CCS2016
ECDSA Key Extraction from Mobile Devices via Nonintrusive Physical Side Channels
Daniel Genkin, Lev Pachmanov, Itamar Pipman, Eran Tromer, Yuval Yarom
Cited 196 times
Abstract
We show that elliptic-curve cryptography implementations on mobile devices are vulnerable to electromagnetic and power side-channel attacks. We demonstrate full extraction of ECDSA secret signing keys from OpenSSL and CoreBitcoin running on iOS devices, and partial key leakage from OpenSSL running on Android and from iOS's CommonCrypto. These non-intrusive attacks use a simple magnetic probe placed in proximity to the device, or a power probe on the phone's USB cable. They use a bandwidth of merely a few hundred kHz, and can be performed cheaply using an audio card and an improvised magnetic probe.

* The authors thank Noam Nissan for programming and lab support during the course of this research.

This paper focuses, instead, on the Elliptic Curve Digital Signature Algorithm (ECDSA) [NIS13], a very popular signature scheme that is especially pertinent and critical in mobile devices due to its use in mobile payment apps such as Bitcoin wallets and Apple Pay. Attacking ECDSA raises new challenges:

• ECDSA signatures are computed faster than RSA, and thus the attacker gets less physical information at a given sampling rate. Increasing the sampling rate increases costs and runs into frequency-limited physical effects.
• More fundamentally, ECDSA signatures are randomized. When attacking deterministic operations, such as RSA decryption, attackers can rely on triggering numerous identical decryptions and then aggregating their recorded traces in order to improve signal-to-noise ratio and cope with transient events such as interrupts. But with ECDSA, one has to make deductions from individual traces that are noisy and frequently interrupted.

We raise the following questions:

1. How vulnerable are implementations of ECDSA, running on mobile phones, to physical side channel attacks?
2. Are these vulnerabilities common across different implementations and across different phone models?
3. What physical channels can be used for the attacks?
4. How expensive are such attacks, both in terms of complexity and in terms of financial outlay? Can they be conducted with concealed, portable equipment? Do they require high-grade lab equipment or can they be implemented using cheap, off-the-shelf equipment?

A concurrent and independent work of Belgarric et al. [BFMRT16a] provides valuable insight into some of these questions, demonstrating full key extraction from BouncyCastle's ECDSA implementation on a phone. That attack used an electromagnetic probe placed invasively inside the open case of a phone. It relied on triggering measurement via the USB interface, and (even though essentially relying on low-frequency signals) used an expensive oscilloscope. This leaves unexplored much of the space posed by the aforementioned questions.

Our Results

In this paper we demonstrate the first side channel attack on Elliptic Curve Cryptography (ECC) running on a smartphone which simultaneously achieves the following properties:

1. Real-World Implementations. We attacked the ECDSA implementation of OpenSSL running on iOS devices (iPhone and iPad) as well as Android devices. In particular, we attacked the CoreBitcoin library, based on OpenSSL, which is used by popular Bitcoin wallets on iOS devices. We also attacked the built-in ECDSA implementation of iOS's CommonCrypto library.
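
The introduction's point about trace aggregation, as an added simulation that is not from the paper: under an assumed toy leakage model (one sample per scalar bit, level 0 or 1, plus Gaussian noise; all names and parameters are hypothetical), averaging repeated runs of a deterministic operation removes the noise, while averaging runs that each use a fresh nonce reveals nothing about any single nonce.

```python
import random

def leak_trace(bits, sigma, rng):
    """One constructed trace: a sample per scalar bit, level 0/1 plus Gaussian noise."""
    return [b + rng.gauss(0.0, sigma) for b in bits]

def average(traces):
    """Point-wise mean of equally long traces."""
    n = len(traces)
    return [sum(col) / n for col in zip(*traces)]

def bit_error_rate(trace, bits):
    """Threshold each sample at 0.5 and count disagreements with the true bits."""
    wrong = sum((s > 0.5) != bool(b) for s, b in zip(trace, bits))
    return wrong / len(bits)

def random_bits(n, rng):
    """Constructed stand-in for a secret scalar or a per-signature nonce."""
    return [rng.getrandbits(1) for _ in range(n)]

def experiment(n_traces=400, n_bits=256, sigma=1.0, seed=2016):
    rng = random.Random(seed)
    # Deterministic operation: the same secret-dependent bits in every run.
    fixed = random_bits(n_bits, rng)
    fixed_traces = [leak_trace(fixed, sigma, rng) for _ in range(n_traces)]
    # Randomized operation: a fresh nonce for every signature.
    nonces = [random_bits(n_bits, rng) for _ in range(n_traces)]
    nonce_traces = [leak_trace(k, sigma, rng) for k in nonces]
    return {
        # One noisy trace alone: many bits are misread.
        "single_trace": bit_error_rate(fixed_traces[0], fixed),
        # Averaging identical runs shrinks the noise by sqrt(n_traces).
        "averaged_fixed": bit_error_rate(average(fixed_traces), fixed),
        # Averaging over unrelated nonces, scored against the first nonce.
        "averaged_nonces": bit_error_rate(average(nonce_traces), nonces[0]),
    }

if __name__ == "__main__":
    for name, ber in experiment().items():
        print(f"{name:16s} bit error rate = {ber:.3f}")
```

The averaged-nonce error rate stays near one half because the mean mixes unrelated nonces, which is why the ECDSA setting forces deductions from individual noisy traces.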