
1) What type of information is leaked through side-channel signals from a laptop? List all types where possible. (i.e. keyboard input? the application used on the computer, like google chrome?)

2) What tools/devices are used to pick up the side channel signal from a laptop? (i.e. Can an attacker use his laptop or his smartphone to pick up side-channel signals?)

3) Does the information leaked through the side channel signal only involve the activities that are currently in use on the laptop, or does it involve data that is not currently in use? (example: can something that you typed on the laptop 1 month ago be leaked through a side-channel signal although it is not in use?)

4) How revealing can a side-channel signal be, in terms of an example: if I type a confidential document consisting of 10 pages with 1000 words, how many words can be leaked through the side-channel signal? Can I have a rough estimate like 20%, 50%, 80% etc.?

5) How easy or reliable is it to pick up a side channel signal from a laptop? How long does it take to analyze the information from a side-channel signal?

6) What is the typical distance/range at which a side-channel signal can be picked up? i.e. how many kilometers? Can it be picked up through a wall although it is a weak signal?

Extra question: can you find out what information is being typed in the scientific calculator using a side-channel attack?

schroeder
uzone
    This is very broad - you might get better answers by asking specific individual questions. In general though, anything that is on the screen, typed in, or sent via the network could be picked up by an attacker who is sufficiently determined. – Matthew Jan 19 '16 at 11:12
  • Look up the PITA side-channel attack on older GnuPG versions. There's plenty of methods, although not all practical. – Natanael Jan 19 '16 at 19:21

2 Answers

I know this is a bit old, but in case other people are curious about these answers I thought I would post. I have performed side channel testing professionally for PCI-PTS compliance.

1) Virtually anything can be obtained from a side channel attack. It is really just monitoring EM emission from a CPU or a long wire.

2) A simple EM probe is typical, but monitoring power to a CPU can be used as well. A typical cell phone/laptop does not have the hardware to perform a side channel.

3) Side channel only involves data currently in use. When the CPU is operating on a key, for example, it emits small amounts of EM radiation. Used enough times (~30k), you can begin to do statistical analysis to start to uncover the information.

4) This is entirely dependent on the signal-to-noise ratio of the EM/power. I have personally tested about a dozen CPUs professionally and I would commonly start to see leakage around 30k, and by 100k uses, I would be able to derive an entire AES-128 key.

5) The EM probe needs to be within a few centimeters of the wire or CPU, or the SNR drops off too fast to be feasible. It would commonly take anywhere from 1 day to 1 week to obtain enough data from the machine, and about 2-20 hours of analysis.

6) It needs to be within a few cm for a probe. If using power, we typically had to be on the downstream side of a good power supply to pick up any leakage, meaning between the power supply and the CPU.

noone392
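Points 3 and 4 of the answer above say that leakage is invisible in any single measurement and only emerges after statistical analysis over tens of thousands of uses, with the count governed by the signal-to-noise ratio. The following is an added illustration of how a certification-style evaluator decides whether a device "leaks" at all; it is not the answerer's test harness or any lab's tooling. It simulates constructed trace samples with a Hamming-weight leakage model (one sample point at the moment the CPU XORs a plaintext byte with a key byte) plus Gaussian noise, then runs the fixed-vs-random Welch t-test (the TVLA leakage assessment), using the conventional |t| > 4.5 threshold. The key byte, fixed plaintext, noise level and trace counts are all assumptions chosen for the simulation.

```python
"""Fixed-vs-random Welch t-test (TVLA-style leakage assessment) on constructed,
simulated side-channel traces. Added example; not code from the page's authors."""
import math
import random
import statistics

T_THRESHOLD = 4.5       # conventional TVLA pass/fail threshold on |t|
KEY_BYTE = 0xF7         # assumed secret key byte (Hamming weight 7)
FIXED_PLAINTEXT = 0x00  # assumed plaintext reused by the "fixed" trace set


def hamming_weight(x: int) -> int:
    """Number of set bits in a byte; the classic CMOS power/EM leakage model."""
    return bin(x & 0xFF).count("1")


def trace_sample(plaintext_byte: int, key_byte: int, noise_sigma: float,
                 rng: random.Random, leaky: bool = True) -> float:
    """One constructed sample point of an EM/power trace taken while the CPU
    processes plaintext XOR key (e.g. AES AddRoundKey). With leaky=False the
    sample carries no data dependence at all, modelling a device that does
    not leak at this point (only the constant mean plus noise remains)."""
    signal = hamming_weight(plaintext_byte ^ key_byte) if leaky else 4.0
    return signal + rng.gauss(0.0, noise_sigma)


def collect(n: int, noise_sigma: float, rng: random.Random,
            leaky: bool = True):
    """Collect n samples for the fixed-plaintext set and n for random plaintexts."""
    fixed = [trace_sample(FIXED_PLAINTEXT, KEY_BYTE, noise_sigma, rng, leaky)
             for _ in range(n)]
    rand = [trace_sample(rng.randrange(256), KEY_BYTE, noise_sigma, rng, leaky)
            for _ in range(n)]
    return fixed, rand


def welch_t(a, b) -> float:
    """Welch's t-statistic: mean difference scaled by the pooled standard error.
    Grows roughly with sqrt(n) when a genuine leak is present."""
    ma, mb = statistics.fmean(a), statistics.fmean(b)
    va, vb = statistics.variance(a), statistics.variance(b)
    return (ma - mb) / math.sqrt(va / len(a) + vb / len(b))


def leakage_detected(n_traces: int, noise_sigma: float = 12.0,
                     leaky: bool = True, seed: int = 1):
    """Return (detected, t) for a simulated assessment with n_traces per set.
    noise_sigma=12 is an assumed, deliberately poor SNR, so the leak only
    clears the threshold once thousands of traces have been averaged."""
    rng = random.Random(seed)
    fixed, rand = collect(n_traces, noise_sigma, rng, leaky)
    t = welch_t(fixed, rand)
    return abs(t) > T_THRESHOLD, t


if __name__ == "__main__":
    for n in (40, 400, 4000):
        detected, t = leakage_detected(n)
        print(f"leaky device, {n:>5} traces/set: t = {t:6.2f}  leak={detected}")
    detected, t = leakage_detected(4000, leaky=False)
    print(f"non-leaky device, 4000 traces/set: t = {t:6.2f}  leak={detected}")
```

With a few dozen traces the statistic sits inside the noise band and the evaluator cannot tell the device from a silent one; with thousands it crosses the threshold decisively, which is the same effect the answer reports at 30k to 100k real-world uses where the SNR is far worse than in this simulation. The non-leaky run shows the test's other half: a device whose emissions carry no data dependence stays below 4.5 no matter how many traces are averaged, which is what a successful countermeasure (masking, constant-time operation, filtering on the supply rail) should look like under the same test.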

Although I'm not that professional in this area, I think I could help you a bit.

1) Usually hardware-based information such as keyboard, IoT devices, computer screen etc. It is done by observing power consumption, EM signals, temperature, timing and so on. It would be hard to achieve the application used on the computer since there are no clues emitted from the use.

2) EM probe, signal generator, oscilloscope and signal analyzer.

3) Since it observes changes that occur during the use of the device, it has to be the current events.

4) It really depends on the performance of devices. Expensive and state of the art devices offer faster and nicer data (which means more sensitive and have many setting options) while cheap and old devices perform worse. Also, the noise (unwanted and disturbing analyzing data) must be taken into account in order to get clean data.

5) It depends on experiment set up but it is well described on the above answer.

6) The range can vary. For example, if you use an antenna to send / receive signals, the range can be extended tremendously. When I played with a side channel attack, I used to collect a radio signal from a broadcast channel by using an antenna.

Noe