A new side-channel attack known as Hertzbleed allows remote attackers to steal full cryptographic keys by observing variations in CPU frequency enabled by dynamic voltage and frequency scaling (DVFS).
This is possible because, on modern Intel (CVE-2022-24436) and AMD (CVE-2022-23823) x86 processors, the dynamic frequency scaling depends on the power consumption and the data being processed.
DVFS is a power management throttling feature used by modern CPUs to ensure that the system doesn’t go over thermal and power limits during high loads, as well as to reduce overall power consumption during low CPU loads.
Hertzbleed was disclosed by a team of researchers from the University of Texas at Austin, the University of Illinois Urbana-Champaign, and the University of Washington.
“In the worst case, these attacks can allow an attacker to extract cryptographic keys from remote servers that were previously believed to be secure. [..] Hertzbleed is a real, and practical, threat to the security of cryptographic software,” the security researchers explain.
“First, Hertzbleed shows that on modern x86 CPUs, power side-channel attacks can be turned into (even remote!) timing attacks—lifting the need for any power measurement interface.
“Second, Hertzbleed shows that, even when implemented correctly as constant time, cryptographic code can still leak via remote timing analysis.”
We found a way to mount *remote timing* attacks on *constant-time* cryptographic code running on modern x86 processors. How is that possible? With #hertzbleed! Here is how it works (with @YingchenWang96). https://t.co/SRUgBRQpu2
—Riccardo Paccagnella (@ricpacca) June 14, 2022
Intel and AMD are not planning to release patches
Intel says this weakness affects all its processors and can be exploited remotely in high-complexity attacks that don’t require user interaction by threat actors with low privileges.
AMD also revealed that Hertzbleed affects several of its products, including desktop, mobile, Chromebook, and server CPUs using the Zen 2 and Zen 3 microarchitectures.
Processors from other vendors such as ARM that also use the frequency scaling feature might also be affected by Hertzbleed, but the researchers are yet to confirm if their proof-of-concept code also applies to these CPUs.
According to the research team behind Hertzbleed, Intel and AMD have no plans to release microcode patches to address this new family of side-channel attacks described as frequency side channels.
“While this issue is interesting from a research perspective, we do not believe this attack to be practical outside of a lab environment,” Intel’s Senior Director of Security Communications and Incident Response Jerry Bryant said.
However, both vendors provide guidance [1, 2] on how developers can harden their software against frequency throttling information disclosure.
Per AMD’s guidance, developers can use masking, hiding, or key-rotation to mitigate power analysis-based side-channel leakages in Hertzbleed attacks.
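To make the masking option concrete, here is a first-order Boolean masking sketch, added as an illustration and not taken from AMD's, Intel's or the researchers' material. It assumes the leak tracks the Hamming weight of the values being processed, and every name in it (`masked_t`, `mask`, `mean_share_hw`, the xorshift stand-in generator) is hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Stand-in generator so the example is reproducible; real code must draw
   masks from a CSPRNG (e.g. getrandom()). */
static uint32_t rng_state = 0x9E3779B9u;
static uint32_t next_mask(void) {
    rng_state ^= rng_state << 13;
    rng_state ^= rng_state >> 17;
    rng_state ^= rng_state << 5;
    return rng_state;
}

typedef struct { uint32_t s0, s1; } masked_t;   /* secret == s0 ^ s1 */

static masked_t mask(uint32_t secret) {
    uint32_t r = next_mask();
    return (masked_t){ secret ^ r, r };
}

/* Linear operations are applied share by share; the secret is never formed. */
static masked_t masked_xor_const(masked_t a, uint32_t c) { a.s0 ^= c; return a; }
static masked_t masked_rotl(masked_t a, unsigned n) {   /* n must be 1..31 */
    a.s0 = (a.s0 << n) | (a.s0 >> (32 - n));
    a.s1 = (a.s1 << n) | (a.s1 >> (32 - n));
    return a;
}
static masked_t remask(masked_t a) { uint32_t r = next_mask(); a.s0 ^= r; a.s1 ^= r; return a; }
static uint32_t unmask(masked_t a) { return a.s0 ^ a.s1; }

static unsigned hw(uint32_t x) { unsigned n = 0; while (x) { x &= x - 1; n++; } return n; }

/* Mean Hamming weight of the first share over `trials` fresh maskings. */
static double mean_share_hw(uint32_t secret, unsigned trials) {
    unsigned long total = 0;
    for (unsigned i = 0; i < trials; i++) total += hw(mask(secret).s0);
    return (double)total / trials;
}

int main(void) {
    masked_t k = masked_rotl(masked_xor_const(mask(0x12345678u), 0x0F0F0F0Fu), 8);
    printf("recombined result: %08x\n", unmask(remask(k)));
    printf("mean share HW, secret=0x00000000: %.2f\n", mean_share_hw(0u, 100000));
    printf("mean share HW, secret=0xFFFFFFFF: %.2f\n", mean_share_hw(0xFFFFFFFFu, 100000));
    return 0;
}
```

Unmasked, the two secrets have Hamming weights 0 and 32; masked, both shares average about 16, so the data the CPU actually handles no longer tracks the key. Non-linear operations need dedicated masked gadgets, which this sketch does not cover.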
The researchers also say that disabling the frequency boost feature can mitigate Hertzbleed attacks in most cases. The frequency boost feature is named “Turbo Boost” on Intel and “Turbo Core” or “Precision Boost” on AMD CPUs.
Even though disabling frequency boost may prevent information leakage via Hertzbleed, the security researchers don’t recommend this approach since “it will very significantly impact performance.”
However, according to Intel, the attack can occur regardless of whether the Turbo Boost feature is enabled, and the company has shared alternate guidance.
“The throttling side-channel (Hertzbleed) is caused by throttling when system power/current hits certain reactive limit, regardless of whether turbo boost is enabled or not,” Intel said in a statement shared with BleepingComputer.
“Please refer to Intel’s recommended software guidance for cryptographic implementations to address this issue.”
The “Hertzbleed: Turning Power Side-Channel Attacks Into Remote Timing Attacks on x86” paper will be presented during the 31st USENIX Security Symposium (Boston, 10–12 August 2022), and a preprint version is available here [PDF].