A novel side-channel exploit that allows remote attackers to obtain entire cryptographic keys has been discovered. They do so by detecting changes in CPU frequency, which Dynamic Voltage and Frequency Scaling allows them to accomplish (DVFS).
A novel side-channel attack has been discovered
The Hertzbleed attack in current Intel and AMD CPUs was discovered by a group of researchers from several institutions.
The attack takes use of Intel (CVE-2022-24436) and AMD (CVE-2022-24436) weaknesses (CVE-2022-23823).
It demonstrates that power side-channel attacks on current x86 CPUs can be transformed into remote timing assaults with no need for a power measurement interface.
Furthermore, the Hertzbleed attacks demonstrated that even when cryptographic code is designed correctly as “constant time,” it may still be exposed by remote timing analysis.
For the time being, no patch?
Microcode updates to combat this new category of side-channel assaults are unlikely to be released by Intel or AMD.
This flaw, according to Intel, affects all of their chips and may be exploited remotely in high-complexity attacks without the need for human input.
Hertzbleed impacts multiple AMD devices, including desktop, mobile, Chromebook, and server CPUs based on the Zen 2 and Zen 3 microarchitectures, according to AMD.
Hertzbleed might also harm ARM processors that use the frequency scaling capability. The researchers have yet to check if their proof-of-concept code works on these processors.
Mitigation
For the time being, there is no fix for the Hertzbleed attack. AMD and Intel, on the other hand, offer advice on how developers may safeguard their programme against frequency throttling data leakage. Experts also recommend removing the frequency increase option to protect against Hertzbleed attacks.
