RolfAndreassen comments on Open thread for December 17-23, 2013 - Less Wrong

5 Post author: ciphergoth 17 December 2013 08:45PM

You are viewing a comment permalink. View the original post to see all comments and the full post content.

Article Navigation

Comments (301)
Tags: open_thread

Comments (301)

You are viewing a single comment's thread. Show more comments above.

Comment author: JoshuaZ 19 December 2013 05:08:24AM 29 points [-]

Recent work shows that it is possible to use acoustic data to break public key encryption systems. Essentially, if one can send specific encrypted plaintext then the resulting sounds the CPU makes when decrypting can reveal information about the key. The attack was successfully demonstrated to work on 4096 bit RSA encryption. While some versions of the attack require high quality microphones, some versions apparently were successful just using mobile phones.

Aside from the general interest issues, this is one more example of how a supposedly boxed AI might be able to send out detailed information to the outside. In particular, one can send surprisingly high bandwith even accidentally through acoustic channels.

Comment author: RolfAndreassen 20 December 2013 03:45:53AM 1 point [-]

Eh... if an attacker has the level of physical access to the CPU that's required to plant a microphone, you have worse problems than acoustic attacks.

Comment author: Pentashagon 20 December 2013 04:52:02AM 8 points [-]

For personal devices the attacker may have access to the microphone inside the device via flash/java/javascript/an app, etc.

Comment author: Lumifer 20 December 2013 05:46:58AM 1 point [-]

If the attacker can run code on your device, a keylogger is a much simpler solution.

Comment author: Pentashagon 20 December 2013 06:06:19AM 2 points [-]

I think it is probably simpler to enable the microphone from a web or mobile application than to install a keylogger in the OS. But then if you consider acoustic keyloggers...

Comment author: ChristianKl 20 December 2013 03:21:56PM 0 points [-]

With an acoustic keylogger you could scoop the my KeePass password but the actual passwords that I use to log into websites.

Comment author: Baughn 21 December 2013 11:11:27PM 1 point [-]

Not if it's sandboxed, but then timing and other side-channel attacks are still easier than using the mike.

Comment author: JoshuaZ 20 December 2013 04:09:47AM 6 points [-]

That might have been true a few years ago, but they point out that that's not as true anymore. For example, they suggest one practical application of this technique might be to put your own server in a colocation facility, stick a microphone in it and slurp up as many keys as you can. They also were able to get a version of the technique to work 4 meters away, which is far enough that this becomes somewhat different from having direct physical access. They also point out that laser microphones could also be used with this method.

Comment author: ChristianKl 20 December 2013 03:28:47PM 2 points [-]

In the example the used a mobile phone. Going from having owned a microphone to being able to know a key on a computer is a significant step.

Additionally there are other way to get audio access. Heating pipes conduct sound waves if the attacker has a good microphone.

Glass of windows vibrates in a way that can be detected from a distance.

Powered by Reddit Powered by Reddit