Leaking crypto keys from mobile devices

Security researchers have discovered a way to steal cryptographic keys that are used to encrypt communications and authenticate users on mobile devices by measuring the amount of electricity consumed or the radio frequency emissions.

The attack, known as differential power analysis (DPA), can be used to target an unsuspecting victim either by using special equipment that measures electromagnetic signals emitted by chips inside the device or by attaching a sensor to the device's power supply, Benjamin Jun, vice president of technology at Cryptography Research, said on Tuesday. Cryptography Research licenses technology that helps companies prevent fraud, piracy, and counterfeiting.

An oscilloscope can then be used to capture the electrical signals or radio frequency emissions and the data can be analyzed so that the spikes and bumps correlate to specific activity around the cryptography, he said.

An oscilloscope and simple antenna can capture electromagnetic emissions from mobile devices. The large spikes correspond to secret keys used during cryptographic activity.

(Credit: Cryptography Research)

"While the chip performs cryptography it is massaging the secret key around in various ways. This processing causes information about the key to leak through the power consumption itself," said Jun.

For instance, someone with the proper equipment could steal the cryptographic key from a device three feet away in a cafe in as short a time as a few minutes, he said. An attacker could replicate the key with the information and use it to read a victim's e-mail or pretend to be the user in sensitive online transactions.

Smartphones and PDAs have been found to leak data unless they have countermeasures in place to protect against it, which Cryptography Research offers, according to Jun.

He would not say exactly which devices could be snooped on in this manner and said he did not know of any attacks in the wild using this method.

"I think we're about to start seeing it on smartphones," he said. "These attacks are not theoretical."

This type of attack first surfaced about 10 years ago on cash register terminals and postage meters. Similar data leakage was found with smartIDs, secure USB tokens, smart cards, and cable boxes, he said.

Countermeasures can involve randomizing to throw noise into the measurements or changing the way the computation is done, Jun said.

Asked to comment on how threatening this type of attack could be, cryptography expert Bruce Schneier said the basic question is who stands to lose?

"Honestly, I don't care if someone hacks a cable box--it's not my money. Similarly, I don't care how often a bank gets robbed as long as the bank doesn't deduct the losses out of my personal account," he said in an e-mail. "But if someone hacks my phone and either steals service that I am charged for, or causes me enough hassle to change my phone number, that's bad."

[01Phyxius]

Wasn't there something like this about keyboards, too?
Come on guys, figure out how to keep these things safe already!

[dhavleak]

http://en.wikipedia.org/wiki/Van_Eck_Phreaking

Or to summarize -- securtiy is a hard problem. The length you go to (and the price you pay in actual money and in convenience) depends on the value of the information you're securing.

[dacopper]

It used to be all I had to do was to sit next to a cell phone user with a simple receiver and catch the moment when he initiates a call to intercept his key. Now, I have to use an oscilloscope??? What a jip!

[heulenwolf]

Not sure I get the threat. So the o-scope tells you when the phone is sending keys. If the phones are so poorly-designed that they transmit the keys in the clear then that's the real problem. It can be solved with PKI and other secure key exchange approaches. Sure, it would be a massive project to agree on the specific solution and then update every cell tower in the world, but its doable. If the value of the key, itself, is somehow readable from the strength of the RF transmissions or the device's power draw, that's another problem entirely and it requires some explanation to seem reasonable. The article implies that its the latter but only shows evidence that its the former.

[elinormills]

This is from researcher Ben Jun:

In this case, the problem is indeed the latter.

It is possible to recover the secret key being used by the phone by analyzing the variations in the EM emissions or power draw during cryptographic operations. This is an instance of a side-channel attack, a major vulnerability that was discovered by Cryptography Research.

A side-channel attack extracts the secret key by analyzing sources of information beyond just the inputs and outputs of the operation. These additional sources of information, or side-channels, can include the device's power consumption, EM emissions, timing, etc. There are two broad categories of side channel attacks using power consumption: Simple Power Analysis ("SPA"), where the entire key is recoverable from the power/EM emission during a single cryptographic operation, and Differential Power Analysis ("DPA") where the key is recovered using statistical analysis of multiple side-channel traces collected over several cryptographic operations with the same key. Using basic tools such as an oscilloscope and computer, these side channel attacks are inexpensive and relatively straightforward to replicate.

Unless specific countermeasures are employed, all devices performing cryptography are vulnerable to side-channel analysis if the adversary can collect the necessary power consumption traces. Many devices, such as smart cards that use cryptography to enable sensitive financial transactions, already deploy countermeasures against side-channel attacks. For cell phones and other devices where security was previously only a minor afterthought, sensitive keys are now often present, making side channel attacks (and countermeasures) increasingly important.

You can find additional information on DPA and other side-channel attacks in the following white paper:
http://www.cryptography.com/resources/whitepapers/DPA-technical.html . A multi-media video describing the attacks and the various countermeasures can be found here (see the "Technology" section): http://www.cryptography.com/Video/DPA/index.html.