How to avoid the risksintroduced byside-channel attacks
Government and military organisations the world over are only too aware of the dangers posed by attackers. Protecting confidential data is a key responsibility for security teams and IT security alike, but the threat landscape continues to emerge and become ever more complex.
As well as highly visible cyber incidents such as ransomware and denial of service incidents, organisations are open to more covert infiltrations known as side-channel attacks.
The National Institute of Standards and Technology (NIST) defines a side-channel attack as one that is: “enabled by leakage of information from a physical cryptosystem. Characteristics that could be exploited in a side-channel attack include timing, power consumption, and electromagnetic and acoustic emissions”.
The UK’s National Cyber Security Centre adds that: “In the worst case, code running on a device can access areas of memory it does not have permission to access. This can result in compromise of sensitive data, including secret keys and passwords.”
Unlike many types of cyber incidents, side-channel attacks don’t target weaknesses in the cryptosystems themselves, but instead observe how the cryptosystem works, and then identify information that may give them details about the cryptographic system’s operation.
So what is the background behind side-channel attacks, what are the different types, and how can government and military organisations guard against data loss caused by them?
A brief history of side-channel attacks
The concept of side-channel attacks can be traced right back to the second world war, when the Signal Corps used Bell 131-B2 devices to encrypt communications data. Engineers from Bell Labs discovered that it was possible to identify the details of their messages by measuring electromagnetic spikes that could be seen via an oscilloscope whenever the devices stopped.
The engineers replicated the same routine from a location 80 feet away and managed to reconstruct three quarters of the encrypted messages within a few hours. They identified solutions to the problem, such as masking, shielding and filtering magnetic emissions from the devices, but the ultimate decision was taken to secure a diameter of 100 feet around communications centres to prevent any interference.
A similar approach was taken by the CIA in the 1950s, when they imposed an exclusion zone of 200 feet in all directions, and used multiple devices to block interventions.
By the 1980s, a much wider range of side-channel attacks had been identified under the intelligence community’s catch-all term Transient Electromagnetic Pulse Emanation STandard (TEMPEST).
A scientist called Wim van Eck also demonstrated how easy it could be to steal encrypted data using low cost equipment, publishing research into the possibility of eavesdropping on video display units by picking up and decoding electromagnetic interference.
Different types of side-channel attacks
Today, there is a well-documented range of approaches that attackers use when deploying side channel attacks. Some of the best known include:
Acoustic cryptanalysis, where sounds emanating from devices such as printers, mobile phones, PC keyboards and ATM pads can be monitored and analysed for information relating to logging into systems or inputing a PIN.
Timing attacks, which involve measuring how long it takes for a cryptosystem to perform a set of operations. In a published paper, Paul Kocher showed how an attacker may be able to break cryptosystems such as RSA by eavesdropping on different timings and gaining information to break a software key and access data.
Attacks on specific chipsets and operating systems. They include Meltdown and Spectre, which were two vulnerabilities discovered by researchers in 2018, and which exploited the way in which chips were designed to manage data. Again, by timing how processes were managed, criminals could potentially access sensitive data.
Power consumption side-channel attacks, where simple power analysis can "be used to break RSA implementations by revealing differences between multiplication and squaring operations," according to research by Paul Kocher.
Guarding against attacks
There are several mitigation techniques that organisations can take when avoiding the risks associated with side-channel attacks. The U.S. Department of Defence (DoD) requires military electronics to meet TEMPEST-resistant standards, including secure casings for laptops, for example.
In the case of specific vulnerabilities such as Meltdown and Spectre, chipset and operating system providers provide software patches and updates worldwide, often before the attacks are well-known by end-user organisations. For government bodies and the military, it is just one more important reason to ensure that systems are always kept up to date with the latest software releases.
Other techniques include using a Faraday cage to protect the most vulnerable data, introducing additional noise to a process to foil attacks, replacing traditional keyboards with those with rubber keys, or adopting specialised software with the capability to protect data against side-channel attacks.
Whatever measures organizations take today, it is unlikely that attackers will cease their efforts to come up with novel approaches to side-channel attacks. In a recent paper, researchers Elena Dubrova, Kalle Ngo, and Joel Gärtner stated that even CRYSTALS-Kyber, one of the post-quantum public key encryption algorithms chosen to underpin future U.S. government encryption standards, could be vulnerable.
Eavesdropping on machines has come a long way since the second world war, and smart technologies can be applied to reduce the worst of the risks. But it is not a problem that is going to disappear any time soon, and one for which government and military organizations need to be fully prepared.
