Researchers at Tel Aviv University have extracted the encryption key from an air-gapped laptop located in another room, through a wall, using nothing more than ordinary electronic equipment.
The four-person team used just an antenna, some amplifiers, a software-defined radio and an ordinary Lenovo 3000 N200 laptop. The researchers did not open the laptop's case, nor did they modify its installed software in any way.
The laptop ran the latest version of GnuPG 2 with its Libgcrypt cryptographic library. GnuPG is an open-source implementation of the OpenPGP standard. The researchers targeted Libgcrypt's implementation of the Elliptic Curve Diffie-Hellman (ECDH) algorithm.
During the test, the team sent a specially chosen ciphertext to the laptop and then measured the electromagnetic emissions leaking from the device. Initial tests were conducted in the same room, but the team then carried out successful attacks from an adjacent room through an ordinary 15 cm thick reinforced plasterboard wall.
All the researchers had to do was send the ciphertext (the encrypted message) to the laptop and then analyze the surrounding electromagnetic field. After 3.3 seconds of measurement, they had recovered the encryption key used by the laptop through a classic side-channel attack.
A side-channel attack occurs when a nearby attacker monitors, records and then analyzes physical signals given off by a device while it performs cryptographic operations. By observing fluctuations in power consumption and electromagnetic emissions during these operations, the attacker can later reconstruct parts of, or the entire, cryptographic key.
"Our attack is non-adaptive, requiring the decryption of a single, non-adaptively chosen ciphertext to extract the entire secret key," the researchers explained, meaning that the target only has to decrypt one specific ciphertext, which is prepared in advance rather than adjusted in response to earlier measurements.
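The leakage the researchers exploit comes from ECDH decryption doing different work depending on the secret scalar. The toy example below is added here and is not code from the paper or from Libgcrypt: it uses a constructed tiny curve over GF(97), a leaky double-and-add whose sequence of doublings and additions reveals the scalar to anyone who can tell the two operations apart, and a Montgomery ladder whose operation sequence is the same for every key.

```python
# Added educational example: why key-dependent control flow in scalar
# multiplication leaks the secret, and what a key-independent schedule
# looks like. Curve, base point and scalars are small constructed values.

P_MOD = 97          # constructed prime field GF(97)
A_COEF = 2          # curve y^2 = x^3 + 2x + 3 over GF(97); (3, 6) lies on it
INF = None          # point at infinity

def inv(x):
    return pow(x, P_MOD - 2, P_MOD)

def add(p, q):
    """Affine point addition/doubling with the usual special cases."""
    if p is INF: return q
    if q is INF: return p
    if p[0] == q[0] and (p[1] + q[1]) % P_MOD == 0: return INF
    if p == q:
        lam = (3 * p[0] * p[0] + A_COEF) * inv(2 * p[1]) % P_MOD
    else:
        lam = (q[1] - p[1]) * inv(q[0] - p[0]) % P_MOD
    x = (lam * lam - p[0] - q[0]) % P_MOD
    return (x, (lam * (p[0] - x) - p[1]) % P_MOD)

def mul_leaky(k, p, trace):
    """Left-to-right double-and-add: an 'A' is performed only for 1 bits."""
    r = INF
    for bit in bin(k)[2:]:
        r = add(r, r); trace.append('D')
        if bit == '1':
            r = add(r, p); trace.append('A')
    return r

def mul_ladder(k, p, trace, nbits):
    """Montgomery ladder: exactly one 'A' and one 'D' per bit, whatever k is.
    (A production version must also make the swap itself branch-free.)"""
    r0, r1 = INF, p
    for i in range(nbits - 1, -1, -1):
        if (k >> i) & 1:
            r0, r1 = add(r0, r1), add(r1, r1)
        else:
            r1, r0 = add(r0, r1), add(r0, r0)
        trace += ['A', 'D']
    return r0

def recover_from_trace(trace):
    """What a side channel gives an observer: each 'D' starts a new bit,
    an 'A' following it turns that bit into a 1."""
    bits = ''
    for op in trace:
        bits = bits + '0' if op == 'D' else bits[:-1] + '1'
    return int(bits, 2)
```

Running `mul_leaky` and `mul_ladder` with the same scalar yields the same point, but only the first trace can be fed back into `recover_from_trace`.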
The researchers disclosed their findings to the GnuPG developers (CVE-2015-7511), who released a Libgcrypt update that protects the library against this kind of side-channel attack.
The full paper, "ECDH Key-Extraction via Low-Bandwidth Electromagnetic Attacks on PCs", is available to read online.