What is a side-channel attack?
A side-channel attack is a cybersecurity exploit that aims to gather information from or influence a system's program execution. It does this by measuring or exploiting indirect effects of the system or its hardware rather than directly targeting the program or its code.
These attacks usually try to exfiltrate sensitive information, including cryptographic keys, by measuring coincidental hardware emissions. A side-channel attack can also be called a sidebar attack or an implementation attack.
As an illustration, imagine determining where a person has driven their car. A typical attack channel would be to follow the vehicle or use a Global Positioning System tracker. Alternatively, a side-channel attack would use the car measurements to try and determine how it's used. For example, measuring changes in the amount of gas in the tank, the car's weight, engine or cabin heat, tire wear and paint scratches could reveal information about the car's use, places or distances it has traveled, or what is stored in the trunk -- all without directly affecting the car or alerting its owner that they're being investigated.
Historically, side-channel attacks have been difficult to use, but several factors are making them more common. Increasing measuring equipment sensitivity has made it possible to gather highly detailed data about a system while it is running. In addition, greater computing power and machine learning enable attackers to understand the raw data they extract better. This deeper understanding of targeted systems improves how attackers exploit subtle system changes.
Attackers can also focus on high-value targets, such as secure processors, Trusted Platform Module chips and cryptographic keys. Even partial information can help a traditional attack vector, such as a brute-force attack, have a greater chance of success.
Side-channel attacks can be tricky to defend against. They are challenging to detect in action, often do not leave any trace and might not alter a system while running. Side-channel attacks can even prove effective against air-gapped systems physically segregated from other computers or networks. They might also be used against virtual machines and in cloud computing environments where an attacker and a target share the same physical hardware.
How does a side-channel attack work?
A side-channel attack differs from most other cybersecurity threats in that it doesn't attack a program or its code. Instead, it harvests information about the program's execution and operation within a system for exploitation, commonly to break cryptography. This enables timing attacks, power analysis attacks, and other system assaults that indirectly provide a hacker with the necessary information to invade a system.
Types of side-channel attacks
Bad actors can implement side-channel attacks in several ways, including the following.
Electromagnetic
An attacker measures the electromagnetic radiation, or radio waves, the target device gives off to reconstruct the device's internal signals. The earliest side-channel attacks were electromagnetic. Both van Eck phreaking and the National Security Agency's Tempest system were used to reconstruct the entirety of a computer's screen. Attackers focus modern side-channel attacks on measuring a system's cryptographic operations to try and derive secret keys. Software-defined radio devices have lowered the barrier of entry for electromagnetic attacks, which can be performed through walls without any contact with the target device.
Acoustic
Attackers measure the sounds a device produces. By performing proof of concept (POC) attacks, they can reconstruct a user's keystrokes from an audio recording of the user typing. Hackers can also obtain some information by listening to the sounds emitted by electronic components.
Power
A hacker measures or influences a device's or subsystem's power consumption. By monitoring the amount and timing of power a system or one of its subcomponents uses, an attacker can infer the activity of that system. Some attacks might cut or lower power to cause a system to behave in a way beneficial to the attacker, similar to Plundervolt attacks.
Optical
An attacker uses visual cues to gain information about a system. Although rarely used against computers, in some POC attacks, attackers have used video to reconstruct the audio for an object's vibration in relation to sounds. Simple shoulder surfing attacks may also fall into this category.
Timing
A bad actor uses the length of time an operation takes to gain information. The total time can provide data about a system's state or the type of process it's running. In a timing attack, the attacker can compare the length of time of a known system to the victim system to make accurate predictions.
Memory cache
An attacker abuses memory caching to gain additional access. Modern systems use data caching and pre-fetching to improve performance. An attacker can abuse these systems to access information that should be blocked. The Spectre and Meltdown vulnerabilities discovered in 2018, which primarily affected Intel processors, exploited this channel.
iLeakage
An Apple-specific side-channel attack, iLeakage, is one of the newer variations. Disclosed in October 2023, it gathers information from an Apple device's Safari browser. Armed with this information, a hacker could examine a user's viewing history, email and credentials. It uses a technique called speculative execution, in which a device's CPU executes a series of tasks before being prompted to, anticipating that they will be called. Both MacOS and iOS products have been susceptible.
Hardware weaknesses
Hackers can use a system's physical characteristics to induce a behavior, cause a fault or exploit data remanence, which is data that persists after deletion. Row hammering attacks happen when an attacker alters a restricted memory area by quickly flipping or hammering another memory area located close by on the physical random access memory (RAM) chip. Error correction code memory can help prevent this attack. In a cold boot attack, the attacker quickly lowers the RAM temperature, causing the system to retain some information after power is removed so the attacker can read it back.
Preventing side-channel attacks
Organizations can implement a few best practice mitigations that might help protect against side-channel attacks. These attacks usually require detailed system knowledge to execute; therefore, an organization should keep details related to implementation and vendors a trade secret.
Address space layout randomization can prevent some memory- or cache-based attacks. Using business-grade equipment can also help to prevent systems from being exploited. Physical access to systems should also be restricted. Businesses can also keep sensitive systems in shielded Faraday cages, and power conditioning equipment can protect against power attacks.
As extreme mitigations, increasing the amount of noise in a system makes it more difficult for an attacker to gain useful information. Furthermore, while the following ideas are often wasteful and not generally recommended, they might be helpful in specific circumstances.
First, while performing a cryptographic process, some systems simultaneously perform unrelated and worthless similar processes to camouflage the ones of interest to the attacker. A system might likewise run needless processes or components to hide the power or computational use so it's uncorrelated with the actual use. Turning on an additional source of electromagnetic field radiation might hide radio signals from attackers as well, and users can set the font color and text background to a similar color to make reconstructing it hard using a van Eck phreaking or casual shoulder surfing.
Other practical countermeasures include confusing the attacker by randomizing the execution order of instructions in a process when they are not sequential. Another way to protect against side-channel attacks is to identify all potential routes of unpreventable information leakage and use cryptographic algorithms to render the leakage impossible for the attacker to understand.
As quantum computing becomes a reality, so does the potential for cybersecurity threats. Learn what steps organizations can take to prepare for quantum cybersecurity.
