
this stuff is part of the CPU architecture.

Even just trying to execute a uniform sequence of
instructions regardless of the (key) data presented
is surprisingly difficult -- and makes really ugly,
non-obvious and error-prone code -- and I don't
have a good feeling that it solves any real problem.

An approach that looks good to me is blinding. So
with RSA, for example, you multiply your key by a
locally generated random number before you let it
anywhere near the decrypt function. Afterwards,
you multiply the result by a suitable inverse.
This moves the problem usefully. You have to be
concerned about your random number generator (but
you're already paranoid about that) and you have
to be sure your multiplications and inverse
aren't leaking (so you might need ugly expensive
code for that), but then you mightn't have to
worry so much about the massive block of activity
in the decrypt.

Maybe I'm missing something fundamental here, but
I'd like to see a blinded form of AES, for
example. So the key doesn't go near anything
monitorable, like a noisy cache in front of an
S-box, until it's been nicely mixed with a
random number that's never seen outside.

JacobFebruary 23, 2016 5:33 PM

@ Arthur Teacake

You proposal of multiplying the key by a random number and then multiplying by the inverse implies a linear function of encrypt/decrypt, and they are not. So that idea would not work.

albertFebruary 23, 2016 5:40 PM

@Clive, @Nick, etc.

I remember wading through the original paper, which found the strongest emanations came from electrolytic capacitors. It seems that this latest test uses radiation from the computer itself. Running from the charger needs to be tested as well. When laptops run on battery power (even with the charger connected), they lack any sort of earth ground, the best place to dump unwanted RF. Would an earth-grounded Faraday shield be effective? Has anyone tested a laptop with a chassis-to-earth connection?

. .. . .. --- ....


Clive RobinsonFebruary 23, 2016 6:39 PM

@ Albert,

... which found the strongest emanations came from electrolytic capacitors...

Which immediately tells me a lot about the circuit design and the designers.

Electrolytic capacitors have a high Effective Series Resistance (ESR) and likewise quite a high series inductance and low self resonant frequency. Which means they don't realy look like capacitors beyond a few MHz even when in "surface mount" form. However to the UHF and Microwave frequencies the aluminum cans on some electrolytics look like broad band stub antennas.

It's why RF designers use two or three capacitors to bypass to ground, an electrolitic for DC-low frequencies, poly caps for low-high frequencies and ceramics for high-ultra high frequencies, and then enlarged PCB pads for microwaves.

From an EmSec point of view, as an attacker you prefer VHF through low microwaves. For several reasons, firstly antennas are small and tend to be both broadband and high gain. Secondly buildings tend to be more transparent at these frequencies as the likes of windows and doors are a wavelength or more in size, likewise the gaps in construction steels. The downside of course is mobile phones and wireless data communications and PMR.

sooth_sayerFebruary 23, 2016 9:52 PM

Did they forget to mention that the target must NOT do anything else .. but decrypt the message.
And also MUST tell them when they start doing it .. otherwise it kills my fun ..
i.e. decoding a video while decoding the message simultaneously is strongly discouraged .. yadda yadda ..

science is ok but practicality is far fetched -- it's like those circus guys opening locks underwater and escaping death trap.

WaelFebruary 24, 2016 12:09 AM

@sooth_sayer,

Did they forget to mention that the target must NOT do anything else...

Spot on. This is a demonstration of an ability to remotely extract the needed side channel parameters and reconstruct a cryptographic key. CRI has been doing that for quite some time and demoed their remote key extraction technology on a laptop as well, although the antenna needed to be in very close proximity to the laptop. I believe that was done at RSA expo 2014 or 2015. They may do the same this year.

This side channel snooping capability can be inhibited by the use of proprietary WBC and or a proper secure execution environment with proper shielding.

Related links, for the curious eyes of "gold digging" obtuse whiners ;)

@Clive Robinson's beef with CRI

A recommended article by the host

type of gapping needed, what @Clive Robinson more succinctly calls Energy-gap

WaelFebruary 24, 2016 12:13 AM

@albert,

Would an earth-grounded Faraday shield be effective

If constructed properly, yes!

Has anyone tested a laptop with a chassis-to-earth connection?

A chassis connected to earth[1] won't stop radiation of EM waves. Long time ago (Marconi's time) an antenna and a ground were essential components of the early "wireless" communication systems he developed.

As for shielding, check this link

[1] Some say there is no gravity. It's just that earth 'sucks'. Whatever it is, earth won't suck radiation out of a laptop. Perhaps if you connect the laptop to a blackhole, then that might do the job.

Arthur TeacakeFebruary 24, 2016 2:40 AM

@Jacob:

Nah, shouldn't have said multiply, shouldn't have said
AES. It's just that modular multiply/modular inverse
will blind RSA. (And I didn't even remember that
correctly, you process the ciphertext of course.)

What I'd like to achieve is that the ciphertext and/or
key don't go into the bulk of the symmetric decryption
process without being thoroughly mixed with a random
value, yet the result can be restored using something
associated with that random value. That is, you'll get
the same result regardless of the random value you
choose.

Maybe magical thinking, I know, but it's a worry that
such variable and noisy processes are driven off a
secret plus a value that might be used for analysis.
Transforming the whole lot into something neither
predictable nor observable afterwards should close
off that whole line of attack.

Clive RobinsonFebruary 24, 2016 3:10 AM

@ Nick P, Wael,

Sort of on topic...

Do you remember back to the TAO "Retroreflector Bugs" --with which I disagreed with the term "radar" being used-- and the subsequent conversations?

In which I mentioned I was working on improving my own existing designs in various ways?

Well it appears others have had similar ideas,

http://passivewifi.cs.washington.edu/files/passive_wifi.pdf

http://abc.cs.washington.edu/files/comm153-liu.pdf

At the very least such devices have the potential to shake up the IoT market quite a bit.

The first paper just addresses producing WiFi compatible signals (but due to image they would not be standards compliant, but as they explain it does not realy matter).

The second paper gives information on how to also power a pasive device off of the actual (illuminating source) RF.

There are links in both papers back to better descriptions of the hardware.

Jonathan WilsonFebruary 24, 2016 3:53 AM

So how hard would it be (for typical mainstream computer hardware) to build some sort of shielding that could prevent EMF leaks of the type that would be picked up by this tech yet wouldn't impair the functioning of the computer by e.g. blocking vent holes?

WaelFebruary 24, 2016 4:45 AM

@Jonathan Wilson,

So how hard would it be (for typical mainstream computer hardware) to build some sort of shielding that could prevent EMF leaks [...] yet wouldn't impair the functioning of the computer by e.g. blocking vent holes?

I started by describing a computer room shield but realized you are talking about shielding the computer itself. So you can use a self adhesive copper sheet, described below...

Depends on your determination and needs. You need to apply two high level concepts: Shielding and Noise injection. Noise injection would be analogous to Cryptography as it obfuscates the 'meaning of the message' and Shielding would be analogous to Steganography as it obscures the 'existence of the message'. Check with @Slime Mold with Mustard for an update of the project's progress!

As for shielding, you can cover your vent holes with an appropriate grounded metal mesh and line your walls with copper (leave the tin foil for the hat) shielding sheets and tape[1]. The effect of this structure will attenuate the radiated signal to a degree that will require the white van (with the guy reading a news paper) to be parked in your driveway. For noise injection, have a few computers running random operations at the macro and micro levels [2].

Whatever you do, make sure you don't allow anyone with a camera inside your secure abode.

However, do keep in mind that if you are 'targeted' then you are basically... screwed.

[1] You can find more info and products at Omega shielding or at RA Mayes. Amazon offers similar products as well.

[2] Truly yours doesn't practice what he preaches. In fact I'm thinking about replacing the recommended shield with an antenna to make it easier for them®.

WaelFebruary 24, 2016 5:04 AM

@Clive Robinson, @Nick P,

Do you remember back to the TAO "Retroreflector Bugs" --with which I disagreed with the term "radar" being used-- and the subsequent conversations?

Vividly!

thus hiding the heat signiture requires carefull planing by an attacker, and aside from myself I've not seen obvious signs that other attackers even try

Actually you have, but I still believe this isn't a viable attack vector. You made 9 comments on that thread! Don't get senile on us now, or I'll double the dosage for you!

I'll read the papers another time, but a first glance at them didn't reveal anything new.

WaelFebruary 24, 2016 5:12 AM

@Clive Robinson,

Correction: 5 comments. I need to sleep now, getting close to 4:00AM but I finished the work I had to do and I need to wake up in a couple of hours.

ThothFebruary 24, 2016 5:56 AM

@Jonathan Wilson
Here's an old post by @Clive Robinson on how basic EMSEC setup. Not very hard for the most part.

Have fun :). Just make sure to secure that particular room you want to protect and make sure no one finds a way into it. Physical OPSEC like placing some form of notification (like a sticker) on the windows to detect someone broke in would be nice as a way to identify possible attempts to intrude into your room.

Link: https://www.schneier.com/blog/archives/2015/07/friday_squid_bl_486.html#c6700762

WaelFebruary 24, 2016 10:26 AM

I wonder what kind of a laptop this experiment was conducted on. It would seem reasonable to expect an Apple MacBook Pro to radiate weaker signals since it is encapsulated in an aluminum enclosure -- a carved out block of aluminum (the Unibody design.)

albertFebruary 24, 2016 11:57 AM

@Wael,

I didn't mean to suggest that earth grounding alone would stop radiation leakage. Bypass capacitors are very effective in reducing radiation, if they have a place to bypass to, i.e., an earth ground. With laptops, pads, etc. you have a floating system; there is no ground reference. To get rid of noise energy(incoming or outgoing), you need to reflect it, send it somewhere, or turn it into heat by absorbing it.

Interestingly, the human body is quite effective at absorbing HF noise, even without a skin-to-dirt connection.

Drink plenty of water :)

. .. . .. --- ....

albertFebruary 24, 2016 1:48 PM

@Wael,

:)
You may want to check those pills for isotope content first...
. .. . .. --- ....

I wish I was DJBFebruary 26, 2016 8:13 PM

I'm surprised no one here mentioned ed25519...

From https://ed25519.cr.yp.to/
>No secret array indices. The software never reads or writes data from secret addresses in RAM; the pattern of addresses is completely predictable. The software is therefore immune to cache-timing attacks, hyperthreading attacks, and other side-channel attacks that rely on leakage of addresses through the CPU cache.
>No secret branch conditions. The software never performs conditional branches based on secret data; the pattern of jumps is completely predictable. The software is therefore immune to side-channel attacks that rely on leakage of information through the branch-prediction unit.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.