Hackers Remotely Steal Data From Intel CPUs

Thursday, Sep 12, 2019

Unlike previously disclosed side-channel vulnerabilities in Intel CPUs, a newly discovered flaw can be exploited remotely over the network, without the attacker having physical access to the targeted computer or any malware running on it.

Dubbed NetCAT, short for Network Cache ATtack, the network-based side-channel vulnerability could allow a remote attacker to sniff out sensitive data, such as what a user types into an SSH session (a password included), from the last-level cache of an Intel server CPU.

According to the researchers, NetCAT works much like Throwhammer: the attacker does nothing but send specially crafted network packets to a targeted computer that has Remote Direct Memory Access (RDMA) enabled. The underlying channel is Intel's Data Direct I/O (DDIO), which lets a network card deliver incoming packets straight into the CPU's last-level cache rather than into DRAM. Because the attacker's RDMA traffic and the victim's traffic share that cache, the attacker can observe from across the network, by timing its own cache accesses, when the victim's packets arrive.

“In an interactive SSH session, every time you press a key, network packets are being directly transmitted. As a result, every time a victim types a character inside an encrypted SSH session on your console, NetCAT can leak the timing of the event by leaking the arrival time of the corresponding network packet,” researchers explain.

“Now, humans have distinct typing patterns. For example, typing ‘s’ right after ‘a’ is faster than typing ‘g’ after ‘s.’ As a result, NetCAT can operate statistical analysis of the inter-arrival timings of packets in what is known as a keystroke timing attack to leak what you type in your private SSH session.”

“Compared to a native local attacker, NetCAT’s attack from across the network only reduces the accuracy of the discovered keystrokes on average by 11.7% by discovering inter-arrival of SSH packets with a true positive rate of 85%.”
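The statistical analysis the researchers describe is easy to make concrete. The following is an added example, not code from the NetCAT paper or its authors: it takes the arrival timestamps of a victim's SSH packets (which NetCAT recovers through the cache side channel), turns them into inter-arrival gaps, and scores a list of candidate strings by how well each one's bigram latencies explain those gaps. The per-bigram latency model, the candidate wordlist, and the jitter figure are all constructed assumptions for illustration; a real attacker trains the model from keystroke data collected beforehand.

```python
import math
import random

# Constructed per-bigram inter-keystroke latency model, in milliseconds:
# (mean, standard deviation) of the delay between pressing the first key and
# the second. These values are illustrative assumptions for this example, not
# measurements from the NetCAT paper.
BIGRAM_MODEL = {
    ("a", "s"): (90.0, 20.0),
    ("s", "a"): (110.0, 25.0),
    ("s", "g"): (180.0, 35.0),
    ("g", "s"): (170.0, 30.0),
    ("s", "s"): (130.0, 25.0),
    ("a", "g"): (160.0, 30.0),
    ("g", "a"): (150.0, 30.0),
}
DEFAULT_LATENCY = (140.0, 40.0)   # fallback for bigrams the model has not seen

# Constructed candidate list, standing in for a password wordlist restricted
# to the keys the model covers.
CANDIDATES = ["sags", "saga", "gags", "sass", "gasa"]


def inter_arrival(timestamps):
    """Packet arrival times (ms) -> gaps between consecutive packets (ms)."""
    return [later - earlier for earlier, later in zip(timestamps, timestamps[1:])]


def log_likelihood(candidate, gaps):
    """Gaussian log-likelihood of the observed gaps if `candidate` was typed.

    Interactive SSH sends one packet per keystroke, so an n-character string
    yields exactly n-1 gaps; any other length rules the candidate out.
    """
    if len(candidate) - 1 != len(gaps):
        return float("-inf")
    total = 0.0
    for (first, second), gap in zip(zip(candidate, candidate[1:]), gaps):
        mean, std = BIGRAM_MODEL.get((first, second), DEFAULT_LATENCY)
        # log N(gap; mean, std), dropping the constant -0.5*log(2*pi)
        total += -0.5 * ((gap - mean) / std) ** 2 - math.log(std)
    return total


def rank_candidates(gaps, candidates=CANDIDATES):
    """Candidates ordered from most to least likely given the observed gaps."""
    return sorted(candidates, key=lambda c: log_likelihood(c, gaps), reverse=True)


def simulate_arrivals(typed, rng, network_jitter_ms=5.0):
    """Constructed victim: one packet per keystroke, spaced by the model's
    latencies, plus Gaussian jitter standing in for the measurement noise
    the remote cache channel adds on top of true arrival times."""
    t = 0.0
    arrivals = [t]
    for first, second in zip(typed, typed[1:]):
        mean, std = BIGRAM_MODEL.get((first, second), DEFAULT_LATENCY)
        t += rng.gauss(mean, std)
        arrivals.append(t + rng.gauss(0.0, network_jitter_ms))
    return arrivals


if __name__ == "__main__":
    rng = random.Random(2019)          # fixed seed so the demo is repeatable
    secret = "sags"                    # what the constructed victim types
    observed = inter_arrival(simulate_arrivals(secret, rng))
    print("observed gaps (ms):", [round(g, 1) for g in observed])
    for cand in rank_candidates(observed):
        print(f"{cand}: {log_likelihood(cand, observed):.2f}")
```

The scoring is deliberately the simplest thing that works: an independent Gaussian per bigram over a fixed wordlist. The classic SSH keystroke timing attack by Song, Wagner and Tian (USENIX Security 2001), which the NetCAT authors build on, instead uses a hidden Markov model over key-pair classes and reports a reduction in the effective password search space rather than a single guess. The point the example makes is the same: once an attacker can timestamp the victim's packets, whether from a network tap or, as with NetCAT, from cache activity observed over RDMA, the encryption of the SSH session does nothing to hide the rhythm of the typing.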

NetCAT joins the list of dangerous side-channel vulnerabilities disclosed in Intel CPUs in recent years, including Meltdown, Spectre, TLBleed, Foreshadow, SWAPGS, and PortSmash.

In its advisory (the issue is tracked as CVE-2019-11184), Intel acknowledged the problem and recommended that users either disable DDIO entirely, or at least disable RDMA, to make such attacks considerably harder, or otherwise limit direct access to affected servers from untrusted networks. Neither option is free: DDIO exists precisely to cut memory latency for high-bandwidth I/O, so turning it or RDMA off costs the low-latency networking those servers were deployed for.