Slashdot Mirror

← Back to Stories (view on slashdot.org)

Encryption Securing Mobile Money Transfers Can Be Broken

Posted by timothy on from the malware-in-the-middle-attack dept.

An anonymous reader writes: A group of researchers has proved that it is possible to break the encryption used by many mobile payment apps by simply measuring and analyzing the electromagnetic radiation emanating from smartphones. Modern cryptographic software on mobile phones, implementing the ECDSA digital signature algorithm, may inadvertently expose its secret keys through physical side channels: electromagnetic radiation and power consumption which fluctuate in a way that depends on secret information during the cryptographic computation.

28 comments

  1. Good! by Anonymous Coward · · Score: 1

    This means we don't have to fight with Apple every time we need to investigate a terrorist. We'll be safer as a result.

  2. It's called a side channel attack by Anonymous Coward · · Score: 1

    This place has gone full retard anymore.

    https://www.cs.tau.ac.il/~trom...

    There is useful link...

  3. Obviously by Big+Hairy+Ian · · Score: 4, Funny

    Apple will be the 1st to release a mobile phone that is protected by a Faraday Cage

    --

    Build a Man a Fire, and He'll Be Warm for a Day. Set a Man on Fire, and He'll Be Warm for the Rest of His Life.

    1. Re:Obviously by Anonymous Coward · · Score: 4, Funny

      They already did, it used the customer's hand to shield against signal interception

    2. Re:Obviously by The-Ixian · · Score: 1

      Yeah, and it will come in platinum and rose gold and cost only $199.99

      --
      My eyes reflect the stars and a smile lights up my face.
    3. Re:Obviously by wanfuse123 · · Score: 1

      I wonder how this will be affected by IoT connected homes using fusebox monitors and electric socket monitors and things. Seems an easy leap for a remote attacker to access a home network and get encryption keys from power draw information from the IoT devices!

  4. Not A Broken Encryption. Learn To Language. by Anonymous Coward · · Score: 3, Informative

    This is *not* a broken encryption (which the idiotic title suggests). Encryption is an algorithm. It doesn't exist physically.
    What is measured are side effects of the hardware at work. The hardware is broken then, but only if we assume it should be secure enough not to allow such measurements and analysis.

    >by simply measuring and analyzing the electromagnetic radiation emanating from smartphones
    This is not simple.
    That way you can 'simply' crack passwords by 'simply' looking at the keyboard when it is typed in.

    -- Ed

    1. Re: Not A Broken Encryption. Learn To Language. by Anonymous Coward · · Score: 0

      Yeah, what Ed said.... If the only way that's been found to get around the encryption is by analysis of electromagnetic radiation, that kind of means your phone is really freaking secure. This is interesting none the less, but an alarmist article as written.

    2. Re:Not A Broken Encryption. Learn To Language. by kav2k · · Score: 4, Informative

      While true that it doesn't break the encryption algorithm itself - such things are rare.

      But one can argue it breaks an implementation of an algorithm. Which, arguably, doesn't "exist physically" either, it's still a bunch of bytes.

      However, there are software countermeasures to some side channel attacks (like constant-time calculations), so question is whether such mitigation is possible here. Looking at the article - that's exactly what's lacking with some software.

      Notable quote:
      > The OpenSSL's developers notified us that "hardware side-channel attacks are not in OpenSSL's threat model"

    3. Re: Not A Broken Encryption. Learn To Language. by The+New+Guy+2.0 · · Score: 2

      Intercept isn't impersonation... just only understanding the protocol doesn't allow you to make a duplicate card.

    4. Re:Not A Broken Encryption. Learn To Language. by The-Ixian · · Score: 1

      The way I understand it, if code is written in such a way as to reference private information in a predictable way, this allows for the side channel attack described.

      It should be possible to minimize, randomize and obfuscate these "calls" so that there is no predictable pattern.

      So, no, I don't think it is just a hardware problem. Though, I am sure there are ways to beef this up as well.

      --
      My eyes reflect the stars and a smile lights up my face.
    5. Re:Not A Broken Encryption. Learn To Language. by Anonymous Coward · · Score: 0

      This is *not* a broken encryption (which the idiotic title suggests).

      Yeah:

      Several years ago I was talking with an NSA employee about a particular exploit. He told about how a system was broken; it was a sneaky attack, one that I didn't think should even count. "That's cheating," I said. He looked at me as if I'd just arrived from Neptune.

      * https://www.schneier.com/essays/archives/1999/10/risks_of_relying_on.html

  5. Flood the Channel by necro81 · · Score: 3, Interesting

    One potential countermeasure is to have the phone and receiver send back and forth lots of additional, random, and irrelevant chatter across the channel. This decreases the signal-to-noise ratio, and makes it harder for the potential attacker to figure out what the real key in all that communication and what is chaff.

    1. Re:Flood the Channel by Anonymous Coward · · Score: 0

      What happened to been efficient?? That just adds complexity.

    2. Re:Flood the Channel by BradleyUffner · · Score: 1

      Efficiency isn't a number on to its self, it's always relative to some task. If the task of an encryption algorithm is to securely transfer data between parties, then actually being secure and not leaking data via side channels is important in measuring the efficiency.

      For example. Many people consider old tungsten light bulbs to be inefficient because they convert most of the energy in to heat, which is wasted when lighting a room. If you use the bulb in a situation where the heat produced is important, like an Easy Bake Oven, the efficiency goes WAY up. When you use a "more efficient" halogen bulb in the same situation it isn't nearly as efficient as the old bulb.

    3. Re:Flood the Channel by necro81 · · Score: 1

      What happened to been efficient?? That just adds complexity.

      Meh, one could argue that doing all those calculations to encrypt something in the first place adds complexity and is a detriment to efficiency. It comes down to what's acceptable at a system level.

  6. attack requires external power supply by Gravis+Zero · · Score: 2

    This attack requires that the victim use an external power supply so that you can measure the power usage while they are performing the transfer. An unlikely attack configuration but smartphone makers could thwart all attack of this type by ensuring current draw while charging is consistent as to make it impossible to determine what the phone is doing.

    --
    Anons need not reply. Questions end with a question mark.
  7. Acceptable risk by Opportunist · · Score: 3, Insightful

    Yes, that "security hole" has been known for a while now. Yes. We know. In the end, the complexity of the attack and the circumstances required are so specific that it simply isn't a viable attack vector.

    In other words, yes, you can die from a lightning strike. But that doesn't keep you inside, does it?

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    1. Re:Acceptable risk by Gr8Apes · · Score: 1

      I'm in my basement, do I need to head to my safe room?

      --
      The cesspool just got a check and balance.
    2. Re:Acceptable risk by Anonymous Coward · · Score: 0

      Wasn't this the same exact attack used on SSL (timing) and smartcards (power consumption) like... amm... a really really long time ago? Measuring EM that leaks the same is just another venue for the same attack...

    3. Re:Acceptable risk by The-Ixian · · Score: 1

      It would be funny if your safe room was upstairs.

      --
      My eyes reflect the stars and a smile lights up my face.
    4. Re:Acceptable risk by bobo_1968 · · Score: 1

      Yes, that "security hole" has been known for a while...

      In other words, yes, you can die from a lightning strike. But that doesn't keep you inside, does it?

      I thought the same thing but reading the paper the attack scenario seems reasonable. Steps should be taken to guard against this. Another user suggested mandating constant current during charging. First, that may not be desirable for battery longevity (turbo charging when the battery is at low capacity vs charging when it's at high). Second, that's insufficient to stop the attack, as it does not seem to require the phone be charging.

      Attack Scenario.

      Small loops of wire acting as EM probes can be easily concealed inside various objects (such as tabletops, phone cases (especially those containing an extra battery), or even food items [GPPT15]). See Figure 1. Monitoring the phone’s power consumption can be easily done by augmenting an aftermarket charger, external battery or battery case with the requisite equipment.

      In this context, phone cases which contain an additional battery (and therefore are connected to the phone’s charging port) are especially dangerous since these can be augmented to monitor both channels simultaneously, thus obtaining a potentially cleaner signal.

      The EM probe does not need to be attached to the charging port, just close to touching the body of the phone. This is not an unreasonable attack, and even the harder modified USB charger scenario is feasible. Think airport charging stations with those little tables to rest the phone on, could potentially get both vectors.

      Or say you're a federal agency specializing in intercepting shipments and tampering with the hardware. Then you could hack aftermarket battery packs, for example. This is a real concern and should be taken seriously.

    5. Re:Acceptable risk by Anonymous Coward · · Score: 0

      I can DIE from a lightning strike?!?

      I'm never going outside again!

      (Dies of heart-attack due to combination of stress, drugs taken to combat stress, and sedentary lifestyle secondary to paranoia-induced agoraphobia.)

    6. Re:Acceptable risk by AHuxley · · Score: 1

      Re "I thought the same thing but reading the paper the attack scenario seems reasonable."
      Even if its only governments, mil and their contractors that can afford to do it or have the skilled teams in place? Then the ex staff and former staff and anyone who can afford the method via the services of ex and former staff around the world?
      Sooner or later every aspect of weak junk crypto is offered for sale on the open market. Best to fix such leaking issues at the design phase.
      A free traditional "charger" offered in a hotel room to a interesting guest who just arrived and has questions about their own hardware and the local power supply? Any nations security services could set up and hide a few devices in a hotel room for just that ability if a guests phone is placed in an expected location to charge :)
      Free chargers at locations expecting a larger flow of international guests or daily use. Altered to try and be within the distance.

      --
      Domestic spying is now "Benign Information Gathering"
  8. No data-dependant crypto implementations by DrYak · · Score: 3, Interesting

    but smartphone makers could thwart all attack of this type by ensuring current draw while charging is consistent as to make it impossible to determine what the phone is doing.

    Or simply use implementation of ECDSA, AES or other primitives that are note data-dependent (which behave always the same, no matter what plain-text or what key is submitted to them).
    example of a library build around such principles by Daniel J Bernstein.

    If an implementation makes some jumps or some allocations or some data manipulation, these are points that can be eavesdropped on.
    If an implementation does always the exact same step no matter what the data is, you'll have a lot less to spy on.

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
  9. Better than... by The+New+Guy+2.0 · · Score: 1

    This is still more secure than the printed raised numbers system. There's already "person wasn't there" schemes in place to detect a copy of a card, and I assume that'll still be in place even if a radiation device can fool the payment sensor.

  10. Mittigiating risk by DrYak · · Score: 1

    Yes. We know. In the end, the complexity of the attack and the circumstances required are so specific that it simply isn't a viable attack vector.

    This *peculiar* form of the attack is complicated: paying attention on the charging port. Possible implementation are quite limited (basically, having a public charging station with hacked USB charging ports).

    BUT, the same kind of attack vector (listening on outside signals to try to guess what's happening inside the computer) has had in the past a few quite more usable forms: a group of security researcher has presented guessing the key based on the *noise* produced by the computer. Works even with a smartphone's mic.

    And that's much more easy to put into practice.

    In other words, yes, you can die from a lightning strike. But that doesn't keep you inside, does it?

    It doesn't keep you inside, but it asks for minimal caution: you won't be waving a long metal rod, while completely wet and standing on the top of a high hill during a big thunder storm either.

    Or to go back to TFA: this won't necesserily stop you from using online payment, but would maybe prompt the OS and hardware manufacturer of smartphones not to use implementation of the crypto algorithms that have data-dependent bahaviour (conditional jumps, memory data manipulation or memory allocation that are dependant on the clear-text data or the key data). From the outside (and that means even to the eyes of another process running on the same CPU), the smartphone should behave the same no matter what sensitive data it is handling. Even if such implementation are slightly less efficient and slower thant the data-dependent variations (that's the case with AES, for example).

      There are such exemples, see Daniel J Bernstein's NaCl library

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]