Encryption Securing Mobile Money Transfers Can Be Broken

An anonymous reader writes: A group of researchers has proved that it is possible to break the encryption used by many mobile payment apps by simply measuring and analyzing the electromagnetic radiation emanating from smartphones. Modern cryptographic software on mobile phones, implementing the ECDSA digital signature algorithm, may inadvertently expose its secret keys through physical side channels: electromagnetic radiation and power consumption which fluctuate in a way that depends on secret information during the cryptographic computation.

Obviously

[Big+Hairy+Ian]

Apple will be the 1st to release a mobile phone that is protected by a Faraday Cage

Re:Obviously

They already did, it used the customer's hand to shield against signal interception

Not A Broken Encryption. Learn To Language.

This is *not* a broken encryption (which the idiotic title suggests). Encryption is an algorithm. It doesn't exist physically.
What is measured are side effects of the hardware at work. The hardware is broken then, but only if we assume it should be secure enough not to allow such measurements and analysis.

>by simply measuring and analyzing the electromagnetic radiation emanating from smartphones
This is not simple.
That way you can 'simply' crack passwords by 'simply' looking at the keyboard when it is typed in.

-- Ed

Re:Not A Broken Encryption. Learn To Language.

[kav2k]

While true that it doesn't break the encryption algorithm itself - such things are rare.

But one can argue it breaks an implementation of an algorithm. Which, arguably, doesn't "exist physically" either, it's still a bunch of bytes.

However, there are software countermeasures to some side channel attacks (like constant-time calculations), so question is whether such mitigation is possible here. Looking at the article - that's exactly what's lacking with some software.

Notable quote:
> The OpenSSL's developers notified us that "hardware side-channel attacks are not in OpenSSL's threat model"

Flood the Channel

[necro81]

One potential countermeasure is to have the phone and receiver send back and forth lots of additional, random, and irrelevant chatter across the channel. This decreases the signal-to-noise ratio, and makes it harder for the potential attacker to figure out what the real key in all that communication and what is chaff.

Acceptable risk

[Opportunist]

Yes, that "security hole" has been known for a while now. Yes. We know. In the end, the complexity of the attack and the circumstances required are so specific that it simply isn't a viable attack vector.

In other words, yes, you can die from a lightning strike. But that doesn't keep you inside, does it?

No data-dependant crypto implementations

[DrYak]

but smartphone makers could thwart all attack of this type by ensuring current draw while charging is consistent as to make it impossible to determine what the phone is doing.

Or simply use implementation of ECDSA, AES or other primitives that are note data-dependent (which behave always the same, no matter what plain-text or what key is submitted to them).
example of a library build around such principles by Daniel J Bernstein.

If an implementation makes some jumps or some allocations or some data manipulation, these are points that can be eavesdropped on.
If an implementation does always the exact same step no matter what the data is, you'll have a lot less to spy on.