Recent work shows that it is possible to use acoustic data to break public key encryption systems. Essentially, if one can send specific encrypted plaintext then the resulting sounds the CPU makes when decrypting can reveal information about the key. The attack was successfully demonstrated to work on 4096 bit RSA encryption. While some versions of the attack require high quality microphones, some versions apparently were successful just using mobile phones.
Aside from the general interest issues, this is one more example of how a supposedly boxed AI might be able to send out detailed information to the outside. In particular, one can send surprisingly high bandwidth even accidentally through acoustic channels.
Now that’s creepy.
Eh… if an attacker has the level of physical access to the CPU that’s required to plant a microphone, you have worse problems than acoustic attacks.
For personal devices the attacker may have access to the microphone inside the device via flash/java/javascript/an app, etc.
If the attacker can run code on your device, a keylogger is a much simpler solution.
I think it is probably simpler to enable the microphone from a web or mobile application than to install a keylogger in the OS. But then if you consider acoustic keyloggers...
With an acoustic keylogger you could scoop my KeePass password but the actual passwords that I use to log into websites.
Not if it’s sandboxed, but then timing and other side-channel attacks are still easier than using the mike.
That might have been true a few years ago, but they point out that that’s not as true anymore. For example, they suggest one practical application of this technique might be to put your own server in a colocation facility, stick a microphone in it and slurp up as many keys as you can. They also were able to get a version of the technique to work 4 meters away, which is far enough that this becomes somewhat different from having direct physical access. They also point out that laser microphones could also be used with this method.
In the example they used a mobile phone. Going from having owned a microphone to being able to know a key on a computer is a significant step.
Additionally there are other ways to get audio access. Heating pipes conduct sound waves if the attacker has a good microphone.
Glass of windows vibrates in a way that can be detected from a distance.