To get to his office, Jun Han has to walk down a long windowless corridor. There are office rooms on either side, but the doors are often closed, making the whole thing “quite hollow.” One day, as Han was unlocking his door and his key made a droop sound when it entered the lock, a thought crossed his mind: “Wow, this is really loud.”
Because every key has distinct ridges (the bumps on the long edge that allow it to align precisely with the inside of a matching lock), it makes a characteristic sound — called a click pattern — when inserted. Could someone eavesdrop on this click pattern, duplicate his key, and break into his office, Han wondered.
Attacks of this nature are called side channel attacks — those that exploit a system by reading the signals it inadvertently reveals so as to extract information and pry out its secrets. “They exploit certain properties of a system that was not designed to leak information,” says Han, an assistant professor at NUS Computing, who studies how sensing systems and security are interlinked.
“Side channel attacks are dangerous because they’re attacking you where you don’t expect it. Most people don’t pay attention to these parts of the system, because they are usually designed for a different purpose,” adds Han’s colleague, Professor Mun Choon Chan and deputy head of NUS Computing. “But it turns out that there is a lot of information available and this can turn into a security risk.”
Unwitting sources of information are manifold — the click-clacking of a keyboard or tones of an ATM cash machine keypad (which can reveal your passwords); patterns of encrypted data sent to a web browser (what Netflix or YouTube videos you’re watching); and even the vibrations of a hanging lightbulb in a room (what conversations you’re having).
Studying side channel attacks and how perpetrators might carry them out is important because it allows us to figure out safeguards against them, says Han.
Breaking and Entering
The lock and key scenario is one type of side channel attack Han and his team at the Sensing, Embedded, and Network Security Group (SENSG), the NUS lab he heads, is studying.
Previously, a burglar wanting to pick a lock would require physical access to it, which naturally increased his chances of getting caught. A slightly more sophisticated burglar might take a picture of the desired key and try to replicate it. The image, however, has to be crystal-clear and high-resolution, with the key placed at a specific angle — prerequisites that aren’t always easy to meet.
But Han, struck by inspiration in the corridor, thought audio could be a great asset. “When a person inserts a physical key into a door lock, it makes a sound that is inherent to the design of the physical locks and keys,” he explains. “If you record this sound, then the attacker can infer information about the key and reconstruct it using 3D printing.”
Combine this with a video of the victim using the key and you get something that “constructively complements each other to get further information,” says Han. He and his team, together with collaborators Assistant Professors Anindya Maiti at the University of Oklahoma and Murtuza Jadliwala at the University of Texas at San Antonio in the U.S., named this stealthy offline attack Keynergy.
“No one else has ever thought to look at sound before,” he says.
To test the effectiveness of the Keynergy attack, Han’s team built a fake wooden door, complete with a pin tumbler lock (the main type of lock found in homes and offices today). In experiments spanning the course of three months, they tested 75 keys, performing more than 3,600 insertions and recording their accompanying click patterns.
“We tested it with different people inserting the keys, with different microphones — smartphone ones and those satellite parabolic microphones used for spying — at varying distances from the lock,” says Han. “Although each of these parameters changed the results, we found that the trend still remains.”
The trend he refers to is this: Keynergy significantly reduces the overall keyspace required. Or in other words, the number of possible keys a burglar needs to try to make before obtaining the correct one is now much smaller.
“Without our attack, it’s like a one in 75,000 chance, a very large number” says Han. But with Keynergy, that figure is reduced by roughly 75% using acoustics alone. Combine that with video information and that number drops to 10 for 8% of total keys tested.
“What we were able to do is to allow the attacker to have high-level granularity information,” he says.
Homing in on a target
The second type of side channel attack Han studied is those involving the latest telecom networks. The work was initiated by his collaborator Professor Min Suk Kang from the Korea Advanced Institute of Science and Technology (KAIST).
“We wanted to see if there were any potential vulnerabilities in 5G networks and also in existing LTE systems,” says Han.
5G, which is already available in more than 60 countries, promises a new era of mobile technology: full-length movies that download in roughly 15 seconds, zero lag time during video calls, no pesky issues connecting to the network in a crowded stadium, augmented reality that is ubiquitous, fleets of well-supported autonomous vehicles and robots, and so on.
A feature that makes this possible is called carrier aggregation. Traditionally, cellular network users are served by a single base station (the primary cell). But carrier aggregation allows users to connect to one or more additional base stations (secondary cells) in order to achieve higher data rates.
“Think of the network as a road with many different lanes,” says Chan. “You use one lane but during congestion, you can use multiple lanes to support more traffic. It’s the same with 5G — you have more lanes, so you can send and receive more data.”
Because of this, people are increasingly streaming music and movies on the go, leading to the new catchphrase ‘Netflix and Stroll’. But herein lies a security risk: attackers can exploit carrier aggregation and figure out a target’s location.
Chan, Han, and their team have now proven such an attack — which they call SLIC (short for Stealthy Location Identification attack exploiting Carrier Aggregation) — is possible.
“It turns out that as you are utilising the full bandwidth of your wireless network, the transmission of data between your phone and the base station allows someone who is studying the network traffic to notice variations along a certain route,” says Han.
As a person walks from point A to B, the cellular frequency he experiences varies due to the buildings and infrastructure around him (“Those things really affect the dynamics of wireless networks,” says Han.) This changing frequency creates a unique ‘path fingerprint’ for each route taken. An attacker can map out these path fingerprints beforehand, then use them as a basis for comparison when the victim is en route.
To test the accuracy of SLIC, the researchers got volunteers to walk along 100 paths in a large office building. The paths, which each averaged 56 metres, were situated in different environments (corridors, staircases, open spaces, and shared floors). Various phone models were also tested.
Despite the varying parameters, SLIC demonstrated an overall accuracy of up to 98.4% in identifying the target’s path. Additionally, the method does not require the attacker to install any special malware on the victim’s phone.
Next up, the researchers hope to study faster-moving mobile phone users, such as those in cars. Apart from location identification, they are also interested in finding out how you can exploit side channels to determine what video someone is streaming. “This could be useful for the police who might want to identify if someone is watching video content that’s related to terror, for example,” says Han.
For now, his research on lock-and-key side channel attacks and those using cellular networks has been published. His students will be presenting them at the upcoming USENIX Security 2021 conference, which will be held in August.