Just Touching a Laptop Can Reveal Secret Data
Example setup for extracting encryption keys from electric currents. Credit: Daniel Genkin, Itamar Pipman, Eran Tromer.
It's the most "current" news you'll read all day: The pattern of the electric currents that pass through your laptop computer can be used to determine your encryption keys, as a group of three Israeli researchers at Tel Aviv University have shown.
By measuring the electric potential of a laptop's casing, or of a cable attached to the machine, or even of a human touching the casing, the researchers were able to extract two different types of encryption keys used in the open-source encryption software known as GnuPG.
Shocking, isn't it?
First, the researchers attached a small digitizer (a device that turns electric signals into digital data) to a laptop, and made sure the digitizer's sensor was touching a conductive part of the laptop, such as the casing around a USB, Ethernet, VGA, HDMI or other kind of port, or a metal heatsink fan.
All encrypted data needs to be decrypted at some point to be read and used. When the computer's owner accessed GnuPG software and entered the decryption key, the pattern of electric potential on the laptop's metal parts was enough to let the researchers determine 4096-bit RSA keys and 3072-bit ElGamal encryption keys.
RSA and ElGamal are both well-respected and robust encryption algorithms, and keys of those lengths are considered extremely resistant to conventional attacks.
Attaching a device to the outside of a computer may be too obvious. The researchers also proved that the same attack could be performed by attaching a digitizer to the far end of a cable plugged into the target computer.
A third, and perhaps most incredible, method was to measure the electric potential of a person who was also touching a metal part of the target computer. In this scenario the person worked like a human cable, conducting electricity from the computer straight to a digitizer attached to her or his body.
No expensive equipment was needed to carry out this attack; the researchers also successfully carried it out using a mobile phone instead of a digitizer to convert the electric potential into digital signals. Add to that a few alligator clips and an Ethernet cable, and even James Bond would be hard-pressed to do better.
The researchers published their findings in a white paper on the University of Tel Aviv's website.
Last December, a different group of Israeli researchers proved that computers can give up sensitive GnuPG information in another, equally fantastic way: via sound. The vibrations made by computers as they process complicated encryption algorithms can be used to decipher the encryption keys, the researchers showed.
Jill Scharr is a staff writer for Tom's Guide, where she regularly covers security, 3D printing and video games.