Listening In On Encryption
ExtremeTech covers this in detail, and there are certainly some reasons to be concerned, but I don't see it as something to lose sleep over.
In summary, by listening to the noise generated by the voltage regulator in a modern CPU, you can make a pretty good guess as to what bits are being processed. Get it right, and you have the decryption key, at which point GPG's protection unravels entirely.
I can think of a few ways around this, some more elegant than others.
- Generate white noise that might confuse the eavesdropper.
- Disable the CPU scaling capabilities, thus removing much of the noise from the voltage regulator.
- Junk math. Run some parallel decryption-like operations on a random data source.
I'm a bigger fan of the third method: You don't compromise overall system behavior, and you don't need to rely on speakers being active.
The real reason I'm not worried in this particular case is that the encryption that was cracked is GPG. Once someone comes up with a fix and submits a patch, it will be officially rolled into an upcoming release, and in the meantime, the patch will be out there for those who want it.
Overall, really cool stuff, and just another example of why security is a process, and not a product: It's never enough to own a lock, you also have to use it properly and maintain it over time.