This article was originally published on January 22, 2015.
The risks of using an unprotected, unencrypted Wi-Fi network are well-documented. Anything you transmit becomes fair game for hackers — if you decide to access a banking website, make a large purchase or fill out healthcare forms you’ve put yourself in the line of fire. Of course, there are several easy ways to solve this problem. One is to only use trusted home or work networks that offer enhanced protection, another is to choose a secure VPN service and mask your activities from prying eyes anywhere, anytime.
But the ultimate standard of protection has always been to go without Wi-Fi — turn off your wireless receiver, unplug from the Internet and rest assured that no one can steal your information unless they take your computer by brute force. As reported by Discovery News, however, a team from Georgia Tech has now found that electronic devices have a bad habit of “leaking” information even when they’re completely offline. Here’s what you need to know.
Side by Side
How are hackers getting your information if they can’t intercept wireless transmissions? Some kind of tiny recording device, perhaps, or bio-enhanced tracking chip that monitors your every movement? Sadly, it’s nothing so sophisticated. Instead, hackers rely on what’s called “side channel information” to steal your data.
What’s the most obvious way to capture electronic information? Pick up any plaintext transmitted over unsecure wireless networks. Another choice is to grab encrypted data in hopes of cracking the code or convincing users to give up their access key. But there’s a third, more sinister choice: Side channel attacks. These attacks occur when hackers analyze how information is being processed, rather than going after the information itself, and then interpret this data to produce an actionable result.
Sounds complicated, right? Luckily, Crypto Fails offers an easy example. Imagine you’re getting a gift from someone and can’t wait to discover what they’ve bought, so you start asking questions: is it a book? A game? A hat? If they couldn’t keep a secret they’d be like a public wireless network and spill the plaintext beans, saying “yes” when you hit the right answer. Chances are, however, that they’ll give nothing away by saying “no” to every question. End of story, right? Wrong. By looking at their facial expression and body language after you ask each question, it’s possible to get a sense of which “no” is really “yes”. In other words, they’re offering a host of side channel information, if you know where to look.
While laptops and mobile devices don’t have facial expressions, that doesn’t mean they’re unreadable. As noted by a Discretix white paper, there are several ways to discover what computers are doing based on how they’re doing it. For example, attackers can monitor the time it takes to perform specific operations, the amount of power consumed by particular tasks or by examining faults that occur naturally in a system. Using this information, it’s possible for malicious actors to narrow down what kind of operation is being performed and what type of data is being sent. In other words, your computer never really shuts up.
So what does this have to do with Georgia Tech’s research? The team discovered that laptops and smartphones continuously “leak” a new kind of side channel information: Electronic emissions. They’ve also shown that it’s possible for someone sitting nearby in a coffeeshop as you work offline to steal your password using AM radios, hidden antennas or even tiny microphones. Some emissions are produced whenever a computer is running while others occur only when you’re typing, meaning that determined hackers can “keylog” you even when you’re offline. More worrisome? There’s no electronic fingerprint, making it almost impossible to find out who stole your information.
There is some good news, however. Assistant professor Alenka Zajic says that “if you are comparing this to Internet attacks, it is less of a problem.” That’s because hacking a few computers in the coffee shop or library using side channel attacks isn’t nearly so lucrative as compromising hundreds of Internet-enabled devices at once. Zajic also hopes that by notifying software and hardware manufacturers about this problem now, they can find ways to mask or eliminate these side channel signals.
Bottom line? If you’re visiting the local cafe, maybe leave the laptop in its case and just enjoy the coffee.