Physical attacks and unwanted data leaks through covert channels

Samo Maček (2011) Physical attacks and unwanted data leaks through covert channels. MSc thesis.

	PDF Download (3242Kb)
	PDF Download (3242Kb)

Abstract

While working with the information and communication technology we are being exposed to a number of risks in the form of various ways and possibilities of an unauthorized disclosure of data. My paper focuses upon an area that has not been usually taken into much consideration. The impact on the environment/s, as a collateral phenomenon in the use of the Information-communication Technology (ICT) may be directly linked to the processed data and those data that are transmitted through communication connections. These data my be flowing off into an unsupervised area through the side channels, by means of electromagnetic (EM) radiation, various forms of parasitic couplings, power lines and conducting infrastructure. It could be also possible to intercept them also on the basis of a long-distance observation control, immage rebound, specific sound effects, enery use analysis and other side channel attacks. Taking into consideration the possibility of data interception through side channels, peripheral units (screen, keyboard), communication links and also other equipment, like smart cards, where there is a risk of intercepting the secret key of cryptographic algorithm, may be enlisted among the exposed ICT components. The paper illustrates, on the basis of an analysis of the results and research carried out in the field, the use of the usual information technology as highly risky from this point of view, mostly because of the impact of the EM on the surroundings. Regulations and standards that regulate this field should be viewed from two points of view. When speaking about the usual personal or business use, these are mostly defined by guaranteeing EM conformity and interference and aimed at minimizing the dangerous impact on the human organism, but they do not guarantee safety against data leakage. On the other hand, provisions for protecting from such threats are prescribed by the law when dealing with confidential or classified data. Misuse of data of the public, national interest can seriously jeopardize the work of the key functions of the State and the public area. Protection against classified data outflow through EM radiation and other side channel attacks is carried out on different levels, while it is impossible to apply the measures in the usual personal or business use sphere due to their complexity. As protection is concerned, in Slovenia we comply with the EU and NATO requirements. Notwithstanding what previously said in regard, there is, however, a number of reccomandations and measures that can be used to also reduce the risk level in the personal and business sphere. To achieve the preset goal, security measures have to bet taken into account through from the very beginning, while planning the information and communication technology process. What I meant to demonstrate in the practical part of the paper was, that there may, however, exist quite some differences between tecnologies that still meet the requirements of the EU technical normative law.

Actions (login required)