Spanish researchers are developing a tool that will scan smartphones for 'electromagnetic emanations' that could be used to obtain encryption keys as part of an attack.
The researchers, José María de Fuentes and Lorena González from the Universidad Carlos III de Madrid (UC3M) Computer Security Lab (COSEC) and Luis Hernández Encinas from the Spanish National Research Council's Institute for Physical and Information Technologies (ITEFI), are aiming to improve mobile device security by seeing if they can extract an encryption key from any electric current producing a magnetic field that is emitted by a smartphone.
Lorena González explains
: "when the devices are on, they use energy and generate electromagnetic fields. We try to capture their traces to obtain the encryption key and at the same time, decipher the data."
This kind of attack methodology is nothing new. The researchers here refer to it as a 'lateral movement attack' although this genre of threat is more widely known as a side-channel attack. In the past, security researchers have been able to extract encrypted data using everything from temperature variations to power consumption. Under lab conditions.
The question being, then, are such side-channel attacks something that CISOs and others out in the real world enterprise need to worry about?
Andy Lilly, CTO at Armour Comms, points out that such attacks that depend on electromagnetic emissions or power fluctuations from a device performing cryptographic functions "typically rely on quite accurate measurements, made at relatively close range, and often over a number of repeated cycles of data." Outside of the lab this usually means that such attacks are "typically going to be performed only by advanced threat actors (with suitably sophisticated equipment) who can obtain reasonably long-term, physical access, to a target device."
And as those actors will only invest to this degree if they can be reasonably confident there is something valuable (however that value might be defined in any given scenario) and they have a starting point for a lateral movement attack such as an idea of the crypto employed. "Use in the real world will be minimal" Lilly concludes "unless you happen to be a spy or drugs baron whose just had their phone grabbed by the NSA..."
Amit Sethi, senior principal consultant at Synopsys, argues that these type of side-channel attacks are "very practical in some scenarios." So, those as outline above, but also things like payment systems and systems that enforce digital rights according to Sethi. Whilst admitting that these attack types are currently less practical, especially in a noisy environment where the attacker has little control over the cryptographic computations being performed, Sethi warns "we cannot wait until an attack becomes practical before we start designing mitigations; by that point, it is too late."
Talking of mitigations, are there any practical ones or are such tightly targeted attacks game over anyway? "Generally no" says Mike Davis, principal research scientist at IOActive "side channels are something that must considered at the hardware and software level at design time, so long as side-channel key extraction is a consideration in your threat matrix."
I'll leave the final word with Ian Trump, chief technology officer at Octopi Research Lab (UK) Ltd who served with the Military Intelligence Branch of the Canadian Forces. "This discussion takes me back to my first military lessons in 1989 regarding TEMPEST protections of computer systems against electronic eavesdropping" Trump told SC Media UK. "Any EM radiation, power consumption, blinking activity lights or mechanical acoustic sounds may provide the enemy with the opportunity to gain information and perhaps insight into the activities of the protected computer system." While Trump admits that these vectors of attack are unlikely to become a commonplace attack, that doesn't mean the research is of no value. "In terms of the encryption backdoor debate" Trump concludes "the research provides yet another opportunity for law enforcement and intelligence agencies (acting under lawful authority) to use their scientific acumen to gain access to an encrypted device – without degrading encryption universally for everyone using encryption..."