Researchers use Side-Channel attack to steal Encryption keys from Android and iOS Devices
Side-channel attacks have been used earlier to hack into air-gapped computers, but this is the first time researchers have used this vector to steal encryption keys from Android smartphones and iOS devices. Five researchers from universities in Tel Aviv and Adelaide have devised a new crypto side-channel attack that can extract encryption keys from the electromagnetic emanations of Android and iOS devices that are running cryptographic operations.
For the uninitiated, in cryptography, a side-channel attack is any attack based on information gained from the physical implementation of a cryptosystem, rather than brute force or theoretical weaknesses in the algorithms (compare cryptanalysis). For example, timing information, power consumption, electromagnetic leaks or even sound can provide an extra source of information, which can be exploited to break the system.
Android smartphones and iPhones can be hacked using a side-channel attack
Earlier, this method was demonstrated by researchers from Tel Aviv University to hack into air-gapped computers using electromagnetic pulses.
The five researchers have used a similar technique to hack into iPhones and Android smartphones, which they describe in the research paper "ECDSA Key Extraction from Mobile Devices via Nonintrusive Physical Side Channels".
Using the attack, the researchers could accurately reconstruct the original encryption key. The attack is carried out against the Elliptic Curve Digital Signature Algorithm (ECDSA), used by many Bitcoin wallets, Apple Pay, and even OpenSSL.
Researchers have successfully tested their attack by extracting encryption keys from devices running cryptographic operations for applications such as CoreBitcoin, Bitcoin Core, OpenSSL, and iOS apps implementing the iOS CommonCrypto library.
The potential hacker needs to place a $2 magnetic probe in a phone's proximity so that the radiation from the target device can be recorded. The radiation thus collected is converted into an electric current and sent via a USB cable to a nearby computer running signal processing software.
Because of the way the ECDSA algorithm works with data, CPUs will emit electromagnetic waves in a certain pattern for DOUBLE (x2) and ADD operations. By being able to recognize these two operations, the scientists would then be able to reconstruct how the algorithm works by guessing the other mathematical computations. By knowing the outputted data (encrypted traffic), the algorithm's inner workings (via recorded operation logs), and the two hints (the position of DOUBLE and ADD operations), researchers are then able to reconstruct the encryption key.
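To make the DOUBLE/ADD point concrete, here is an added example (not code from the research paper or from any of the libraries named above) using a simplified model: textbook binary double-and-add on a constructed toy curve, next to a Montgomery ladder whose operation sequence is the same for every key. The curve parameters and all function names are assumptions chosen for illustration.

```python
# Toy curve y^2 = x^3 + A*x + B over GF(P). Constructed parameters, far too small for real use.
P, A, B = 97, 2, 3
G = (3, 6)  # on the curve: 6*6 == 3**3 + 2*3 + 3 == 36

def add(p, q):
    """Affine point addition; None is the point at infinity."""
    if p is None or q is None:
        return p or q
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p == q:
        m = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        m = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (m * m - x1 - x2) % P
    return (x3, (m * (x1 - x3) - y1) % P)

def double_and_add(k, pt, trace):
    """Leaky: every bit costs a DOUBLE, but an ADD happens only for 1 bits."""
    acc = None
    for bit in bin(k)[2:]:
        acc = add(acc, acc)
        trace.append("D")
        if bit == "1":
            acc = add(acc, pt)
            trace.append("A")
    return acc

def scalar_from_trace(trace):
    """What telling D from A reveals: each D opens a bit, a following A sets it to 1."""
    bits = []
    for op in trace:
        if op == "D":
            bits.append("0")
        else:
            bits[-1] = "1"
    return int("".join(bits), 2)

def ladder(k, pt, nbits, trace):
    """Montgomery ladder: one ADD and one DOUBLE per bit, whatever the bit is.
    Real code replaces the secret-dependent indexing with a constant-time swap."""
    r = [None, pt]
    for i in reversed(range(nbits)):
        b = (k >> i) & 1
        r[1 - b] = add(r[0], r[1])
        r[b] = add(r[b], r[b])
        trace += "AD"
    return r[0]
```

The ladder only fixes the order of operations; a hardened implementation must also keep the field arithmetic and memory access independent of the key.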
The attack, though successful, is pretty impractical. For a successful attack, hackers need to have a lot of encryption operations logged to determine the initial encryption key. This may also require machines that can do complex calculations easily, which run-of-the-mill hackers can't afford.