A new computer chip vulnerability, discovered last year but only recently announced publicly, is able to leak information from remote servers previously thought to be secure. Its name: Hertzbleed – and it’s a hack unlike any seen before.
“Hertzbleed is a new family of side-channel attacks: frequency side channels,” explain the research group responsible for finding the hack. Their results have been published in a paper, found on their website, and the source code for the attack is also available “for full reproducibility.”
“[It] is a real, and practical, threat to the security of cryptographic software,” they add.
So how worried should we be?
Well, first, let’s get to the bottom of what this means. Hertzbleed is a side-channel attack – that is, a way to hack a system without actually hacking the system. Every time you set your computer to run an operation – say, encrypting or decrypting sensitive data – it creates a certain, very specific, physical signature. Your CPU ramps up the amount of power it’s using, for example; a certain amount of electromagnetic radiation is emitted; even the particular sounds that come out of the process can be part of it.
Unlike more traditional ways to hack information, side-channel attacks rely on these signatures to try to infer what information was being processed. You can think of it kind of like guessing your presents before your actual birthday: a stereotypical “hacker” would think of ever-more sneaky ways to simply open the wrapping paper, but someone using a side-channel attack would be giving it a shake, feeling the edges, and estimating the weight.
Hertzbleed is not by any means the first such attack to be discovered – side-channel attacks have been around for more than two decades at this point – it has a few extra capabilities that haven’t been seen before. It can be deployed remotely, making it much easier to use than previous side-channel attacks, and it also works on “constant time” mechanisms – that is, code specifically designed to eliminate one of the biggest clues for a would-be hacker, the length of time a process takes to complete.
And the really bad news is, you’re almost certainly affected. Certainly, all Intel processors are susceptible to Hertzbleed, as are dozens of AMD chips. And even if your personal computer, laptop, tablet or phone doesn’t use those affected processors, thousands of servers across the planet do – servers which, as a matter of course, store your data, process your information, and run the services we depend on every day.
There is one good thing, though: for now, it's a slow, small attack. Hertzbleed would take “hours to days” to steal even small amounts of data, Intel said, so it's unlikely to be used for any large-scale information theft just yet. And while less gung-ho about it, the researchers behind Hertzbleed echo this appraisal: “Despite its theoretical power, it is not obvious how to construct practical exploits through the frequency side channel,” they write. Nevertheless, they add, “the security implications ... are significant.”
“The takeaway is that current cryptographic engineering practices for how to write constant-time code are no longer sufficient to guarantee constant time execution of software on modern, variable-frequency processors,” the paper explains.
So what should we do about it? Well, unfortunately, there isn’t much we can do – despite being alerted to the existence of Hertzbleed months ago, and even requesting an extended embargo on the information in order to come up with a security fix, neither Intel nor AMD has released any patches to mitigate Hertzbleed.
“To our knowledge, Intel and AMD do not plan to deploy any microcode patches to mitigate Hertzbleed,” the researchers note.
“Why did Intel ask for a long embargo, considering they are not deploying patches? Ask Intel,” they add.