ECDSA Key Extraction from Mobile Devices via Nonintrusive Physical Side Channels

Daniel Genkin Lev Pachmanov Itamar Pipman Eran Tromer Yuval Yarom
Technion and Tel Aviv University Tel Aviv University Tel Aviv University Tel Aviv University The University of Adelaide and NICTA
This research was conducted at Tel Aviv University's Laboratory for Experimental Information Security (LEISec), in collaboration with The University of Adelaide.

Paper

Summary

We show that modern cryptographic software on mobile phones, implementing the ECDSA digital signature algorithm, may inadvertently expose its secret keys through physical side channels: electromagnetic radiation and power consumption which fluctuate in a way that depends on secret information during the cryptographic computation. An attacker can non-invasively measure these physical effects using a $2 magnetic probe held in proximity to the device, or an improvised USB adapter connected to the phone's USB cable, and a USB sound card. Using such measurements, we were able to fully extract secret signing keys from OpenSSL and CoreBitcoin running on iOS devices. We also showed partial key leakage from OpenSSL running on Android and from iOS's CommonCrypto.

The attacked cryptographic algorithm is ECDSA (Elliptic Curve Digital Signature Algorithm), a standard digital signature algorithm used in many applications such as Bitcoin wallets and Apple Pay. Thus, such applications, especially those that rely on vulnerable versions of OpenSSL, CoreBitcoin or iOS, may expose their users to low-cost physical attacks leading to theft of signing credentials and subsequent unauthorized transactions or false authentication.

Our methodology includes physical signal acquisition from mobile devices (phones and tablet), signal processing for signal extraction and enhancement using Singular Spectrum Analysis, and a lattice-based algorithm for recovering the secret signing key by aggregating partial information learned from many randomized signing operations.

Here is an example of an electromagnetic attack setup (underneath the glass tabletop), that can be used to attack a mobile phone placed on the table.

Electromagnetic measurement
Mounting a cheap EM attack on an iPhone 4 using an improvised EM probe. The target (top right) is measured by the improvised probe (taped to the underside of a glass table). The signal is captured by a Tracker Pre sound card connected to a laptop (under the table).
Improvised electromagnetic probe
Improvised probe (view from under the glass table).

Q&A

Q1: What is the status of the vulnerable libraries?

Practicing responsible disclosure, we have worked with the vendors of all targeted software to convey our findings and coordinate response, prior to public disclosure.

Application-level status is as follows:

Q2: What does the measured electromagnetic signal look like?

The electromagnetic signal is measured using a magnetic probe, and digitized by a sound card, a software-defined radio, or a lab-grade sampling card. After some digital filtering, the raw signal looks like this:
Processed signal
A segment of the electromagnetic signal obtained during a single signature (after filtering).
In order to obtain a clearer trace, we applied singular spectrum analysis (SSA). The resulting trace trace looks like this:
Aggregate signal
A segment of the electromagnetic signal, after singular spectrum analysis.
The information required for successful key extraction is the sequence of double and add operations done on the elliptic curve (marked D and A respectively). These operations can be gleaned above, but we can detect them much more reliably by analyzing the frequency components of the trace:
Detecting additions
(top) A denoised trace with add operations marked as A.
(middle) Zoomed-in view of the spectrogram of the trace. The energy of add operations is clearly visible.
(bottom) Energy as a function of time of the visible part of the spectrogram (after enhancement and smoothing).
Peaks approximate the location of add operations.

After observing the elliptic-curve double and add operations during a few thousand signatures, the secret signing key can be completely reconstructed.

Q3: You attacked ECDSA on phones. What about other cryptographic schemes? How about PCs?

Other cryptographic schemes, running on laptop computers, are also vulnerable to non-invasive physical side-channel key-extraction attacks. In prior works we attacked:
Ongoing works evaluates the security of additional cryptographic schemes.

Q4: Why did you attack ECDSA? Is it any different from the prior works on RSA, ElGamal and ECDH?

We focused on extracting secrets keys of the ECDSA (Elliptic Curve Digital Signature Algorithm), for two reasons:

Q5: What if I can't get physically close enough to the target device?

For RSA and ElGamal, similar attacks have been demonstrated from large distances, including across walls:

Power analysis measurements
Mounting a cheap power analysis attack on an iPhone 4 through its charging port. This setup includes a portable battery (bottom, left), a power monitoring probe (bottom, middle) and an iPhone 4 (bottom, right). The power probe is then connected to the Tracker Pre sound card (top, middle) and the attacker's laptop (top, left).

Q6: How realistic is the attack? What is its cost in practice?

We showed that the signal can be measured and analyzed using cheap and readily-available equipment: a USB sound card hooked to a laptop, some wires, and a $2 probe (that can also be made out of plain wires).

Small loops of wire acting as EM probes can be easily concealed inside various objects that come in proximity with mobile devices, such as tabletops and phone cases. The phone's power consumption can be easily monitored by augmenting an aftermarket charger, external battery or battery case with the requisite equipment. Phone cases which contain an additional battery (and therefore are connected to the phone's charging port) can even be augmented to monitor both channels simultaneously.

The attack requires measuring a few thousand ECDSA signatures. How this may be done depends on the particular application being attacked. For example, in Bitcoin micropayment channels, which allow making lightweight out-of-blockchain automated payments for an ongoing service, each payment requires an ECDSA signature.

Q7: Most of your pictures are of iPhones. What about Android phones?

OpenSSL's ECDSA running on Android phones is also vulnerable to our attacks. For example, here is a Sony Xperia 10s being measured, with our lab-grade measurement equipment:
Electromagnetic measurements
Attacking a Sony-Ericsson Xperia x10 phone. Left to right: analysis laptop,  power supply, ZPUL 30P amplifier (gray box), Ettus N200 (white box), and phone being attacked using the Langer LF-R 400 probe (blue).
A concurrent and independent work, Side-Channel Analysis of Weierstrass and Koblitz Curve ECDSA on Android Smartphones, also studied the vulnerability of Android's BouncyCastle's ECDSA implementation, and found it vulnerable to (intrusive) electromagnetic key extraction attacks.

Acknowledgments