How to perform RSA Key extraction with a mobile phone

This paper is serious business

Get ready for the real work. In this guide you will learn how you can hack any computer with a mobile phone. The proof of concept has been demonstrated by the 3 security researchers which found a way to extract RSA keys via Low-Bandwidth acoustig cryptanalysis. The researchers Daniel Genkin, Adi Shamir and Eran Tromer explain that many computer emit a high-pitched noise. This noise is caused by their electronic components.

They have found that while computers are processing information, they will make a acoustic emanation. The acoustic emanation will hold information about the software that is running on the computer.

The security experts demonstrate in their ‘RSA Key extration via Low-Bandwidth Acoustic Cryptanalysis‘ paper, how they are able to extract full 4096-bit RSA decryption keys from computers and laptops.

The RSA Key extraction attack would allow them to extract the full RSA keys within one hour.

 


They have tested this attack with a simple mobile phone. To show that they are able to perform this attack in the public, they also demonstrated how they are able to perform this attack from 4 meters away from the designated target computer.

Attack scenarios:

  • Set up a meeting with the victim and place the phone on the desk next to his laptop
  • Install the attack app, and wait until the victim inadvertently places his phone next to the target laptop
  • Construct a web page use the microphone of the computer running the browser (using Flash or HTML Media Capture, under some excuse such as VoIP chat). When the user permits the microphone access, use it to steal the user’s secret key.

The Check Point Institute for Information Security, The Israeli Ministry of Science and Technology, Israeli Centers of Research Excellence I-CORE program and the NATO’s Public Diplomacy Division have acknowledged the report which has been published by the 3 security experts.

Shamir thinks that persistent attackers, like intelligence agencies, will always be able to collect our information if we use devices with these vulnerabilities.