Hacking through your computer’s noises
Every development in the world of hacking prompts a collective sigh and a defeated “Aww, really?” as we proceed to create complex four-mile long passwords that we’ll never remember in order to protect ourselves. Well, there’s a new threat in town. Surprise!
We’re all aware of the hums and whirrs our computers make, and they’re usually pretty annoying. But guess what — it’s music to a hacker’s ears. In addition to the sounds we can hear, our computers also emit high-pitched noises that can be picked up by the microphones in mobile devices and used to steal decryption codes.
The researchers succinctly summarize what this hacking process entails in their recently published paper on “Acoustic Cryptanalysis”: "We devise and demonstrate a key extraction attack that can reveal 4096-bit RSA secret keys when used by GnuPG running on a laptop computer within an hour by analyzing the sound generated by the computer during decryption of chosen ciphertexts. We demonstrate the attack on various targets and by various methods, including the internal microphone of a plain mobile phone placed next to the computer and using a sensitive microphone from a distance of four meters [a little more than 13 feet]."
This new development is pretty scary, but don’t don your tin foil hats and cower in a corner just yet. This attack method operates on a small scale, for now, and it lacks the power to do any quick, widespread damage just yet.
Most people don’t have the advanced equipment necessary to pick up sounds from the 4-meter maximum distance, so they’d probably be using a smartphone or tablet which has a much shorter range of about 30 cm. Plus, the large dome of the parabolic microphone needed to reach 4 meters is bound to arouse some suspicion.
Maybe you can discreetly place your smartphone on the table during the next business meeting and shake up the company a bit with stolen data like a 2013-version of “Office Space.” To do any real damage (inconspicuously), you’d need to get very close to the target and wait about an hour for results. It seems a bit too laborious for hackers who usually tend to favor the mass theft of personal information from their victims.
There has been an influx of similar theft in the form of “electronic pickpocketing,” and this requires thieves to get up close and personal with their victims, as well. Products like RFID-blocking wallets and Google Wallet have been created in response to this threat, so it’s likely that companies will do the same to protect computer noises from being used maliciously.
Will this new information aid software developers in their quest to combat online dangers or simply serve as an instruction manual for hackers?