Researchers Discover A Startling Side-Channel Exploit On All GPUs, Even Integrated
Side channel attacks are always fascinating to see how they are executed, such as the recent discovery that encryption keys could be stolen by recording power LEDs on various devices. Researchers have found that malicious websites might be able to see usernames and other sensitive information by leaking it from another embedded website in an iframe.
On Tuesday, a team of security researchers from around the United States led by Yingchen Wang published research into the “Side-Channel Implications of Hardware-Based Graphical Data Compression.” This research outlines a side-channel attack that can expose visual information by exploiting graphical data compression done by GPUs. The attack was demonstrated by a proof-of-concept exploit wherein a cross-origin iframe had pixels “stolen” by measuring rendering time differences on both iGPUs and discrete graphics cards. This can be somewhat simplified down to using image compression to see whether a pixel is white or black based on the amount of time it takes to draw that pixel.
You can see what this attack looks like in the image above with an attack against Wikipedia done in Chrome, but as the researchers note, this is not an instant transaction. It took 215 minutes for an Intel Core i7-8700 to run the attack with 98% accuracy, and it took 30 minutes on an AMD Ryzen 7 4800U with 97% accuracy.
While it sounds like this attack vector is not limited to iframe attacks, alternative exploits remain undiscovered, though they are entirely feasible. Regardless, the researchers disclosed findings to all major GPU vendors and the proof-of-concept Chrome attack to Google. Per the report, “The GPU vendors largely declined to act; one said the side channel was outside their threat model, another that it was the responsibility of software to mitigate.”
As startling as it is, this iframe issue is not an immediate concern as the attack seems more theoretical than practical overall. It requires several conditions to met before it can take place, making it a high bar for even a motivated attacker. As such, you can enjoy the research without fearing your accounts and passwords being stolen because that's probably not going to happen.