Intel and AMD Hertzbleed CPU Vulnerability Uses Boost Speed to Steal Crypto Keys

Gandalf_The_Grey

Intel and researchers from UT Austin, UIUC, and UW published papers today outlining the 'Hertzbleed' chip vulnerability that allows side-channel attacks that can steal secret AES cryptographic keys by observing the CPU's boost frequency/power mechanisms. According to external researchers, both Intel and AMD CPUs are impacted, but AMD hasn't issued an advisory yet. The vulnerability doesn't impact all cryptographic code, but some mitigation techniques for impacted systems come with as-yet-undefined performance penalties. Intel says it had found this vulnerability via internal security investigations, but external research teams later disclosed their findings to the company. Today's coordinated disclosure brings the issue into the public eye, but it is likely that CPUs from other vendors are also impacted.

Like all side-channel attacks, a Hertzbleed-based attack steals data by observing or exploiting a secondary effect of an operation on a system, in this case by observing the power signature of any given cryptographic workload. As with most workloads, the power signature of a cryptographic workload varies due to the CPU's dynamic boost clock frequency adjustments during the workload. An attacker can convert that power information to timing data, allowing them to steal cryptographic keys. Cryptographic implementations that are already hardened against power side-channel attacks aren't susceptible to the Hertzbleed vulnerability.

The vulnerability impacts all Intel processors, and AMD Zen 2 and Zen 3, and can be exploited remotely — it doesn't require physical access. It has only been proven on Intel and AMD silicon. However, it should theoretically apply to almost all modern CPUs because it works by observing the power algorithms behind the Dynamic Voltage Frequency Scaling (DVFS) technique, a staple of modern processors. As such, this isn't a microarchitecture-specific attack — any processor with dynamic power and thermal management is potentially impacted. Intel says this has prompted it to share its findings with other chipmakers so they can assess any potential impact.

Intel says that it doesn't think this attack is practical outside of a lab environment, partially because it takes "hours to days" to steal a cryptographic key. Additionally, an exploit based on this attack would require sophisticated high-resolution power monitoring capabilities.
 
