Cyber Security

New Hertzbleed Side-Channel Attack Affects All Modern AMD and Intel CPUs

A newly discovered security vulnerability in modern Intel and AMD processors could let remote attackers steal encryption keys via a power side channel attack.

Dubbed Hertzbleed by a group of researchers from the University of Texas, University of Illinois Urbana-Champaign, and the University of Washington, the issue is rooted in dynamic voltage and frequency scaling (DVFS), power and thermal management feature employed to conserve power and reduce the amount of heat generated by a chip.

“The cause is that, under certain circumstances, periodic CPU frequency adjustments depend on the current CPU power consumption, and these adjustments directly translate to execution time differences (as 1 hertz = 1 cycle per second),” the researchers said.


This can have significant security implications on cryptographic libraries even when implemented correctly as constant-time code to prevent timing-based side channels, effectively enabling an attacker to leverage the execution time variations to extract sensitive information such as cryptographic keys.

Both AMD (CVE-2022-23823) and Intel (CVE-2022-24436) have issued independent advisories in response to the findings, with the latter noting that all Intel processors are affected by Hertzbleed. No patches have been made available.

“As the vulnerability impacts a cryptographic algorithm having power analysis-based side channel leakages, developers can apply countermeasures on the software code of the algorithm. Either masking, hiding, or key-rotation may be used to mitigate the attack,” AMD stated.

While no patches have been made available to address the weakness, Intel has recommended cryptographic developers follow its guidance to harden their libraries and applications against frequency throttling information disclosure.

This is not the first time novel methods have been uncovered to siphon data from Intel processors. In March 2021, two co-authors of Hertzbleed demonstrated an “on-chip, cross-core” side-channel attack targeting the ring interconnect used in Intel Coffee Lake and Skylake processors.

“The takeaway is that current cryptographic engineering practices for how to write constant-time code are no longer sufficient to guarantee constant time execution of software on modern, variable-frequency processors,” the researchers concluded.

Products You May Like

Articles You May Like

HP Omen 16 (2022), Omen 17 (2022), Victus 15 (2022), Victus 16 (2022) Gaming Laptops Launched in India
New ToddyCat Hacker Group on Experts’ Radar After Targeting MS Exchange Servers
DDA Approves Proposal to Set Up Eco Park for E-Waste Management in Narela
WhatsApp Partners With RazorpayX to Power Seamless Cashback Transactions via UPI
Google Researchers Detail 5-Year-Old Apple Safari Vulnerability Exploited in the Wild

Leave a Reply

Your email address will not be published.