SECURITY

Side Channel Attacks Explained

2/9/2013 10:35:56 AM

How hackers use IT to break through encryption barriers

Side-channel attacks are the result of hacking techniques that allow out­siders to "watch" or analyze seemingly unimportant aspects of equipment or power consumption to gather data. Side-channel attacks are designed to get past encryption measures in order to either gain access to data or corrupt a system from the outside. To help you understand side-channel attacks and determine how much of a threat they might be to your business, we'll walk you through how these attacks are car­ried out and by whom, and discuss how you can put yourself in a better position to prevent them.

How hackers use IT to break through encryption barriers

How hackers use IT to break through encryption barriers

How are they perpetrated?

Ramon Krikken, research vice pres­ident at Gartner (www.gartner.com), compares the side-channel attacker's point of view to that of someone who is locked out of a house. "Maybe you sit in the chair outside and you hear sounds, and they give you an idea of what they're doing," says Krikken. "Maybe you can see whether the light is on or off and that gives you an idea of what they're doing. All of those things don't directly tell you what it is, but they give you a really good idea or an exact idea of what is going on inside that black box."

The particularly scary thing about side-channel attacks is that they can be carried out in a variety of ways. Using side-channel attack methods, attackers can gather information about "power use, computer clock cycles, and elec­trical emanations, which could be used to determine important security information," says Matthew Scholl, deputy division chief of the com­puter security division of the National Institute of Standards and Technology (www.nist.gov). Scholl adds that the end goal for these hackers is to get "crypto­graphic," or encryption, keys that give outsiders the ability to access protected data or "corrupt a system that depends on those keys to protect data."

Side channel attacks are a method hackers can use to extract information such as password by examining the physical workings of a system.

Side channel attacks are a method hackers can use to extract information such as password by examining the physical workings of a system.

But monitoring power and electric­ity isn't the only way for side-channel attackers to gather information. In fact, according to Krikken, data thieves can simply watch the "patterns of packets that go back and forth" during a VoIP call and "under very specific situations" be able to figure out what is being talked about; even something as in­consequential as a key press can lead to an opening for hackers. "You type something on the keyboard and when­ever you press a key is when one com­puter sends an encrypted message to another," says Krikken. "You press another key and it does it again. Just a pat­tern of how those packets go over the network can give you an idea of what words and sentences a user is typing."

Who is responsible?

As you can already tell, side-channel attacks are much more complicated than more well-known alternatives, which means the culprits of these attacks are knowledgeable in advanced cryptology and other en­cryption-breaking techniques. This in­cludes people trying to gain access to personal information, such as medical records, as well as other potentially compromising data. "I could imagine intelligence agencies and foreign gov­ernments being very much interested in perpetrating these kinds of attacks," says Krikken. Although he doesn't have any specific data or research on the matter, Krikken does foresee the possibility of rival companies using "these attacks for their espionage ca­pabilities," as well.

Other people using side channel attacks, for a much less nefarious reason, are researchers trying to il­luminate the presence of holes in encryption technology as well as for other purposes. Scholl says re­searchers attempt to perform side-channel attacks in order to "alert security communities of issues, seek solutions, and improve our overall cyber ecosystems." The goal is to help put better measures in place to pre­vent not only more traditional hacks, but these newer, more complex side channel attacks, as well.

What can you do to prevent them?

Unfortunately, there is some bad news and some good news when it comes to preventing side channel at­tacks. The bad news is that "you can't prevent all of them under all circumstances," says Krikken. He adds that the only way to protect against all side channel attacks would be to "lock your­self in a lead room and do no business." The good news is that Krikken believes that some encryption solution vendors are building side-channel attack preven­tion technologies into their products in to head attackers off at the pass.

The only way to protect against all side channel attacks would be to "lock yourself in a lead room and do no business."

The only way to protect against all side channel attacks would be to "lock your­self in a lead room and do no business."

Scholl has a few tactics that should help companies minimize the poten­tial for side-channel attacks, if not stop them completely. He points out that perpetrators would need to be in close proximity of their target, so he says you should "know who is in your facilities, what they are doing, and why they are there." He also recommends that main­tenance personnel and other visitors be escorted around the facility by trusted staff. Scholl adds that some vendors are manufacturing security products designed to shield against "smart cards, RFID items, proximity cards," and other potential threats, so companies may also be able to take advantage of those solutions.

Should you be worried right now?

Krikken says that while side channel attacks are certainly real, they are rare in the SMB world. This means that small and medium sized enterprises don't have as much to worry about as governmental agencies and other large tar­gets for side-channel attacks. Instead, Krikken says that companies should focus on encryption.

"The average SMB should not worry about side-channel attacks right now," says Krikken "If they do, it'll be a dis­traction from all the other things that can go wrong during encryption. There are much bigger fish to fry that we still need to get right. It is something where companies can follow rather than lead; and by and large let product companies take care of this for them."

Still, as with all potential threats, it doesn't hurt to do your research up front and keep an eye out for emerging technology with side-channel attack prevention built-in. As encryption technology continues to grow stronger, it will be more difficult for hackers to gain access to data through more traditional avenues. It's possible side-channel at­tacks will become more common in the future, but as for right now, it's safe for SMBs to focus on more pressing security matters and leave side-channel attacks to vendors.

Other  
 
Top 10
Review : Sigma 24mm f/1.4 DG HSM Art
Review : Canon EF11-24mm f/4L USM
Review : Creative Sound Blaster Roar 2
Review : Philips Fidelio M2L
Review : Alienware 17 - Dell's Alienware laptops
Review Smartwatch : Wellograph
Review : Xiaomi Redmi 2
Extending LINQ to Objects : Writing a Single Element Operator (part 2) - Building the RandomElement Operator
Extending LINQ to Objects : Writing a Single Element Operator (part 1) - Building Our Own Last Operator
3 Tips for Maintaining Your Cell Phone Battery (part 2) - Discharge Smart, Use Smart
REVIEW
- First look: Apple Watch

- 3 Tips for Maintaining Your Cell Phone Battery (part 1)

- 3 Tips for Maintaining Your Cell Phone Battery (part 2)
VIDEO TUTORIAL
- How to create your first Swimlane Diagram or Cross-Functional Flowchart Diagram by using Microsoft Visio 2010 (Part 1)

- How to create your first Swimlane Diagram or Cross-Functional Flowchart Diagram by using Microsoft Visio 2010 (Part 2)

- How to create your first Swimlane Diagram or Cross-Functional Flowchart Diagram by using Microsoft Visio 2010 (Part 3)
Popular Tags
Microsoft Access Microsoft Excel Microsoft OneNote Microsoft PowerPoint Microsoft Project Microsoft Visio Microsoft Word Active Directory Biztalk Exchange Server Microsoft LynC Server Microsoft Dynamic Sharepoint Sql Server Windows Server 2008 Windows Server 2012 Windows 7 Windows 8 Adobe Indesign Adobe Flash Professional Dreamweaver Adobe Illustrator Adobe After Effects Adobe Photoshop Adobe Fireworks Adobe Flash Catalyst Corel Painter X CorelDRAW X5 CorelDraw 10 QuarkXPress 8 windows Phone 7 windows Phone 8