New exploit steals secret cryptographic keys from mobile devices

A group of security researchers has devised a new attack scheme to steal cryptographic keys from both Android and iOS devices.

A team of security researchers from Tel Aviv University, Technion and The University of Adelaide has elaborated a new attack scheme to steal cryptographic keys from both Android and iOS devices.

Last month, the same team has demonstrated hot to steal sensitive information from targeted air-gapped systems, in June 2015, the group demonstrated that encryption keys can accidentally leak from a PC via radio waves by using a cheap consumer-grade kit.

This new attack allows the researchers to steal any kind of cryptographic keys including Bitcoin wallets and Apple Pay accounts.

“An attacker can non-invasively measure these physical effects using a $2 magnetic probe held in proximity to the device, or an improvised USB adapter connected to the phone’s USB cable, and a USB sound card. Using such measurements, we were able to fully extract secret signing keys from OpenSSL and CoreBitcoin running on iOS devices.” states a blog post published by the experts. “We also showed partial key leakage from OpenSSL running on Android and from iOS’s CommonCrypto.”

The researchers explained that their hacking technique is a non-invasive Side-Channel Attack. The attackers are able to extract the crypto key from a targeted device by analyzing the pattern of memory utilization or the electromagnetic outputs that are emitted during the decryption process.

The exploit devised by the researchers works against the Elliptic Curve Digital Signature Algorithm (ECDSA) used in the majority of applications based on cryptographic algorithms, including Bitcoin wallets and Apple Pay.

The researchers used a $2 magnetic probe placed near an iPhone 4 while the mobile devices were performing cryptographic operations in order to measure enough electromagnetic emanations and extract the secret cryptographic keys used by many different applications.

Another possible attack scenario sees a home-made USB pass-through adapter connected to the USB cable of the smartphone and a USB sound card to capture the signal.

Obviously, the attacker needs a physical access to the device to place a probe or cable in proximity, the attack also needs the targeted device will perform enough crypto operations to measure a few thousand of ECDSA signatures.

The team also successfully tested the attack on a Sony-Ericsson Xperia X10 Phone running Android.

“OpenSSL’s ECDSA running on Android phones is also vulnerable to our attacks. For example, here is a Sony Xperia 10s being measured, with our lab-grade measurement equipment:”

The group of researchers also cited a study conducted by another team of security experts that devised a similar Side-Channel attack exploiting a flaw in the Android version of the BouncyCastle crypto library. In this attack scenario, an attacker could analyze electromagnetic emissions to extract cryptographic keys.

All the iOS versions from 7.1.2 to 8.3 are vulnerable to the side-channel attack, only exception is the last iOS 9.x version that implements security countermeasures against side-channel attacks.

The experts highlighted that hackers can exploit vulnerabilities affecting mobile applications running on mobile devices. The researchers demonstrated how to hack the iOS app CoreBitcoin that is used to protect Bitcoin wallets on Apple mobile devices.

If you want more details give a look to the paper published by the researchers.

Pierluigi Paganini

(Security Affairs – cryptographic keys, hacking)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.