Skip to Content
Uncategorized

Eavesdropping on Smartphone Secrets

Researchers say that smartphones are vulnerable to an attack used to steal information from smartcards.
October 26, 2009

As cell phones become more like pocket computers, many people are calling for closer scrutiny of their security. Such people usually point out that today’s phones are a lot like the desktop PCs of the mid-1990s. Attackers can apply a huge body of experience from attacking desktop machines when looking for a way into mobile devices.

However, some experts argue that mobile phones are actually simple enough to be vulnerable to attacks originally designed for embedded systems.

“The phone is a very stripped-down environment,” says Benjamin Jun, vice president of technology at Cryptography Research, a security research company based in San Francisco, CA. “Which means that someone who’s trying to attack the device generally has an easier time, because it’s not as complicated as a desktop system.”

To demonstrate this, Cryptography Research adapted a smartcard attack for use against today’s smartphones.

About a decade ago, the company found that a technique called differential power analysis would allow an attacker to extract the cryptographic keys from a smartcard by analyzing its patterns of power consumption. As it turns out, Jun says, the same type of analysis will reveal the cryptographic keys that a phone uses to access a carrier’s network or to secure data stored on the device. In contrast, such an attack would be hard to pull off on a more complicated device, simply because a laptop, for example, would run more programs at the same time and produce a lot more noise.

The smartcard attack called for the attacker to be in possession of the object, but, in adapting it for smartphones, the researchers found a way to do the same types of calculations based on leaked electromagnetic signals picked up with an antenna.

Jun believes attacks on mobile devices are particularly serious because these devices are being used to access high-value corporate data.

But the bad news has a flip side. Jun notes that, just as attackers have experience exploiting vulnerabilities on embedded systems, manufacturers have experience developing countermeasures. Because embedded systems have even more limited memory and processing power than today’s mobile devices, he thinks these countermeasures would be relatively easy to translate to smartphones.

“The main question is whether protections can be done entirely in software or not,” Jun says. Entirely software-based solutions would be cheapest to roll out, he notes. Hardware countermeasures, however, are readily available and have already been shipped in millions of smartcards.

Deep Dive

Uncategorized

Uber Autonomous Vehicles parked in a lot
Uber Autonomous Vehicles parked in a lot

It will soon be easy for self-driving cars to hide in plain sight. We shouldn’t let them.

If they ever hit our roads for real, other drivers need to know exactly what they are.

stock art of market data
stock art of market data

Maximize business value with data-driven strategies

Every organization is now collecting data, but few are truly data driven. Here are five ways data can transform your business.

Cryptocurrency fuels new business opportunities

As adoption of digital assets accelerates, companies are investing in innovative products and services.

Mifiprex pill
Mifiprex pill

Where to get abortion pills and how to use them

New US restrictions could turn abortion into do-it-yourself medicine, but there might be legal risks.

Stay connected

Illustration by Rose WongIllustration by Rose Wong

Get the latest updates from
MIT Technology Review

Discover special offers, top stories, upcoming events, and more.

Thank you for submitting your email!

Explore more newsletters

It looks like something went wrong.

We’re having trouble saving your preferences. Try refreshing this page and updating them one more time. If you continue to get this message, reach out to us at customer-service@technologyreview.com with a list of newsletters you’d like to receive.