Israeli researchers get data from an offline PC through wall

Feb 20, 2016 22:16 GMT  ·  By

Researchers from Tel Aviv University have managed to extract the cryptographic key of an air-gapped laptop placed in another room, through the wall, using nothing more than standard electronic equipment.

The four-man team used only an antenna, some amplifiers, a software-defined radio, and a standard Lenovo 3000 N200 laptop. Researchers did not break the computer's case, nor did they make other modifications to its setup.

The laptop was running the latest version of GnuPG 2 and its Libgcrypt cryptographic library. GnuPG is an open-source implementation of the OpenPGP standard. The researchers targeted Libgcrypt and its Elliptic Curve Diffie–Hellman (ECDH) encryption algorithm.

During the tests, the team sent a specific ciphertext to the laptop and then measured the electromagnetic leakage coming from the device. Initial tests were carried out in the same room, but the team also managed to conduct successful tests from an adjacent room, through a standard reinforced drywall 15 cm thick.

The attack only takes 3.3 seconds to carry out

The researchers only needed to send the ciphertext (an encrypted message) to the laptop 66 times and then analyze the surrounding electromagnetic field. After 3.3 seconds they were able to retrieve the laptop's cryptographic key through a classic side-channel attack.

A side-channel attack is one in which a nearby attacker observes, records, and analyzes the physical signals given off by cryptographic operations. By measuring fluctuations in power consumption or the energy radiated during these computations, the attacker can later reconstruct parts of, or the entire, cryptographic key.
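To make the principle concrete, here is an added toy model (not code from the researchers or from Libgcrypt): a naive double-and-add scalar multiplication on a small constructed curve leaks its key through the sequence of point operations it performs, while a Montgomery ladder performs the same sequence for every key. The curve, base point and keys are constructed values, and the model simplifies the real leakage, which in the paper also depends on the chosen ciphertext.

```python
# Toy model of a scalar multiplication leaking its key through the sequence of
# point operations, beside a regular-sequence countermeasure. Added illustration:
# not the Tel Aviv team's attack code, nor Libgcrypt's implementation or its fix.
P, A = 97, 2                 # constructed toy curve y^2 = x^3 + 2x + 3 over GF(97)
G = (3, 6)                   # constructed base point (6^2 = 36 = 27 + 6 + 3 mod 97)

def ec_add(p1, p2):
    """Affine point addition/doubling; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                                   # p1 == -p2
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def naive_mul(k, pt, trace):
    """Double-and-add: an add occurs only for 1 bits, so the recorded
    operation sequence (what an EM probe observes) mirrors the key."""
    acc = None
    for bit in bin(k)[2:]:
        acc = ec_add(acc, acc)
        trace.append("D")
        if bit == "1":
            acc = ec_add(acc, pt)
            trace.append("A")
    return acc

def bits_from_trace(trace):
    """Observer's reconstruction: each D starts a bit; a following A means 1."""
    t = "".join(trace)
    return int(t.replace("DA", "1").replace("D", "0"), 2)

def ladder_mul(k, pt, trace, nbits):
    """Montgomery ladder: one add and one double per bit whatever its value,
    so every key of the same length yields the identical operation sequence."""
    r0, r1 = None, pt                      # invariant: r1 - r0 == pt
    for bit in format(k, f"0{nbits}b"):
        if bit == "0":
            r1, r0 = ec_add(r0, r1), ec_add(r0, r0)
        else:
            r0, r1 = ec_add(r0, r1), ec_add(r1, r1)
        trace += ["A", "D"]
    return r0
```

Running `naive_mul` on a key and feeding its trace to `bits_from_trace` returns the key, whereas the ladder's trace is the same for any two keys of equal length.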

"Our attack is non-adaptive, requiring decryption of a single, non-adaptively chosen ciphertext in order to extract the whole secret key," the researchers explained, referring to the fact that the attack uses one specific, pre-chosen ciphertext rather than random data.

The researchers also reported their findings to the GnuPG developers (CVE-2015-7511), who released an updated version of Libgcrypt that protects the library against this type of side-channel attack.

The full research paper, "ECDH Key-Extraction via Low-Bandwidth Electromagnetic Attacks on PCs," is available to read online.