Why the finding is significant in healthcare and elsewhere.
Milos Prvulovic and Alenka Zajic. Credit: Allison Carter, Georgia Tech
Researchers at the Georgia Institute of Technology have gotten very good at eavesdropping — but not in the traditional sense. Recently, computer science professors Milos Prvulovic and Alenka Zajic discovered that they could steal encryption keys from a major mobile security package by listening in to smartphone vibrations and electromagnetic signals with a portable device.
Zajic told Healthcare Analytics News™ that the exploit takes less than one second to complete. The device, which can be bought for less than $1,000, analyzes signal variations around a given device’s processor clock — basically measuring when its signal is changing to accommodate for the added burden of running encryption — and then sorts them into zeroes and ones, using that to extrapolate the encryption key.
Their work, which was supported by the National Science Foundation, Defense Advanced Research Projects Agency and the U.S. Air Force Research Laboratory, was recently presented at the USENIX Security Symposium in Baltimore. The researchers notified software developers of the exploit before it was published, but Zajic said it’s unclear whether any malicious actors found and used the exploit before her team caught it.
“It is hard to tell since bad actors do not advertise their success,” Zajic said.
Side-channel exploits aren’t new, but the specific exploit the Georgia team found completely changes the game.
“What is unique about our finding is that only one recording of the signal is sufficient to recover the full key,” Zajic said.
Prior side-channel attacks on encryption needed “thousands of observations” of a device’s signals or key to extract it, a process that wasn’t as viable for hackers because encryption keys change frequently.
“By needing only one recording, it makes the attack more practical and dangerous,” Zajic said. “Both electronic designers and software engineers need to worry about this problem and try to minimize side-channel leakage.”
The researchers tested the exploit on Android devices, but Zajic said that Apple devices are also susceptible to the same vulnerability “in principle.”
Zajic said hackers using a side-channel exploit would only need the encryption key to perform more sophisticated crimes. The exploit can also extract actual data — the encrypted information itself — but Zajic said that would be largely unnecessary if a hacker has the user’s personal key.
“Once you have a key, there are probably better ways to steal the data or pretend you are someone else (since you have their private key) than side channels,” Zajic told Healthcare Analytics News ™ in an email, “But it is possible to get data through side-channels too.”
In the healthcare system, Zajic said, encryption is often used to verify user identity and which data said user can access.
“If attackers obtain access to administrator's device, they could pretend to be an administrator and dispense the wrong medicine. Similarly, attackers could penetrate network protection (by having a key) and change many settings in a hospital network,” Zajic said. “We all operate under assumption that encryption will protect us from wrong persons having information about our identity or having our data, and this is mostly true, except when an unauthorized person gets the key to all that info.”
Get the best insights in healthcare analytics directly to your inbox.