Welcome to the new 93 cyber warriors who joined us last week. Each week, we'll be sharing insights from the Black Hat MEA community. Read exclusive interviews with industry experts and key findings from the #BHMEA23 keynote stage.
Computer chip hacks. And specifically, a vulnerability discovered in 2022: Hertzbleed.
Because at Black Hat MEA 2022, Daniel Weber (PhD Student, CISPA Helmholtz Center for Information Security) said:
"Since 2018, we've known that security flaws in computer chips can affect billions of devices - meaning that hackers can leak sensitive information directly by abusing the hardware instead of relying on any software vulnerability."
And over the last year, it's become even more apparent that computer chips are vulnerable to attack.
It's an attack type identified by security researchers at the University of Texas in 2022. And it could be used to pull information from computer chips. It exploits a power-saving feature that's common across modern computer chips, which means it could affect many millions of users.
CPU throttling, or dynamic frequency scaling, is a technique that increases or reduces the speed with which computer chips carry out instructions. It means that chips can adapt their power usage to meet demand.
And while hackers have long demonstrated the ability to gather information about the data being processed by observing when a chip's power is scaled up or down, researchers have now found that you can achieve similar observations remotely.
As detailed in their 2022 paper, the Hertzbleed researchers demonstrated that it's possible to watch how quickly a computer completes operations - and then use that information to measure how it's throttling the CPU.
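A toy model of the effect described above, added here as an illustration (it is not code from this newsletter or from the Hertzbleed researchers): a workload with a fixed cycle count still finishes at different wall-clock times once a power cap forces the frequency down for "power-hungry" data. Every constant, and the assumption that power grows with the number of set bits in the operand, is constructed for the example rather than measured.

```python
# Toy model of frequency scaling as a timing channel.
# All numbers are constructed assumptions, not measurements of any real CPU.

CYCLES = 3_000_000_000      # fixed work: identical cycle count for every input
F_MAX_MHZ = 4000            # assumed maximum frequency
F_MIN_MHZ = 2000            # assumed minimum frequency
STEP_MHZ = 100              # assumed frequency step size
POWER_CAP_W = 60.0          # assumed package power limit
BASE_W_PER_GHZ = 12.0       # assumed data-independent power per GHz
DATA_W_PER_GHZ = 6.0        # assumed extra power per GHz when all operand bits are set


def hamming_fraction(operand: int, width: int = 64) -> float:
    """Fraction of set bits in the operand (the model's stand-in for 'data')."""
    return bin(operand & ((1 << width) - 1)).count("1") / width


def power_watts(freq_mhz: int, operand: int) -> float:
    """Modelled power draw: scales with frequency and with the data processed."""
    per_ghz = BASE_W_PER_GHZ + DATA_W_PER_GHZ * hamming_fraction(operand)
    return (freq_mhz / 1000) * per_ghz


def steady_state_freq_mhz(operand: int) -> int:
    """Highest frequency step whose modelled power stays under the cap."""
    for freq in range(F_MAX_MHZ, F_MIN_MHZ - 1, -STEP_MHZ):
        if power_watts(freq, operand) <= POWER_CAP_W:
            return freq
    return F_MIN_MHZ


def wall_time_seconds(operand: int) -> float:
    """Same cycles for every operand; only the clock speed differs."""
    return CYCLES / (steady_state_freq_mhz(operand) * 1e6)


if __name__ == "__main__":
    for label, operand in [("all bits clear", 0), ("all bits set", 2**64 - 1)]:
        print(f"{label:15s} cycles={CYCLES} "
              f"freq={steady_state_freq_mhz(operand)} MHz "
              f"time={wall_time_seconds(operand):.3f} s")
```

The cycle count never changes, so code that is "constant-time" when counted in cycles still shows a data-dependent duration to anyone who can time it in seconds.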
If an attack like this can be executed remotely, there's much more scope for breaches. It's easier, more cost-effective, and less risky to stage a remote attack.
Due to the amount of time it takes for Hertzbleed to steal any data, chip makers have reassured the public that it's unlikely to be used to obtain large data files. But it could be used to steal smaller, yet critical, pieces of data - like cryptographic keys.
On their website, the researchers cautioned that "Hertzbleed is a real, and practical, threat to the security of cryptographic software."
And in a 2023 follow-up paper they expanded the scope of Hertzbleed's threat potential - stressing that the "effects are wide ranging, extending beyond SIKE, beyond cryptography and beyond CPU-only secrets."
They demonstrated this larger scope with case study attacks on ECDSA (a complex public key cryptography encryption algorithm) and Classic McEliece.
"Hertzbleed attacks will get better with each new generation of hardware and power-saving techniques. Our results suggest that, similarly to Spectre attacks, Hertzbleed may continue to haunt us for some time to come."
Read the blog: Automated tools to detect microarchitectural attacks
Do you have an idea for a topic you'd like us to cover? We're eager to hear it! Drop us a message and share your thoughts. Our next newsletter is scheduled for 30 August 2023.
Catch you next week,
Steve Durning
Exhibition Director
P.S. - Mark your calendars for the return of Black Hat MEA from 14 - 16 November 2023. Want to be a part of the action?