Hot Pixel Attack steals data from Apple, Intel, Nvidia, and AMD chips through frequency, power, and temperature information

A team of security researchers partially funded by DARPA and the US Air Force demonstrated tactics that enabled them to steal data from Apple and Qualcomm Arm processors as well as discrete Nvidia and AMD GPUs and integrated graphics in Intel and Apple chips by monitoring temperature, power, and frequency of the chip during normal operation. The attack requires data from the PC's internal energy, temperature, and frequency sensors, but this information is accessible from user accounts that do not have administrator access. The researchers' current attack methods serve as proof of concept, but thankfully data exfiltration rates are very low with the current method. However, the researchers note that more work could speed up the process.

The researchers' paper, 'Hot Pixels: Frequency, Power and Temperature Channel Attacks on GPU and Arm SoC [PDF],' illustrates the use of a side-channel attack, which is a type of attack that allows data to be leaked by measuring certain physical emissions of a computer.

In this case, the researchers exploited information exposed by the dynamic voltage and frequency scaling (DVFS) mechanism that is present in almost all modern chips. DVFS modulates frequency and power in real-time to keep heat and TDP at acceptable levels, unlocking the best energy efficiency or best performance for the task running on the CPU. This is controlled by the chips' P state, which the researchers used to collect data.

By forcing one of the three DVFS variables (heat, power, or frequency) to become a constant, the researchers can then monitor the other two variables to distinguish which instructions are being executed, even with enough accuracy to determine different operands of the same command.

Ultimately, this favors other attacks, such as website fingerprinting. Additionally, by monitoring acceleration rate via JavaScript code running in a browser, the researchers used pixel-stealing attacks and history tracking with the latest versions of Chrome and Safari despite having all mitigations enabled in secondary channels.

Deja una respuesta

Tu dirección de correo electrónico no será publicada. Los campos obligatorios están marcados con *