Should users be worried about computer chip hacks?
Welcome to the new 93 cyber warriors who joined us last week. 🥳 Each week, we'll be sharing insights from the Black Hat MEA community. Read exclusive interviews with industry experts and key findings from the #BHMEA23 keynote stage.
This week we’re focused on… 📣
Computer chip hacks. And specifically, a vulnerability discovered in 2022: Hertzbleed.
Why? 🤔
Because at Black Hat MEA 2022, Daniel Weber (PhD Student, CISPA Helmholtz Center for Information Security) said:
“Since 2018, we’ve known that security flaws in computer chips can affect billions of devices – meaning that hackers can leak sensitive information directly by abusing the hardware instead of relying on any software vulnerability.”
And over the last year, it’s become even more apparent that computer chips are vulnerable to attack.
The proof is in the Hertzbleed 📜
It’s an attack type identified by security researchers at the University of Texas in 2022. And it could be used to pull information from computer chips. It exploits a power-saving feature that’s common across modern computer chips, which means it could affect many millions of users.
CPU throttling, or dynamic frequency scaling, is a technique that increases or reduces the speed with which computer chips carry out instructions. It means that chips can adapt their power usage to meet demand.
And while hackers have long demonstrated the ability to gather information about the data being processed by observing when a chip’s power is scaled up or down, researchers have now found that you can achieve similar observations remotely.
As detailed in their 2022 paper, the Hertzbleed researchers demonstrated that it’s possible to watch how quickly a computer completes operations – and then use that information to measure how it’s throttling the CPU.
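To make that chain (data, power, frequency, completion time) concrete, here is a toy simulation added as an illustration; it is not code from the Hertzbleed researchers or from this newsletter. The Hamming-weight power model, every constant and every function name are assumptions, constructed and deliberately exaggerated so the effect is visible.

```python
import random
import statistics

# Toy model constants: all assumed for illustration, none are measured values.
POWER_CAP_W = 30.0     # power limit the chip must stay under
F_MAX_GHZ = 4.0        # highest clock the chip may run at
BASE_W_PER_GHZ = 8.0   # data-independent power drawn per GHz
BIT_W_PER_GHZ = 0.02   # extra power per GHz for each set bit in the operand
FIXED_GHZ = 2.0        # clock used when frequency scaling is switched off
CYCLES = 2_000_000     # the operation always costs the same number of cycles


def hamming_weight(value: int) -> int:
    return bin(value).count("1")


def steady_state_ghz(operand: int, scaling: bool = True) -> float:
    """Clock the modelled chip settles at while processing `operand`."""
    if not scaling:
        return FIXED_GHZ  # fixed clock: the data no longer influences speed
    watts_per_ghz = BASE_W_PER_GHZ + BIT_W_PER_GHZ * hamming_weight(operand)
    return min(F_MAX_GHZ, POWER_CAP_W / watts_per_ghz)


def response_time_us(operand: int, rng: random.Random, scaling: bool = True) -> float:
    """Wall-clock time of one request: same cycle count, data-dependent clock."""
    compute_us = CYCLES / (steady_state_ghz(operand, scaling) * 1e3)
    return compute_us + rng.gauss(0.0, 20.0)  # constructed network/OS jitter


def mean_gap_us(low: int, high: int, samples: int = 2000,
                scaling: bool = True, seed: int = 1) -> float:
    """Average timing difference a remote observer sees between two operands."""
    rng = random.Random(seed)
    t_low = [response_time_us(low, rng, scaling) for _ in range(samples)]
    t_high = [response_time_us(high, rng, scaling) for _ in range(samples)]
    return statistics.mean(t_high) - statistics.mean(t_low)


if __name__ == "__main__":
    light, heavy = 0, 2**64 - 1  # constructed operands: 0 and 64 set bits
    print(f"scaling on : gap = {mean_gap_us(light, heavy):6.1f} us")
    print(f"scaling off: gap = {mean_gap_us(light, heavy, scaling=False):6.1f} us")
```

With scaling on, the averaged gap stands out clearly from the jitter even though both requests execute an identical number of cycles; with a fixed clock in the model, the gap collapses into the noise.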
What’s the worry here? 😨
If an attack like this can be executed remotely, there’s much more scope for breaches. It’s easier, more cost-effective, and less risky to stage a remote attack.
Due to the amount of time it takes for Hertzbleed to steal any data, chip makers have reassured the public that it’s unlikely to be used to obtain large data files. But it could be used for smaller, yet critical pieces of data theft – like cryptographic keys.
On their website, the researchers cautioned that “Hertzbleed is a real, and practical, threat to the security of cryptographic software.”
And in a 2023 follow-up paper they expanded the scope of Hertzbleed’s threat potential – stressing that the “effects are wide ranging, extending beyond SIKE, beyond cryptography and beyond CPU-only secrets.”
They demonstrated this larger scope with case study attacks on ECDSA (a complex public key cryptography encryption algorithm) and Classic McEliece.
“Hertzbleed attacks will get better with each new generation of hardware and power-saving techniques. Our results suggest that, similarly to Spectre attacks, Hertzbleed may continue to haunt us for some time to come.”
Read the blog: Automated tools to detect microarchitectural attacks
Do you have an idea for a topic you'd like us to cover? We're eager to hear it! Drop us a message and share your thoughts. Our next newsletter is scheduled for 30 August 2023.
P.S. - Mark your calendars for the return of Black Hat MEA from 📅 14 - 16 November 2023. Want to be a part of the action? Register Now