That innocent-looking pita sandwich someone is ostensibly eating across from you at your neighborhood café could contain a cyber-spying system that could infiltrate the most secure document encryption protocols on your laptop.
Worse, said Tel Aviv University researchers, there is little computer users can do to protect themselves.
“Physical mitigation techniques… could include Faraday cages,” the team wrote, referring to grounded metal screens or enclosures that keep such radiation out, or in. “However, inexpensive protection of consumer-grade PCs appears difficult,” the team said.
In a paper released Tuesday, the researchers described how cheap, Radio Shack-type equipment – easily hidden inside a standard-size pita bread – could be used to “read” the electromagnetic pulses emanating from a standard laptop’s keyboard, including the keystrokes used to decrypt secure documents.
The TAU team playfully named the attack PITA – Portable Instrument for Trace Acquisition. The study, authored by researchers Daniel Genkin, Itamar Pipman, Lev Pachmanov, and Eran Tromer, was released to coincide with a major cyber-security conference taking place at Tel Aviv University this week.
“We successfully extracted keys from laptops of various models running GnuPG (popular open source encryption software, implementing the OpenPGP encryption standard), within a few seconds,” the TAU team wrote in the paper, titled Stealing Keys from PCs using a Radio: Cheap Electromagnetic Attacks on Windowed Exponentiation.
Besides OpenPGP, the team was able to successfully duplicate the attacks on other popular, and ostensibly secure, encryption implementations, including RSA and ElGamal.
“The attack sends a few carefully-crafted ciphertexts, and when these are decrypted by the target computer, they trigger the occurrence of specially-structured values inside the decryption software,” the researchers said.
Using a device that can receive radio signals – an actual radio, or a USB dongle that can receive broadcasts and play them back on a computer – the researchers were able to observe fluctuations in the electromagnetic field surrounding the laptop and translate those fluctuations into keystrokes using analysis software.
The paper provides full details on what equipment is needed (all of it cheaply available at local electronics stores or on the web), how to assemble and connect the parts, and even how to fold it up into a pita bread. The equipment detects the fluctuations in the electromagnetic emissions of the hardware (keyboard and processor) while the computer decrypts the crafted ciphertexts (the decryption routines contain components that run automatically whenever encrypted text is encountered, and it is these that the attack exploits).
By sending out these trick texts, hackers could steal the authentication keys on a user’s computer, allowing them free access to encrypted documents and data.
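The mechanism described in the preceding paragraphs, as a toy model added here (this is not the paper's or GnuPG's code): a 4-bit-window modular exponentiation is instrumented with a made-up "structured operand" predicate, so that the chosen ciphertext -1 mod n makes the exponentiation reveal the low bit of every nonzero key window; the same routine is then run with standard RSA ciphertext blinding, a software countermeasure the article does not discuss, to show the attacker-controlled structure disappear. The toy key, the 16-bit limb layout and the leakage predicate are all constructed assumptions.

```python
# Toy model constructed for this article (not the paper's or GnuPG's code): why an
# attacker-chosen ciphertext makes windowed exponentiation touch 'specially
# structured' operands that reveal key-bit windows, and how blinding removes that.
import math
import secrets

W = 4                                  # window width in bits (assumed fixed-window)
TOY_P, TOY_Q = 4294967291, 4294967279  # 32-bit primes: a toy 64-bit RSA modulus only
TOY_N, TOY_E = TOY_P * TOY_Q, 65537
TOY_D = pow(TOY_E, -1, (TOY_P - 1) * (TOY_Q - 1))

def looks_structured(x):
    """Constructed leakage model: an operand is 'visible' to the probe when at least
    3 of its four 16-bit limbs are zero. Real EM leakage is analog and far subtler."""
    return sum((x >> (16 * i)) & 0xFFFF == 0 for i in range(4)) >= 3

def windowed_modexp(base, exp, mod, trace):
    """Left-to-right fixed-window exponentiation (a simplified stand-in for the
    sliding-window routine the paper targets). Each multiply appends whether its
    table operand looked structured; an all-zero window skips the multiply (None)."""
    table = [pow(base, i, mod) for i in range(1 << W)]
    acc = 1
    for i in reversed(range(-(-mod.bit_length() // W))):  # ceil(bits / W) windows
        digit = (exp >> (W * i)) & ((1 << W) - 1)
        for _ in range(W):
            acc = acc * acc % mod
        if digit:
            trace.append(looks_structured(table[digit]))
            acc = acc * table[digit] % mod
        else:
            trace.append(None)
    return acc

def decrypt_trace(c, d, n, e=None, r=None):
    """Return (plaintext, trace). With e given, blind c by r^e first and unblind the
    result by r^-1 (standard RSA blinding; an added countermeasure, not from the article)."""
    trace = []
    if e is None:
        return windowed_modexp(c, d, n, trace), trace
    while r is None or math.gcd(r, n) != 1:
        r = secrets.randbelow(n - 2) + 2
    m = windowed_modexp(c * pow(r, e, n) % n, d, n, trace)
    return m * pow(r, -1, n) % n, trace

if __name__ == "__main__":
    # Chosen ciphertext c = n-1 (-1 mod n): table entries alternate 1 / n-1, so the
    # trace exposes the low bit of every nonzero key window; blinded, it stays quiet.
    _, leak = decrypt_trace(TOY_N - 1, TOY_D, TOY_N)
    _, quiet = decrypt_trace(TOY_N - 1, TOY_D, TOY_N, e=TOY_E)
    print("unblinded:", leak); print("blinded:  ", quiet)
```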
A PITA attack would likely be used by hackers in conjunction with an attack that “sweeps” data and documents off a computer. If that data is encrypted, it’s unlikely the hackers would be able to read it (depending on how strong the encryption is) – but with the encryption keys, the hackers could figure out encrypted information like credit card numbers, passwords, and more.
The only caveat is that the “spy” pita needs to be within 50 centimeters (about 20 inches) of the target. On the other hand, the team said, the entire operation can be accomplished within seconds – making the attack perfect for hackers hanging out at coffee shops, where many computer users take advantage of electrical outlets, free wifi, and strong brews to get some serious work done. A hacker could obtain the keys in a “drive-by” – or rather “walk-by” – attack, carrying their “poisoned pita” on a tray with real food. The study noted, however, that “signal quality varied dramatically with the target computer model and probe position.”
The TAU team is not the first to think of using electromagnetic emissions to hack systems. In 2014, Ben Gurion University researchers showed that cellphone-based malware could pick up the electromagnetic radiation emanating from keyboards, monitors, and other equipment to read key information. The BGU team demonstrated how data collected by malware previously placed on a computer (via a phishing attack or another method) could be pulled out by a cellphone that created a local network using the electromagnetic pulses emanating from the hardware. The information could be lifted from the target system even if it was not connected to the Internet, or even to a local area (Ethernet) network.
The worst part, said the team, is that there is little computer users can do to prevent these attacks – other than staying out of cafés and keeping their laptops away from pita sandwiches.
Unfortunately, the team said, “preventing such low-level leakage is often impractical,” because implementing any effective measures (such as Faraday cages) would either be a major hassle due to the excessive hardware requirements, or slow down performance to the extent that users would not be able to get any work done.
“Even when a cryptographic scheme is mathematically secure and sound, its implementations may be vulnerable to side-channel attacks that exploit physical emanations,” the team said. The hack “can target commodity laptop computers. We have tested numerous laptop computers of various models and makes” – and when it comes to a PITA attack, every laptop user needs to be concerned.