Slashdot Mirror


Encryption Securing Mobile Money Transfers Can Be Broken

An anonymous reader writes: A group of researchers has proved that it is possible to break the encryption used by many mobile payment apps by simply measuring and analyzing the electromagnetic radiation emanating from smartphones. Modern cryptographic software on mobile phones, implementing the ECDSA digital signature algorithm, may inadvertently expose its secret keys through physical side channels: electromagnetic radiation and power consumption which fluctuate in a way that depends on secret information during the cryptographic computation.

3 of 28 comments

  1. Obviously by Big+Hairy+Ian · Score: 4, Funny

    Apple will be the 1st to release a mobile phone that is protected by a Faraday Cage

    --

    Build a Man a Fire, and He'll Be Warm for a Day. Set a Man on Fire, and He'll Be Warm for the Rest of His Life.

    1. Re:Obviously by Anonymous Coward · Score: 4, Funny

      They already did, it used the customer's hand to shield against signal interception

  2. Re:Not A Broken Encryption. Learn To Language. by kav2k · Score: 4, Informative

    While true that it doesn't break the encryption algorithm itself - such things are rare.

    But one can argue it breaks an implementation of an algorithm. Which, arguably, doesn't "exist physically" either, it's still a bunch of bytes.

    However, there are software countermeasures to some side channel attacks (like constant-time calculations), so the question is whether such mitigation is possible here. Looking at the article - that's exactly what's lacking with some software.

    Notable quote:
    > The OpenSSL's developers notified us that "hardware side-channel attacks are not in OpenSSL's threat model"
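
The constant-time countermeasure mentioned in the comment above, shown as an added example that is not part of the thread, the article, or OpenSSL's code: a scalar multiplication whose operation sequence depends on the secret, next to a fixed-sequence Montgomery ladder. Integers modulo a constructed modulus `M` stand in for curve points, and all function names are hypothetical.

```python
# Added illustration; not code from the article, the researchers, or OpenSSL.
# Stand-in group: integers modulo M under addition replace curve points, so
# "double" and "add" are cheap but the control flow matches scalar multiplication.
M = 2**61 - 1  # constructed modulus for the stand-in group


def double_and_add(k, p):
    """Textbook scalar multiplication: an add happens only for 1-bits of k."""
    acc, trace = 0, []
    for bit in bin(k)[2:]:
        acc = (2 * acc) % M
        trace.append("D")
        if bit == "1":              # secret-dependent branch
            acc = (acc + p) % M
            trace.append("A")
    return acc, "".join(trace)


def montgomery_ladder(k, p, bits):
    """Fixed-length ladder: one add and one double per bit, whatever k is."""
    r0, r1, trace = 0, p, []
    for i in reversed(range(bits)):
        mask = -((k >> i) & 1)      # 0 or all-ones, used instead of an if
        t = (r0 ^ r1) & mask        # conditional swap without branching
        r0, r1 = r0 ^ t, r1 ^ t
        r1 = (r0 + r1) % M          # always one add ...
        r0 = (2 * r0) % M           # ... and always one double
        trace.append("AD")
        t = (r0 ^ r1) & mask        # swap back
        r0, r1 = r0 ^ t, r1 ^ t
    return r0, "".join(trace)


def bits_from_trace(trace):
    """What an observer who can tell D from A reads off double_and_add."""
    return int(trace.replace("DA", "1").replace("D", "0"), 2)
```

The ladder only makes the sequence of operations uniform; Python integers are not constant-time, and a real implementation also needs constant-time field arithmetic underneath.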