1 min read

Researchers Find New CPU Security Vulnerability

Remember the Heartbleed scare we had a couple years back?  It was a nasty side-channel attack that was somewhat exotic and difficult to pull off, and it was absolutely devastating and sent shockwaves through the entire world.

Well, it’s back. In a way.

While this new side-channel attack isn’t identical, it’s similar enough that the researchers who discovered it gave it a similar sounding name:  Hertzbleed.  It allows remote attackers to pilfer full cryptographic keys by observing variations in CPU frequency enabled by dynamic voltage and frequency scaling, or DVFS for short.

In other words, hackers can monitor the electrical output of your PC and based on that, derive your cryptographic keys.

A team from the University of Texas at Austin, in collaboration with others from the University of Washington and the University of Illinois Urbana-Champaign are credited with the discovery of the new attack vector.

The team had this to say about their discovery:

“In the worst case, these attacks can allow an attacker to extract cryptographic keys from remote servers that were previously believed to be secure. [..] Hertzbleed is a real, and practical, threat to the security of cryptographic software.

First, Hertzbleed shows that on modern x86 CPUs, power side-channel attacks can be turned into (even remote!) timing attacks–lifting the need for any power measurement interface.

Second, Hertzbleed shows that, even when implemented correctly as constant time, cryptographic code can still leak via remote timing analysis.”

To Put Things in Perspective

To be fair, this is an incredibly exotic attack that would be extremely difficult for even the most experienced hackers in the world to pull off.  Even so, there are hackers out there in the world who have the skills to do this. That is why it’s somewhat disturbing that neither Intel nor AMD have any plans to issue a fix for the issues that make Hertzbleed possible.

Per an Intel spokesman:

“While this issue is interesting from a research perspective, we do not believe this attack to be practical outside of a lab environment.”

While that’s true, hackers have always been known for being more interested in bragging rights than practicality. In our view, it’s just a matter of time before we see Hertzbleed in the headlines.

Used with permission from Article Aggregator

IT Threat Intelligence: Is Your Firm Seeing The Whole Picture?

IT Threat Intelligence: Is Your Firm Seeing The Whole Picture?

Law firms today are sitting on a digital goldmine. From sensitive client communications and trade secrets to financial records and intellectual...

Read More
Mastering Digital Evidence: How Law Firms Turn Data into Trial-Winning Proof

Mastering Digital Evidence: How Law Firms Turn Data into Trial-Winning Proof

In 2011, a jury found Casey Anthony not guilty of murdering her two-year-old daughter. Later reviews revealed two key digital-evidence failures:...

Read More
The Predictive Edge: Turning Case Management Data Into Litigation Strategy

The Predictive Edge: Turning Case Management Data Into Litigation Strategy

The legal world is changing faster than a judge can say "sustained." Gone are the days when successful litigation relied solely on courtroom...

Read More

The Rising Threat of Cyber Attacks: A Modern Challenge

Cyber threats have transformed significantly over the years, progressing from basic spyware in the early 2000s to today’s sophisticated attacks that...

Read More

Ransomware Attack Wreaks Havoc On Prison Employees And Inmates

Chalk up another first for the hackers. For the first time that we know of, a successful hacking attack caused prisoners in New Mexico to be confined...

Read More

E-Mail From Department Of Labor Could Be Phishing Attack

There is a new phishing campaign to keep a watchful eye on according to email security firm INKY. It’s a particularly fiendish one.

Read More