Spy in the sandbox attack to spy on your online activity

Four security researchers at Columbia University have developed a new technique, dubbed the Spy in the sandbox attack, to spy on victims’ online activity.

Four security researchers at Columbia University (Yossef Oren, Vasileios Kemerlis, Simha Sethumadhavan, and Angelos Keromytis) have developed a new technique to hack a computer using JavaScript that allows them to spy on keystrokes and mouse clicks in a web browser tab by snooping on the PC’s processor caches.

According to the researchers, the technique is effective against about 80 percent of desktop machines. They explained that it could be used to hack a PC running a recent-model Intel CPU, such as a Core i7, and any browser supporting HTML5.

The exploit, dubbed “the spy in the sandbox”, appears very insidious: the experts run a side-channel attack using JavaScript served from a malicious web ad network. The exploit analyzes the time it takes to access data stored in the last-level cache (the L3 cache shared by all cores in a modern desktop machine) and matches it to user activity.

Unlike other exploits, in the “spy in the sandbox” attack scenario the attacker does not need to install any malicious code on the victim’s PC. As explained in the paper The Spy in the Sandbox – Practical Cache Attacks in JavaScript, the victim can be hacked simply by visiting a page with malicious JavaScript.

“We present the first micro-architectural side-channel attack which runs entirely in the browser. In contrast to other works in this genre, this attack does not require the attacker to install any software on the victim’s machine — to facilitate the attack, the victim needs only to browse to an untrusted webpage with attacker-controlled content. This makes the attack model highly scalable and extremely relevant and practical to today’s web, especially since most desktop browsers currently accessing the Internet are vulnerable to this attack.”

The researchers urge IT giants Apple, Google, Microsoft and Mozilla to upgrade their browsers to mitigate the spy in the sandbox attack. There is a concrete risk that it could be carried out by criminal crews in the wild, because it doesn’t require specific effort:

“This is a very low-cost attack which would probably be used by small-time bad guys – the same creeps who bombard you with pop-up ads will probably add this to their popups so they can track you while they distract you,” said Oren.

The research conducted by the experts is the continuation of another interesting study related to last-level cache attacks that could be carried out to recover information belonging to other processes, other users and even other virtual machines running on the same physical host as the victim’s web browser.

“Our attack, which is an extension of the last-level cache attacks of (Adelaide University’s) Yuval Yarom, allows a remote adversary to recover information belonging to other processes, other users and even other virtual machines running on the same physical host as the victim web browser,” state the researchers.

Once running, the JavaScript takes a snapshot of the cache and monitors any modification caused by the user’s operations (e.g. the user presses a key); it then uses the browser’s high-resolution timer to record the time it takes to iterate through a block of memory.

Timing differences between accesses, with some being faster than others, show where the cache has been affected; the data retrieved with this technique allows the attacker to map the pattern of memory accesses to keystrokes and mouse movements.
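Why the high-resolution timer matters here, as an added example (not from the article or the researchers' paper): a simulation that compares how reliably one fast access can be told from one slow access with a fine timer and with a coarse one. The latency values, the 5-microsecond coarse resolution and all function names are assumptions constructed for the illustration.

```javascript
// Constructed latencies in nanoseconds; not measurements from the paper.
const HIT_NS = 40;    // assumed access served from the last-level cache
const MISS_NS = 120;  // assumed access that had to go to main memory
const JITTER_NS = 15; // assumed measurement noise (+/-)

// Small seeded generator so the simulation is repeatable.
function makeRng(seed) {
  let state = seed >>> 0;
  return () => {
    state = (Math.imul(state, 1664525) + 1013904223) >>> 0;
    return state / 4294967296;
  };
}

// What a timer with the given resolution reports for a true duration
// that starts at a random phase inside a timer tick.
function observedDuration(trueNs, resolutionNs, rng) {
  const start = rng() * resolutionNs;
  const end = start + trueNs;
  const tick = (t) => Math.floor(t / resolutionNs) * resolutionNs;
  return tick(end) - tick(start);
}

// Fraction of single accesses correctly labelled fast/slow by a threshold
// placed midway between the two assumed latencies.
function classificationAccuracy(resolutionNs, samples = 4000, seed = 1) {
  const rng = makeRng(seed);
  const threshold = (HIT_NS + MISS_NS) / 2;
  let correct = 0;
  for (let i = 0; i < samples; i++) {
    const isMiss = i % 2 === 1; // alternate fast and slow accesses
    const jitter = (rng() * 2 - 1) * JITTER_NS;
    const trueNs = (isMiss ? MISS_NS : HIT_NS) + jitter;
    const seen = observedDuration(trueNs, resolutionNs, rng);
    if ((seen > threshold) === isMiss) correct++;
  }
  return correct / samples;
}

const fine = classificationAccuracy(1);      // nanosecond-class timer
const coarse = classificationAccuracy(5000); // timer rounded to 5 microseconds
console.log({ fine, coarse });
```

With the coarse timer almost every access reads as zero, so the labels are right only about half the time, which is no better than guessing.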

The researchers explained that the exploit cannot steal any passwords or data, but it can be used to spy on the victim’s activity, and an attacker can use the browser history for financial theft or other malicious purposes.

By testing the spy in the sandbox attack on an Intel Core i7 Mac running OS X 10.10.2 and Firefox 35.0.1, the researchers demonstrated that the malicious JavaScript was able to map half the L3 cache in one minute, and about a quarter in roughly 30 seconds.

Dr Oren and his team will not release the exploit code until the browsers are patched. In the meantime, close unused tabs when you are working on something important.

“In the meantime the best suggestion I have for end-users is: close all non-essential browser tabs when you’re doing something sensitive on your computer,” he says. 

Pierluigi Paganini

(Security Affairs –  spy in the sandbox, Javascript)

