[Cryptography] Useless side channels

Perry E. Metzger perry at piermont.com
Mon Feb 12 08:49:33 EST 2018 

On Sun, 11 Feb 2018 10:11:43 +0000 Alexander Klimov via cryptography
<cryptography at metzdowd.com> wrote:
> On Fri, 9 Feb 2018, Perry E. Metzger wrote:
> > I mean, in an era where the average large corporation seems to
> > patch its systems every other leap year, and in which they never
> > put any of their machines inside faraday cages in the first
> > place, they should *clearly* worry about people walking up within
> > 1.5 meters of said non-existent faraday cage enclosed machines in
> > their colocation facility carrying sensitive equipment with which
> > to exfiltrate a few bits a second from software they already
> > somehow planted on the target machine.  
> 
> A nitpick: Figure 9 (page 11) of <https://arxiv.org/pdf/1802.02317> 
> shows a more realistic situation, where it is the smartphone that
> is put inside a Faraday cage (bag) next to an air-gapped computer.
> 

I don't consider that particularly realistic either I'm afraid.

If you can get software running on the target's phone, why are you
bothering with this method of exfiltration when the thing has an LTE
modem?

How often do people put their phones into Faraday cages while they're
still turned on (why not turn it off!?) as a method to prevent data
exfiltration? If you're worried, why wouldn't you just turn the phone
off? But if you're worried in this instance, you're never going to be
able to turn the phone on again, are you, because you're going to have
to expect someone installed hostile software.

If you're within one meter of the phone that has had hostile software
installed on it and which has been left on while being put into a
Faraday cage, is it really the case that no one is going to notice you
lugging around a lot of test equipment with which to get a low
bandwidth channel out? I mean, under what circumstances will you be
doing that? "Pardon me, madam, I hope you don't mind my getting within
three feet of you with this mysterious backpack while you eat dinner,
I have a need to demonstrate a side channel attack against your
phone. Could you turn a bit to the right? You left the phone in a
pocket and I'm having some trouble with the signal."

Note that an anti-static bag isn't a realistic Faraday cage anyway, as
would be demonstrated if they had bothered to test it with real
equipment.

Perry
-- 
Perry E. Metzger		perry at piermont.com

More information about the cryptography mailing list