
ECDSA smartphone key extraction using $2 magnetic probe - pizza
https://www.cs.tau.ac.il/~tromer/mobilesc/
======
p4bl0
Previous exciting works by the same research group (already discussed on HN):

\- Acoustic cryptanalysis :
[https://www.cs.tau.ac.il/~tromer/acoustic/](https://www.cs.tau.ac.il/~tromer/acoustic/)

\- Get Your Hand Off My Laptop :
[http://www.tau.ac.il/~tromer/handsoff/](http://www.tau.ac.il/~tromer/handsoff/)

I saw a live demo of the latter at the CHES 2014 conference in Busan, it was
really impressive.

Now to be honest, I'm less impressed by this new one because I already saw a
very similar attack on a smartphone using an EM probe (except maybe it was on
the RSA cryptosystem). I'm not entirely sure but it may have been at the CRI
demo stand at the CARTES convention in Paris in either 2012 or 2013.

~~~
schoen
CRI had a demo like that at RSA (the conference) around that time, so I think
your recollection is right.

------
weinzierl
This is impressive, especially given how cheaply the attack can be realized.
If you can get near the device you only need a coil and a sound card.

That being said:

> After observing the elliptic-curve double and add operations during a few
> thousand signatures, the secret signing key can be completely reconstructed.

This is probably the biggest obstacle for pulling this off in reality. I have
no idea what that means in minutes or hours you have to be near a phone doing
encryption though.

~~~
goalieca
A few thousand might be a lot of negotiations. Often the assymetric keys like
EC or RSA are only used once to negotiate a smaller/faster key for aes.

------
liotier
"The attack requires measuring a few thousand ECDSA signatures" \- so not
quite feasible by bumping into the target in a crowded subway.

~~~
digi_owl
And this is the kind of context i find often missing from security
discussions.

It will still protect against anything short of a determined attacker with
direct access to the hardware for an extended period.

Very little is secure against such a scenario, even less so if the attacker
don't care about the defender knowing after the fact.

But all too often security research seems to consider anything that can be
broken, even with the most complicated and time intensive of processes, as
insecure.

~~~
atonse
Correct – the fact that there exists a possible way to extract these secrets
is a chink in the armor. It's like how SHA1 started getting out of favor as
soon as they started finding a couple of collisions.

Interesting that Apple already fixed this in iOS 9. Makes me wonder what kinds
of crazy tests their security team must be doing, that they can mitigate such
things.

~~~
JonathonW
These sorts of side channel vulnerabilities aren't some sort of new
revelation-- the notion dates at least back to 2002 (per the authors' cited
references). For example, one of the design goals of DJB's NaCl [1] is to
mitigate side-channel vulnerabilities, specifically calling out data flow from
secrets to load addresses (which has been used to break AES via a timing
attack) and data flow from secrets to branch conditions (which is the sort of
thing that's happening here-- where you can see secret-dependent patterns in
the number and timing of operations in ECDSA computations) [2].

What's novel here is just how cheaply they're able to carry out these side-
channel attacks.

[1] [https://nacl.cr.yp.to/](https://nacl.cr.yp.to/)

[2]
[http://cr.yp.to/highspeed/coolnacl-20120725.pdf](http://cr.yp.to/highspeed/coolnacl-20120725.pdf)
\-- see section 3, Core security features and their impact

------
TimPrice
Only koblitz curves (secp256k1) seem to be secure?

On a related note, the Bernstein team designed Ed25519 with side channels
attacks in mind.
[https://en.wikipedia.org/wiki/EdDSA#Features](https://en.wikipedia.org/wiki/EdDSA#Features)

~~~
erichocean
It would have been nice if the paper had discussed Ed25519. Anyone else know
what the status is relative to this (and other, similar) work?

~~~
floodyberry-
The paper attacks implementations, not algorithms. As far as I know, all of
the of the major Ed25519 implementations are side channel protected and safe
(no branches on secret data, no array indexing with secret data)

------
ikeboy
HN discussion of the paper:
[https://news.ycombinator.com/item?id=11223266](https://news.ycombinator.com/item?id=11223266)

------
silent90
Capturing the CPU instructions by a side-channel is indeed possible but the
"real-life, working" use of the method described here is questionable for me.
CPU in modern phones runs above 1GHz. USB sound card they're using provides
max 192kHz which allows max 96kHz signal. 4 orders of magnitude less. There's
also a lot of noise from different circuitry (GPU, display, wireless comm.)
and laptop's noise as well which will obfuscate the signal.

~~~
korethr
It still strikes me as plausible. Sub-harmonics are a thing; it is entirely
possible to leak data about what the CPU is or isn't doing down into the
ultrasonic or audible bands.

As an example, one of my computers leaks a _ton_ of noise into the onboard
audio that quickly becomes audible with a moderate amount of gain. So much so,
that I've learned to recognize changes in the noise pattern from various
activities (shuffling windows around the gui, launching a program, compiling a
program, etc).

How practical a real-life, working use of the method described here will
depend in no small part how much noise the device being attacked casts off.
There's some pretty bad devices out there.

------
corradio
Would like to know where to get those $2 magnetic probes :o

~~~
Dwolb
Honestly, just strip coax away the outer sheath to expose the inner conductor.
Make a loop with the exposed inner conductor and solder back onto the sheath.
Increase the loop size or turns for lower frequencies.

~~~
friendzis
Stripped probe is electric. Looped probe is magnetic. Stripped/looped probe is
mixed probe. If you use coax - leave the shielding, just make sure to leave a
gap. Just look at this picture [1] from this quite good article [2]. Depending
on the design/equipment, you might need balancing/symmetrization.

Also directivity/sensitivity. While turn count will improve overall
sensitivity, loop size will increase directivity. Keep in mind that both loop
size and turn count affect probe filtering characteristics (it IS a filter),
so I highly recommend experimenting with several designs. Have a look at my
attempt at making magnetic probe from RG174 [3]. It is fat because of two
layers of thermal shrink tube, which made it stiff enough for my experiments
:)

It is hard to tell from a picture, but it should be that this probe uses two
wires exactly for this purpose: one acts as a central conductor, other as a
shield.

[1]: [http://www.compliance-
club.com/archive/old_archive/030718b.j...](http://www.compliance-
club.com/archive/old_archive/030718b.jpg) [2]: [http://www.compliance-
club.com/archive/old_archive/030718.ht...](http://www.compliance-
club.com/archive/old_archive/030718.htm) [3]:
[http://imgur.com/hiRUJl6](http://imgur.com/hiRUJl6)

------
PretzelPirate
One of my favorite articles on how someone extracted the private key from a
Trezor wallet: [http://johoe.mooo.com/trezor-power-
analysis/](http://johoe.mooo.com/trezor-power-analysis/)

------
rosege
I'm surprised that security researchers use Lenovo - at least apart from
researching/testing their devices.

~~~
omgtehlion
I suppose they have enough qualification to wipe clean those machines and
install linux or at least a clean copy of windows.

~~~
beagle3
On the contrary. They are qualified enough to know that there's not much they
can do, whether it is Lenovo, Apple or Dell.

------
devy
It's time for smartphone manufacturers to improve smartphone's EMI shielding
and improve key entropy!

~~~
lvs
Well, wideband EMI can't be fully shielded if you intend your phone to be a...
phone.

------
pbrumm
very interesting angle of attack. I wonder if you could use this avenue to get
something off of a yubikey?

------
TickleSteve
Is this how the FBI are going to get into the iPhone maybe??

~~~
nly
Not specifically. ECDSA is a signing algorithm. Unless there's some really
fancy asymmetric authentication protocol between components within the phone,
which perform curve operations, it's most unlikely. Of course, there's no
saying a hardware side-channel isn't a possible attack vector.

~~~
TickleSteve
There is a dedicated authentication coprocessor, to which the communications
will be authenticated, so yes.

~~~
ctz
The thing you're talking about ("secure enclave") is not present in the phone
the FBI are trying to attack.

Also, the Secure Enclave co-processor is on-die, so there will be no need to
authenticate or encrypt communications with it.

