tech

Researchers Successfully Test How To Steal Data From Laptop By Simply Touching It

Hackers have a new potential method for extracting data from computers at their fingertips—literally.

Cover image via technobuffalo.com

Normally, breaking a laptop's security involves either finding security exploits or launching brute force attacks, neither of which is easy. However, a team at Tel Aviv University has come up with a potentially simpler way to swipe data from a computer: touch it.

Image via aolcdn.com

According to research conducted by Eran Tromer, Daniel Genkin, and Itamar Pipman, computer security experts at Tel Aviv University, using a simple electrical trick is enough for a sophisticated attacker to gain access to encryption keys on computers.

vice.com

If you make contact with a laptop while you're wearing a digitiser wristband, you can measure tiny changes in electrical potential that reveal even stronger encryption keys (such as a 4,096-bit RSA key)

"Our attacks use novel side channels and are based on the observation that the 'ground' electric potential in many computers fluctuates in a computation-dependent way," the researchers write online, ahead of a presentation at CHES 2014.

tau.ac.il

You don't even have to touch the system directly in some cases

"An attacker can measure this signal by touching exposed metal on the computer's chassis with a plain wire, or even with a bare hand. The signal can also be measured at the remote end of Ethernet, VGA or USB cables."

technologyreview.com

The remarkable result is described in this paper due to be presented at a conference in South Korea next month, but it was demonstrated Tuesday at a cryptography conference in Santa Barbara, California

A signal can be picked up by touching exposed metal on a computer’ chassis with a plain wire. Or that wire can make contact anywhere on the body of an attacker touching the computer with a bare hand (sweaty hands work best).

tau.ac.il

The ground signal can also be measured by fastening an alligator clip at the far end of an Ethernet, VGA, or USB cable attached to the computer, or even wirelessly with sensitive voltage-detection equipment. The catch is that contact must be made as data is unlocked with a key—during decryption of a folder or an e-mail message, for instance.

technologyreview.com

Basically, they claim to have extracted encryption keys by measuring the electrical signals of those keys being processed. The result?

Attackers could theoretically gain easy access to thousands of encrypted keys through solely touching the chassis of the computer.

vice.com

That potentially includes access to encrypted keys that make up hundreds of digital signatures used all the time by people when creating passwords, signing contracts, or perhaps most importantly, using credit and debit cards online.

engadget.com

It's not hard, either, to imagine a scenario where someone "accidentally" grazes your laptop's exterior. Of course, there are some caveats, as the authors write.

Image via bestofmicro.com

Most significantly, to capture encryption keys, the CPU has to actually be processing those keys at the moment the signal is being measured, so a drive-by attack would take a bit of planning.

technologyreview.com

The actual attack can be done quickly. According to the study, "despite the GHz-scale clock rate of the laptops and numerous noise sources, the full attacks require a few seconds of measurements using medium frequency signals (around 2 MHz), or one hour using low frequency signals (up to 40 kHz)."

vice.com

Other related stories on SAYS:

You may be interested in: