Sign in with
Sign up | Sign in

Just Touching a Laptop Can Reveal Secret Data

By - Source: Tom's Guide US | B 6 comments

Example setup for extracting encryption keys from electric currents. Credit: Daniel Genkin, Itamar Pipman, Eran Tromer. Example setup for extracting encryption keys from electric currents. Credit: Daniel Genkin, Itamar Pipman, Eran Tromer.

It's the most "current" news you'll read all day: The pattern of the electric currents that pass through your laptop computer can be used to determine your encryption keys, as a group of three Israeli researchers at Tel Aviv University have shown.

By measuring the electric potential running through a laptop's casing, or through a cable attached to the machine, or even by measuring the electric potential of a human touching the casing, the researchers were able to extract two different types of encryption keys used in the open-source encryption hardware known as GnuPG.

Shocking, isn't it?

MORE: Best Antivirus Software 2014

First, the researchers attached a small digitizer (a device that turns electric signals into digital data) to a laptop, and made sure the digitizer's  sensor was touching a conductive part of the laptop, such as the casing around a USB, Ethernet, VGA, HDMI or other kind of port, or a metal heatsink fan.

All encrypted data needs to be decrypted at some point to be read and used. When the computer's owner accessed GnuPG software and entered the decryption key, the pattern of electrical potential that flows through the laptop's metal parts was enough to let the researchers determine 4096-bit RSA keys and 3072-bit ElGamal encryption keys.

RSA and ElGamal are both well-respected and robust encryption algorithms, and keys of those lengths are considered extremely resistant to conventional attacks.

Attaching a device to the outside of a computer may be too obvious. The researchers also proved that the same attack could be performed by attaching a digitizer to the far end of a cable plugged into the target computer.

A third, and perhaps most incredible, method, was to measure the electric potential running through a person who was also touching a metal part of the target computer. In this scenario the person worked like a human cable, conducting electricity from the computer straight to a digitizer attached to her or his body. 

No expensive equipment was needed to carry out this attack; the researchers also successfully carried it out using a mobile phone instead of a digitizer to convert the electric potential into digital signals. Add to that a few alligator clips and an Ethernet cable, and even James Bond would be hard-pressed to do better.

The researchers published their findings in a white paper on the University of Tel Aviv's website.

Last December, a different group of Israeli researchers proved that computers can give up sensitive GnuPG information in another, equally fantastic way: via sound. The vibrations made by computers as they process complicated encryption algorithms can be used to decipher the encryption keys, the researchers showed.

Jill Scharr is a staff writer for Tom's Guide, where she regularly covers security, 3D printing and video games. You can follow Jill on Twitter @JillScharr and on Google+. Follow us @tomsguide, on Facebook and on Google+.

Discuss
Add a comment
Ask a Category Expert
React To This Article

Create a new thread in the Streaming Video & TVs forum about this subject

Example: Notebook, Android, SSD hard drive

  • 0 Hide
    Christopher1 , August 22, 2014 11:10 AM
    Since this needs physical access to a computer, I believe you would see if someone is doing this.
  • 3 Hide
    gm0n3y , August 22, 2014 11:26 AM
    This an update of an old trick. Reminds me of seeing what is on a CRT screen from behind a wall by scanning the EM waves generated by the monitor.
  • -4 Hide
    derekullo , August 22, 2014 11:37 AM
    Apple knew about this years ago and designed the iphone 5c with plastic in mind knowing that it would be resistant to hacking.
  • Add your comment Display all 6 comments.
  • 3 Hide
    Darkk , August 22, 2014 11:49 AM
    Quote:
    This an update of an old trick. Reminds me of seeing what is on a CRT screen from behind a wall by scanning the EM waves generated by the monitor.


    Yep. That is known as tempest attack.
  • 0 Hide
    ickibar1234 , August 23, 2014 12:25 AM
    The first, "the pattern of electrical potential flowing through the laptop's metal parts..."

    What about multitasking, that would change the feedback, though I am confused why there would be electrical potential through a heatsink, that's why I am saying feedback.

    Also the last method, audio, vibrations. Multitasking? Dynamic overclocking, couldn't that easily modify the 'system noise' so much that there is no way to know what is going through the CPU registers?

    Perhaps 'rotating the clock frequencies' and voltages randomly within some narrow window while running another thread that takes a few percentages of each core and bounces around the core would fool this?
    Ha
  • -1 Hide
    SoWatt , August 23, 2014 11:41 AM
    I think I may know how this is happening. There are several websites that offer subcontractor work to anyone intelligent enough to fill out an online form and lie about their experience and credentials. It used to be different, you had to prove you had skills, go through checks, etc. But nowadays, the sleazy companies posting the work to be done are paying SO lowly that the professionals are ignoring those jobs and the unskilled people are taking them. No checks, no requirements, nothing except that they're willing to work for under minimum wage.
React To This Article

Tom’s guide in the world
  • Germany
  • France
  • Italy
  • Ireland
  • UK
Follow Tom’s guide
Subscribe to our newsletter