Side channel attacks

by Simon Biles
Founder of Thinking Security Ltd., an Information Security and Risk Management consultancy firm based near Oxford in the UK

Forensics is all about evidence, but the trick is knowing where to find it! Locard’s exchange principle effectively states that whenever a criminal comes into contact with his environment, a cross-transfer of evidence occurs (Edmund Locard, 1877–1966, was the founder and director of the Institute of Criminalistics at the University of Lyons in France). This is generally true in computing: there is evidence on both sides of any network connection, client and server, and certainly in any action involving the creation of documents or the viewing of images (I’ve just had the fun of spending a week at Cranfield doing the Network Forensics course – so I know this to be true!). However, what if it was possible for a crime to take place on a network with evidence only being present on one side of the equation? [At this point, the reader may be pointing at bootable CD distributions and the like. However, the evidence in these cases is still created, it is just more fleeting – if you could do a live capture on the machine, you’d still obtain evidence.]

How can this be possible? Well, let’s take the most well known example of a side channel attack – TEMPEST. Contrary to popular belief, TEMPEST doesn’t actually stand for _anything_ (although there are countless suggestions of what it does stand for!); it is simply a codename relating to the prevention and detection of radio frequency emissions from computer systems. The actual UK Government documentation on the matter is protectively marked, and possession of equipment capable of detecting TEMPEST emissions is an offence in its own right, much as going about equipped for burglary is! However, there is so much independent work out there on the internet that you can quite easily construct your own – please note: you’ve been warned! (For those of you who fearlessly seek knowledge – have a look at the following – http://www.erikyyy.de/tempest/ – this doesn’t mean you need anything other than a radio.) TEMPEST also crops up in “Cryptonomicon” by Neal Stephenson, a book that I rather enjoyed, but then again, I’m not a literary critic so I wouldn’t count that as necessarily a great recommendation – this was in fact the first time that I’d heard of it and yet another thing that made my career choice more of a foregone conclusion. I digress though, back to TEMPEST – and the principles behind it.

So here we go – an introduction to Physics … (I know that there are a bunch of radio frequency engineers on the forum, so feel free to jump in the discussion on this and correct me!) Basically, as a current moves through a wire, it acts like an aerial pumping out radio waves around it. A computer is a lot of wires, with a lot of electricity flowing around it throwing out a lot of radio frequency emanations. Given the right receiving equipment these radio waves can be collected and turned back into information. (To be honest, the biggest emitter used to be the old CRT tubes – which shunt out so much radio traffic you can’t pick up the BBC standing next to them! Although CPUs and other internal components do shunt out RF, it is much more limited and harder to work with.) This is a universal problem with all computers to a greater or lesser extent – and if you want to deal with it you are left either with ye olde Faraday cage (http://en.wikipedia.org/wiki/Faraday_cage) or six inches of lead.

That, however, is probably not news to a lot of you. How’s about these other side channel attacks though? The sounds that can be recorded from a printer (dot-matrix works best) [http://www.usenix.org/events/sec10/tech/full_papers/Backes.pdf]? The sounds of a keyboard [http://personal.ie.cuhk.edu.hk/~kwwei/FYP/keyboard_acoustic_attack/Eric_Thesis2_final.pdf]? Screen reflections (in a _wide_ variety of objects) [http://www.infsec.cs.uni-saarland.de/projects/reflections/]? And, my own personal favourite, das blinkenlights [http://en.wikipedia.org/wiki/Blinkenlights]. Sadly, much as I searched, I couldn’t find a reference to this one. However, to quickly summarise, it seems that in many systems the lights indicating activity are, somewhat unsurprisingly, coordinated with the movement or writing of data in such a way that watching the lights flashing on and off allows for the reconstruction of the data being written.
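A toy model of the indicator-light leak just described, added here as an illustration and not taken from the original article: an LED wired straight to a serial data line reproduces every bit, while the same LED behind a pulse stretcher shows only that traffic is flowing. The pulse stretcher is a countermeasure assumed for this example, not one the article names; the 8N1 framing, the function names and the sample bytes are likewise assumptions.

```python
# Added illustration, not from the article. Toy model: an activity LED on a
# serial line, with and without a pulse stretcher. All names are hypothetical.

SECRET = b"constructed sample"  # constructed test data, contains no NUL bytes

def line_activity(data: bytes) -> list[int]:
    """LED state per bit period when the LED follows the data line directly.
    Assumed 8N1 framing: start bit lit, data bits LSB first (0 bit = lit),
    stop bit dark."""
    led = []
    for byte in data:
        led.append(1)                                    # start bit
        led.extend(1 - ((byte >> k) & 1) for k in range(8))
        led.append(0)                                    # stop bit
    return led

def stretch(led: list[int], hold: int) -> list[int]:
    """Pulse stretcher: any activity keeps the LED lit for `hold` periods."""
    out, remaining = [], 0
    for sample in led:
        if sample:
            remaining = hold
        out.append(1 if remaining > 0 else 0)
        remaining = max(0, remaining - 1)
    return out

def decode_led(led: list[int]) -> bytes:
    """What an observer sampling the LED once per bit period reconstructs."""
    out, i = bytearray(), 0
    while i + 10 <= len(led):
        if led[i]:                                       # looks like a start bit
            out.append(sum((1 - led[i + 1 + k]) << k for k in range(8)))
            i += 10
        else:
            i += 1
    return bytes(out)

def recovered_fraction(secret: bytes, led: list[int]) -> float:
    """Share of the original bytes the observer gets right, by position."""
    got = decode_led(led)
    return sum(a == b for a, b in zip(secret, got)) / len(secret)

if __name__ == "__main__":
    direct = line_activity(SECRET)
    print("direct LED:   ", recovered_fraction(SECRET, direct))
    print("stretched LED:", recovered_fraction(SECRET, stretch(direct, hold=20)))
```

With a hold time longer than one frame, the stretched LED stays lit for the whole transfer, so the observer learns when data moved but not what it was.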

In all of the above cases though, there is no indication that the originating, emanating machine has been compromised in any way – these are forensically clean scenarios. And as we move forward, with the prevalence of wireless networks of many types (3G, Bluetooth, Wi-Fi) these kinds of sniffing and snooping attacks could well be a great source for credit-card numbers, login details and the like – with no evidence on the source machine. At the same time, the issues presented to security professionals are becoming more complex too, particularly as mobile devices are used everywhere for everything these days (a good lens on a digital camera can easily pull a reflection or a direct image from a significant distance, for example). User education becomes more and more of an issue just to get people to be sensible with their data given the potential risks.



So, as a parting shot, I want all of you to think the next time you are typing in your password how well you are protected against these attacks – is your screen visible through the window, is there a big mirror behind you and are you needlessly broadcasting more information than you need to be? Be careful, there might be someone watching or listening …


Simon Biles is one of the founders of Thinking Security Ltd., an Information Security and Risk Management consultancy firm based near Oxford in the UK. He has worked on security projects for commercial, charity and government organizations for over 10 years. Simon is studying Forensic Computing at Cranfield University, although very slowly because of work commitments! He posts on the forum as Azrael and you can read an interview with him here.
