Latest WireTap Attack Breaches Server SGX to Exfiltrate Sensitive Data
“A cyberattack case has come up involving the latest WireTap attack, which breaches server SGX to exfiltrate sensitive data.”

An attacker with physical access can breach the security of Intel’s Software Guard eXtensions (SGX) on contemporary server CPUs and collect confidential data thanks to a recently discovered vulnerability known as the WireTap attack.
According to a research report published in October 2025, this technique challenges the fundamental confidence put in these hardware-based security environments by utilizing a low-cost setup to extract cryptographic keys from purportedly secure SGX enclaves.
The attack compromises the confidentiality and integrity assurances of SGX, a mechanism commonly used to safeguard sensitive data and computation even from privileged software.
Physical attacks of this kind were once thought to need costly, specialist equipment, but the researchers showed that they may now be carried out by hobbyists on a budget of less than $1,000.
Attack via WireTap
A specially designed memory interposition probe that physically taps into the DRAM bus is the basis of the WireTap attack, which enables the attacker to watch data flow between the CPU and the system’s memory.
The researchers built this instrument with easily accessible parts from secondhand electronics markets, such as a soldering iron, tweezers, and a basic DIMM riser board.
Slowing down the system’s fast DDR4 memory bus was a significant advance. By altering the DIMM’s metadata, the researchers made the machine run at a significantly reduced frequency.

This important step allowed the data stream to be captured using cheap, antiquated logic analyzers that weren’t intended for contemporary technology.
The long-held belief that physical memory attacks on server-grade systems were only possible for the most well-funded attackers is disproved by this method.
The attack primarily targets Scalable SGX, which is based on the deterministic memory encryption technique AES-XTS and is utilized in Intel’s Xeon server processors.
Unlike previous SGX implementations, this scheme generates the same ciphertext every time the same data is written to the same physical memory address.
Attackers can watch these encrypted memory transactions in real time with the WireTap configuration. The researchers developed a ciphertext side-channel attack by carefully manipulating an SGX enclave and making it execute cryptographic operations.

They watched the encrypted memory traffic while the enclave created an ECDSA signature, a procedure used for SGX attestation. This let them build a dictionary of ciphertexts and recover the secret nonce used in the signing process.
Using the nonce and the public signature, they were able to retrieve the machine’s secret DCAP attestation key from a fully trusted server in less than 45 minutes.
Extracting an SGX attestation key has serious repercussions, especially for Web3 and blockchain ecosystems that depend on SGX for security.
SGX is used by numerous decentralized networks with market values in the hundreds of millions of dollars to guarantee the integrity of computation and private transactions.
The researchers used a number of actual SGX deployments to demonstrate end-to-end attacks. A compromised key would enable an attacker to operate malicious enclaves, steal master keys, and forge quotes on privacy-preserving smart contract networks like Phala and Secret. This would allow the decryption of private transactions throughout the network.
On decentralized storage networks like Crust, an attacker could falsify proofs of storage in order to obtain financial incentives without actually storing any data, violating the system’s integrity guarantees. The impacted blockchain projects and Intel have been informed of the researchers’ findings.

The Author
Suraj Koli is a content specialist in technical writing about cybersecurity & information security. He has written many amazing articles related to cybersecurity concepts, with the latest trends in cyber awareness and ethical hacking.