Ambient Computer Noise Leaks Your Encryption Keys

[Daniel, Adi, and Eran], student researchers at Tel Aviv University and the Weizmann Institute of Science, have successfully extracted 4096-bit RSA encryption keys using only the sound produced by the target computer. It may sound a bit like magic, but this is a real attack, although its practicality may be questionable. The group first described this attack vector at Eurocrypt 2004. The sound used to decode the encryption keys is produced not by the processor itself, but by the processor’s power supply, mainly the capacitors and coils. The target machine in this case runs a copy of GNU Privacy Guard (GnuPG).

During most of their testing, the team used some very high-end audio equipment, including Brüel & Kjær laboratory grade microphones and a parabolic reflector. By directing the microphone at the processor air vents, they were able to extract enough sound to proceed with their attack. [Daniel, Adi, and Eran] started from the source of GnuPG. They worked from there all the way down to the individual opcodes running on the x86 processor in the target PC. As each opcode is run, a sound signature is produced. The signature changes slightly depending on the data the processor is operating on. By using this information, and some very detailed spectral analysis, the team was able to extract encryption keys. The complete technical details of the attack vector are available in their final paper (pdf link).

Once they had the basic methods down, [Daniel, Adi, and Eran] explored other attack vectors. They were able to extract data using ground fluctuations on the computer’s chassis. They were even able to use a cell phone to perform the audio attack. Due to the cell phone’s lower-quality microphone, a much longer time (on the order of several hours) is needed to extract the necessary data.

Thankfully [Daniel, Adi, and Eran] are white hat hackers, and sent their data to the GnuPG team. Several countermeasures to this attack are already included in the current version of GnuPG.

Using A Screwdriver To Start Your Car


[Hahabird] uses this screwdriver to start his car. Despite what it may look like, only this particular screwdriver will start the ignition because it still uses the key lock. What he’s done is alter the screwdriver to act as an extension for the key. It’s purely aesthetic, but you have to admit it looks pretty gnarly hanging off of the steering column.

The hack merely involved cutting off the unneeded parts of the key and screwdriver. With the shaft of the tool cut down to size, he clamped it in a vise and cut a slot into it using a hacksaw. From there he headed over to the grinding wheel and smoothed out the sharp edges.

The key itself had the handle portion cut off and was thinned on the grinding wheel to fit snugly in the screwdriver slot. To permanently mate the two pieces he used a torch and some silver solder.

[via Reddit]

Freezing Android To Crack The Encryption


Build a better lock and someone will make a tool to open it without the key. Or in this case they’ve made a tool to discover the key using a trip through the deep freeze. The Forensic Recovery of Scrambled Telephones — or FROST — uses cold temperatures and a custom recovery image to crack Android encryption keys.

Cold boot hacks go way back. They use low temperatures to slow the decay of data in a device’s RAM. In this case, the target phone must already be powered on. Booting a phone that uses the encryption offered by Android 4.0 and newer requires the owner’s passcode to decrypt the user partition, but it then remains usable until the next power cycle. By freezing the phone, then very quickly disconnecting and reconnecting the battery, researchers were able to flash their own recovery image without having the encryption key cleared from RAM. As you can see above, that recovery package can snoop for the key in several different ways.

[Thanks Rob]

LV0 Encryption Key Cracks Current And Future PlayStation 3 Firmware

It looks like the security of the PlayStation 3 has been cracked wide open. But then again we’ve thought the same thing in the past and Sony managed to patch those exploits. The latest in the cat and mouse game is the release of the LV0 encryption codes for the PS3 console. The guys who discovered the magic strings of characters supposedly intended to keep them a secret, but have gone public after there was a leak and some black-hats now intend to use them for profit.

The keys are the bottom layer of security when pushing firmware updates to the PS3. With keys in hand, current and future upgrades can be decrypted, altered, and repackaged without the gaming rig putting up a fuss. Our only real beef with the tight security came when Sony removed the ability to install Linux on systems marketed with this option. The availability of these keys should let you install just about whatever you want on your hardware.

[Thanks Kris via Phys]

IButton Is Opening Doors At The TkkrLab

Finding alternative ways to unlock doors is a favorite hacker pastime. TkkrLab recently took on the challenge themselves. The hackerspace, which is located in the Netherlands, faced a problem common to communal workshops: how could they manage keyed access for a large number of members? The metal keys for the door are special, and cannot be cheaply duplicated. To further compound the issue, they are not the only tenants in the building, so they can’t replace the lock with one that uses less-expensive keys. So they decided to add an electronic solution.

They first looked at a method for electronically opening the door. Often, this comes in the form of an electric strike, but rather than alter the door jamb, they replaced the latching mechanism. The electronic latch was compatible with the original cylinder, which means the old keys still work in it. You can see the new assembly above. Just to the left of the lock is an iButton reader. We’ve seen this hardware in projects many times before. It’s cheap, and easy to work with. Now TkkrLab issues an iButton to each member, and can keep track of who is coming in the door.

PS3 Hacking Start-to-finish – CCC

Well, it looks like the PlayStation 3 is finally and definitively cracked. fail0verflow’s Chaos Communication Congress talk on console security revealed that, thanks to a flaw on Sony’s part, they were able to acquire the private keys for the PS3. These keys can be used to sign your own code, making it every bit as valid (to the machine, anyway) as a disc licensed by the media giant. We’ve embedded the three-part video of the talk, which we watched in its entirety with delight. We especially enjoy their reasoning that Sony brought this upon themselves by pulling OtherOS support.

We remember seeing a talk years back about how the original Xbox security was hacked. We looked and looked but couldn’t dig up the link. If you know what we’re talking about, leave the goods with your comment.


Alternative Morse Code Keys

Add a bit of interest to your radio equipment with one of these unorthodox CW keys. [OH6DC] has been hard at work posting almost sixty of these hacks. Above you can see an alarm clock whose snooze button acts as the key, and a nail clipper used as a key. There’s a banana, a cross-country ski shoe, and a toaster key. The rest you’ll have to see for yourself. Any of these would work perfectly with that Morse code keyboard you’ve been wanting to build.