Skip to Content
Uncategorized

Eavesdropping on Smartphone Secrets

Researchers say that smartphones are vulnerable to an attack used to steal information from smartcards.
October 26, 2009

As cell phones become more like pocket computers, many people are calling for closer scrutiny of their security. Such people usually point out that today’s phones are a lot like the desktop PCs of the mid-1990s. Attackers can apply a huge body of experience from attacking desktop machines when looking for a way into mobile devices.

However, some experts argue that mobile phones are actually simple enough to be vulnerable to attacks originally designed for embedded systems.

“The phone is a very stripped-down environment,” says Benjamin Jun, vice president of technology at Cryptography Research, a security research company based in San Francisco, CA. “Which means that someone who’s trying to attack the device generally has an easier time, because it’s not as complicated as a desktop system.”

To demonstrate this, Cryptography Research adapted a smartcard attack for use against today’s smartphones.

About a decade ago, the company found that a technique called differential power analysis would allow an attacker to extract the cryptographic keys from a smartcard by analyzing its patterns of power consumption. As it turns out, Jun says, the same type of analysis will reveal the cryptographic keys that a phone uses to access a carrier’s network or to secure data stored on the device. In contrast, such an attack would be hard to pull off on a more complicated device, simply because a laptop, for example, would run more programs at the same time and produce a lot more noise.

The smartcard attack called for the attacker to be in possession of the object, but, in adapting it for smartphones, the researchers found a way to do the same types of calculations based on leaked electromagnetic signals picked up with an antenna.

Jun believes attacks on mobile devices are particularly serious because these devices are being used to access high-value corporate data.

But the bad news has a flip side. Jun notes that, just as attackers have experience exploiting vulnerabilities on embedded systems, manufacturers have experience developing countermeasures. Because embedded systems have even more limited memory and processing power than today’s mobile devices, he thinks these countermeasures would be relatively easy to translate to smartphones.

“The main question is whether protections can be done entirely in software or not,” Jun says. Entirely software-based solutions would be cheapest to roll out, he notes. Hardware countermeasures, however, are readily available and have already been shipped in millions of smartcards.

Keep Reading

Most Popular

Geoffrey Hinton tells us why he’s now scared of the tech he helped build

“I have suddenly switched my views on whether these things are going to be more intelligent than us.”

Deep learning pioneer Geoffrey Hinton has quit Google

Hinton will be speaking at EmTech Digital on Wednesday.

Video: Geoffrey Hinton talks about the “existential threat” of AI

Watch Hinton speak with Will Douglas Heaven, MIT Technology Review’s senior editor for AI, at EmTech Digital.

Doctors have performed brain surgery on a fetus in one of the first operations of its kind

A baby girl who developed a life-threatening brain condition was successfully treated before she was born—and is now a healthy seven-week-old.

Stay connected

Illustration by Rose Wong

Get the latest updates from
MIT Technology Review

Discover special offers, top stories, upcoming events, and more.

Thank you for submitting your email!

Explore more newsletters

It looks like something went wrong.

We’re having trouble saving your preferences. Try refreshing this page and updating them one more time. If you continue to get this message, reach out to us at customer-service@technologyreview.com with a list of newsletters you’d like to receive.