3 min read

'Hertzbleed' Side-Channel Attack Threatens Cryptographic Keys for Servers

A novel timing attack allows remote attackers with low privileges to infer sensitive information by observing power-throttling changes in the CPU.

A side-channel timing attack dubbed "Hertzbleed" by researchers could allow remote attackers to sniff out cryptographic keys for servers. It affects most Intel processors, as well as some chipsets from AMD and likely others.

The issue is a timing side-channel flaw (tracked as CVE-2022-24436 for Intel and CVE-2022-23823 for AMD) found in the CPU-throttling technology known as dynamic voltage and frequency scaling (DVFS). DVFS regulates power consumption and electrical current use so that a CPU doesn't overheat when processing large amounts of data, and it conserves battery power during low-activity times.

As Intel explains in guidance published this week, observing these regulation changes can allow attackers to infer sensitive information.

"CPU frequency throttling is triggered when one of these limits is reached, which results in CPU frequency," according to Intel. "This frequency change and derived behavior may be correlated with information being processed by the CPU, and it may be possible to infer parts of the information through sophisticated analysis of the frequency change behavior."

"In the worst case, these attacks can allow an attacker to extract cryptographic keys from remote servers that were previously believed to be secure," according to a technical research paper (PDF) by the team who discovered the attack, from the University of Texas at Austin, the University of Illinois Urbana-Champaign, and the University of Washington.

Hertzbleed – its name a take on the infamous "Heartbleed" timing attack from 2014 – is significant because it allows remote attacks without the need to subvert a power-measurement interface, the researchers note, thus widening the attack surface.

"Software-based power-analysis attacks can be mitigated and easily detected by blocking (or restricting [10]) access to power-measurement interfaces," according to the paper. "Up until today, such a mitigation strategy would effectively reduce the attack surface to physical power analysis, a significantly smaller threat."

Actual Threat or Not?

While the researchers acknowledge that any real-world attacks would require a high level of complexity, they demonstrated successful proofs of concept for extracting keys as remote attackers authenticated with low privileges and no user interaction requires. This makes "Hertzbleed is a real, and practical, threat to the security of cryptographic software," they say.

Intel begs to differ. 

"While this issue is interesting from a research perspective, we do not believe this attack to be practical outside of a lab environment," said Jerry Bryant, Intel's senior director of security communications and incident response, in a recent posting. "Also note that cryptographic implementations that are hardened against power side-channel attacks are not vulnerable to this issue."

However, he also explained that the issue may extend past Intel and AMD.

"CVE-2022-24436 is not architecture-specific and any modern CPU that has dynamic power and thermal management is potentially affected," he said. "Intel shared its findings with other silicon vendors so they could assess their potential impact."

Neither Intel nor AMD are issuing microcode to address the issue; instead, they recommend that developers achieve mitigation through masking and blinding techniques that would hide the timing changes from observation.