Hertzbleed is a new attack that could be used by hackers to steal information from computer chips. This has caught the attention of security researchers and technology news websites. This is what you need to know.
What is Hertzbleed?
This hack uses a power-saving feature found in modern computers to steal sensitive data. It was demonstrated in the laboratory and could be used in the wild by hackers.
To increase or decrease the speed at which they execute instructions, most chips use dynamic frequency scaling, also known as CPU throttling. The CPU can be throttled to increase or decrease its power according to demand, making it more efficient.
Hackers have previously demonstrated that they are able to read power signatures and gain information about the data being processed. This could give hackers a leg up in breaking into a computer.
The team behind Hertzbleed discovered that it was possible to do something similar remotely. They watched carefully how fast a computer completed certain operations and then used that information to determine the current CPU throttle. Being able to carry out the attack remotely makes it more dangerous, because hackers are far more likely to be able to do this.
What does this mean for you?
Intel stated in a security advisory that all its chips were vulnerable to the attack. According to the company, such an attack could allow for “parts of the information to be inferred through sophisticated analysis”.
AMD, which shares a chip architecture with Intel, issued a security alert naming several of its server, mobile and desktop chips as susceptible to the attack. The company did not respond to a request for comment.
Chipmaker ARM didn’t respond to questions about whether or not it was trying to avoid similar problems with its own chips.
Hertzbleed can still affect your personal hardware, which is a major problem. There are thousands of servers all over the world that store and process your data, archive it and provide the services you use every day. These services may run on hardware susceptible to Hertzbleed.
Intel claims that it can take up to days to steal any amount of data, so Hertzbleed is more likely to leak small pieces of data than large files. If that tiny bit of data is a cryptographic key, however, it can have a significant impact. According to the researchers, Hertzbleed is a serious and practical threat to cryptographic software security.
How did it get there?
Hertzbleed was developed by researchers from the University of Texas at Austin and the University of Illinois Urbana-Champaign. They claim that they discovered Hertzbleed in the third quarter of last year. However, Intel requested that it be kept secret until May. This is a common request, made to allow companies to correct a flaw before knowledge of it becomes widespread.
Intel then allegedly asked for an extension until 14 June. However, Intel has not yet released a fix. AMD was informed about the problem during the first quarter.
Details about the vulnerability are now available in a paper from the researchers. They will also be presented at the USENIX Security Symposium later in the summer.
“Side channel power attacks are something that has been known for a long time, but this is an alarming evolution of the art,” states Alan Woodward from the University of Surrey, UK. “The story of its discovery and how it was kept secret is a cautionary tale about what else might be out.”
Is it possible to fix it?
The researchers claim that neither AMD nor Intel currently offers patches to address the problem. We know this because New Scientist recently confirmed that it put questions to both companies.
In the late 1990s, attacks that monitored changes in chip speed or frequency were discovered. There was a common solution: code that only used “time-invariant” instructions, that is, instructions that take the same amount of time regardless of the data being processed. This prevented an observer from gaining information that could be used to read data. Hertzbleed is able to bypass this strategy and can do it remotely.
Because this attack relies on the normal operation of a chip feature rather than on a bug, it could be difficult to fix. The researchers suggest turning off CPU throttling on all chips worldwide. However, they warn that this could have a significant impact on performance and that it may not be possible to stop frequency changes in some chips.
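One way an administrator could check how much frequency scaling a Linux server still allows, shown as an added example that is not from the researchers or the original article. It assumes the standard Linux cpufreq sysfs files (intel_pstate/no_turbo, cpufreq/boost, scaling_min_freq, scaling_max_freq); the function names and the sample tree are made up for illustration.

```python
import tempfile
from pathlib import Path

CPU_DIR = "devices/system/cpu"

def _read(path):
    """Return stripped file contents, or None if the file is absent or unreadable."""
    try:
        return path.read_text().strip()
    except OSError:
        return None

def frequency_scaling_report(sysfs_root="/sys"):
    """Report whether boost is on and which cpufreq policies allow a frequency range."""
    cpu = Path(sysfs_root) / CPU_DIR
    report = {"boost": "unknown", "variable_policies": []}
    no_turbo = _read(cpu / "intel_pstate" / "no_turbo")  # intel_pstate: "1" = turbo off
    boost = _read(cpu / "cpufreq" / "boost")             # other drivers: "0" = boost off
    if no_turbo is not None:
        report["boost"] = "disabled" if no_turbo == "1" else "enabled"
    elif boost is not None:
        report["boost"] = "disabled" if boost == "0" else "enabled"
    for policy in sorted(cpu.glob("cpufreq/policy*")):
        lo = _read(policy / "scaling_min_freq")
        hi = _read(policy / "scaling_max_freq")
        # A policy whose min and max differ lets the governor move the clock.
        if lo is None or hi is None or lo != hi:
            report["variable_policies"].append(policy.name)
    return report

def demo(no_turbo, freq_ranges):
    """Build a constructed sysfs tree (not real host data) and report on it."""
    with tempfile.TemporaryDirectory() as root:
        cpu = Path(root) / CPU_DIR
        (cpu / "intel_pstate").mkdir(parents=True)
        (cpu / "intel_pstate" / "no_turbo").write_text(no_turbo + "\n")
        for i, (lo, hi) in enumerate(freq_ranges):
            policy = cpu / "cpufreq" / f"policy{i}"
            policy.mkdir(parents=True)
            (policy / "scaling_min_freq").write_text(f"{lo}\n")
            (policy / "scaling_max_freq").write_text(f"{hi}\n")
        return frequency_scaling_report(root)

if __name__ == "__main__":
    print("constructed host:", demo("0", [(800000, 3600000), (2400000, 2400000)]))
    print("this host:", frequency_scaling_report())
```

A result of "disabled" with no variable policies is only an indicator: as noted above, some chips may still change frequency even with throttling features switched off.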