“Side-Channel” attacks generally refer to a type of criminal cyber attacker activity that exploits vulnerabilities so that the attacker can collect and analyze “leakage” of data from a device, as a means to identify certain operations occurring within the device. While the attackers perpetrating these types of exploits remain sophisticated, certain technologies now used by attackers make such activities much easier. Entities should consider whether they could fall victim to these types of attacks, particularly for entities that must comply with HIPAA, NIST, ISO or other compliance requirements, including those observing FIPS 140-3. 

How These Attacks Work

As noted, Side-Channel attacks refer to attacks that exploit vulnerabilities related to the data “leakage” from an electronic device.  The data “leakage” may be information about acoustics, optical, cache or memory table read operations, power analysis, or other artifacts resulting from the functions of the device. 

For these purposes, think of Hollywood’s portrayal of safecracking.  In those movies, the master safe-cracker does not need to know the combination to open the safe; rather, they listen for movement within the mechanisms of the lock itself. When they hear the audible “click” of a tumbler (or more realistically, a certain “pattern” of clicks), they can deduce the combination to the lock based on acoustic “leakage” from the safe. Similarly, in Side-Channel attacks, instead of listening for tumbler clicks, the attacker might “listen” for changes in device functions.

For example, an attacker could feasibly observe small changes in power consumption or electromagnetic field analysis and use such information to make certain inferences about what the device may doing. In a more famous context, certain consumer desktop processors contained a flaw that allowed an attacker to use speculative computing data to access the contents of privileged memory (i.e., “Spectre” and “Meltdown” attacks). 

Why Side-Channel Attacks Are in the News

As noted, Side-Channel attacks are not novel. However, certain technologies are making them more viable for a determined attacker. For example, the writers of a 2020 paper used pattern recognition to break a fairly strong encryption. If attackers can obtain certain tools, they can undertake similar and more sophisticated attacks, as well. Unfortunately, most current encryption methods are not designed to resist these types of attacks.

Will this Affect Your Entity?

To date, we have not yet seen malicious “Exploitation-as-a-Service” options offered by cyber attackers, as we have seen with ransomware and other types of cyber-attacks. However, sophisticated cyber attackers may begin to leverage these tools more in the near future.  Relatedly, as these tools improve, cyber attackers may begin to offer their services to other criminals as well, to proliferate these types of attacks, including through “man-in-the-middle” attacks and those involving transmitters. 

Entities involved in essential or critical infrastructure industries (including organizations involved in communications, energy, emergency services, commercial facilities, financial services, health care and information technology) should understand these types of threats, and their vulnerability to them. For example, from a risk management perspective, organizations should identify risk to appropriately mitigate, outsource, or accept it. NIST identified “Side-Channel resistance” as one of the primary criteria by NIST for cryptography standardization. 

The renewed interest in Side-Channel attacks through machine learning and mid to long range communication technologies should serve as an early warning for organizations that have a low tolerance for cyber risk. As is common with new exploits, we expect that the most interesting applications will affect the victims of advanced persistent threats (“APTs”) first and will advance to the general stream of private industry and criminality as accessibility and profitability improve.