The Threat is Real: ‘Hot Pixels’ Attack Steals Data Through CPU Readings

‘Hot pixels’ attack steals data through CPU readings

In a new report published on May 31, 2023, researchers from Georgia Tech, the University of Michigan, and Ruhr University Bochum in Germany have discovered a new form of side-channel attack that steals private information from computers and other electronic devices by exploiting power and speed management methods that are used to regulate heat and energy use. The research team demonstrated how they could compromise data released by the Dynamic Voltage and Frequency Scaling (DVFS) mechanisms found on most modern chips. The attack involves monitoring data leaked by sensors embedded in the processors, which display patterns that emerge as processors continuously balance power demands.

The “Hot Pixel” Attack

The attackers force one variable to remain constant to track the other two variables that are changing. This tracking method is called the “hot pixel” attack. The researchers tested the attack on various electronics, including Apple MacBook Air, Google Pixel 6 Pro, OnePlus 10 Pro, Nvidia GeForce RTX 3060, AMD Radeon RX 6600, and Intel Iris Xe (i7-1280P), and all the devices leaked data. The AMD Radeon RX 6600 had the worst rating, with 94% data retrieval accuracy rate, whereas Apple devices had data retrieval accuracy rates of between 60% and 67%, which were the least affected devices.

Implications and Recommendations

Such an attack could significantly impact individuals and businesses that rely on electronic devices that store sensitive information. Attackers can use the data to redirect users to phishing sites and steal login credentials for bank accounts, emails, or other sensitive information. The researchers have advised manufacturers to tighten security measures by enforcing hardware-based thermal limitations, limiting device access to sensor readings, and reducing thermal-controlled devices. The researchers alerted all of the affected manufacturers to the vulnerabilities, but no preventive actions have yet been announced.

Philosophical Discussion

This new form of side-channel attack illuminates once more how vulnerable our information systems are. The research shows that electronic devices have many potential vulnerabilities that have not yet been discovered, and manufacturers must conduct even more thorough security checks to address such threats. Every organization must ensure that it secures its systems and that the data it collects is protected from outsiders in the best possible way, with the highest safety standards.

Editorial

The “Hot Pixel” attack reveals the illusions of security that most computer and technology experts have sought to provide; there is no absolute security. Attackers keep developing new methods and techniques for accessing critical data, proving that there is a continuous need for security improvement and preparedness. Manufacturers must address this issue with a sense of urgency to protect their customers and prevent the loss or theft of sensitive data.

Advice

To keep electronic devices secure, experts recommend that manufacturers, businesses, and private individuals should:

• Conduct security checks frequently to identify vulnerabilities, including those discussed in this report.
• Enforce hardware-based thermal limitations.
• Update software routinely to improve security measures.
• Limit unprivileged access to sensor readings and device data.
• Purchase or download reputable antivirus software and firewalls.
• Never click on suspicious links, even if they come from familiar sites. Instead, copy the address and paste it in a new browser to check its authenticity.