
Thursday, 12/20/2018 10:28:09 PM


Post# of 249568
New attack intercepts keystrokes via graphics libraries

https://www.zdnet.com/article/new-attack-intercepts-keystrokes-via-graphics-libraries/

Attack can guess text input from both hardware and on-screen keyboards alike.

A team of academics says they can determine user key presses by watching for data leaks in how a processor computes code from standard graphics libraries.

The general idea behind this research is that the code that renders text on screen via the standard graphics libraries included in modern operating systems leaks clues about the information it is processing, even if the text is hidden behind a password's generic dots.

This type of vulnerability --known as a side-channel attack-- isn't new, but it's been primarily utilized for recovering cleartext information from encrypted communications.

However, this new side-channel attack variation focuses on the CPU shared memory where graphics libraries handle rendering the operating system user interface (UI).

In a research paper shared with ZDNet and that will be presented at a tech conference next year, a team of academics has put together a proof-of-concept side-channel attack aimed at graphics libraries.

They say that through a malicious process running on the OS they can observe these leaks and guess with high accuracy what text a user might be typing.

Sure, some readers might point out that keyloggers (a type of malware) can do the same thing, but the researchers' code has the advantage that it doesn't require admin/root or other special privileges to work.

The attack code can be hidden inside legitimate apps and recover keystrokes with a much lower chance of getting detected by antivirus products.

But the researchers' attack isn't something to worry about just yet. This attack is only theoretical, for now, and would be very hard to pull off by a low-skilled attacker.

Preparing a side-channel attack of this type requires studying how an operating system interacts with its graphics library on specific hardware architectures. An attacker would need to have precise hardware specs of a victim's computer, but also of the software the target uses, from where it intends to steal text (most likely login passwords).

But there are also advantages for this attack. For starters, compared to classic keylogging malware, this attack also works with on-screen keyboards and is not solely limited to collecting key presses from hardware keyboards.

Furthermore, the attack can be tailored to work on any OS, including mobile operating systems. During their tests, researchers captured keystrokes from an Ubuntu and Android OS.

In addition, as the attack collects more key presses from graphics libraries, it also gets better at guessing the correct key presses.

The proof-of-concept attack researchers devised for their paper was coded to intercept only numerical and lowercase characters, but researchers say that an attacker can switch to a different prediction model to take into account uppercase letters and special characters if needed.

The research team has also recorded a demo of their attack, embedded below. They also plan to release the source code of their attack in the future.

More details about this attack will be available next year in a research paper entitled "Unveiling your keystrokes: A Cache-based Side-channel Attack on Graphics Libraries," authored by academics from the University of California, Riverside, Virginia Tech, and the US Army Research Lab.

The research team is scheduled to present their work at the Network and Distributed System Security Symposium (NDSS) that will take place in San Diego in late February 2019.
==================================================================
What would happen if an RSA SecurID user lost their SecurID? (And that is easy to do; see link below.) The fill-in for the lost SecurID token would be very susceptible to this new attack along with the password. One compromised token and password could result in security failure for a company network. Wave VSC 2.0 - better security at less than half the cost.
==================================================================
https://www.wavesys.com/products/wave-virtual-smart-card

Excerpt:

One helpdesk call you'll never get: "I lost my virtual smart card again..."

There are so many ways to lose a token – couch cushions, street drains, curious toddlers. In fact, up to 30% of all tokens are eventually lost. It’s much harder to lose a laptop, and you notice a lot faster when you do.

The user experience with a virtual smart card is simple: he or she logs in with a PIN (authentication factor number one). The TPM (authentication factor number two) then transparently identifies the device to the network and connects the user to all the approved services. It’s one less thing for users to carry around.

What will you do with >50% TCO savings?*

Tokens and smart cards require an additional hardware purchase, plus the time and money to ship to remote users. Use something that’s already in the users’ hands (the TPM), and your acquisition and deployment costs are lower.

Then consider the management savings in not having to replace lost and stolen tokens. That means fewer helpdesk calls, less interruption of user productivity, and fewer acquisition and shipping costs.












