Encryption Securing Mobile Money Transfers Can Be Broken 28
An anonymous reader writes: A group of researchers has proved that it is possible to break the encryption used by many mobile payment apps by simply measuring and analyzing the electromagnetic radiation emanating from smartphones. Modern cryptographic software on mobile phones, implementing the ECDSA digital signature algorithm, may inadvertently expose its secret keys through physical side channels: electromagnetic radiation and power consumption which fluctuate in a way that depends on secret information during the cryptographic computation.
Good! (Score:1)
This means we don't have to fight with Apple every time we need to investigate a terrorist. We'll be safer as a result.
It's called a side channel attack (Score:1)
This place has gone full retard anymore.
https://www.cs.tau.ac.il/~trom... [tau.ac.il]
There is useful link...
Obviously (Score:5, Funny)
Re:Obviously (Score:4, Funny)
They already did, it used the customer's hand to shield against signal interception
Re: (Score:2)
Yeah, and it will come in platinum and rose gold and cost only $199.99
Re: (Score:1)
Not A Broken Encryption. Learn To Language. (Score:3, Informative)
This is *not* a broken encryption (which the idiotic title suggests). Encryption is an algorithm. It doesn't exist physically.
What is measured are side effects of the hardware at work. The hardware is broken then, but only if we assume it should be secure enough not to allow such measurements and analysis.
>by simply measuring and analyzing the electromagnetic radiation emanating from smartphones
This is not simple.
That way you can 'simply' crack passwords by 'simply' looking at the keyboard when it is typed in.
-- Ed
Re: (Score:3)
Intercept isn't impersonation... just only understanding the protocol doesn't allow you to make a duplicate card.
Re:Not A Broken Encryption. Learn To Language. (Score:5, Informative)
While true that it doesn't break the encryption algorithm itself - such things are rare.
But one can argue it breaks an implementation of an algorithm. Which, arguably, doesn't "exist physically" either, it's still a bunch of bytes.
However, there are software countermeasures to some side channel attacks (like constant-time calculations), so question is whether such mitigation is possible here. Looking at the article - that's exactly what's lacking with some software.
Notable quote:
> The OpenSSL's developers notified us that "hardware side-channel attacks are not in OpenSSL's threat model"
Re: (Score:2)
The way I understand it, if code is written in such a way as to reference private information in a predictable way, this allows for the side channel attack described.
It should be possible to minimize, randomize and obfuscate these "calls" so that there is no predictable pattern.
So, no, I don't think it is just a hardware problem. Though, I am sure there are ways to beef this up as well.
Flood the Channel (Score:4, Interesting)
Re: (Score:1)
Efficiency isn't a number on to its self, it's always relative to some task. If the task of an encryption algorithm is to securely transfer data between parties, then actually being secure and not leaking data via side channels is important in measuring the efficiency.
For example. Many people consider old tungsten light bulbs to be inefficient because they convert most of the energy in to heat, which is wasted when lighting a room. If you use the bulb in a situation where the heat produced is important,
Re: (Score:2)
Meh, one could argue that doing all those calculations to encrypt something in the first place adds complexity and is a detriment to efficiency. It comes down to what's acceptable at a system level.
attack requires external power supply (Score:3)
This attack requires that the victim use an external power supply so that you can measure the power usage while they are performing the transfer. An unlikely attack configuration but smartphone makers could thwart all attack of this type by ensuring current draw while charging is consistent as to make it impossible to determine what the phone is doing.
No data-dependant crypto implementations (Score:4, Interesting)
but smartphone makers could thwart all attack of this type by ensuring current draw while charging is consistent as to make it impossible to determine what the phone is doing.
Or simply use implementation of ECDSA, AES or other primitives that are note data-dependent (which behave always the same, no matter what plain-text or what key is submitted to them).
example of a library build around such principles by Daniel J Bernstein [cr.yp.to].
If an implementation makes some jumps or some allocations or some data manipulation, these are points that can be eavesdropped on.
If an implementation does always the exact same step no matter what the data is, you'll have a lot less to spy on.
Acceptable risk (Score:4, Insightful)
Yes, that "security hole" has been known for a while now. Yes. We know. In the end, the complexity of the attack and the circumstances required are so specific that it simply isn't a viable attack vector.
In other words, yes, you can die from a lightning strike. But that doesn't keep you inside, does it?
Re: (Score:1)
Re: (Score:2)
It would be funny if your safe room was upstairs.
Re: (Score:1)
Yes, that "security hole" has been known for a while...
In other words, yes, you can die from a lightning strike. But that doesn't keep you inside, does it?
I thought the same thing but reading the paper the attack scenario seems reasonable. Steps should be taken to guard against this. Another user suggested mandating constant current during charging. First, that may not be desirable for battery longevity (turbo charging when the battery is at low capacity vs charging when it's at high). Second, that's insufficient to stop the attack, as it does not seem to require the phone be charging.
Attack Scenario.
Small loops of wire acting as EM probes can be easily concealed inside various objects (such as tabletops, phone cases (especially those containing an extra battery), or even food items [GPPT15]). See Figure 1. Monitoring the phone’s power consumption can be easily done by augmenting an aftermarket charger, external battery or battery case with the requisite equipment.
In this context, phone cases which contain an additional battery (and therefore are connected to the phone’s charging port) are especially dangerous since these can be augmented to monitor both channels simultaneously, thus obtaining a potentially cleaner signal.
The EM probe does not need to be attached to the charging port, just clos
Re: (Score:2)
Even if its only governments, mil and their contractors that can afford to do it or have the skilled teams in place? Then the ex staff and former staff and anyone who can afford the method via the services of ex and former staff around the world?
Sooner or later every aspect of weak junk crypto is offered for sale on the open market. Best to fix such leaking issues at the design phase.
A free traditional "charger" o
Mittigiating risk (Score:2)
Yes. We know. In the end, the complexity of the attack and the circumstances required are so specific that it simply isn't a viable attack vector.
This *peculiar* form of the attack is complicated: paying attention on the charging port. Possible implementation are quite limited (basically, having a public charging station with hacked USB charging ports).
BUT, the same kind of attack vector (listening on outside signals to try to guess what's happening inside the computer) has had in the past a few quite more usable forms: a group of security researcher has presented guessing the key based on the *noise* produced by the computer. Works even with a smart
Better than... (Score:2)
This is still more secure than the printed raised numbers system. There's already "person wasn't there" schemes in place to detect a copy of a card, and I assume that'll still be in place even if a radiation device can fool the payment sensor.