Hertzbleed Winkles Secret Keys out of Modern CPUs, But Microcode Fixes Aren't on the Roadmap

Taking its name from Heartbleed and its side-channel lineage from Spectre, Hertzbleed is a practical timing attack that works against remote servers running popular processors.

Gareth Halfacree
Posted 2 years ago in Security / HW101

Researchers from the University of Texas at Austin, the University of Illinois Urbana-Champaign, and the University of Washington have outlined a new family of side-channel attacks, dubbed Hertzbleed, which they say allows cryptographic keys to be extracted entirely remotely, by timing alone, from servers running code that was previously considered safe against timing attacks.

"Hertzbleed is a real, and practical, threat to the security of cryptographic software," the researchers claim. "We have demonstrated how a clever attacker can use a novel chosen-ciphertext attack against SIKE [Supersingular Isogeny Key Encapsulation, a post-quantum key-encapsulation scheme studied for about a decade and, at the time, a candidate in NIST's post-quantum standardization process] to perform full key extraction via remote timing, despite SIKE being implemented as 'constant time'."

SIKE itself was broken outright shortly afterwards by a classical key-recovery attack (Castryck and Decru, July 2022) that has nothing to do with Hertzbleed; the side channel described here applies to any code whose power draw depends on secret data, which is why the researchers frame it as a threat to cryptographic software in general.

Side-channel attacks gained mainstream notoriety with Spectre; Heartbleed, an OpenSSL memory-disclosure bug rather than a side channel, lent only its name to this latest vulnerability. By monitoring aspects of the system that are not secured, the researchers found, it is possible to infer the contents of parts which are. The task is made easier by features added to modern processors to boost performance, whose side effects leak information: speculative execution in Spectre's case, dynamic frequency scaling here.

Hertzbleed, like Spectre before it, targets modern processors, in this case x86 chips from Intel and AMD with dynamic frequency scaling, which lowers the clock during idle periods to reduce power draw and raises it under heavier load to improve performance. Because the frequency the chip settles at depends on how much power the running code draws, and power draw depends on the data being processed, the data leaks into wall-clock time. "This means that, on modern processors, the same program can run at a different CPU frequency (and therefore take a different wall time) when computing, for example, 2022 + 23823 compared to 2022 + 24436," the researchers explain.

"Hertzbleed shows that on modern x86 CPUs, power side-channel attacks can be turned into (even remote!) timing attacks — lifting the need for any power measurement interface. The cause is that, under certain circumstances, periodic CPU frequency adjustments depend on the current CPU power consumption, and these adjustments directly translate to execution time differences (as 1 hertz = 1 cycle per second)."
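The mechanism the researchers describe above can be observed directly with a microbenchmark. The following is an added example, not code from the Hertzbleed paper or its repository: it runs the same multiply loop with operands of Hamming weight 1 and Hamming weight 64 and compares wall time. The instruction stream is identical in both runs, so any persistent difference comes from the clock, which is exactly the power-to-frequency-to-time chain quoted above. It assumes a Linux/POSIX host with a GCC- or Clang-compatible compiler (for `clock_gettime` and `__builtin_popcountll`); the size of the effect, if any, depends on the CPU, its power limits and whether boost is enabled, and it only appears once the core has settled at its sustained frequency, so each trial must run for a meaningful fraction of a second.

```c
#define _POSIX_C_SOURCE 199309L
#include <stdint.h>
#include <stdio.h>
#include <time.h>

static double now_seconds(void) {
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (double)ts.tv_sec + (double)ts.tv_nsec / 1e9;
}

/* Number of set bits: the data property the researchers correlate with power draw. */
int hamming_weight64(uint64_t v) {
    return __builtin_popcountll(v);
}

/* One trial: 'iters' 64-bit multiplies of two fixed operands.  The operands are
   read through volatile so the compiler cannot hoist the loop-invariant product
   out of the loop; the instruction stream is identical for every (x, y), so any
   wall-time difference must come from the CPU clock, not from control flow.
   Returns the accumulated products so the loop is not dead code. */
__attribute__((noinline))
uint64_t workload(uint64_t x, uint64_t y, uint64_t iters) {
    volatile uint64_t vx = x, vy = y;
    uint64_t acc = 0;
    for (uint64_t i = 0; i < iters; i++)
        acc += vx * vy;
    return acc;
}

/* Wall time in seconds for one trial. */
double measure(uint64_t x, uint64_t y, uint64_t iters) {
    double t0 = now_seconds();
    (void)workload(x, y, iters);
    return now_seconds() - t0;
}

/* Mean wall time with high-Hamming-weight operands divided by mean wall time
   with low-Hamming-weight operands.  Trials alternate so slow drift (thermal,
   background load) hits both sides equally.  Both operand pairs multiply to 1
   (0xFFFF...FFFF squared is 1 mod 2^64), so only the operands' Hamming weight
   differs, not the accumulated result.  A ratio persistently above 1.0 is the
   Hertzbleed effect: more power -> lower frequency -> more wall time.  With
   boost disabled, or on an unaffected part, expect roughly 1.0. */
double hamming_weight_time_ratio(int trials, uint64_t iters) {
    const uint64_t low  = 0x0000000000000001ULL;  /* Hamming weight 1  */
    const uint64_t high = 0xFFFFFFFFFFFFFFFFULL;  /* Hamming weight 64 */
    double t_low = 0.0, t_high = 0.0;
    for (int t = 0; t < trials; t++) {
        t_low  += measure(low,  low,  iters);
        t_high += measure(high, high, iters);
    }
    return t_high / t_low;
}

int main(void) {
    /* Several seconds in total on a ~4 GHz core.  Pin the process to one core
       (e.g. with taskset) and keep the machine otherwise idle for cleaner numbers. */
    const int trials = 10;
    const uint64_t iters = 1000000000ULL;
    printf("operand Hamming weights: %d vs %d\n",
           hamming_weight64(1), hamming_weight64(0xFFFFFFFFFFFFFFFFULL));
    printf("high-HW / low-HW wall-time ratio over %d trials: %.4f\n",
           trials, hamming_weight_time_ratio(trials, iters));
    return 0;
}
```

Because the product is 1 in both cases, the only thing that differs between the two runs is what the multiplier's wires toggle through; a remote attacker sees none of that directly but, per the researchers' point, sees the resulting change in frequency as a change in response time.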

The vulnerability was reported to Intel in the third quarter of 2021 and to AMD in the first quarter of 2022 (the two numbers in the researchers' addition example above are the assigned identifiers, CVE-2022-24436 for Intel and CVE-2022-23823 for AMD), but neither company plans a microcode patch. Mitigation falls to software instead: cryptographic implementations can be changed so that secret-dependent values no longer drive power draw, as was done for the SIKE implementations used in the demonstration. Those particularly concerned about the problem are advised to disable frequency boosting (Turbo Boost on Intel, Precision Boost on AMD) altogether, which the team warns "has an extreme system-wide performance impact."
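Since the only platform-level workaround is to disable boosting, an operator will want to verify that it is actually off on a given host. The following is an added example, not part of the article or the Hertzbleed project: it reads the two Linux sysfs interfaces through which boost is normally controlled and reports the state. It assumes a Linux host whose cpufreq driver exposes either `/sys/devices/system/cpu/intel_pstate/no_turbo` (intel_pstate) or `/sys/devices/system/cpu/cpufreq/boost` (acpi-cpufreq and similar drivers); the two flags have opposite senses, which is the detail most often got wrong. A host with neither file (a VM, a different driver, a non-x86 machine) reports "unknown", not "safe".

```c
#include <stdio.h>

/* Interpret a sysfs boost flag.  intel_pstate exposes "no_turbo" (1 = turbo
   OFF); the generic cpufreq attribute is "boost" (1 = boost ON), so the sense
   of the two flags is inverted.  Returns 1 if boost is disabled, 0 if enabled,
   -1 if the text is not a 0/1 flag. */
int boost_disabled_from_text(const char *text, int is_intel_pstate) {
    if (text == NULL || (text[0] != '0' && text[0] != '1'))
        return -1;
    int flag = text[0] - '0';
    return is_intel_pstate ? flag : !flag;
}

/* Read the first line of a small sysfs attribute; 1 on success, 0 otherwise. */
static int read_attr(const char *path, char *buf, size_t len) {
    FILE *f = fopen(path, "r");
    if (f == NULL)
        return 0;
    char *got = fgets(buf, (int)len, f);
    fclose(f);
    return got != NULL;
}

/* Live check of this host.  Returns 1 = boost disabled, 0 = boost enabled,
   -1 = neither interface present.  Paths are the standard Linux cpufreq
   attributes; other drivers or a guest VM may expose neither. */
int boost_disabled_on_this_host(void) {
    char buf[16];
    if (read_attr("/sys/devices/system/cpu/intel_pstate/no_turbo", buf, sizeof buf))
        return boost_disabled_from_text(buf, 1);
    if (read_attr("/sys/devices/system/cpu/cpufreq/boost", buf, sizeof buf))
        return boost_disabled_from_text(buf, 0);
    return -1;
}

int main(void) {
    static const char *verdict[] = {
        "unknown (no boost interface found; treat as unmitigated on bare metal)",
        "ENABLED (frequency scaling that Hertzbleed relies on is active)",
        "disabled",
    };
    int r = boost_disabled_on_this_host();
    printf("CPU frequency boost: %s\n", verdict[r + 1]);
    return r == 1 ? 0 : 1;
}
```

The exit status makes the check usable from a configuration-audit script: zero only when boost is confirmed off. Note that turning boost off (writing 1 to `no_turbo`, or 0 to `boost`) is what carries the performance penalty the researchers warn about, and that a BIOS setting can re-enable it on reboot unless the write is made persistent.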

While the researchers only investigated Intel and AMD x86 processors, the attack is in principle applicable to any processor whose clock frequency is adjusted in response to power consumption (dynamic voltage and frequency scaling), not only those with a "boost" feature by name. That is relatively uncommon at the microcontroller and ultra-low-power microprocessor level, but may apply to edge AI and other power-hungry Internet of Things (IoT) devices.

More information on the vulnerability is available on the Hertzbleed website, along with a link to the research paper; full source code has been published to GitHub under the permissive NCSA license.

Gareth Halfacree: Freelance journalist, technical author, hacker, tinkerer, erstwhile sysadmin. For hire: freelance@halfacree.co.uk.