Security researchers have proved that the encryption used by many mobile payment applications can be broken by simply measuring and analysing the electromagnetic radiation emanating from smartphones.
“We show that modern cryptographic software on mobile phones, implementing the ECDSA digital signature algorithm, may inadvertently expose its secret keys through physical side channels: electromagnetic radiation and power consumption which fluctuate in a way that depends on secret information during the cryptographic computation,” the researchers stated.
“An attacker can non-invasively measure these physical effects using a $2 magnetic probe held in proximity to the device, or an improvised USB adapter connected to the phone’s USB cable, and a USB sound card. Using such measurements, we were able to fully extract secret signing keys from OpenSSL and CoreBitcoin running on iOS devices. We also showed partial key leakage from OpenSSL running on Android and from iOS’s CommonCrypto.”
The so-called “Elliptic Curve Digital Signature Algorithm” (ECDSA) is used in many popular applications, such as Bitcoin wallets and Apple Pay, which is why the security experts wanted to check whether such an attack was possible.
“Our methodology includes physical signal acquisition from mobile devices (phones and tablets), signal processing for signal extraction and enhancement using Singular Spectrum Analysis, and a lattice-based algorithm for recovering the secret signing key by aggregating partial information learned from many randomized signing operations,” the researchers explained.
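The leakage the researchers describe comes from signing code whose sequence of curve operations depends on the secret nonce. As an added illustration (not code from the paper or from the affected libraries), the block below uses a constructed toy curve and a simulated operation trace: a naive double-and-add whose trace gives the scalar away, beside a Montgomery ladder whose trace is identical for every scalar of the same length.

```python
# Added illustration (not the paper's code): the sequence of curve operations
# in a secret-dependent scalar multiplication is what an EM/power trace exposes.
# Toy curve y^2 = x^3 + 2x + 3 over F_97, constructed for this demo.
P, A = 97, 2
G = (3, 6)  # a point on the toy curve; real ECDSA uses e.g. P-256
O = None    # point at infinity

def add(p1, p2):
    """Affine point addition/doubling with the point at infinity handled."""
    if p1 is O: return p2
    if p2 is O: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return O  # p2 == -p1, including doubling a point of order 2
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, P - 2, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, P - 2, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def naive_mul(k):
    """Double-and-add: the 'A' step happens only for 1 bits of k (leaky)."""
    R, trace = O, []
    for bit in bin(k)[2:]:
        R = add(R, R); trace.append("D")
        if bit == "1":
            R = add(R, G); trace.append("A")
    return R, trace

def ladder_mul(k, nbits):
    """Montgomery ladder: one add and one double per bit, whatever the bit."""
    R0, R1, trace = O, G, []
    for i in range(nbits - 1, -1, -1):
        if (k >> i) & 1:
            R0, R1 = add(R0, R1), add(R1, R1)
        else:
            R1, R0 = add(R0, R1), add(R0, R0)
        trace.append("AD")
    return R0, trace

def scalar_from_naive_trace(trace):
    """Read the nonce back from the naive trace: 'D','A' => 1, lone 'D' => 0."""
    bits, i = "", 0
    while i < len(trace):
        one = i + 1 < len(trace) and trace[i + 1] == "A"
        bits += "1" if one else "0"
        i += 2 if one else 1
    return int(bits, 2)
```

Real implementations add further measures (blinding, regular windowed methods) because even a uniform operation sequence can leak through data-dependent power draw; the ladder shows only the control-flow half of the fix.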
The attack can be performed cheaply, as it doesn’t require any pricey or difficult-to-get equipment – quite the opposite.
“Small loops of wire acting as EM probes can be easily concealed inside various objects that come in proximity with mobile devices, such as tabletops and phone cases. The phone’s power consumption can be easily monitored by augmenting an aftermarket charger, external battery or battery case with the requisite equipment,” they said.
When this research was released, a commenter expressed his doubts about whether this attack can be effectively mounted in a real-world scenario.
“‘Acoustic emanations’ and longer-range measurements, especially ‘across walls’ are useless in an environment with ambient noise or other smartphone users (a cafe). Unless your target is isolated in a room free of electromagnetic radiation and ambient sound, you would need to be right on top of them to take a measurement,” he stated.
However, Eran Tromer, one of the researchers, responded that this is not the case.
“We conducted these electromagnetic attacks in a crowded lab environment with dozens of electronic devices running in the same room (cellphones, laptops, desktops and assorted lab equipment). Likewise, the acoustic attacks you allude to were done in a noisy lab/office environment,” he explained.
In addition, the experts have notified the developers of the vulnerable libraries about their research.