Hertzbleed: A Looming data threat

A new threat, Hertzbleed, can make Intel 8th to 11th generation CPUs and AMD processors vulnerable to data leak

Design: Ibrahim Yahya

KARACHI:

There is a potential security threat to all the Intel 8th to 11th generation CPUs and AMD processors with Zen 2 or Zen 3 architecture. It is no secret that hackers have been known to search and exploit vulnerabilities in the past. The famous 2013 breach of Yahoo’s system led a hacker to steal customer data of over three billion accounts. Last year in March, hackers exploited a vulnerability within Facebook that had been previously patched in 2019. This hack led to the records of 533 million users across 106 countries getting stolen and being posted onto a hacking forum.

Specifically, in the case of Intel 8th to 11th generation CPUs and AMD processors with Zen 2 or Zen 3, hackers can use a side-channel attack to obtain the key to cryptographic data that is considered a secure communication between two devices over a network. Researchers are calling this new data vulnerability ‘Hertzbleed’. The word consists of two parts Hertz (Hz) and Bleed. The frequency at which a CPU operates is commonly measured in Hz, and Bleed is the data leakage—hinting that the modern CPUs' inherent feature of changing speed can lead to data leakage. The technique is easy to understand but requires some basic background knowledge, which this article will attempt to explain in detail.

Cryptography

Cryptography studies techniques to establish publicly unintelligible communication between sender and receiver, but the parties exchanging messages have the key to understanding the messages being shared. For example, if you speak Urdu with your friend in a crowd that only speaks English, the crowd won't understand the communication being carried out. Your messages will remain confidential. There is even a movie named ‘Imitation Game’ based on a real-life event about this subject. A mathematician from Cambridge, Alan Turing (Benedict Cumberbatch), is recruited by MI6 to crack the cryptographic messages used by Nazis for communication. The ‘Enigma’ text was considered unbreakable, but Alan's team used a decipher machine to achieve the key that breaks the code down. Alan played the role of a cryptanalyst breaking a ciphertext.

 

A cryptographer is a person who develops security systems to protect data from hackers. They use complex algorithms and ciphers to establish an encryption system. Any person with a bachelor's degree in mathematics, information technology, computer science, or cybersecurity can become a cryptographer. There is a difference between a cryptographer and a hacker. However, a cryptographer has enough knowledge to become a hacker as he understands communication between computers easily — everything from how the encryption key is produced and how to access it if required.

Encryption: The art of communicating unintelligibly

As an example, IFMMP is a cipher text which translates to HELLO in plain text. What is done here is each letter in the word HELLO is replaced by one after it. So the key to deciphering the text is +1. We demonstrated the easiest way to encrypt your data by using a single bit to define a key, but computers are fast. They can encrypt and decrypt messages faster than a human, so their encryption keys are more complex and based on 128-bit encryption.

AES 128-bit encryption is the latest and most widely accepted technique to convert simple data to cryptographic data. The method has been approved by the National Security Agency (NSA) to protect confidential data but not top-secret government information. Data storage devices are now rapidly adopting 128-bit encryption, which is very complex to crack. Solid State portable devices and USB Flash Drives are currently protected with encryption and self-destruct techniques to secure vital data of organisations. Side-channel attacks use the vulnerabilities in the cryptographic algorithm to achieve the cryptographic key.

The easiest way to secure your data is by making it hard for the hacker to read. Softwares like BitLocker encrypt all the data on your drive. It is kept ON from Windows 10 onwards by default. The processor accesses the specific data required by the user and decrypts it to turn it into understandable data for a user. Cloud storage like CloudFare, Google Drive, and Microsoft OneDrive also use cryptographic techniques to keep your data safe.

AES-128 bit is exceptionally complex for a computer to crack with the traditional brute force technique. We can explain Brute Force through the briefcase analogy. Suppose you want to open up a briefcase, but you do not know the combination of numbers. The first thing that comes to mind is trying different combinations to find the right combination that unlocks the briefcase. A computer does a similar thing to break the cryptographic key. It tries different combinations of keys to unlock the encrypted message.

Commonly a briefcase has four combinations of numbers, and each column can have 10 digits from 0-9. To calculate the total number of possible combinations, you can use the formula: (Total Possible Digits per Column)Total Number of Columns

In our case total, possible digits per column are 10 (0-9). The number of columns is four, with four digits in a row. For a typical four-number combination briefcase, you will have to try 10x10x10x10 or, as per formula 104, combinations to open the suitcase. Assuming it takes two seconds to change one digit for each trial. The total time required would be 5.55 hours to try all the possible combinations, assuming we remembered the varieties we have tried. It means that you cannot leave your briefcase unattended for more than 5 hours and 30 minutes at maximum. For a computer to try these 10,000 combinations to break a passcode to your Windows login, it's just a matter of seconds.

 

Moving back to 128-bit encryption, government organisations and businesses with secret data rely on AES encryption despite having certain flaws. Currently, Quantum computers are the fastest and rapidly improving computations system on earth, but it is still in their early stages and not stable. In contrast, supercomputers are reliable and currently have practical applications in space and time. How long will it take for a supercomputer to decrypt 128-bit data encryption?

A supercomputer with 10.51 petaflops can perform 10636 Penta combination checks per second. If we calculate the number of seconds in a year, that figure sits around 31536000 seconds. Now the amount of time required to crack an AES 128-bit encryption key would be 1 billion billion years, which is beyond any way practical for even the top secret organisations with high-tech equipment to crack the code with brute-force technique alone. It's practically impossible unless we somehow find certain digits of the encryption key, then the time would reduce drastically. It is achieved through using a side-channel attack to obtain enough information to reduce the time required to try all the combinations within a feasible period.

To explain this, using the briefcase analogy somehow, you get information that the last digit of the combination is 4. Then the number of combinations you need to try will reduce to 103=1000, which is a massive reduction in the number of tries, and eventually, the time required to try all the combinations will reduce to just 30 minutes. The risk of somebody unlocking your briefcase becomes large if someone somehow finds the one digit in your combination. It's amazing! A side-channel attack attempts to find a pattern in your data which leads to unlocking certain digits of your encryption key.

Hacking Technique: Side-Channel Attacks

Side channel attacks are an indirect way of gathering data from a machine that is going through a decryption process. There are mainly three ways to attack a system.

Cache Attack: The hacker monitors the cache (temporary storage) of your system through which data is accessed during the software process.

Timing Attack: The attacker monitors the time it takes for your computer to perform a computation, which gives indirect hints of data under progress.

Power-Monitoring Attack: Monitor the power consumption to create patterns leading to data.

The attack we will focus on is Timing Attack, which monitors the time taken by the processor to perform a specific task to extract certain parts of the encryption key. In some cases, a hacker can obtain the complete key through these attacks. If the hacker unlocks parts of the encryption key, the time required to get the correct key will reduce by using the brute force technique. Side-channel attacks impose a threat to cryptographic security systems.

Again, we would like to take you back to the real-life event of Enigma. The code was sophisticated, and the key for the encryption code changed daily, but after months of hard work by the team of cryptographers, something came to their mind. After every message, Nazis used the phrase ‘Heil Hitler.’ Cryptographers used the stock phrase to crack the setting of the day.

Essential CPU Feature: Dynamic Frequency

Intel and AMD have been manufacturing processors for decades and perfected the art of reducing power while increasing performance. Traditionally processors consumed a lot of energy as they operated on a fixed frequency. Buying a 3GHz frequency processor will result in all data being processed at a fixed 3GHz speed. It was not an energy-efficient way to process data.

Intel introduced dynamic frequency scaling in their processors efficiently in the 3rd generation. They called it the ‘Intel® Turbo Boost Technology’. Some programs depend on the memory speed for fast operation, while some software requires fast processors to reduce operational times. Processors are usually under massive load while gaming, encoding videos, or iteratively solving an equation for fluid dynamics. Otherwise, if you are watching cat videos on YouTube, the processor doesn't have much work to do. The processor reduces cycles per second when there is a low load on the processor; this leads to a lower power consumption and heat production. For laptops, it's an essential feature as it drastically improves the battery draining time.

With time, Intel has perfected its art of changing frequencies, and in the 8th generation, it's much more aggressive and efficient. A processor changes frequency with the help of transforming the voltages of the CPU. Higher voltages are required to achieve higher frequencies from the CPU. Overclocking is a technique that increases the processor's speed by increasing the applied voltages via the motherboard VRM (Voltage Regulating Module). AMD also has the identical replica for their Zen2 and Zen3 architecture known as the ‘Precision Boost 2.’

Hertzbleed and how does it work?

Researchers are continuously working to find ways to hack commercially available processors. Recently, a paper titled ‘Hertzbleed: Turning Power Side-Channel Attacks Into Remote Timing Attacks on x86’ was published as a result of a collaborative effort between the researchers Yingchen Wang (University of Texas at Austin), Riccardo Paccagnella (University of Illinois Urbana-Champaign), Elizabeth Tang He (University of Illinois Urbana-Champaign), Hovav Shacham (University of Texas at Austin), Christopher Fletcher (University of Illinois Urbana-Champaign), and David Kohlbrenner (University of Washington).

The paper discusses in detail how side-channel attacks can be carried out to obtain cryptographic keys from x86-based Intel and AMD system. They have shown how a clever hacker can use a novel chosen ciphertext against SIKE. SIKE is a post-quantum cryptography algorithm. Despite SIKE being ‘constant time,’ the changing frequencies changed the time required for the code to process the text. If the attacker sends specific data with known information across two end communication devices and observes the time it takes to decrypt the data, they can decipher the key. The hacker can detect the key as different keys take different times to execute with the processor's changing frequency. If the processor remains at a constant frequency, the hacker will observe data being processed at a similar time every attempt, thus making deciphering impossible.

Can my PC be affected? What did we learn from Enigma Code?

Yes, your PC is likely affected by this vulnerability. Once again, lt’s circle back to the real-life event shown in the movie ‘Imitation Game,’ which demonstrates how hacking does not have to be announced necessarily. Alan and his team successfully built the Engima breaking machine (Christopher). Now, they wanted to share the top-secret information of ongoing Nazis plans with their security agencies. However, the MI6 agent stopped them from announcing the Enigma code's breaking. It was surprising for the whole team.

The intent was to use the information smartly so that the enemy did not know that their foes had broken the Enigma code. If the Nazis received any hint that their enemy had discovered the key to breaking the code, they would have immediately changed the encryption technique or key. Through controlled attacks and sacrificial measures, the information regarding the Enigma code being deciphered was kept top secret by the MI6 agency. Eventually, this helped in winning the war against the Nazis. Today, big companies and agencies apply similar techniques. They use the data collected so that the affected person doesn't know they have been affected and remains connected to the protocol. Hackers can collect information through the protocol in an undetectable way.

Big companies with technological secrets do not release their latest developments over the Internet. Manufacturers that work on technological advancement have to protect their precious data from leaking. Therefore, any vulnerability must be openly discussed so that organisations can take necessary measures to avoid it. Data is like Gold in this technological age. Anything from a medical report to your bank statement stored over your storage device on the computer is useful statistical information for the organisation.

Are Intel and AMD aware?

To make sure that such attacks with hidden ways to extract data from computers are kept in check, Intel and AMD both have Security advisories. The team of researchers disclosed their findings through the proof-of-concept code to Microsoft, Intel, and Cloudflare in the third quarter of 2021. They released similar information to AMD in the first quarter of 2022. Intel initially wanted to keep the research under embargo. However, finally, the findings were disclosed to the general public on June 14, 2022.

Intel security advisory has now publicly accepted that all the processors from the 8th generation to the 11th generation can be affected, including desktop and laptop-based microchips. Intel conducted various experiments on their processors to conclude that the hacking technique was indeed a vulnerability in their processors. AMD security advisory followed by performing tests on their Zen2 and Zen3 architecture, and later reported that their processors were also vulnerable to these threats. CVE is a program aimed at tracking and cataloging publicly disclosed cybersecurity vulnerabilities. They have named the Hertzbleed attack as a system vulnerability for Intel under ID CVE-2022-24436. Whereas AMD they have given it the CVE-2022-23823.

Intel security advisory has given it the Intel ID: INTEL-SA-00698, which categorises the advisory under hardware. They define the impact of vulnerability as information disclosure. The severity rating is at MEDIUM, with the CVSS base score at 6.3. As per Intel's website, all the Intel processors are affected by the vulnerability.

AMD security advisory gives the vulnerability AMD-SB-1038 identification. It gives a similar potential impact of information disclosure and sets the severity of the vulnerability at MEDIUM. To simplify the processes that this vulnerability can impact, keep in mind that all the AMD Ryzen 2000-5000 series processors, 2nd and 3rd Gen Threadrippers, and even the AMD Athlon X4 will be affected by this vulnerability. To ensure that your processor is included or not on the list, you can search for the advisory using the AMD ID for this new hacking technique.

Should you be worried?

 

After going through the complete article, you might be thinking about whether or not you should be worried about keeping your data secure. An average user does not have top secret data that can be significant to others, but if you work in an organisation where secrets need to be kept. You must share the information with your organisation and follow the possible ways to plug the loopholes in your organisational structure security system.

Intel is asking for an embargo and still not deploying any patches. AMD and Intel have no plan of releasing microcode patches to mitigate against HertzBleed. However, they do provide guidelines to make your data secure.

How can I secure my data?

Usually, all the data on Windows 10 is encrypted with BitLocker 128-bit encryption. Cloudflare and Microsoft have already mitigated the attack on SIKE. Since there are ways to crack the key, users should take care of the data themselves. According to the researcher's guidelines in their paper, the “workaround”. There are ways to avoid such an attack, but it significantly impacts our system performance.

The main feature that changes the frequency(Hz) of your computer namely “Turbo Boost” by Intel and “Precision Boost” by AMD. They can be disabled from the BIOS of your motherboard or in runtime by using the software that is used to scale the frequency to a constant value. If you disable the feature, it will return the processor to its base frequency which is significantly low in the modern gaming CPUs. Performing this action will lead to significant performance degradation that you might feel while using your PC. Consider saying goodbye to your gaming or video encoding.

As an average PC user, I do not have any important data stored on my PC. So I am not overly worried about the attacks. A skilled hacker with skills to remotely carry a side-channel attack will not waste time hacking into my PC, but some industries might be affected. The remote attack is dangerous, and you can remain disconnected from the network if you have potentially high-risk data. The best strategy for an average household PC is to use a good registered Spyware, Anti-Virus, and register Windows. Users should regularly update the windows to keep up with the security patches. Overall, security vulnerabilities will continue to be discovered and plugged. Our job is to keep you updated so that your employer's data can be safe from falling into the wrong hands.

 

Haroon Ismail is a freelance writer and an engineer. All information and facts provided are the sole responsibility of the writer.

Load Next Story