Hertzbleed can use Intel/AMD processor frequency increase vulnerability to steal encryption keys

After being shocked by the "Spectre" and "Meltdown" side-channel attack vulnerabilities that affected modern Intel, AMD and ARM processors in 2017, security researchers have now exposed a more advanced vulnerability that uses CPU boost frequencies to steal encryption keys - it is Hertzbleed.

(Source: Hertzbleed website)

The attack works by monitoring the power signature of any cryptographic workload for a side-channel vulnerability, and like everything else in a CPU, processor power adjusts as workloads change.

But after observing this power information, the Hertzbleed attacker can convert it into timing data and steal the encryption keys of the user process.

● Currently, both Intel and AMD have announced systems that are vulnerable to the Heartzbleed vulnerability attack, which affects the entire Intel series and AMD Zen 2 / Zen 3 processors.

● The former was assigned the vulnerability IDs Intel-SA-00698 and CVE-2022-24436, while the latter was CVE-2022-23823.

Principle diagram (Image from: Intel website)

Worse still, the Hertzbleed vulnerability can be exploited remotely without the need for an attacker to have physical access to the device.

The two chip companies will then provide microcode-based patch mitigations to prevent such vulnerabilities from being further exploited by attackers.

Fortunately, Intel claims that such attacks are not very practical outside of laboratory research, as stealing encryption keys is said to take hours to days.

As for the CPU performance loss that may be caused by the vulnerability patch, it still depends on the specific application scenario.