Hacking Laptops Using a Device Hidden in Pita Bread

With the population of mobile devices such as laptops and tablets increasing like jackrabbits on a fertility drug, organizations are increasingly implementing bring-your-own device (BYOD) policies in the workplace to gain a competitive edge and reduce costs. But the benefits of mobility can be lost if laptops and tablets are not adequately protected against security threats.

Recently a four-man team from Tel Aviv University’s LEISec (Laboratory for Experimental Information Security) proved one could hack these devices by nonintrusively measuring electromagnetic emanations for a few seconds from a distance of 50 cm., using cheap components that simply monitor the signals given off when a nearby device’s CPU was processing data. And they did so using a device small enough to be concealed within a serving of pita bread.

The key factor in their efforts to see if they could steal data was the discovery that different data crunching operations in a computer--such as decrypting files or playing games--had a characteristic pattern of radio activity. The CPU’s different power demands while it was working gave further rise to these tell-tale signals. The attack sent a few carefully-crafted ciphertexts, and when these are decrypted by the target computer, they triggered the occurrence of specially-structured values inside the decryption software. These special values caused observable fluctuations in the electromagnetic field surrounding the laptop, in a way that depends on the pattern of key bits (specifically, the key-bits window in the exponentiation routine). The secret key can be deduced from these fluctuations, through signal processing and cryptoanalysis.

The attack can be executed using a consumer-grade radio receiver or a Software Defined Radio USB dongle. After demonstrating that the attack worked in the lab, the group created a mobile version called the Portable Instrument for Trace Acquisition, or PITA for short. Assembly of the PITA device required the purchase of an SDR device. The leakage signal is modulated around a carrier around 1.7 MHz, located in the range of the commercial AM radio frequency band. The researchers also managed to use a plain consumer-grade radio receiver to acquire the desired signal. They then recorded the signal by connecting it to the microphone input of an HTC EVO 4G smartphone.

During their follow-up test, they were able to prove that their technology worked from a distance of about a half meter, grabbing keys used in several widely used encryption programs and algorithms used to protect data. Popular implementations of RSA and ElGamal encryptions are vulnerable to this attack, including those that implement the decryption using modern exponentiation algorithms. The team successfully extracted keys from laptops of various models running GnuPG (a popular open source encryption software implementing the OpenPGP standard).

The group will formally present their findings at the Workshop on Cryptographic Hardware and Embedded Systems (CHES) 2015 in September.