Wednesday, April 27, 2011

Trivial Key Extraction From Electromagnetic Emissions

I am at day 2 of a 2 day workshop at Cryptography Research in San Francisco, California.  The focus of this workshop is on side channel attacks using both Power Analysis (SPA and DPA) and EM analysis to extract secrets (such as keys) from various systems and devices.  By far, the most interesting demonstration I have seen is one where both RSA and ECC keys are extracted from a mobile device using a hobbyist antenna and some basic equipment (and software tools developed by Cryptography Research).  The total cost for the equipment is less than $2000 (even less if you scrounge around on Ebay, to be sure).

In this attack, a mobile device performing a cryptographic operation is held 10 feet away from an antenna, and with a few seconds of signal sampling, they are able to extract a key by analyzing peaks on a spectrograph.  One of the questions I asked is if a more powerful antenna could potentially read the EM from a longer distance, and was told that by simply focusing a parabolic dish at a target (similar to what has been done for reading long distance WiFi signals), the traces can be gathered from very long distances.

I found this quite fascinating, since I am not sure what (if any) protection currently exists for products being used in Smart Grid deployments.  There are indeed ways to protect devices against both EM and SPA/DPA attacks, but I am currently unaware of what protections exist.  Moreover, as we learned in the workshop, typically most devices "leak" this information in more ways than one, and what they typically discover in many implementations they test, known simple EM,SPA,DPA attack vectors are not considered during engineering (not always, but often enough to furrow ones brow).

I am not sure how serious an issue this may be, but it does raise some concern, when you consider that an attacker does not necessarily have to set foot on someone's property to gather enough information to extract a key from something like a meter (or a cellphone, or anything else where secrets may be stored).  One of the basic tenants of protecting against attacks is to prevent scalable attacks.  In other words, design the system so that if I get one secret I can only do one bad thing, and make it hard enough to get multiple secrets that an attacker simply gets exhausted with the "workload", and moves on to something else.  If an attacker has to get his hands on each and every device to perform an attack, one can see how this becomes non-trivial.  However, if an attacker can focus an antenna setup at (for example) a bank of meters on a wall for an apartment complex, now you may have something to write home about.

For those of you not familiar with Cryptography Research Inc., you can find out more about them at .  Paul Kocher, who is one of the founders, is co-creator of SSL 3.0.  This is a well established, and well respected research organization, with an impressive pedigree.

I have a video of Gilbert Goodwill from Cryptography Research (one of the workshop instructors) demoing an EM attack at RSA 2011 on my YouTube channel:

Forgive the background noise (the RSA Expo Hall is quite noisy). They will be demoing this at my EnergySec Smart Grid Security Summit in October, 2011.

This is indeed something to think about.

No comments: