Most Intel, AMD Processors Vulnerable to New Hertzbleed Attack

pcmag.com:

Bad news everyone: The majority of desktop, laptop, and server processors are vulnerable to a new type of attack called Hertzbleed(Opens in a new window) that's extremely hard to mitigate against.

Hertzbleed is a power side-channel attack and works by taking advantage of the dynamic frequency scaling of x86 processors. As Tom's Hardware explains(Opens in a new window), a program can run at different CPU frequencies when carrying out a computing task and the power signature varies accordingly. An attacker can capture the power information, convert it to timing data, and use that to steal cryptographic keys.

As the Hertzbleed research paper(Opens in a new window) (PDF) neatly summarizes, "Power side-channel attacks exploit data-dependent variations in a CPU's power consumption to leak secrets."

Hertzbleed impacts all 8th to 11th Generation Intel Core desktop and laptop processors, as well as several AMD desktop, mobile, and server processors, including Ryzen Zen 2 and Zen 3 desktop and laptop chips.

The only effective mitigation techniques have "an extreme system-wide performance impact" because they involve either disabling Turbo Boost on Intel chips and Precision Boost on AMD chips, or use modeled power instead of actual power throttling control algorithms.

The reason Hertzbleed is so serious is because it opens the door for an attacker to steal secure information by extracting AES cryptographic keys from remote servers. Neither Intel nor AMD have revealed plans to release microcode to patch the exploit, which means it remains a threat unless mitigated in software. And as the workarounds mentioned above are so detrimental to performance, it seems very unlikely they will be implemented.

Now for a bit of good news: