New Intel And AMD CPU Vulnerability Lets Hackers Steal Encryption Keys

Share post:

Researchers have discovered that microprocessors from Intel, AMD, and others have a weakness that attackers can exploit to obtain cryptographic keys and other secret data traveling via hardware.

The team discovered that dynamic voltage and frequency scaling (DVFS)—a power and thermal management feature present in every modern CPU—enables attackers to deduce the changes in power consumption by measuring the time it takes for a server to respond to certain carefully made queries. By understanding how the DVFS feature functions, power side-channel attacks become less complex timing attacks that can be performed remotely.

The researchers have named this attack Hertzbleed as it uses the insights into DVFS to bleed out data that is supposedly private. The vulnerability is tracked as CVE-2022-24436 for Intel chips and CVE-2022-23823 for AMD CPUs. The researchers have demonstrated how the exploit technique they developed can be utilized to extract an encryption key from a server running SIKE, a cryptographic algorithm used to create a secret key between two parties over an insecure communications channel.

The team of researchers said they successfully replicated their attack on Intel CPUs from the 8th to the 11th generation of the Core microarchitecture. They also claimed that this attack would work on Intel Xeon CPUs and confirmed that AMD Ryzen processors are vulnerable and also allowed the same SIKE attack used against Intel chips. The researchers also claimed that chips made by other manufacturers may also be vulnerable.

It remains unclear if Hertzbleed represents a clear threat. Hence, developers should keenly study how the findings impact the security of the cryptographic software they design. 

For more information, read the original story in Arstechnica.

Featured Tech Jobs


Related articles

Cyber Security Today, April 24, 2024 – Good news/bad news in Mandiant report, UnitedHealth admits paying a ransomware gang, and more

This episode reports on the danger of using expired open-source packages, a tool used by a Russian hacking group and passw

Google Play introduces new biometric verification with a user warning

Google has recently announced updates to the biometric verification process for Google Play purchases, aiming to bolster security...

Cyber Security Today, Week in Review for week ending Friday April 19, 2024

On this episode Jen Ellis, co-chair of the Ransomware Task Force, talks about ways of fighting one of the biggest cyber threats to IT d

Cyber Security Today, April 19, 2024 – Police bust phishing rental platform, a nine-year old virus found on Ukrainian computers, and more

This episode reports on a threat actor targeting governments in the Middle East with a novel way of hiding malware is going international

Become a member

New, Relevant Tech Stories. Our article selection is done by industry professionals. Our writers summarize them to give you the key takeaways