Stealing AES-256 keys in seconds using €200 of off-the-shelf components

CERT-LatestNews Malware Security News SocialEngineering ThreatsActivists ThreatsCybercrime ThreatsEconomic ThreatsStrategic

Security experts at Fox‑IT have demonstrated that is possible sniff AES-256 encryption keys from a distance of one meter (3.3 feet) with a cheap equipment.

Security experts at Fox‑IT have demonstrated that is possible to power a side-channel attack to wirelessly extract secret AES-256 encryption keys from a distance of one meter (3.3 feet).

The researchers used €200 (~US$224) worth of parts obtained from off-the-shelf electronics components to monitors a computer’s electromagnetic radiation. The entire process of sniffing the keys over the air took around five minutes, but the experts noticed that reducing the distance within 30 centimeters (11.8 inches) it is possible to extract the keys in just 50 seconds.

The experts set up an equipment composed of a simple loop antenna connected to an external amplifier and bandpass filters that were bought online and then plugged it into a radio USB stick software they paid just €20.

The size of the resulting component was contained, the device could be hidden in a jacket or laptop case.

AES-256 side channel attack

” Using improved antenna and signal processing, Fox-IT and Riscure show how to covertly recover the
encryption key from two realistic AES-256 implementations while:

  • Attacking at a distance of up to 1 m (30 cm in realistic conditions; “TEMPEST”)
  • Using minimal equipment (fits in a jacket pocket, costs less than €200) and
  • Needing only a few minutes (5 minutes for 1 m and 50 seconds for 30 cm” reads the research paper.

The system designed by the experts is able to record radio signals generated by the power consumption of the SmartFusion2 target system running an ARM Cortex-M3-powered chip.

By measuring the leakage between the Cortex processor and the AHB bus, the analysis of consumption was then linked to encryption process in order to extract the keys. The researchers mapped out how the power consumption related to individual bytes of information by running different encryption process on a test rig.

“We see I/O to and from the Cortex-M3, calculations for the key schedule, and the 14 encryption rounds.
Overview trace showing pattern dependent on AES algorithm. So, we can measure a signal which is related to the instantaneous power consumption of part of the chip. This is still a long way from extracting secret keys though! To extract the key, we need to observe many different encryption blocks with different inputs and attempt to model how the device leaks information.” continues the paper.

By implementing this technique, the experts were able to guess at the 256 possible values of a single byte.

“Using this approach only requires us to spend a few seconds guessing the correct value for each byte in turn (256 options per byte, for 32 bytes – so a total of 8,192 guesses),” states the paper.  “In contrast, a direct brute-force attack on AES‑256 would require 2256guesses and would not complete before the end of the universe.”

The experts highlighted that the technique is more efficient in the proximity of the target system because the electromagnetic signals drop off rapidly with the distance.

The technique could be improved with more expensive equipment.

The tests were conducted in a controlled environment where possible interferences were limited respect a live environment.

Pierluigi Paganini

(Security Affairs – AES-256 encryption, side-channel attack)