Pages

24 January 2015

Hackers Don't Need Wi-Fi to Steal Your Data


Your laptop or smartphone may be leaking electronic emissions that contain your password or other private data, even when it’s not connected to the Internet, according to two groups of researchers.

The vulnerability could make it possible for a hacker to obtain information from your device just by sitting next to you at a coffee shop.

The researchers are tracing leaks of electromagnetic radiation that are byproducts of various electronic components of computer hardware, including computer processors and capacitors.

Passwords are sooo 1995. With today's technology there are some seriously wicked new ways to secure your life.

Some of the signals are created when you type at the keyboard and can be picked up with the right kind of electronic eavesdropping equipment.

In their recent study, the Georgia Tech researchers developed a way to measure the strength of the emissions and offer ways for hardware and software designers to plug those electronic holes.

So far, these kinds of leaks are not overly exploited by hackers.

“If you are comparing this to Internet attacks, it is less of a problem,” said Alenka Zajic, assistant professor of electrical and computer engineering at the Georgia Institute of Technology.

“But they are very hard to detect. With any sort of Internet attack, you will find the attacker. With this one you just need to be close by and there’s no way to know who took your data.”

Zajic and her colleagues say they were able to pick up keystroke information from laptops using just an AM radio and a cellphone. “You could probably hide it under the desk,” Zajic said. “It’s just a matter of motivation.”

These side-channel emissions can also be measured from hidden antennas in a briefcase, while acoustic emissions from the device’s electronic capacitors, can be picked up by tiny microphones.

In her research, Zajic typed a password on one laptop that was not connected to the Internet. On the other side of a wall, a colleague using another disconnected laptop was able to intercept the side-channel signals produced and read the password as it was being typed.

Zajic said these small electronic emissions are tough to stop.

Passwords are sooo 1995. With today's technology there are some seriously wicked new ways to secure your life.

Zajic and which was presented recently at IEEE/ACM International Symposium on Microarchitecture in Cambridge, UK. Another team from Israel’s Tel Aviv University has also been working on this problem.

The Georgia Tech researchers are also now studying smartphones, whose compact design and large differential between idle and in-use power may make them more vulnerable. So far, they have only looked at Android devices.

Because it’s difficult to control these electronic signals without a jammer or protective metal cage, Zajic believes the solution may be in modifying software so it doesn’t initiate a recognizable signal in the first place.

“If I can identify the part of the code that leaks the most,” she said. “We can mask the emanations so you are protected.”

So far, this kind of close-quarters hacking is probably only a threat to decision-makers, VIPs, politicians or celebrities that are in possession of valuable data, according to Miodrag Potkonjak, a computer scientist at UCLA. That might change as more people begin to use their smartphones to pay for consumer items, using near-field transmission to exchange data, such as Apple Pay.

“Soon it will be a big problem for everyone,” said Potkonjak, who has studied encryption technologies and side-channel signals.

Data centers that store vast quantities of private information are also at risk, believes Simha Sethumadhavan, assistant professor of computer science at Columbia University.

“I don't think one can prevent side-channel attacks completely,” he said via e-mail to Discovery News. “One solution is to add noise to frustrate the attacker, another solution is to make the secret signal output indistinguishable from non-secret operations -- this requires designers to think about the attack at run time, and yet another solution is to use algorithms that are leakage-resistant.”

No comments:

Post a Comment