Scientists discover new CPU security loophole


There’s a newly discovered security flaw in the brains of our computers, the Central Processing Units (CPUs).

Researchers from TU Graz and the Helmholtz Center for Information Security have found this issue.

CPUs, like a multi-tasking superhero, can run multiple programs at the same time, which is great for getting things done. But there’s a downside: this makes them a target for data thieves.

This new security issue involves attackers spying on the energy usage of a computer’s CPU to steal data.

The researchers named this new kind of attack “Collide+Power”. Here’s a quick rundown of how it works:

In a “Collide+Power” attack, the bad guys put a packet of data in a specific place on the CPU. Then, they use harmful code to make this data collide (or clash) with the data they want to steal.

When this clash happens, it uses up energy. The more different the two packets of data are, the more energy gets used up.

By repeating this process thousands of times, changing their data packet slightly each time, the attackers can start to figure out what the targeted data looks like. This is based on the slightly different amounts of energy used each time they run their attack.
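The statistics behind this step can be seen in a small simulation, added here as an illustration and not taken from the researchers' code. It assumes each reading equals the number of differing bits plus Gaussian noise; the 8-bit value, the noise level and all function names are constructed for the example, and nothing is measured on real hardware.

```python
import math
import random

def hamming(a, b):
    """Bits that differ: the article's 'how different the two packets are'."""
    return bin(a ^ b).count("1")

def mean_reading(guess, secret, sigma, n, rng):
    """Average of n simulated readings: bit difference plus Gaussian noise."""
    return sum(hamming(guess, secret) + rng.gauss(0.0, sigma) for _ in range(n)) / n

def infer(secret, bits, sigma, n, rng):
    """Estimate each bit from whether flipping it in the guess lowers the average."""
    estimate = 0
    for i in range(bits):
        base = mean_reading(0, secret, sigma, n, rng)
        flipped = mean_reading(1 << i, secret, sigma, n, rng)
        if flipped < base:  # a smaller difference means the bit matched: it is 1
            estimate |= 1 << i
    return estimate

def readings_needed(sigma, z):
    """Readings per guess for a one-bit change to stand z std devs clear of noise.

    The difference of two n-sample means has std sigma*sqrt(2/n), so
    1 >= z*sigma*sqrt(2/n) gives n >= 2*(z*sigma)**2.
    """
    return math.ceil(2 * (z * sigma) ** 2)

if __name__ == "__main__":
    rng = random.Random(1)          # fixed seed, simulation only
    secret, sigma = 0xA7, 10.0      # constructed sample value and assumed noise level
    for n in (4, readings_needed(sigma, 6)):
        got = infer(secret, 8, sigma, n, rng)
        print(f"n={n:5d} per guess -> {got:#04x}, {hamming(got, secret)} bits wrong")
    # Doubling the noise quadruples the readings required
    print(readings_needed(10.0, 5), readings_needed(20.0, 5))
```

The number of readings grows with the square of the noise, which is why a signal this faint takes so many repetitions to become readable.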

You might think that you need to be a computer whiz to read a CPU’s power consumption, and usually, you’d be right. But these crafty attackers found a way around this.

When data packets clash and overwrite, it also causes slight delays in the CPU’s operations. These delays can tell the attackers how much power is being used, and from this, they can work out what the target data is.

“All modern computers with modern CPUs are vulnerable to this security risk,” warns Andreas Kogler from the Institute of Applied Information Processing and Communications (IAIK) at Graz University of Technology. “And it’s a very tough problem to fix.”

Now, before you panic, it’s important to know that a Collide+Power attack is currently a very slow process. Right now, stealing data this way takes from 16 hours per bit of data and, in some cases, up to a year.

But technology is advancing all the time, and it’s possible that these kinds of attacks could become quicker and more common in the future.

Scientists have known about potential problems with power usage, or “power side channels,” for a while.

But this new discovery by Daniel Gruss’ research group at IAIK shows that attackers don’t need fancy hardware or physical access to a computer to measure power. They can do it from software.

The researchers have already alerted major chip manufacturers about the risk, and the manufacturers have updated their guidelines accordingly. The team has also set up a website called collidepower.com to give the public more information about this new security risk.

In summary, this newly found security flaw shows that as technology advances, so do the methods that data thieves use.

Although the current risk of a Collide+Power attack is low due to the time it takes, it’s a reminder that we need to stay one step ahead in the battle for data security.


Source: Graz University of Technology.