Side channel attack-Telekinesis


When studying cryptography for the CISSP, I learned about side-channel attacks: an attacker measures power consumption, electromagnetic emissions or other by-products of data processing and uses those measurements to work backwards to the encryption key or other sensitive data. This article tries a side-channel method from a practical angle, focusing on how information can leak in a special scenario.

Theoretical basis
Working on side-channel attacks requires a general model of how side-channel information leaks and some background in communication principles.

Side channel information leakage model:

The side channel mainly exists at the sender and the receiver of the information. For example, when we chat with mobile communication software, the transmission itself is encrypted, but if two people chatting on their phones are shoulder-surfed (on an escalator, in a queue, and so on), the information can still leak. Side-channel leakage is therefore essentially a question of terminal (endpoint) security.

Principles of communication
A side channel is usually unstable and subject to many sources of interference and factors outside our control. To make the channel stable we need the relevant knowledge from communication principles. The basic communication process is as follows:

Source: the sender of the message

Sink: the recipient of the message

Source encoder: recombines the message into a form suited to transmission

Channel encoder: adds redundancy so the message can survive channel errors

Channel: the medium over which the message is transmitted

Interference source: the various factors that corrupt the transmission channel

Channel decoder: detects (and where possible corrects) corruption introduced by the channel

Source decoder: restores the original message

With the key steps of establishing a communication channel in view, the theoretical groundwork is essentially complete; the next step is to try a side-channel attack in a specific scenario.

Practical application
Simulation scene
Assume the following scenario: a terminal computer that can be physically accessed in some way, with only basic peripherals retained, operating system security patches fully applied, an ordinary (non-administrative) user account, all external communication functions (USB copy, network card, Bluetooth, infrared) disabled, and a hard disk that is physically protected and fully encrypted. How could the confidential files on this computer be obtained?

Selected side channel
We can try to establish a side channel that bypasses the protection system. Looking at the available peripherals (mouse, keyboard, speaker, monitor), the ones that can carry information outwards are the monitor and the speaker. The first idea is photography: a photo yields image data, but only part of the information can be recognised visually, complete files cannot be recovered, and the transmission is badly distorted. The second idea is Morse code, translated by a receiving device: in theory the encoded file stream can be converted into Morse code, the long and short signals distinguished by their decibel level, and the original text recovered. Examples are as follows:

However, this approach has two limitations:

1. Interference: as soon as there is noise while receiving the sound signal, the signal is severely distorted.

2. Slow speed: only one character is transmitted at a time, so a file of a few MB takes a very long time to send, which further increases the uncertainty.

We therefore need a side channel with strong resistance to interference and a large amount of information per transmission. This points to the two-dimensional (QR) code. First, the information capacity per transmission: a two-colour single-layer code (such as black and white) generally holds a few KB, while a colour (8-colour) single-layer code can reach a few hundred KB; however, the more information a QR code carries, the weaker its resistance to interference.

Considering the colour gamut, resolution, brightness and calibration accuracy of ordinary displays, as well as the pixel limits of the scanning device's camera, the common two-colour single-layer (black and white) QR code is the most suitable. Even with a low-end 720p display, a 5-megapixel smartphone can easily establish a side channel.

Next, a stable communication channel needs to be designed using the communication principles above. The communication process is as follows:

Source: a file of any format

Source encoder: 7z compression + base64 encoding

Channel encoder: data packets generated as QR codes

Channel: dynamic QR code

Interference source: repeated reception + signal misalignment

Channel decoder: QR code parsing and data regrouping

Source decoder: base64 decoding + 7z decompression

Sink: SD card

At the sending side, the original file is encoded, split into segments and converted into a set of QR code images that are displayed one after another at a fixed interval. The receiving side samples at the same interval and finally combines the sampled fragments to decode the original file; in this way a stable side channel is established.

Implement coding
The first part is the source encoder: the compressed file's data stream is converted to base64, the base64 message is split into segments, and each segment is passed through the channel encoder to form a continuous dynamic QR-code GIF, completing the channel encoding process. This is implemented in Python; the key code is as follows:

The receiver needs a QR-code recognition device; the most common choice is an Android phone, so an APK must be developed, implemented here in Java.

First, the channel decoder converts the dynamic QR code back into base64 messages, completing the channel decoding process. The key code is as follows:


Then the source decoder turns the base64 message back into a file stream, which is saved to the SD card, completing the source decoding process. The key code is as follows:


The following are the problems found during testing after coding, and their solutions:

1. Packet loss: camera focus failure caused by hand shake; solved by reducing the sampling frequency and choosing a camera with image stabilisation.

2. Duplicate packets: the same code is scanned several times; solved by de-duplicating messages within the same sampling interval.

3. Out-of-order packets: because the QR code carries no message sequence number, the start of transmission cannot be synchronised accurately; solved by scanning cyclically, identifying the header of the compressed-archive file, and arranging the packets in the correct order.

The final effect is shown in the figure below: continuous code scanning achieves "fetching from thin air":

To sum up
In this article, by simulating a side-channel attack in a specific scenario, we achieved "telekinesis": transferring a file without a network and without cracking any hardware. Side-channel leakage is very covert, and existing data loss prevention (DLP) tools are hard-pressed to defend against side-channel attacks. It is therefore recommended that staff in certain sensitive positions be prohibited from carrying smart devices, and that terminal monitoring tools be adjusted to detect potential side-channel carriers, such as device audio and on-screen images, in real time, in order to protect key confidential information.
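The monitoring adjustment recommended above can be made concrete. The following is an added example, not code from the original post or its author: a defender-side heuristic that inspects captured screen frames for the QR carrier described in this article. It uses the standard structural signature of a QR code, the three finder patterns whose dark/light run widths along any scanline through their centre are in the ratio 1:1:3:1:1, and it raises an alert only when a screen region shows QR-like content that changes frame after frame, since a static code (a poster, a payment code) is normal while a rapidly changing one is the hallmark of a dynamic-QR channel. The frames are constructed inline as small binary grids; no real screen capture, QR library, or the post's own encoder/decoder is assumed, and the thresholds (`min_hits`, `min_run`) are illustrative values chosen for the constructed data.

```python
from typing import Dict, List, Tuple

Frame = List[List[int]]  # 1 = dark pixel/module, 0 = light

# Dark:light:dark:light:dark run widths of a QR finder pattern through its centre.
FINDER = (1, 1, 3, 1, 1)


def _runs(line: List[int]) -> List[Tuple[int, int]]:
    """Run-length encode one scanline into (value, length) pairs."""
    runs: List[Tuple[int, int]] = []
    for v in line:
        if runs and runs[-1][0] == v:
            runs[-1] = (v, runs[-1][1] + 1)
        else:
            runs.append((v, 1))
    return runs


def _finder_ratio(widths: Tuple[int, ...]) -> bool:
    """True if five run widths approximate 1:1:3:1:1 (tolerance: half a module)."""
    unit = sum(widths) / 7.0          # estimated module size in pixels
    if unit < 1.0:                    # narrower than one pixel per module: noise
        return False
    tol = max(0.5 * unit, 0.5)
    return all(abs(w - e * unit) <= tol for w, e in zip(widths, FINDER))


def count_finder_hits(frame: Frame) -> int:
    """Count row and column windows matching the finder-pattern signature.
    Each real finder pattern contributes 3 row hits and 3 column hits."""
    hits = 0
    rows = [list(r) for r in frame]
    cols = [list(c) for c in zip(*frame)]
    for line in rows + cols:
        runs = _runs(line)
        for i in range(len(runs) - 4):
            window = runs[i:i + 5]
            if window[0][0] == 1 and _finder_ratio(tuple(w for _, w in window)):
                hits += 1
    return hits


def flag_dynamic_qr(frames: List[Frame], min_hits: int = 6, min_run: int = 3) -> Dict[str, object]:
    """Alert when >= min_run consecutive frames are QR-like AND differ from the
    previous frame. A static QR never builds a run; a changing one does."""
    run = longest = 0
    prev = None
    for frame in frames:
        qr_like = count_finder_hits(frame) >= min_hits
        if qr_like and prev is not None and frame != prev:
            run += 1                  # QR-like and payload changed: extend the run
        elif qr_like:
            run = 1                   # first QR-like frame, or identical to previous
        else:
            run = 0
        longest = max(longest, run)
        prev = frame if qr_like else None
    return {"suspicious": longest >= min_run, "longest_changing_run": longest}


# --- constructed sample frames (not real captures) ---------------------------

def make_qr_like_frame(seed: int, size: int = 21) -> Frame:
    """A 21x21 grid with three finder patterns and pseudo-random 'data' modules.
    The data region depends on `seed`, so successive seeds give different frames,
    mimicking a dynamic QR. It is NOT a valid, decodable QR code."""
    f = [[1 if (r * 7 + c * 3 + seed * 11) % 5 < 2 else 0 for c in range(size)]
         for r in range(size)]
    corners = [(0, 0), (0, size - 8), (size - 8, 0)]
    for r0, c0 in corners:            # clear 8x8 block: finder + light separator
        for r in range(8):
            for c in range(8):
                f[r0 + r][c0 + c] = 0
    corners = [(0, 0), (0, size - 7), (size - 7, 0)]
    for r0, c0 in corners:            # draw the 7x7 finder pattern
        for r in range(7):
            for c in range(7):
                edge = r in (0, 6) or c in (0, 6)
                centre = 2 <= r <= 4 and 2 <= c <= 4
                f[r0 + r][c0 + c] = 1 if (edge or centre) else 0
    return f


def blank_frame(size: int = 21) -> Frame:
    return [[0] * size for _ in range(size)]


if __name__ == "__main__":
    changing = [make_qr_like_frame(k) for k in range(5)]
    print("dynamic QR sequence:", flag_dynamic_qr(changing))
    print("static QR:", flag_dynamic_qr([make_qr_like_frame(0)] * 5))
    print("blank screen:", flag_dynamic_qr([blank_frame()] * 5))
```

In a real deployment the frames would come from the endpoint agent's periodic screen capture, and a positive result would be correlated with the foreground process and the user, not acted on alone: the heuristic only says "something on screen looks like a changing QR code", which is the signal this article's channel cannot avoid producing.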
