The actual sounds made by a computer CPU allowed researchers to break one of the world’s most secure encryption algorithms, 4096-bit RSA. They did so by employing a new, beyond-state-of-the-art hacking technique, acoustic cryptanalysis, which leverages the microphone on a smartphone to listen in on a CPU while it is decrypting “secure” data. Expect the next James Bond movie to feature this new form of hacking as part of its plot.
A Closer Look at Acoustic Cryptanalysis
The cyber-security research team that proved acoustic cryptanalysis works included Adi Shamir, who developed the RSA encryption technique. The new method listens to the high-pitched frequencies (anywhere from 10 kHz to 150 kHz) emitted while the CPU is in the process of decrypting data. The sound used in the cryptanalysis process is made by the CPU’s voltage regulator; the voltage regulator works harder (and makes different sounds) when the CPU is processing a lot of data.
The researchers keyed in on the telltale sound made when the CPU begins a decryption process. Once they detected the beginning of decryption, they were able to determine the key used during the process. Each encryption system would require a similar amount of effort to determine the right sounds to successfully hack the algorithm.
The research team was able to gain access to decryption keys using a high-quality parabolic microphone from a distance of about four meters. Even more disconcerting for today’s mobile workforce, they successfully used a smartphone microphone 12 inches away from a targeted laptop computer. The team also discovered a similar, hackable audio signal at the target computer’s plugged-in wall socket and at the end of its Ethernet cable.
Considerations for Cyber-Security Professionals
The nefarious use of acoustic cryptanalysis puts fear into the hearts of many involved in cyber-security. The researchers themselves foretold a scenario where a hacker places a microphone hidden inside a rack in a data center and collects the decryption keys from unsuspecting customers’ credit card data. Malware, or even a website using HTML5 or Flash, can be used with a smartphone’s microphone to provide similar functionality. It definitely makes one think twice before accessing any financial information on a computer or smartphone while in a public place.
Cyber technology professionals need to look at ways to acoustically isolate server equipment if acoustic cryptanalysis makes it from the research lab into the real world. As always, a robust combination of physical and encryption security techniques provides the best cyber-security against state-of-the-art threats involving CPU sounds intercepted by a microphone. Individual users also need to keep their wits about them and their eyes peeled when choosing to access important websites while out in public.