Side channel attacks

by Simon Biles
Founder of Thinking Security Ltd., an Information Security and Risk Management consultancy firm based near Oxford in the UK

Forensics is all about evidence, but the trick is knowing where to find it! Locard’s exchange principle effectively states that whenever a criminal comes into contact with his environment, a cross-transfer of evidence occurs (Edmund Locard, 1877–1966, was the founder and director of the Institute of Criminalistics at the University of Lyons in France). This is generally true in computing: there is evidence on both sides of any network connection, client and server side, and certainly in any action taking place with regard to the creation of documents or viewing of images (I’ve just had the fun of spending a week at Cranfield doing the Network Forensics course – so I know this to be true!). However, what if it was possible for a crime to take place on a network with evidence only being present on one side of the equation? [At this point, the reader may be pointing at bootable CD distributions and the like. However, the evidence in these cases is still created, it is just more fleeting – if you could do a live capture on the machine, you’d still obtain evidence.]

How can this be possible? Well, let’s take the most well known example of a side channel attack – TEMPEST. Contrary to popular belief, TEMPEST doesn’t actually stand for _anything_ (although there are countless suggestions of what it does stand for!), it is simply a codename relating to the prevention and detection of radio frequency emissions from computer systems. The actual UK Government documentation on the matter is protectively marked, and possession of equipment capable of detecting TEMPEST emissions is an offence in its own right, much as going about equipped for burglary is! However, there is so much independent work out there on the internet that you can quite easily construct your own – please note: you’ve been warned! (For those of you who fearlessly seek knowledge – have a look at the following – http://www.erikyyy.de/tempest/ – this doesn’t mean you need anything other than a radio.) TEMPEST also crops up in “Cryptonomicon” by Neal Stephenson, a book that I rather enjoyed, but then again, I’m not a literary critic so I wouldn’t count that as necessarily a great recommendation – this was in fact the first time that I’d heard of it and yet another thing that made my career choice more of a foregone conclusion. I digress though, back to TEMPEST – and the principles behind it.

So here we go – an introduction to Physics … (I know that there are a bunch of radio frequency engineers on the forum, so feel free to jump in the discussion on this and correct me!) Basically, as a current moves through a wire, it acts like an aerial pumping out radio waves around it. A computer is a lot of wires, with a lot of electricity flowing around it throwing out a lot of radio frequency emanations. Given the right receiving equipment these radio waves can be collected and turned back into information. (To be honest, the biggest emitter used to be the old CRT tubes – which shunt out so much radio traffic you can’t pick up the BBC standing next to them! Although CPUs and other internal components do shunt out RF, it is much more limited and harder to work with.) This is a universal problem with all computers to a greater or lesser extent – and if you want to deal with it you are left either with ye olde Faraday cage (http://en.wikipedia.org/wiki/Faraday_cage) or six inches of lead.

That, however, is probably not news to a lot of you. How’s about these other side channel attacks though? The sounds that can be recorded from a printer (dot-matrix works best) [http://www.usenix.org/events/sec10/tech/full_papers/Backes.pdf]? The sounds of a keyboard [http://personal.ie.cuhk.edu.hk/~kwwei/FYP/keyboard_acoustic_attack/Eric_Thesis2_final.pdf]? Screen reflections (in a _wide_ variety of objects) [http://www.infsec.cs.uni-saarland.de/projects/reflections/]? And, my own personal favourite, das blinkenlights [http://en.wikipedia.org/wiki/Blinkenlights]. Sadly, much as I searched, I couldn’t find a reference to this one; however, to quickly summarise, it seems that in many systems the lights indicating activity are, somewhat unsurprisingly, coordinated with the movement or writing of data in such a way that watching the lights flashing on and off allows for the reconstruction of the data being written.
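A small simulation of the blinkenlights effect, added here as an illustration and not part of the original column: an indicator LED wired straight to a serial data line reproduces every bit as light, while one driven through a hold timer shows only that activity took place. The 8N1 framing, sample rate, function names and test string are assumptions made for the demo.

```python
# Added illustration (not from the column): simulated activity LED on a serial line.
SAMPLES_PER_BIT = 8  # assumed: brightness samples per bit period


def uart_bits(data: bytes) -> list:
    """8N1 line levels: idle high, start bit 0, data LSB first, stop bit 1."""
    bits = [1] * 4
    for byte in data:
        bits += [0] + [(byte >> k) & 1 for k in range(8)] + [1]
    return bits + [1] * 4


def led_direct(bits) -> list:
    """LED wired to the data line: lit (1) whenever the line is low."""
    return [1 - b for b in bits for _ in range(SAMPLES_PER_BIT)]


def led_stretched(bits, hold_bits=32) -> list:
    """Mitigation: any activity keeps the LED lit for a fixed hold time."""
    out, remaining = [], 0
    for lit in led_direct(bits):
        if lit:
            remaining = hold_bits * SAMPLES_PER_BIT
        out.append(1 if remaining > 0 else 0)
        remaining = max(0, remaining - 1)
    return out


def recover(samples) -> bytes:
    """Bytes that can be rebuilt from the brightness samples alone."""
    out, i = bytearray(), 0
    while i < len(samples):
        if not samples[i]:  # dark: line idle
            i += 1
            continue
        first = i + SAMPLES_PER_BIT + SAMPLES_PER_BIT // 2  # centre of data bit 0
        idx = [first + k * SAMPLES_PER_BIT for k in range(9)]  # 8 data + stop
        if idx[-1] >= len(samples):
            break
        levels = [1 - samples[j] for j in idx]
        if levels[8] == 1:  # valid stop bit: accept the byte
            out.append(sum(b << k for k, b in enumerate(levels[:8])))
            i += 10 * SAMPLES_PER_BIT
        else:
            i += 1  # framing error: slide forward one sample
    return bytes(out)


SAMPLE = b"hunter2"  # constructed test data
line = uart_bits(SAMPLE)
print("direct LED   :", recover(led_direct(line)))
print("stretched LED:", recover(led_stretched(line)))
```

The stretched indicator still tells an observer when the link was busy, but the bit pattern no longer appears in the light.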

In all of the above cases though, there is no indication that the originating, emanating machine has been compromised in any way – these are forensically clean scenarios. And as we move forward, with the prevalence of wireless networks of many types (3G, Bluetooth, Wi-Fi) these kinds of sniffing and snooping attacks could well be a great source for credit-card numbers, login details and the like – with no evidence on the source machine. At the same time, the issues presented to security professionals are becoming more complex too, particularly as mobile devices are used everywhere for everything these days (a good lens on a digital camera can easily pull a reflection or a direct image from a significant distance, for example). User education becomes more and more of an issue just to get people to be sensible with their data given the potential risks.



So, as a parting shot, I want all of you to think the next time you are typing in your password how well you are protected against these attacks – is your screen visible through the window, is there a big mirror behind you and are you needlessly broadcasting more information than you need to be? Be careful, there might be someone watching or listening …


Simon Biles is one of the founders of Thinking Security Ltd., an Information Security and Risk Management consultancy firm based near Oxford in the UK. He has worked on security projects for commercial, charity and government organizations for over 10 years. Simon is studying Forensic Computing at Cranfield University, although very slowly because of work commitments! He posts on the forum as Azrael and you can read an interview with him here.
