A new computer chip weakness, identified last year but just recently made public, can leak data from previously thought-to-be secure distant servers. Hertzbleed is its name, and it’s a hack unlike any other. The researchers that discovered the exploit say, “Hertzbleed is a new category of side-channel attacks: frequency side channels.” Their findings were published in a document that can be read on their website, and the attack’s source code is also accessible “for complete replication.”
They go on to say, “[It] is a genuine and practical danger to the security of cryptographic software.” So, should we be concerned? Let’s start by getting to the bottom of what this entails. Hertzbleed is a side-channel attack, which means it may be used to hack a system without really hacking it. Every time you instruct your computer to perform a task – such as encrypting or decrypting sensitive data – it generates a unique physical signature. For example, your CPU increases the amount of electricity it uses; a certain quantity of electromagnetic radiation is emitted; and even the sounds produced by the process might be part of it.
Unlike more typical methods of data hacking, side-channel attacks use signatures to try to figure out what data was being processed. You might compare it to predicting your birthday presents before the big day: a traditional “hacker” would think of ever-more cunning methods to just open the wrapping paper, but someone utilizing a side-channel assault would shake it, feel the edges, and estimate the weight. Hertzbleed isn’t the first side-channel attack to be found – side-channel assaults have been around for more than two decades at this time – but it does have a few unique features.
It works on “constant time” mechanisms, which are code specifically designed to eliminate one of the biggest clues for a would-be hacker: the length of time it takes for a process to complete. It can be deployed remotely, making it much easier to use than previous side-channel attacks, and it also works on “constant time” mechanisms, which are code specifically designed to eliminate one of the biggest clues for a would-be hacker: the length of time it takes for a process to complete and, worst of all, you’re virtually probably affected. Hertzbleed affects all Intel CPUs, as well as dozens of AMD processors. Even if your personal computer, laptop, tablet, or phone doesn’t utilize the impacted CPUs, hundreds of servers do — servers that store your data, analyze your information, and run the services we rely on every day.
However, there is one advantage: for the time being, it is a sluggish, tiny strike. According to Intel, Hertzbleed would take “hours to days” to steal even tiny quantities of data, thus it’s unlikely to be utilized for large-scale data theft just yet. The researchers behind Hertzbleed, while less enthusiastic, agree with this assessment: “Despite its theoretical strength,” they add, “it is not evident how to create actual exploits using the frequency side channel.” Nonetheless, “the security ramifications… are severe,” they say. The study states, “The lesson is that conventional cryptography engineering approaches for writing constant-time code are no longer sufficient to ensure constant-time execution of software on newer, variable-frequency CPUs.”
So, what are we going to do about it? Despite being notified to the existence of Hertzbleed months ago, and even requested an extended embargo on the material in order to develop a security remedy, neither Intel nor AMD have provided any patches to counteract Hertzbleed. The researchers state, “To our knowledge, Intel and AMD have no plans to deliver any microcode updates to prevent Hertzbleed.” “Why would Intel request such a long embargo when they aren’t even deploying patches?” They add, “Ask Intel.”