A Bit On The Side
Bernard Foot, Strategy Analyst at Payment HSM as a Service provider MYHSM, looks at Side-Channel attacks and their relevance to HSM users.
A recent post on LinkedIn drew me to an article on The Hacker News called “Exfiltrating Data from Air-Gapped Computers Using Screen Brightness”, which discussed a technique developed at a university in Israel to extract information from an air-gapped computer (i.e. one that has no connections to the outside world) in a secure room.
This method uses malware to find secret information stored on the computer and then display it a bit at a time on the screen. It does this by modulating the brightness or colour balance of the screen; each change would last only for a screen refresh cycle and be so small as to be invisible to the human eye. However, if the computer screen is captured by a digital camera (such as a mobile phone or a security camera), the modulation can be detected.
Now, this may seem an unlikely risk to you. Somehow, that malware needs to be installed on the computer, and perhaps you search your operators for USB memory sticks or have disabled the USB ports on the computer. Perhaps you prohibit your operators from carrying mobile phones and, in compliance with security standards like PCI PIN, you have made sure that your security cameras cannot see the computer screen.
But as the article points out, this is just one of many known Side-Channel (or Non-Invasive) attack techniques on electronic data devices such as computers, payment terminals, and HSMs. These attacks do not require any modification to the device or insertion of a component (although some need the insertion of malware). The techniques include monitoring power consumption to see whether a 1 or 0 is being processed or whether an RSA key validation has failed, detecting electromagnetic emissions from microprocessors, turning a video card into a transmitter, and listening to the sound coming from fans or mechanical disk drives.
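The power-consumption point above (seeing whether a 1 or 0 is being processed) can be shown with a simplified model. This is an added example, not code from the article or from any HSM; the function names and toy values are assumptions, and the logged letters "S" and "M" stand in for the distinct power signatures of a squaring and a multiplication.

```python
# Simplified model: compare the operation sequence of two modular
# exponentiation routines. A real device leaks through measured power;
# here each squaring/multiplication is simply logged as "S"/"M".

def square_and_multiply(base, exp, mod):
    """Left-to-right binary exponentiation: multiplies only on 1 bits."""
    result, trace = 1, []
    for bit in bin(exp)[2:]:
        result = (result * result) % mod
        trace.append("S")
        if bit == "1":                      # secret-dependent extra operation
            result = (result * base) % mod
            trace.append("M")
    return result, "".join(trace)

def montgomery_ladder(base, exp, mod):
    """Same result, but exactly one multiply and one square per bit."""
    r0, r1, trace = 1, base % mod, []
    for bit in bin(exp)[2:]:
        # Model only: production code replaces this branch with a
        # constant-time conditional swap so the branch itself does not leak.
        if bit == "1":
            r0, r1 = (r0 * r1) % mod, (r1 * r1) % mod
        else:
            r0, r1 = (r0 * r0) % mod, (r0 * r1) % mod
        trace.append("MS")
    return r0, "".join(trace)

def trace_depends_on_key(func, base, mod, exponents):
    """True if exponents of equal bit length yield different operation traces."""
    return len({func(base, e, mod)[1] for e in exponents}) > 1

# Constructed toy values (not real key material): three 8-bit exponents.
MOD, BASE = 1000003, 5
EXPONENTS = [0b10000001, 0b11111111, 0b10101010]

if __name__ == "__main__":
    for e in EXPONENTS:
        print(f"{e:08b}", square_and_multiply(BASE, e, MOD)[1],
              montgomery_ladder(BASE, e, MOD)[1])
    print("square-and-multiply trace varies with key:",
          trace_depends_on_key(square_and_multiply, BASE, MOD, EXPONENTS))
    print("ladder trace varies with key:",
          trace_depends_on_key(montgomery_ladder, BASE, MOD, EXPONENTS))
```

The same trace-comparison check can be used as a regression test on an implementation's operation sequence, although it says nothing about leakage from operand values or memory access patterns.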
It all sounds far-fetched and theoretical to most of us, but these attacks constitute a real threat and have captured the attention of the standards bodies. For example, requirement A4 in version 3 of PCI’s standards for HSMs relates to this, as does the new FIPS 140-3. However, the reality is that these standards and their test requirements will always be playing catch-up – in the years that it takes for a standard to be agreed, the bad guys will have upped their game to get around the holes that the standards have plugged and will have dug new ones. The resources available to criminals are virtually unlimited, thanks to the market forces unleashed by the huge amounts of money in the payments system and the involvement of state players.
Organisations can at least reduce the risks by designing and operating data centres appropriately and keeping them up to date against the evolving threat landscape. They need to ensure that their Payment HSMs are housed in such data centres, even where the PCI approval for the HSM does not demand it. But this just adds to the difficulty and cost of having their own data centres. As a result, it increases the benefits that can be achieved by moving to a cloud-based architecture and using someone else’s data centre.
Eve Aretakis, Group President of ACI On Demand, puts it very nicely in PYMNTS 2021 Time Capsule, saying: “Risk-averse banks… are warming to the fact that the big cloud providers can spend more on security in a month than any bank could spend in a decade.”