Acoustic cryptanalysis
On nosy people and noisy machines
[preliminary proof-of-concept presentation]
Adi Shamir, Eran Tromer
Side-channel attacks, i.e., cryptanalytic techniques that rely on information unintentionally leaked by computing devices, are a powerful method for extracting information from supposedly secure systems. Most attention has been focused on electromagnetic emanations, power consumption and, recently, diffuse visible light from CRT displays. The oldest eavesdropping channel, namely acoustic emanations, has received little attention. The following demonstrates some preliminary results in the analysis of acoustic emanations from personal computers, showing them to be a surprisingly rich source of information on CPU activity.
Below are several short samples, each given in the form of a spectrogram and a WAV file. The spectrograms are snapshots from the Baudline signal analysis software running on GNU/Linux; the horizontal axis is frequency (0 to 48 kHz), the vertical axis is time, and intensity is determined by power per frequency window (the greener the stronger). All recordings were equalized (roughly -10 dB below 1 kHz, +10 dB above 10 kHz) using the mixer's rudimentary built-in equalizer.
The recordings below were made using low-end equipment: a Røde NT3 condenser microphone (US$170), an Alto S-6 mixer (US$55) serving as an amplifier and rudimentary equalizer, and a Creative Labs Audigy 2 sound card (US$70) for recording on a separate computer.
The recordings below were made under nearly ideal conditions: the microphone was placed 20 cm from the recorded computer, the PC case was opened and noisy fans were disconnected (where applicable). Comparable results were achieved under more realistic conditions (i.e., the subject computer intact and placed 1 m to 2 m from the microphone) using more expensive audio equipment. For example, a high-quality analog equalizer can be used to attenuate the strong low-frequency fan hum and background noise, allowing further amplification of the interesting signals before analog-to-digital quantization.
Except where noted otherwise, the computer being recorded is a no-brand box using a PC Chips M754LMR motherboard, an Intel Celeron 666 MHz CPU and an Astec ATX200-3516 power supply. This computer was chosen for its particularly striking acoustic emanations, but it is by no means a special case: every computer we tested showed significant correlation between the acoustic spectrum and CPU activity, and in about half the cases the effect could be heard with the naked ear when using appropriate CPU activity patterns.
The sound of GnuPG RSA signatures
The following is a recording of GnuPG 1.2.4 signing a short message using a random precomputed 4096-bit RSA key. The signature is repeated twice, each time preceded by a sleep state (HLT instruction), which manifests as wideband noise. GnuPG uses CRT-based (Chinese Remainder Theorem) exponentiation for signing: instead of one exponentiation modulo n = pq, it performs two half-size exponentiations, one modulo p and one modulo q, and recombines the results. This is visible in the spectrogram: the duration of each signature is partitioned into two similar but distinct stages, corresponding to the exponentiation modulo p and modulo q.
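To make the two-stage structure concrete, here is a toy CRT-RSA signer, added as an example; it is not GnuPG's code. It uses 32-bit primes and a 64-bit modulus (constructed values, checked for primality at run time) so that no multiprecision library is needed, where GnuPG works with 4096-bit numbers; it assumes gcc or clang with unsigned __int128. Each stage is a left-to-right square-and-multiply whose squaring count follows the bit length of dp or dq, which is why the two stages have similar length, while its multiply count follows the Hamming weight of the exponent, which differs from key to key.

```c
/* Toy CRT-RSA signer (added example, not GnuPG's code).  32-bit primes and a
 * 64-bit modulus stand in for GnuPG's 4096-bit numbers so that no
 * multiprecision library is needed; requires gcc/clang with unsigned __int128. */
#include <stdint.h>
#include <stdio.h>

typedef unsigned __int128 u128;

/* Constructed key material: primes just below 2^32 (assumed prime; checked by
 * is_prime32 below) and the usual public exponent. */
#define TOY_P 4294967291ULL
#define TOY_Q 4294967279ULL
#define TOY_E 65537ULL

typedef struct { unsigned squarings, multiplies; } stage_ops;
typedef struct { uint64_t p, q, n, e, d, dp, dq, qinv; } rsa_key;

static uint64_t mulmod(uint64_t a, uint64_t b, uint64_t m) {
    return (uint64_t)(((u128)a * b) % m);
}

/* Trial division is cheap enough for a 32-bit candidate. */
int is_prime32(uint64_t n) {
    if (n < 2) return 0;
    for (uint64_t d = 2; d * d <= n; d++) if (n % d == 0) return 0;
    return 1;
}

/* a^-1 mod m by extended Euclid; m may be up to 64 bits, hence __int128. */
static uint64_t inv_mod(uint64_t a, uint64_t m) {
    __int128 t = 0, nt = 1, r = m, nr = a, q, tmp;
    while (nr != 0) {
        q = r / nr;
        tmp = t - q * nt; t = nt; nt = tmp;
        tmp = r - q * nr; r = nr; nr = tmp;
    }
    return (uint64_t)(t < 0 ? t + m : t);
}

/* Left-to-right square-and-multiply that counts its own work: the number of
 * squarings follows the exponent's bit length, the number of extra multiplies
 * follows its Hamming weight. */
uint64_t powmod_counted(uint64_t base, uint64_t exp, uint64_t m, stage_ops *ops) {
    ops->squarings = 0; ops->multiplies = 0;
    if (exp == 0) return 1 % m;
    int top = 63;
    while (!((exp >> top) & 1)) top--;
    uint64_t r = base % m;                       /* leading 1 bit */
    for (int i = top - 1; i >= 0; i--) {
        r = mulmod(r, r, m); ops->squarings++;
        if ((exp >> i) & 1) { r = mulmod(r, base, m); ops->multiplies++; }
    }
    return r;
}

rsa_key make_toy_key(void) {
    rsa_key k;
    k.p = TOY_P; k.q = TOY_Q; k.n = k.p * k.q; k.e = TOY_E;
    k.d = inv_mod(k.e, (k.p - 1) * (k.q - 1));
    k.dp = k.d % (k.p - 1);                      /* exponent of the mod-p stage */
    k.dq = k.d % (k.q - 1);                      /* exponent of the mod-q stage */
    k.qinv = inv_mod(k.q, k.p);                  /* Garner recombination constant */
    return k;
}

/* CRT signing: two half-size exponentiations (the two stages seen in the
 * spectrogram), then Garner's recombination.  Each stage reports its work. */
uint64_t crt_sign(const rsa_key *k, uint64_t m, stage_ops *ops_p, stage_ops *ops_q) {
    uint64_t sp = powmod_counted(m % k->p, k->dp, k->p, ops_p);  /* stage 1: mod p */
    uint64_t sq = powmod_counted(m % k->q, k->dq, k->q, ops_q);  /* stage 2: mod q */
    uint64_t h = mulmod(k->qinv, (sp + k->p - sq % k->p) % k->p, k->p);
    return sq + h * k->q;                        /* < p*q, so it fits in 64 bits */
}

/* 1 if CRT signing agrees with the direct m^d mod n, the signature verifies
 * under e, and each CRT stage is roughly half the length of the direct one. */
int toy_selfcheck(void) {
    rsa_key k = make_toy_key();
    stage_ops op_p, op_q, op_d, op_v;
    uint64_t m = 0x1122334455667788ULL;          /* constructed message hash, < n */
    uint64_t s = crt_sign(&k, m, &op_p, &op_q);
    if (s != powmod_counted(m, k.d, k.n, &op_d)) return 0;
    if (powmod_counted(s, k.e, k.n, &op_v) != m) return 0;
    if (op_p.squarings > 31 || op_q.squarings > 31 || op_d.squarings < 40) return 0;
    return 1;
}

int main(void) {
    rsa_key k = make_toy_key();
    stage_ops op_p, op_q;
    uint64_t s = crt_sign(&k, 0x1122334455667788ULL, &op_p, &op_q);
    printf("signature %016llx\n", (unsigned long long)s);
    printf("stage p: %u squarings, %u multiplies\n", op_p.squarings, op_p.multiplies);
    printf("stage q: %u squarings, %u multiplies\n", op_q.squarings, op_q.multiplies);
    return 0;
}
```

The printed operation counts are what the spectrogram reflects in time: both stages run about bitlen(p) squarings, so they look alike, but the multiply counts (and, with real multiprecision arithmetic, the operand values themselves) depend on the key.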
Acoustic or electromagnetic?
How can we be sure that we're picking up a real acoustic signal, and not just electromagnetic emanations, with the microphone or its cable acting as an antenna? For one, an audible difference can be heard by an attentive but unassisted human listener. For more conclusive evidence, here is the above experiment repeated, except that this time the microphone is muffled by placing a non-conductive folded handkerchief in front of it:
If we turn off the microphone (using its built-in switch) but leave it connected to a running amplifier, the signal is all gone:
Sound signatures of signatures
The following records GnuPG 1.2.4 signing a fixed message using several different 4096-bit RSA keys generated beforehand. Each signature is preceded by a short sleep (HLT state). An X-curve equalization is applied to attenuate low frequencies. You can clearly see that each signature (and in fact each of its two stages, modulo p and modulo q) has a distinct spectral signature, i.e., the spectrum depends on the key.
Loops of CPU operations
We next turn to a more controlled experiment, trying to distinguish between the characteristic spectra of different CPU operations. We wrote a simple program that executes (partially unrolled) loops, each containing one of the following x86 instructions: HLT, MUL, FMUL, a memory access missing the L1 and L2 caches, and REP NOP. Below we execute each such homogeneous loop in turn, and then execute them all a second time. X-curve equalization is applied.
Here is the same experiment (apart from a difference in time scale) carried out on an IBM ThinkPad T21 running on batteries. Notably, its acoustic emanations are different (and less informative) when running on the AC power supply.
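The following C program, added here as an illustration (it is not the authors' program), generates homogeneous loops of the kind described above and runs each one in turn, then all of them a second time. It assumes gcc or clang on x86 or x86-64 for the inline assembly; on other targets it falls back to plain-C stand-ins so that it still builds, although those do not execute the same instructions. HLT is a privileged instruction, so the "hlt" workload sleeps instead and lets the kernel's idle loop execute HLT. The 64 MiB buffer size for the cache-missing workload and the 8x unrolling are assumptions; a large L3 on a modern CPU may still absorb some of those accesses.

```c
/* Homogeneous CPU workloads for acoustic profiling (added example, not the
 * authors' program).  Each loop body is unrolled 8x; run_workload returns the
 * number of outer iterations completed, or 0 on failure.  The inline assembly
 * needs gcc/clang on x86/x86-64; elsewhere plain-C stand-ins keep it building. */
#define _POSIX_C_SOURCE 200809L
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#if defined(__x86_64__) || defined(__i386__)
#  define HAVE_X86_ASM 1
#else
#  define HAVE_X86_ASM 0
#endif
enum workload { WL_HLT, WL_MUL, WL_FMUL, WL_MEM, WL_REPNOP, WL_COUNT };
static const char *const workload_names[WL_COUNT] =
    { "hlt (sleep)", "mul", "fmul", "mem (cache miss)", "rep nop" };
#define MEM_BYTES (64u << 20)        /* 64 MiB, assumed to exceed L1 and L2 by far */
#define X8(s) s s s s s s s s        /* unroll an instruction string eight times */
static volatile uint64_t sink;       /* keeps the C stand-ins from being optimised away */
static unsigned char *mem_buf;

/* HLT is privileged: sleep 1 ms per iteration and let the kernel idle loop run HLT. */
static int loop_hlt(uint64_t iters) {
    struct timespec ts = { 0, 1000000L };
    for (uint64_t i = 0; i < iters; i++) nanosleep(&ts, NULL);
    return 1;
}
static int loop_mul(uint64_t iters) {
    unsigned long a = 0x5bd1e995UL, b = 0x9e3779b9UL, lo = 0, hi = 0;
    for (uint64_t i = 0; i < iters; i++) {
#if HAVE_X86_ASM
        /* 8 x MUL r: each multiplies rax by b, leaving the product in rdx:rax */
        __asm__ volatile(X8("mul %2\n\t")
                         : "=a"(lo), "=&d"(hi) : "r"(b), "0"(a));
#else
        lo = a; for (int u = 0; u < 8; u++) lo *= b;
#endif
        a = lo | 1;
    }
    sink = a ^ hi; return 1;
}
static int loop_fmul(uint64_t iters) {
    double x = 1.0000001;
    for (uint64_t i = 0; i < iters; i++) {
#if HAVE_X86_ASM
        /* fldl pushes x; 8 x FMUL m64 multiply st(0) by x; fstpl pops it back */
        __asm__ volatile("fldl %0\n\t" X8("fmull %0\n\t") "fstpl %0" : "+m"(x));
#else
        for (int u = 0; u < 8; u++) x *= 1.0000001;
#endif
        if (x > 1e100) x = 1.0000001;            /* keep the value finite */
    }
    sink = (x > 2.0); return 1;
}
/* Pseudo-random byte reads over a 64 MiB buffer: nearly every access misses
 * L1 and L2 (a large L3 on a modern CPU may still absorb some). */
static int loop_mem(uint64_t iters) {
    if (!mem_buf) { if (!(mem_buf = malloc(MEM_BYTES))) return 0; memset(mem_buf, 1, MEM_BYTES); }
    uint64_t idx = 0x12345678ULL, acc = 0;
    for (uint64_t i = 0; i < iters; i++)
        for (int u = 0; u < 8; u++) {
            idx = idx * 6364136223846793005ULL + 1442695040888963407ULL;   /* 64-bit LCG */
            acc += ((volatile unsigned char *)mem_buf)[(idx >> 20) % MEM_BYTES];
        }
    sink = acc; return 1;
}
static int loop_repnop(uint64_t iters) {
    for (uint64_t i = 0; i < iters; i++) {
#if HAVE_X86_ASM
        __asm__ volatile(X8("pause\n\t"));       /* PAUSE is encoded as REP NOP (F3 90) */
#endif
    }
    return 1;
}

static int (*const loops[WL_COUNT])(uint64_t) = { loop_hlt, loop_mul, loop_fmul, loop_mem, loop_repnop };
uint64_t run_workload(enum workload w, uint64_t iters) {
    return ((unsigned)w < WL_COUNT && loops[w](iters)) ? iters : 0;
}

/* Run each workload in turn, then all of them a second time, announcing every
 * phase on stdout so it can be lined up with the spectrogram's time axis. */
int main(int argc, char **argv) {
    uint64_t iters = argc > 1 ? strtoull(argv[1], NULL, 10) : 2000000ULL;
    for (int round = 1; round <= 2; round++)
        for (int w = 0; w < WL_COUNT; w++) {
            uint64_t n = (w == WL_HLT) ? iters / 1000 : iters;   /* hlt: 1 ms per iteration */
            printf("round %d: %s x %llu\n", round, workload_names[w], (unsigned long long)n);
            fflush(stdout);
            run_workload((enum workload)w, n);
        }
    return 0;
}
```

Run it with an iteration count large enough for each phase to last a few seconds (the default is a starting point that depends on the CPU), record the machine meanwhile, and align the phase boundaries printed on stdout with the time axis of the spectrogram.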
Source of acoustic emanations
The PC Chips
M754LMR motherboard has a bank of 1500µF capacitors near the
CPU and power connector. Here is the effect of applying a generous dose
of Quik-Freeze spray (non-conductive, non-flammable, "will freeze small
areas to -48°C") to these capacitors while the CPU is executing a
loop of MUL instructions:
This concludes the preliminary proof-of-concept presentation.
Questions and suggestions are very welcome.
We are indebted to Nir Yaniv for use of the Nir Space Station
recording studio and for valuable advice. Erik Olson's Baudline signal analysis software
was instrumental to this research.