Hardware security still remains one of the hottest and unfortunately, not completely resolved topics in the hardware industry. The ultimate question remains:
As much as you want to think your hardware is secure, it is actually completely opposite. Current generation of hardware is not built to keep your secrets safe. But don't blame it too much. The reality is that attacks are getting created and developed much faster than hardware manufacturers can follow. One very plausible attack method uses information that leaks through the side channels.
You can call an attack as a side-channel attack if it uses a physical implementation of a system, rather than brute force or algorithm's weaknesses. It can be timing information, power consumption, electromagnetic leaks or even sound.
These unintended leaks can be exploited by attackers, who can utilize the flaws in the system in a straightforward manner using special equipment. The most well-known and effective side-channel attack today is the one that implements information leaked through the power consumption.
This kind of attacks attempt to find a correlation between the instantaneous power consumption of the system and the internal state of a cryptographic implementation. To perform that, first you need to measure and record the values of items of interest, for example power consumption, and then evaluate the relationship between them.
Attacks on Advanced Encryption Standard (AES) implementations tend to require unrestricted physical access to the device. Which basically means you have to solder wires into your target device to catch multiple power traces of the cryptographic operation. But it doesn’t seems that handy and definitely has a room for improvement.
Alternative and more convenient way of reconnaissance shouldn't involve any physical access and dangling wires, right? So is it possible to gain access - remotely?
Today we can answer to this question yes!
Using an improved antenna and signal processing it is possible to covertly recover the encryption key from particular AES implementations. All that required is affordable equipment, up to 1 m distance and few minutes of time.
Are you fascinated by this improvement as much as we are? If you are interested to see the first actual public demonstration of this remote attack, come over to Craig Ramsay's talk at hardwear.io 2017.