How hackers use IT to break through
encryption barriers
Side-channel attacks are the result of
hacking techniques that allow outsiders to "watch" or analyze
seemingly unimportant aspects of equipment or power consumption to gather data.
Side-channel attacks are designed to get past encryption measures in order to
either gain access to data or corrupt a system from the outside. To help you
understand side-channel attacks and determine how much of a threat they might
be to your business, we'll walk you through how these attacks are carried out
and by whom, and discuss how you can put yourself in a better position to
prevent them.
How
hackers use IT to break through encryption barriers
How are they perpetrated?
Ramon Krikken, research vice president at
Gartner (www.gartner.com), compares the side-channel attacker's point of view
to that of someone who is locked out of a house. "Maybe you sit in the
chair outside and you hear sounds, and they give you an idea of what they're doing,"
says Krikken. "Maybe you can see whether the light is on or off and that
gives you an idea of what they're doing. All of those things don't directly
tell you what it is, but they give you a really good idea or an exact idea of
what is going on inside that black box."
The particularly scary thing about
side-channel attacks is that they can be carried out in a variety of ways.
Using side-channel attack methods, attackers can gather information about
"power use, computer clock cycles, and electrical emanations, which could
be used to determine important security information," says Matthew Scholl,
deputy division chief of the computer security division of the National
Institute of Standards and Technology (www.nist.gov). Scholl adds that the end
goal for these hackers is to get "cryptographic," or encryption,
keys that give outsiders the ability to access protected data or "corrupt
a system that depends on those keys to protect data."
Side
channel attacks are a method hackers can use to extract information such as
password by examining the physical workings of a system.
But monitoring power and electricity isn't
the only way for side-channel attackers to gather information. In fact,
according to Krikken, data thieves can simply watch the "patterns of packets
that go back and forth" during a VoIP call and "under very specific
situations" be able to figure out what is being talked about; even
something as inconsequential as a key press can lead to an opening for
hackers. "You type something on the keyboard and whenever you press a key
is when one computer sends an encrypted message to another," says
Krikken. "You press another key and it does it again. Just a pattern of
how those packets go over the network can give you an idea of what words and
sentences a user is typing."
Who is responsible?
As you can already tell, side-channel
attacks are much more complicated than more well-known alternatives, which
means the culprits of these attacks are knowledgeable in advanced cryptology
and other encryption-breaking techniques. This includes people trying to gain
access to personal information, such as medical records, as well as other
potentially compromising data. "I could imagine intelligence agencies and
foreign governments being very much interested in perpetrating these kinds of
attacks," says Krikken. Although he doesn't have any specific data or
research on the matter, Krikken does foresee the possibility of rival companies
using "these attacks for their espionage capabilities," as well.
Other people using side channel attacks,
for a much less nefarious reason, are researchers trying to illuminate the
presence of holes in encryption technology as well as for other purposes.
Scholl says researchers attempt to perform side-channel attacks in order to
"alert security communities of issues, seek solutions, and improve our
overall cyber ecosystems." The goal is to help put better measures in
place to prevent not only more traditional hacks, but these newer, more
complex side channel attacks, as well.
What can you do to prevent them?
Unfortunately, there is some bad news and
some good news when it comes to preventing side channel attacks. The bad news
is that "you can't prevent all of them under all circumstances," says
Krikken. He adds that the only way to protect against all side channel attacks
would be to "lock yourself in a lead room and do no business." The
good news is that Krikken believes that some encryption solution vendors are
building side-channel attack prevention technologies into their products in to
head attackers off at the pass.
The
only way to protect against all side channel attacks would be to "lock
yourself in a lead room and do no business."
Scholl has a few tactics that should help
companies minimize the potential for side-channel attacks, if not stop them
completely. He points out that perpetrators would need to be in close proximity
of their target, so he says you should "know who is in your facilities,
what they are doing, and why they are there." He also recommends that maintenance
personnel and other visitors be escorted around the facility by trusted staff.
Scholl adds that some vendors are manufacturing security products designed to
shield against "smart cards, RFID items, proximity cards," and other
potential threats, so companies may also be able to take advantage of those
solutions.
Should you be worried right now?
Krikken says that while side channel
attacks are certainly real, they are rare in the SMB world. This means that
small and medium sized enterprises don't have as much to worry about as
governmental agencies and other large targets for side-channel attacks.
Instead, Krikken says that companies should focus on encryption.
"The average SMB should not worry
about side-channel attacks right now," says Krikken "If they do,
it'll be a distraction from all the other things that can go wrong during
encryption. There are much bigger fish to fry that we still need to get right.
It is something where companies can follow rather than lead; and by and large
let product companies take care of this for them."
Still, as with all potential threats, it
doesn't hurt to do your research up front and keep an eye out for emerging
technology with side-channel attack prevention built-in. As encryption
technology continues to grow stronger, it will be more difficult for hackers to
gain access to data through more traditional avenues. It's possible
side-channel attacks will become more common in the future, but as for right
now, it's safe for SMBs to focus on more pressing security matters and leave
side-channel attacks to vendors.
