Clive Robinson • August 14, 2019 2:38 PM
Side channels are an issue for three basic reasons,
1, They tend to be covert, thus easy to miss during testing.
2, They tend to be very difficult to design out of a system, especially consumer products.
3, Unless the design engineers both hardware and software have a lot of experience in this area their solutions will tend to be expensive.
However a fundemental reason why they exist is “bandwidth” the more of it you have the easier it is to find ways to build and hide covert channels, over and above those that arise due to inapropriate design. One especially bad design choice for side channels is “efficiency” primarily designing for minimum time or fastest response.
As I’ve noted in the past there os the rule of thumb of “Security-v-Efficiency” in general the more efficient you make something the less secure it is.
We have power supply units that are well up in the 90% range, in part they do this in two ways. The first is to have a very low impedence high voltage source, the second is to very rapidly switch this into an energy storage component such as a capacitor or inductor with as little “Effective Series Resistance” as possible (parallel resistance can be mathmatically transformed into an equivalent series resistance).
Thus you have very high speed thus wide bandwidth pulses that are directly related to load. Such signals due to the low source impedence are easily seen as proportional to power consumption by the load circuit. Which is why the press of a key on a keyboard shows up on the power supply lines. That is the press of any key causes an interrupt which then causes the keyboard to be scanned in the X and Y directions. To try and improve efficiency many keyboard scan algorithms stop at first active wire detection in both the X and Y wires.
Thus when the Interupt occures the microcontroler wakes up or switches into interupt mode which generates the equivalent of a stat signal. It then scans for a pressed wire, which means that there is a time delay dependent on which key is pressed. Thus there is a visable power signiture related to which key is pressed. Other “regular functions” generate their own specific power signiture. In general the more efficient the power supply the clearer these signals are. Worse perhaps is the output of High Level Language Compilers, each standard library function will in effect have it’s own power signature. Thus it is possible to “reverse engineer” code via the effect the compiled functions have on the power supply, it was something I was doing back in the 1980’s and I gather that back when “old iron mainframes” running “batch jobs” had CPU cycle times below 0.5MHz “operators” would leave a Mediumwave AM radio tuned to an appropriate frequency and listen to the code executing and know roughly what it was doing by the type of noise.
Unfortunately many people designing electronic hardware these days are not realy engineers, and nor for the most part do they need to be. Component manufacturers provide “suggested circuits” that can with fairly minimal electronics knowledge be bolted together into a system. It is after all what we are seeing with IoT devices from “no name” design houses getting things built in China. Mostly these people find that their circuits function as desired but often have Electromagnetic Compatability (EMC) issues. Few of them realise that those signals causing EMC fails are “side channels” carrying away into the EM Spectrum for all to hear the secrets from within their “knock-together” designs.
One sure way to tell the design engineers are not realy engineers with any kind of security knowledge, is when they solve their EMC issues by use of “jittering / whitening” the main system clock. Whilst it might get the averaged signal inside the EMC Mask, it actually decreases system security. Because what it does is turn the the “side channel signals” into “Spread Spectrum” signals, which actually make life easier for an EM Spectrum eavesdropper…
I could go on but there are way to many people designing “security electronics” that realy realy should not be doing so…
Likewise those who write the “firmware” or “application” that runs on some OS they bought in that likrwise was not even remotely designed for security on the Power and EM domains…
Unfortunatly “security locks” especially battery powered electronic locks realy are a “snake oil peddling” paradise… You would have thought people who’s job is security would have “wised up by now” but apparently not.