There’s another vulnerability in Intel chips, with another catchy name: NetCAT. The researchers who discovered it say that attackers could use it to find out what other users on a server are typing. Don’t recoil in horror yet, though – exploiting it would be a challenge.
The attack revolves around a technology called Data Direct I/O (DDIO). Intel has built it into its Xeon server processors since 2012 and enables it by default. Normally a network card writes incoming packets into system RAM and the CPU fetches them from there; DDIO lets the card write them straight into the processor's last-level cache instead, cutting packet-processing latency for latency-sensitive applications.
According to the research from scientists at VU Amsterdam, the weakness is that this cache is shared by every core in the processor, so traffic that DDIO writes into it on behalf of one client leaves traces that another client can observe. The researchers used that to indirectly snoop on what others are typing in secure shell (SSH) sessions. SSH is the encrypted remote-login protocol that replaced telnet; it gives users a command-line session on a server.
In an interactive SSH session, each keystroke is sent to the server in its own small encrypted packet. When the network card writes that packet into the cache via DDIO, it evicts whatever was previously in that cache location, including data the attacker deliberately placed there. By repeatedly reading their own data back over the network and timing how long each read takes, the attacker can tell when an eviction, and therefore a keystroke packet, occurred.
Now, here’s the part that takes us into Hollywood movie territory. A hacker wouldn’t be able to read the characters that you type, because the packets are encrypted. Instead, they’d have to time the evictions to work out the intervals between the user’s keystrokes. Then, they’d have to guess at the words you’re typing by analysing keystroke timing patterns. They said:
… humans have distinct typing patterns. For example, typing ‘s’ right after ‘a’ is faster than typing ‘g’ after ‘s’. As a result, NetCAT can operate statistical analysis of the inter-arrival timings of packets in what is known as a keystroke timing attack to leak what you type in your private SSH session.
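As an added illustration, not code from the NetCAT researchers or from this article, the Python below shows the statistical step the quote describes. It takes packet arrival timestamps, which is all the cache side channel yields, splits them into bursts of typing, converts each burst into inter-keystroke gaps, and scores candidate words against a per-digraph timing model. The digraph timings, the candidate dictionary and the sample arrival times are all constructed for the example; a real attacker would fit the model from recorded typing.

```python
"""Keystroke-timing inference from packet arrival times.

Added example, not the NetCAT researchers' code. The cache side channel
only reveals *when* each SSH packet reached the server; everything below
works from those timestamps. The digraph timings and sample arrivals are
constructed for illustration, not measured from anyone's typing.
"""
import math
from typing import Dict, List, Tuple

# Constructed per-digraph model: (mean_ms, std_ms) for typing the second
# letter immediately after the first. A real attacker would fit this from
# recorded typing (the victim's, or a population). Digraphs absent from
# the table fall back to DEFAULT_DIGRAPH.
DIGRAPH_MODEL: Dict[str, Tuple[float, float]] = {
    "ca": (110.0, 25.0), "at": (130.0, 30.0),   # "cat"
    "co": (140.0, 30.0), "ot": (190.0, 35.0),   # "cot"
    "cu": (210.0, 40.0), "ut": (150.0, 30.0),   # "cut"
    "ls": (120.0, 25.0),                        # "ls"
}
DEFAULT_DIGRAPH: Tuple[float, float] = (200.0, 60.0)


def segment_by_pause(arrival_s: List[float], pause_s: float = 1.0) -> List[List[float]]:
    """Split a stream of keystroke timestamps into bursts (words/commands).

    A gap longer than `pause_s` is taken as the boundary between two
    words; the threshold is a constructed heuristic.
    """
    bursts: List[List[float]] = []
    for t in arrival_s:
        if bursts and t - bursts[-1][-1] <= pause_s:
            bursts[-1].append(t)
        else:
            bursts.append([t])
    return bursts


def inter_arrival_ms(arrival_s: List[float]) -> List[float]:
    """Absolute arrival times in seconds -> inter-keystroke gaps in ms."""
    return [(b - a) * 1000.0 for a, b in zip(arrival_s, arrival_s[1:])]


def _log_normal_pdf(x: float, mean: float, std: float) -> float:
    """Log of the normal density; used as the per-digraph score."""
    z = (x - mean) / std
    return -0.5 * z * z - math.log(std * math.sqrt(2.0 * math.pi))


def word_log_likelihood(word: str, gaps_ms: List[float]) -> float:
    """Log-likelihood that `gaps_ms` was produced by typing `word`.

    Each gap is matched to one digraph of the word, so a word of n letters
    needs exactly n-1 gaps; other lengths are rejected.
    """
    if len(word) != len(gaps_ms) + 1:
        raise ValueError("word length does not match number of gaps")
    total = 0.0
    for (first, second), gap in zip(zip(word, word[1:]), gaps_ms):
        mean, std = DIGRAPH_MODEL.get(first + second, DEFAULT_DIGRAPH)
        total += _log_normal_pdf(gap, mean, std)
    return total


def rank_candidates(candidates: List[str], arrival_s: List[float]) -> List[Tuple[str, float]]:
    """Rank candidate words for one burst of keystroke arrival times.

    Candidates whose length cannot produce this many packets are dropped;
    the rest are sorted by log-likelihood, best first.
    """
    gaps = inter_arrival_ms(arrival_s)
    scored = [(w, word_log_likelihood(w, gaps))
              for w in candidates if len(w) == len(gaps) + 1]
    scored.sort(key=lambda item: item[1], reverse=True)
    return scored


# Constructed observation: two bursts of packets as the side channel would
# timestamp them. Burst 1 matches the "cat" digraph means, burst 2 "ls".
SAMPLE_ARRIVALS_S = [0.000, 0.110, 0.240, 2.000, 2.120]
SAMPLE_DICTIONARY = ["cat", "cot", "cut", "ls", "cd"]

if __name__ == "__main__":
    for burst in segment_by_pause(SAMPLE_ARRIVALS_S):
        print([f"{w}: {ll:.2f}" for w, ll in rank_candidates(SAMPLE_DICTIONARY, burst)])
```

The ranking only narrows the search to words whose timing profile fits; it never identifies a character outright, and a random password with no dictionary candidates gives the model nothing to score, which is the limitation the next paragraphs turn on.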
Should you set the sirens off in your server room and declare a company-wide emergency? That’s what people did with two other side-channel attacks on Intel hardware, Spectre and Meltdown. This isn’t anywhere near as serious, though. For one thing, the attacker has to reach the server using another feature called remote direct memory access (RDMA) over a high-speed network such as InfiniBand. It’s a pretty specialist piece of infrastructure which would already need to be set up, and they’d have to gain access to it.
Predicting your typing is also a stretch. We’ve certainly seen researchers claim this before, on smartphones, so perhaps it’s technically possible to guess some typed words. But you’d hope that any developer or admin typing in an SSH password wouldn’t be using a dictionary-listed word in the first place. You might have a chance of predicting “password1234”, but you’d find it far more difficult to guess “3X6ACpK8ohhvrW”.
Intel responded:
This issue has a low CVSS base score of 2.6. In scenarios where Intel DDIO and RDMA are enabled, strong security controls on a secured network are required, as a malicious actor would need to have read/write RDMA access on a target machine using Intel DDIO to use this exploit. In the complex scenarios where Intel DDIO and RDMA are typically used, such as massively parallel computing clusters, malicious actors typically don’t have direct access from untrusted networks.
There’s no patch for this. Intel’s advice is that software handling sensitive data should use constant-time code, so that its timing doesn’t depend on the data. The researchers responded that this won’t stop NetCAT, because the timing it measures is that of packets arriving at the network card, which application code can’t change, but that it might stop similar “NetCAT-like” attacks.
Instead, they recommend disabling DDIO if you don’t use it, and/or switching off RDMA.
Paul Ducklin
Good luck predicting the characters *I* just typed via nanometric timing analysis. I have one of the original ‘new style’ MacBooks – the 2015 12″ model that was the very first one where the apple doesn’t light up. It is quite truly the most beautiful piece of computing equipment ever made. But it also has the original, first-model “butterfly keyboard”, which gets its name from the chaos theory saying that “if a butterfly flaps its wings in New Zealand, will my next keystroke appear 0, 1 or 7 times?”
NetCAT 0 – Butterfly 1.
Tim Howard
If an attacker already has RDMA access to the target server, it seems like there should be far easier vulnerabilities to exploit than trying to guess keypresses based on timing.
Mark Stockley
Exactly.
Roger
When the attacker has access to RDMA, then if the machine is running Unix or Linux, using a syscall tracer makes it far easier to capture the whole session.
Alien
Intel = intrinsically insecure