Hello,

We noticed you're browsing in private or incognito mode.

To continue reading this article, please exit incognito mode or log in.

Not a subscriber? Subscribe now for unlimited access to online articles.

Intelligent Machines

How to Break Cryptography With Your Bare Hands

The latest way to snoop on a computer is by measuring subtle changes in electrical potential as data is decrypted.

Cryptographic keys are used to protect online banking, sensitive e-mail messages, and valuable personal data.

With enough technical savvy, simply touching a laptop can suffice to extract the cryptographic keys used to secure data stored on it.

Touch sensitive: In a demonstration, a researcher captures cryptographic keys stored on a computer using a sophisticated algorithm that measures ground potential conducted through the skin.

The trick is based on the fact that the “ground” electrical potential in many computers fluctuates according to the computation that is being performed by its processor—including the computations that take place when cryptographic software operates to decrypt data using a secret key.

Measuring the electrical potential leaked to your skin when you touch the metal chassis of such laptops, and analyzing that signal using sophisticated software, can be enough to determine the keys stored within, says Eran Tromer, a computer security expert at Tel Aviv University.

The remarkable result is described in this paper due to be presented at a conference in South Korea next month, but it was demonstrated Tuesday at a cryptography conference in Santa Barbara, California.

A signal can be picked up by touching exposed metal on a computer’ chassis with a plain wire. Or that wire can make contact anywhere on the body of an attacker touching the computer with a bare hand (sweaty hands work best). The ground signal can also be measured by fastening an alligator clip at the far end of an Ethernet, VGA, or USB cable attached to the computer, or even wirelessly with sensitive voltage-detection equipment. The catch is that contact must be made as data is unlocked with a key—during decryption of a folder or an e-mail message, for instance.

Tromer says his research team has used all those methods to extract encryption keys based on widely used, high-security standards—4,096-bit RSA keys and 3,072-bit ElGamal keys.

The work contributes to a growing body of evidence that regardless of the software protections people place on computers, there are indirect ways to extract data—so-called “side channel” attacks.

Previous research efforts have found, for example, that analyzing the power consumption of a computer can reveal cryptographic keys. The good news is that analyzing subtle trends in power usage can also reveal whether a computer is being attacked (see “Tiny Changes in Energy Use Could Mean Your Computer Is Under Attack”).

“Overall, there are likely tens of undiscovered hardware-related side channels—and we are likely going to hear more from these authors and others,” says Radu Sion, a computer security expert at Stony Brook University.

Tromer says he doesn’t know of anybody performing a ground-potential attack to steal real data, but he has notified cryptography software makers. It is possible to avoid such attacks by adding random data to computations. The developers of one popular free cryptographic software package, GnuPG, incorporated such a patch into the latest version of their software.

Learn from the humans leading the way in intelligent machines at EmTech Next. Register Today!
June 11-12, 2019
Cambridge, MA

Register now
More from Intelligent Machines

Artificial intelligence and robots are transforming how we work and live.

Want more award-winning journalism? Subscribe to MIT Technology Review.
  • Print + All Access Digital {! insider.prices.print_digital !}* Best Value

    {! insider.display.menuOptionsLabel !}

    The best of MIT Technology Review in print and online, plus unlimited access to our online archive, an ad-free web experience, discounts to MIT Technology Review events, and The Download delivered to your email in-box each weekday.

    See details+

    12-month subscription

    Unlimited access to all our daily online news and feature stories

    6 bi-monthly issues of print + digital magazine

    10% discount to MIT Technology Review events

    Access to entire PDF magazine archive dating back to 1899

    Ad-free website experience

    The Download: newsletter delivery each weekday to your inbox

    The MIT Technology Review App

  • All Access Digital {! insider.prices.digital !}*

    {! insider.display.menuOptionsLabel !}

    The digital magazine, plus unlimited site access, our online archive, and The Download delivered to your email in-box each weekday.

    See details+

    12-month subscription

    Unlimited access to all our daily online news and feature stories

    Digital magazine (6 bi-monthly issues)

    Access to entire PDF magazine archive dating back to 1899

    The Download: newsletter delivery each weekday to your inbox

  • Print Subscription {! insider.prices.print_only !}*

    {! insider.display.menuOptionsLabel !}

    Six print issues per year plus The Download delivered to your email in-box each weekday.

    See details+

    12-month subscription

    Print magazine (6 bi-monthly issues)

    The Download: newsletter delivery each weekday to your inbox

/3
You've read of three free articles this month. for unlimited online access. You've read of three free articles this month. for unlimited online access. This is your last free article this month. for unlimited online access. You've read all your free articles this month. for unlimited online access. You've read of three free articles this month. for more, or for unlimited online access. for two more free articles, or for unlimited online access.