Researchers have just described a new vulnerability affecting processor chips, and it’s called Hertzbleed. If it is used to carry out a cybersecurity attack, this vulnerability can help the attacker to steal secret cryptographic keys.
The scale of the vulnerability is somewhat staggering: according to the researchers, most Intel and AMD CPUs could be affected. Should we worry about Hertzbleed?
The new vulnerability was first discovered and described by a team of Intel researchers as part of their internal investigations. Later, independent researchers from UIUC, UW, and UT Austin also contacted Intel with similar findings. Based on their findings, Hertzbleed could affect most CPUs. The two processor giants, Intel and AMD, have acknowledged the vulnerability, and Intel confirms that it affects all their CPUs.
Intel has published a security notice which provides guidance to crypto developers on how to harden their software and libraries against Hertzbleed. Until now, AMD has not released anything similar.
Hertzbleed is a chip vulnerability that allows side-channel attacks. These attacks can be used to steal data from your computer. This is done through monitoring processor power and boost mechanisms and observing the power signature of a cryptographic workload, such as cryptographic keys. The term “cryptographic keys” refers to a piece of information, securely stored in a file, that can only be encrypted and decrypted through a cryptographic algorithm.
In short, Hertzbleed is capable of stealing secure data that normally remains encrypted. By looking at the power information generated by your CPU, the attacker can convert that information into time data, which opens the door for them to steal cryptographic keys. What is perhaps more concerning is that Hertzbleed does not require physical access, as it can be exploited remotely.
It is very likely that modern processors from other vendors are also exposed to this vulnerability because, as the researchers describe, Hertzbleed tracks the power algorithms behind the Dynamic Voltage Frequency Scaling (DVFS) technique. DVFS is used by most modern processors, and therefore other manufacturers such as ARM are likely to be affected. Although the research team notified them of Hertzbleed, they have not yet confirmed if their chips are exposed.
Putting all of the above together certainly paints a worrying picture, because Hertzbleed affects a large number of users and, as yet, there is no quick fix to be safe from it. However, Intel is here to reassure you: You are highly unlikely to fall victim to Hertzbleed, even though you are likely exposed to it.
According to Intel, it takes from several hours to several days to steal a cryptographic key. If someone still wanted to try it, they might not even be able to, because it requires advanced, high-resolution energy monitoring capabilities that are difficult to replicate outside of a lab setting. Most hackers wouldn’t bother with Hertzbleed when so many other vulnerabilities are discovered so frequently.
As mentioned above, you’re probably safe even without doing anything in particular. If Hertzbleed is exploited, regular users are unlikely to be affected. However, if you want to play safer, there are a couple of steps you can take, but they come at a severe performance price.
Intel has detailed a number of mitigation methods to be used against Hertzbleed. The company does not appear to be planning to roll out any firmware updates, and the same can be said for AMD. According to Intel guidelines, there are two ways to be completely protected from Hertzbleed, and one of them is very easy to do: you just have to disable Turbo Boost on Intel processors and Precision Boost on AMD CPUs. In both cases, this will require a trip to the BIOS and disabling boost mode. Unfortunately, this is really bad for your processor’s performance.
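After changing the boost setting in the BIOS, the result can be confirmed from a running Linux system. The script below is an added example, not code from Intel, AMD or the researchers. It assumes the Linux cpufreq sysfs layout (`intel_pstate/no_turbo` and `cpufreq/boost`, which may be absent depending on kernel and driver), and the optional root argument is a hypothetical hook for testing against a constructed directory tree.

```shell
#!/bin/sh
# Added example: report whether CPU frequency boost is off, as seen by Linux.
# Assumption: Linux cpufreq sysfs layout. The optional first argument replaces
# the sysfs root so the logic can be run against a constructed tree.

boost_state() {
    root="${1:-/sys}"
    pstate="$root/devices/system/cpu/intel_pstate/no_turbo"
    generic="$root/devices/system/cpu/cpufreq/boost"

    if [ -r "$pstate" ]; then
        # intel_pstate driver: the knob is inverted, no_turbo=1 means boost is off.
        case "$(cat "$pstate")" in
            1) echo disabled ;;
            0) echo enabled ;;
            *) echo unknown ;;
        esac
    elif [ -r "$generic" ]; then
        # Generic cpufreq knob (used by other drivers): boost=0 means boost is off.
        case "$(cat "$generic")" in
            0) echo disabled ;;
            1) echo enabled ;;
            *) echo unknown ;;
        esac
    else
        # Neither file exists: not Linux, no cpufreq driver, or a different layout.
        echo unknown
    fi
}

echo "CPU boost: $(boost_state)"
```

A result of `unknown` means the operating system exposes neither file, so the BIOS setting itself has to be checked.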
The other methods listed by Intel will only result in partial protection or are very difficult, if not impossible, for regular users to apply. If you don’t want to adjust the BIOS for this and sacrifice your CPU’s performance, you most likely don’t have to. However, keep your eyes open and stay alert: cybersecurity attacks happen all the time, so it’s always good to be extra careful. If you’re tech-savvy, check out the full white paper on Hertzbleed, first seen by Tom’s Hardware.