The NetCAT is out of the bag: Intel chipset exploited to sniff SSH passwords as they're typed over the network

The NetCAT is out of the bag: Intel chipset exploited to sniff SSH passwords as they're typed over the network

Cunning data-snooping side-channel technique is tough to exploit, says Chipzilla


Video It is possible to discern someone's SSH password as they type it into a terminal over the network by exploiting an interesting side-channel vulnerability in Intel's networking technology, say infosec gurus.


In short, a well-positioned eavesdropper can connect to a server powered by one of Intel's vulnerable chipsets, and potentially observe the timing of packets of data – such as keypresses in an interactive terminal session – sent separately by a victim that is connected to the same server.


These timings can leak the specific keys pressed by the victim due to the fact people move their fingers over their keyboards in a particular pattern, with noticeable pauses between each button push that vary by character. These pauses can be analyzed to reveal, in real time, those specific keypresses sent over the network, including passwords and other secrets, we're told.


The eavesdropper can pull off this surveillance by repeatedly sending a string of network packets to the server and directly filling one of the processor's memory caches. As the victim sends in their packets, the snooper's data is pushed out of the cache by this incoming traffic. As the eavesdropper quickly refills the cache, it can sense whether its data was still present or evicted from the cache, leaking the fact its victim had sent over some data. This ultimately can be used to determine the timings of the victim's incoming packets, and thus the keys pressed and transmitted by the victim.


The attack is non-trivial to exploit, and Intel doesn't think this is a big deal at all, though it is nonetheless a fascinating technique that you may want to be aware of. Bear in mind, the snooper must be d ..