Researchers have recently outlined a new vulnerability that affects processor chips – and it’s called Hertzbleed. When used to carry out a cyber security attack, this vulnerability can help the attacker steal secret cryptographic keys.
The scale of vulnerability is somewhat staggering: According to the researchers, most Intel and AMD CPUs could be affected. Should we care about Hertzbleed?
The new vulnerability was first discovered and described by a team of Intel researchers as part of its internal research. Later, independent researchers from UIUC, UW, and UT Austin also contacted Intel with similar findings. According to their findings, Hertzbleed could affect most CPUs. The two processor giants, Intel and AMD, have both acknowledged the vulnerability, and Intel confirms that it is influencing. all of its CPUs.
Intel released a safety advice which provides guidance to cryptographic developers on how to strengthen their software and libraries against Hertzbleed. So far, AMD has not released anything like this.
Hertzbleed is a chip vulnerability that allows side-channel attacks. These attacks can then be used to steal data from your computer. This is done by tracking the processor’s power and acceleration mechanisms and observing the power signature of a cipher workload, such as cipher keys. The term “cryptographic keys” refers to a piece of information that is securely stored in a file that can only be encrypted and decrypted by an encryption algorithm.
In short, Hertzbleed is capable of stealing secure data that usually remains encrypted. By observing the powerful information generated by your CPU, the attacker can convert that information to time data, which opens the door for them to steal cryptocurrencies. What may be more critical is that Hertzbleed does not require physical access – it can be exploited remotely.
It is quite likely that modern processors from other vendors are also exposed to this vulnerability, because as outlined by the researchers, Hertzbleed tracks the powerful algorithms behind the Dynamic Voltage Frequency Scaling (DVFS) technique. DVFS is used in most modern processors, and thus, other manufacturers such as ARM are likely to be affected. Although the research team informed them of Hertzbleed, they have yet to confirm whether their chips are exposed.
Putting it all together certainly makes for a critical picture, because Hertzbleed affects such a large number of users and so far, there is no quick fix to be safe against it. However, Intel is here to calm your mind about this account – it is very unlikely that you will be the victim of Hertzbleed, even though you are probably exposed to it.
According to Intel, it takes anywhere from several hours to several days to steal a cipher key. If someone still wants to try, they may not even be able to, as it requires high-resolution high-power monitoring capabilities that are difficult to reproduce outside of the laboratory environment. Most hackers would not bother Hertzbleed when many other vulnerabilities are discovered so often.
As mentioned above, you are probably safe even without doing anything in particular. If Hertzbleed is exploited, it is unlikely that regular users will be affected. However, if you want to play it safer, there are a few steps you can take – but they are priced severely.
Intel has detailed a few mitigation methods to be used against Hertzbleed. The company does not seem to plan to deploy any firmware updates, and the same can be said about AMD. According to Intel’s guidelines, there are two ways to be fully protected against Hertzbleed, and one of them is very easy to do – you just need to disable Turbo Boost on Intel processors and Precision Boost on AMD CPUs. In both cases, this will require a trip to the BIOS and disable acceleration mode. Unfortunately, this is really bad for your processor performance.
The other methods listed by Intel will either only result in partial protection or are very difficult, if not impossible, for regular users to apply. If you don’t want to tweak the BIOS for this and sacrifice your CPU performance, you probably shouldn’t. However, keep your eyes open and be sharp – cybersecurity attacks happen all the time, so it’s always good to be extra careful. If you are technical, check the full paper Hertzbleedfirst spotted by Tom’s Hardware.