Your PC or laptop is a disloyal little traitor. She (or he, if you prefer) is happily sitting there chattering away, revealing your RSA keys to anyone who cares to listen. Yes, my friend, even RSA isn’t good enough anymore.
No, it’s not April first, and no, I’m not making this up. A Debian Security Advisory, DSA-2821-1, CVE ID, CVE-2013-4576, issued December 18, 2013, gives the scoop:
Genkin, Shamir and Tromer discovered that RSA key material could be extracted by using the sound generated by the computer during the decryption of some chosen ciphertexts.
The Shamir is Adi Shamir, the S in RSA.
Those of you who have been around for awhile will recall that “listening” to the emissions of CRT screens — known as “Van Eck phreaking” — was once used as a way to eavesdrop. (The link points to a fascinating video. Check it out.) The researchers’ approach is similar, but exists in the acoustic rather than the electromagnetic realm.
I admit my lead is a bit over the top. For someone to pull off such an attack requires physical access to the equipment and a whole lot of tinkering as detailed in their report. But it works, and if the obstacles can be overcome, it’s a real threat. I highly recommend you study the paper. You’ll learn why data security isn’t as simple as you think.
For those of you who may be super paranoid about such things, here are some ways to interfere and, perhaps, thwart such an attack as presented in the Naked Security blog post:
1. Disabling auto-decryption of received emails.
2. Putting your mobile phone in your pocket or bag before reading encrypted emails.
3. The presence of background noise.
4. “Decoy processes” running on other CPU cores at the same time.