Imagine sitting with your laptop at the student center, one of the campus computer clusters, or even your own dorm room with the window open. So far you have been good with protecting your information, you take a class on information security, you have the most recent anti-virus, your passwords contain many digits and characters, and you only connect to WPA2 wifi points if necessary. Nevertheless, you are at risk to lesser known threats known as side-channel attacks.
According to a fairly recent article in Scientific American, a side channel attack, “exploit[s] the unprotected area where the computer meets the real world: near the keyboard, monitor or printer, at a stage before the information is encrypted or after it has been translated into human readable form.” Essentially, the signals your computer emits, the sounds of a keyboard or printer, and the images displayed on a monitor.
In class, a recent case study focused on a very high tech form of this known as TEMPEST, where electromagnetic waves from the monitor are received and reconstructed on another monitor. Though this attack requires operators and some-what sophisticated equipment, there are even lower tech side-channel attacks. Simple microphones paired with special software have been proven to accurately reconstruct information from dot-matrix printers, and new advances are making it possible to predict the information printed by inkjet printers. Also, a webcam with software can track the motion of your fingers and quickly identify passwords and other sensitive input. A scientist in Germany, Michael Backes, recently developed a project to reconstruct monitor images by simply looking the reflection of nearby objects, such as a teapot and even the user’s eyes to record the exact information on the monitor. He used a telescope paired with a digital camera. Using even higher-powered equipment and editing techniques used by astronomers, he could reconstruct reflections on people’s eyes from 30 ft away.
Though seldom mentioned or reported as a cause of an attack, side-channel attacks are proven methods that should not be neglected. They cannot be mass distributed over the web or easily automated, but nevertheless can beat all encryption to gain your information. They are difficult to adequately defend against. In the case of reflections, even privacy monitor filters do not work, as they intensify the light projected onto your eyes. Essentially, we must all be more careful where and how we access information. Despite the convenience of mobile devices, avoid reading bank statements and other records in public view. Refrain from using public wifi zones or computer cafes for sensitive information, where malevolent attackers can set up listening devices, webcams, or telescopes across the street beforehand. Know that side-channel attacks are limited in range and information to access and vigilance to suspicious surroundings is the key to protecting yourself.
Source(s):
Gibbs, W. W. (2009, April 27). How Hackers Steal Secrets From Reflections. Retrieved October 31, 2009, from Scientific American Magazine: http://www.scientificamerican.com/article.cfm?id=hackers-can-steal-from-reflections
Sunday, November 1, 2009
Subscribe to:
Post Comments (Atom)
Posts
I thought that the information presented in the case study and in this article to be very interesting. Specifically the portion that talked about using telescopes to see the reflection on the computer screen off your eye. That blew my mind. This will sound random but for this same reason I always wondered why poker players wear reflective glasses. After reading articles like this it makes me want to use my computer in the closet with the lights off and the door locked. It is ridiculous to find out the means people are willing to take to steal information. What's next...reading peoples minds and getting passwords that way? It is scary to imagine.
ReplyDeleteIt's pretty depressing to me that pretty much no matter how careful you are, there are always ways to get around it. The one good thing with this is that it can't be done automatically, a person actually has to focus on an individual computer. Odds are, given my limited place in the world, no one would ever pick me to attack with something like TEMPEST. However, the fact that they could pick me is still disturbing. At this point I really see no way to ever win the war against hackers because no matter how careful people are, the bad guys just come up with new ways to get around our defenses.
ReplyDeleteThis comment has been removed by the author.
ReplyDeleteIt really is amazing how far a person would go to get someone's information for whatever crazy reason. If their goal is to gain access to bank accounts, by spending all that money on expensive equipment you would have to be really good at the side-channel attacks in order to pay those charges back. I think it is actually pretty cool to watch people that work for the FBI and to see other people in that sort of field use their expertise to help investigate rather than try and steal money or gain access to private information. If something is that easy to access for us it can be even easier for hackers to access. Lesson one for somewhat secure security: Don't be ignorant and protect what you can.
ReplyDeleteI think that it's true that a lot of people don't may any mind to these kind of more subtle attacks, and I don't blame them. Whenever I'm in Lafun and logging into a site that requires a password, I'm not thinking about how someone may be listening to my keystrokes or trying to get sensitive data by analyzing the reflections from my eyes with a really high-tech camera. I guess that people are usually more trusting that others are not going to be so malicious like that, but it's a sad reality that there are always people trying to exploit others. It's kind of like going to an ATM and someone is waiting in line behind you -- sometimes you may forget to try to keep your pin # discrete, and you may even think that it's not likely that people in this community would try to steal your information. If only we could be so secure like that, though.
ReplyDelete