Deriving cryptographic keys by listening to CPUs' "coil whine"




Bond. James Bond.


If I saw that in a movie I would have cried BULLSHIT in the middle of the freaking theatre.

Now... wow... just wow.

Time to put silencers on our motherboards Mr Bond!


I'm not entirely convinced that "coil whine" -- which would respond to overall system activity -- would have enough information specifically about the cryptokey to make this work.

If they were attributing this to a microphonic chip, I'd find it a bit more believable. But that's still a matter of whether the right chip is cooperating.

If they were going after radio noise, Tempest-style, I'd find it more believable.

I'm not quite ready to call bullshit. I AM ready to call for independent replication before we take the claim at all seriously.

"Any sufficiently advanced technology is indistinguishable from a rigged demo."



The article is by some of the foremost and most reputable researchers in cryptography. While I agree with replicating all findings, I think it's hardly justifiable to assume they've just made a "rigged demo" to get some publicity.

Did you read the paper? It's very in-depth. And it builds on earlier proof-of-concept work that previously showed that this should be possible.


GnuPG has already committed a fix.

Some comments describing it.
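To show the kind of countermeasure that fix relies on, here is an added example (not GnuPG's or the paper's code) of RSA ciphertext blinding on a constructed toy key: the intermediate operands of square-and-multiply, which a physical side channel is correlated against, repeat exactly for an unblinded decryption of the same ciphertext but change on every blinded call, while the recovered plaintext stays the same.

```python
import math
import secrets

# Constructed toy RSA key (textbook primes, illustration only; real keys are 2048+ bits).
P, Q = 61, 53
N = P * Q                           # modulus 3233
E = 17                              # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent 2753


def modexp_trace(base, exp, mod):
    """Left-to-right square-and-multiply; returns (result, intermediate operands).
    The operand values depend on the secret exponent bits and on the data, so
    they are what an acoustic/power/EM measurement would be matched against."""
    acc, trace = 1, []
    for bit in bin(exp)[2:]:
        acc = acc * acc % mod
        trace.append(acc)
        if bit == "1":
            acc = acc * base % mod
            trace.append(acc)
    return acc, trace


def decrypt_unblinded(c):
    """Textbook decryption: identical ciphertext gives an identical trace."""
    return modexp_trace(c, D, N)


def decrypt_blinded(c):
    """Exponentiate c * r^e for a fresh random r coprime to N, then strip r."""
    while True:
        r = secrets.randbelow(N)
        if r > 1 and math.gcd(r, N) == 1:
            break
    c_blind = c * pow(r, E, N) % N
    m_blind, trace = modexp_trace(c_blind, D, N)
    return m_blind * pow(r, -1, N) % N, trace


def compare(c):
    """Decrypt c both ways; report correctness and whether traces repeat."""
    m1, t1 = decrypt_unblinded(c)
    m2, t2 = decrypt_unblinded(c)
    b1, u1 = decrypt_blinded(c)
    return {"unblinded_repeats": t1 == t2, "blinded_differs": u1 != t1,
            "all_correct": m1 == m2 == b1}


if __name__ == "__main__":
    print(compare(pow(65, E, N)))   # ciphertext of message 65
```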


Apologies if I gave the impression I was assuming a rigged demo. I'm not; I'm a trifle concerned that they may have fooled themselves, e.g. by finding one particular machine which is particularly vulnerable.

Given that we believe the result, the fix seems plausible.


But the researchers are unimpeachable (Shamir is the "S" in RSA).

If I were him, I'd go around starting arguments with lesser crypto-nerds, just so I could finish them off with "Didn't you know? I'm the S in RSA, mofo!"


I read the whole paper and I'm sold. Good read, though most of the heavier stuff is only barely understandable to me. I think one measure of the validity is this:

Current status. We have disclosed our attack to GnuPG developers and main distributors as CVE-2013-4576 [MIT13], suggested suitable countermeasures, and worked with the developers to test them. New versions of GnuPG 1.x, GnuPG 2.x and libgcrypt, containing these countermeasures and resisting our current key-extraction attack, were released concurrently with this paper’s first public posting. However, some of the effects presented in this paper (such as RSA key distinguishability) remain present.

The developers took it seriously and implemented countermeasures as they could. Still, further review and new attacks will be interesting to follow.


They used more than one machine.


Or make a t-shirt that says that, and wear it always.


I wouldn't call "one machine" fooling themselves. If it works on only one machine then the attack is sound. If that one machine was one that was purchased in bulk by large corporations or governments, bonus.


Am I right in understanding that the user has to be actively inputting their password in order for the extraction to work? Can it be masked by driving the CPU harder with another task simultaneously? Rendering 3D graphics on high priority makes everything whine.


There's a simple fix - just play Bananaphone over and over again at maximum volume whilst doing your cryptowhatever.


A reference I saw in the Ars comments indicates that driving the CPU makes this easier.

Think of it this way -- the sound signature of the decoding of the specialized item will always be there. If it is against a randomly loaded and thus randomly fluctuating background, it could be harder to pick out. But if it is against a solid heavily loaded CPU, then that background noise becomes consistent.

As I understand it, the noise is associated with power consumption. Fully loading the CPU will make the variance in power consumption of the non-targeted processes very low, maximizing the signal (decode process) to noise (background task) ratio.


They're not kidding about the use of sensitive equipment. I immediately recognized the robin's egg blue of a B&K preamp from the picture. That kit is crazy expensive.


I remember a few years ago when it was apparently possible to see what was being written to an HDD via the indicator LED. I assume they're too fast for that now.


Apparently, we hear today, Shamir is also the S in NSA.

