Technology security researchers are sort of like the virus scientists in every zombie movie: their work, while certainly important in a theoretical sense, seems indefinably nefarious when you get around to actually explaining it. “We poke at computers to find new ways to attack them” smacks of hubris in a “things man was not meant to wot of” kind of way. So it is with the Hertzbleed vulnerability, now making headlines all over the technology world. In short: It’s not much to worry about for most people.
Hertzbleed is a discovery of several cooperative university security research teams, published as a standalone website before an upcoming security symposium. The general idea is that it’s possible to observe the way modern CPUs dynamically adjust their core frequencies to “see” what they’re computing, allowing a program to theoretically steal cryptographic keys. This “side-channel attack” could be performed without the kind of invasive installed programs usually associated with viruses, ransomware, and other scary stuff. Potentially it could be used to steal everything from encrypted data to passwords to (of freakin’ course) cryptocurrency.
Because it uses the extremely common frequency scaling feature as a method of attack, Hertzbleed is so innocuous and effective that it’s extremely wide-reaching. It potentially affects all modern Intel processors, as well as “several” generations of AMD processors, including desktops and laptops running Zen 2 and Zen 3 chips. Theoretically it might work on more or less any CPU made in the last decade or so.
But should you worry about it? Unless you’re handling some kind of extremely valuable corporate or government data on a regular laptop or desktop, probably not. While Hertzbleed is an ingenious and effective means of stealing access data, it’s not a particularly efficient one. Observing CPU scaling in order to identify and then steal a cryptographic key could take “hours or days” according to Intel, even if the theoretical malware necessary to pull off this kind of attack could replicate the kind of sophisticated power monitoring demonstrated in the paper.
While it’s certainly possible that someone will use Hertzbleed to steal data in the future, the extremely specific targeting and technical prowess required means that the danger is reserved mostly for those who are already targets of sophisticated campaigns of attack. We’re talking government agencies, mega-corporations, and cryptocurrency exchanges, though more everyday employees of these entities might also be at risk for their access credentials.
Between the widely applicable nature of side-channel attacks and the complexity required for one to succeed, neither Intel nor AMD is issuing patches to address the physical vulnerabilities in their chips. (Patching this kind of extremely basic and universal CPU feature might, in fact, be impossible.) On Intel’s Chips & Salsa blog (get it?), Senior Director of Security Communications Jerry Bryant said, “While this issue is interesting from a research perspective, we do not believe this attack to be practical outside of a lab environment.” The nature of these kinds of attacks, if not this specific method, is already known and accounted for in some high-security environments. Bryant added, “cryptographic implementations that are hardened against power side-channel attacks are not vulnerable to this issue.”
There are a few other ways to mitigate the attack. Disabling Intel’s Turbo Boost or AMD’s Precision Boost effectively turns off frequency scaling, though it also comes with a huge hit to performance. It’s also possible to fool a potential observer by adding randomized adjustments to power scaling, or inserting “artificial noise” to cryptographic sequences. Software makers with a high need for security will undoubtedly be exploring these options in the future.
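For administrators who want to confirm whether the boost mitigation described above is actually in effect on a Linux host, the following is an added example, not code from Intel, AMD or the Hertzbleed researchers. It reads the kernel's cpufreq sysfs files; the function name and the optional root-directory argument (used to point the check at a constructed test tree) are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: report whether CPU frequency boost is disabled on Linux.
# Kernel cpufreq sysfs files read here:
#   intel_pstate/no_turbo : 1 = Turbo Boost off, 0 = on (intel_pstate driver)
#   cpufreq/boost         : 0 = boost off, 1 = on (e.g. acpi-cpufreq driver)
# boost_state and its ROOT argument are hypothetical names for this example;
# ROOT lets the check run against a constructed directory tree.

boost_state() {
    root="${1:-}"
    cpu="$root/sys/devices/system/cpu"

    if [ -r "$cpu/intel_pstate/no_turbo" ]; then
        # Note the inverted sense: this file says "no turbo".
        case "$(cat "$cpu/intel_pstate/no_turbo")" in
            1) echo disabled ;;
            0) echo enabled ;;
            *) echo unknown ;;
        esac
    elif [ -r "$cpu/cpufreq/boost" ]; then
        case "$(cat "$cpu/cpufreq/boost")" in
            0) echo disabled ;;
            1) echo enabled ;;
            *) echo unknown ;;
        esac
    else
        # Neither file present: different driver, a VM, or not Linux.
        echo unknown
    fi
}

# Report the state of the machine this script runs on.
echo "frequency boost: $(boost_state)"
```

A result of "unknown" means neither file was readable, which is common inside virtual machines where the guest does not control frequency scaling; check the firmware or hypervisor settings in that case.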
But the actual danger to the average end-user for the moment is pretty near zero. As a newly-discovered attack vector it’s almost certain that Hertzbleed isn’t being used in the wild yet, and when it does pop up, your average consumer running Windows or macOS simply won’t be the most effective target.