Ars Technica reports on research in a paper, “RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis” (pdf), by Daniel Genkin and Eran Tromer of Tel Aviv University and Adi Shamir of the Weizmann Institute of Science, concerning computer security and privacy:
Computer scientists have devised an attack that reliably extracts secret cryptographic keys by capturing the high-pitched sounds coming from a computer while it displays an encrypted message.
The technique, outlined in a research paper published Wednesday, has already been shown to successfully recover a 4096-bit RSA key used to decrypt e-mails by GNU Privacy Guard, a popular open source implementation of the OpenPGP standard. Publication of the new attack was coordinated with the release of a GnuPG update rated as “important” that contains countermeasures for preventing the attack. But the scientists warned that a variety of other applications are also susceptible to the same acoustic cryptanalysis attack. In many cases, the sound leaking the keys can be captured by a standard smartphone positioned close to a targeted computer as it decrypts an e-mail known to the attackers. […]
To be sure, the technique has its limitations. Most obviously, the attackers must have a smartphone, bug, or other microphone-enabled device in close proximity to a computer at the precise moment it’s decrypting a message that was sent by, or otherwise known to, the attackers. Still, the technique represents a solid advance in the field of cryptanalytic side-channel attacks, which target cryptographic implementations that leak secret information through power consumption, electromagnetic emanations, timing differences, or other indirect channels.