As cell phones become more like pocket computers, many people are calling for closer scrutiny of their security. Such people usually point out that today’s phones are a lot like the desktop PCs of the mid-1990s. Attackers can apply a huge body of experience from attacking desktop machines when looking for a way into mobile devices.
However, some experts argue that mobile phones are actually simple enough to be vulnerable to attacks originally designed for embedded systems.
“The phone is a very stripped-down environment,” says Benjamin Jun, vice president of technology at Cryptography Research, a security research company based in San Francisco, CA. “Which means that someone who’s trying to attack the device generally has an easier time, because it’s not as complicated as a desktop system.”
To demonstrate this, Cryptography Research adapted a smartcard attack for use against today’s smartphones.
About a decade ago, the company found that a technique called differential power analysis would allow an attacker to extract the cryptographic keys from a smartcard by analyzing its patterns of power consumption. As it turns out, Jun says, the same type of analysis will reveal the cryptographic keys that a phone uses to access a carrier’s network or to secure data stored on the device. In contrast, such an attack would be hard to pull off on a more complicated device, simply because a laptop, for example, would run more programs at the same time and produce a lot more noise.
The smartcard attack called for the attacker to be in possession of the object, but, in adapting it for smartphones, the researchers found a way to do the same types of calculations based on leaked electromagnetic signals picked up with an antenna.
Jun believes attacks on mobile devices are particularly serious because these devices are being used to access high-value corporate data.
But the bad news has a flip side. Jun notes that, just as attackers have experience exploiting vulnerabilities on embedded systems, manufacturers have experience developing countermeasures. Because embedded systems have even more limited memory and processing power than today’s mobile devices, he thinks these countermeasures would be relatively easy to translate to smartphones.
“The main question is whether protections can be done entirely in software or not,” Jun says. Entirely software-based solutions would be cheapest to roll out, he notes. Hardware countermeasures, however, are readily available and have already been shipped in millions of smartcards.
How a Russian cyberwar in Ukraine could ripple out globally
Soldiers and tanks may care about national borders. Cyber doesn't.
Meet Altos Labs, Silicon Valley’s latest wild bet on living forever
Funders of a deep-pocketed new "rejuvenation" startup are said to include Jeff Bezos and Yuri Milner.
A horrifying new AI app swaps women into porn videos with a click
Deepfake researchers have long feared the day this would arrive.
Meta’s new learning algorithm can teach AI to multi-task
The single technique for teaching neural networks multiple skills is a step towards general-purpose AI.
Get the latest updates from
MIT Technology Review
Discover special offers, top stories, upcoming events, and more.