
Breaking 4096-bit RSA with an Acoustic Cryptanalysis attack

Israeli security researchers explained how to break 4096-bit RSA by analyzing the sound a CPU emits during decryption (an acoustic cryptanalysis attack).

Israeli security researchers at Tel Aviv University recently published an interesting paper titled “RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis” to explain how they successfully broke 4096-bit RSA by analyzing the sound emitted by a computer’s CPU during the execution of decryption routines.

The trio of scientists, Daniel Genkin, Eran Tromer and Shamir, co-inventor of the famous RSA, have verified that results they first proposed a decade ago are valid. The researchers were in fact able to extract a 4096-bit RSA key from a laptop with an acoustic side-channel attack that records the noise coming from the device during decryption, using a smartphone placed nearby.

The results are exciting: attackers are able to discover a long RSA key in less than one hour with the method dubbed “acoustic cryptanalysis attack”.

“Here, we describe a new acoustic cryptanalysis key extraction attack, applicable to GnuPG’s current implementation of RSA. The attack can extract full 4096-bit RSA decryption keys from laptop computers (of various models), within an hour, using the sound generated by the computer during the decryption of some chosen ciphertexts. We experimentally demonstrate that such attacks can be carried out, using either a plain mobile phone placed next to the computer, or a more sensitive microphone placed 4 meters away.” states the paper summary.

The paper explains that it is realistic to perform a chosen-ciphertext attack on GnuPG. To do this, the researchers exploited the automatic decryption by GnuPG of ciphertexts chosen by the attacker, delivered as encrypted e-mail messages following the OpenPGP and PGP/MIME protocols. Common applications, including a Thunderbird e-mail client plug-in, automatically decrypt incoming e-mail using GnuPG.

The attack scenario is intriguing: a hacker can send suitably crafted e-mail messages to the victims and wait until they are decrypted once they reach the target computer. The attackers record the acoustic signature of the decryption, thereby closing the adaptive attack loop.

The scientists conducted several thousand repetitions of the algorithm’s operation and discovered sound leakage directly correlated to the RSA key in use.

“The acoustic signal of interest is generated by vibration of electronic components (capacitors and coils) in the voltage regulation circuit, as it struggles to supply constant voltage to the CPU despite the large fluctuations in power consumption caused by different patterns of CPU operations.”

Be aware that the signal analyzed by the researchers doesn’t include noise generated by mechanical components such as the fan or hard disk, nor by the laptop’s internal speaker.

The security researchers demonstrated that many other applications are susceptible to the same acoustic cryptanalysis attack.

“We observe that GnuPG’s RSA signing (or decryption) operations are readily identified by their acoustic frequency spectrum. Moreover, the spectrum is often key-dependent, so that secret keys can be distinguished by the sound made when they are used. The same applies to ElGamal decryption.”

The researchers observed that the acoustic attack range surpassed 4 meters using a sensitive parabolic microphone, while without this kind of receiver they achieved a range of 1 meter.

The researchers have notified GnuPG of the vulnerability. The three also recommended protecting users’ PCs during decryption with sound-dampening equipment, such as “sound-proof” boxes.

The attack is effective against a number of laptop models, and the information that can leak depends on the specific hardware. The experiments demonstrated that for every machine it is possible to distinguish an idle CPU (x86 “HLT”) from a busy CPU, and that on many machines it is possible to distinguish different patterns of CPU operations and different programs.

To summarize, using GnuPG on some machines it is possible to:

  • distinguish between the acoustic signature of different RSA secret keys (signing or decryption), and
  • fully extract decryption keys, by measuring the sound the machine makes during decryption of chosen ciphertexts.

The attackers were able to implement an acoustic cryptanalysis attack using a mobile app running on a smartphone located near the target machine. Another possibility is to use malware specifically designed to exploit the device for this malicious purpose.

The developers of GnuPG have already developed a patch to fix the vulnerability exploited by the trio in the acoustic cryptanalysis attack. The fix is included in version 1.4.16 of GnuPG.
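A check against the fix level named above, as an added example that is not from the article or from the GnuPG project. The function name and output labels are hypothetical, and only the 1.x branch is judged because the article gives a fix version only for 1.4.16.

```shell
#!/bin/sh
# Classify a GnuPG version against the 1.4.16 fix named in the article.
# Labels (hypothetical, chosen for this example):
#   pre-fix       1.x release older than 1.4.16
#   fixed         1.4.16 or a later 1.4.x release
#   other-branch  not a 1.4-or-earlier release; the article names no fix version for it
#   unparsed      no usable version number found
classify_gnupg_version() {
    # Accept a bare version ("1.4.15") or the first line of `gpg --version`
    # ("gpg (GnuPG) 1.4.15"); the version is the last field of that line.
    ver=$(printf '%s\n' "$1" | awk 'NR==1 {print $NF}')
    case "$ver" in
        [0-9]*.[0-9]*) ;;
        *) echo unparsed; return 0 ;;
    esac
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    if [ "$patch" = "$rest" ]; then patch=0; fi   # "1.4" has no patch field
    minor=${minor%%[!0-9]*}                       # drop suffixes such as "-beta1"
    patch=${patch%%[!0-9]*}
    patch=${patch:-0}
    case "$major" in ''|*[!0-9]*) echo unparsed; return 0 ;; esac
    if [ -z "$minor" ]; then echo unparsed; return 0; fi

    if [ "$major" -ne 1 ] || [ "$minor" -gt 4 ]; then
        echo other-branch
    elif [ "$minor" -lt 4 ] || [ "$patch" -lt 16 ]; then
        echo pre-fix
    else
        echo fixed
    fi
}

# Constructed sample inputs, so the script shows output without gpg installed.
for sample in "gpg (GnuPG) 1.4.15" "gpg (GnuPG) 1.4.16" "gpg (GnuPG) 2.0.22"; do
    printf '%-22s -> %s\n' "$sample" "$(classify_gnupg_version "$sample")"
done

# Check the locally installed binary, if there is one.
if command -v gpg >/dev/null 2>&1; then
    line=$(gpg --version 2>/dev/null | head -n 1)
    printf 'installed: %s -> %s\n' "$line" "$(classify_gnupg_version "$line")"
fi
```
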

If you believe that the attack is limited by how close the recording device must be to the victim PC, you are wrong: the researchers confirmed that it is possible to perform the attack from a greater distance using a parabolic microphone, and that it may also be conducted with a laser microphone or vibrometer.

It is not the first time that acoustic signals have been used as a vector of information in an attack scenario; recently we also discussed the possibility of transferring a malicious payload via audio signals. Security measures must also be designed to protect systems against these innovative attack schemes.

Pierluigi Paganini

(Security Affairs –  Acoustic Cryptanalysis attack, hacking)
