Secret keys in a mobile phone can be revealed simply by monitoring its power consumption

01 June 2010
Cryptography Research is warning that closer scrutiny of smartphone security is now required, particularly against attacks that monitor the phone's power consumption.

There is a class of attacks that can reveal the secret keys and other information stored in a mobile phone simply by monitoring its power consumption, leaving an opening for fraudsters to exploit.

Cryptography Research discovered this vulnerability, Differential Power Analysis (DPA), in the mid-1990s during its work on smart cards. The payment card industry worked alongside Cryptography Research to implement countermeasures to make sure that the chips it uses in payment cards are safe. Today, about 4.5 billion cards that use Cryptography Research’s countermeasures against DPA attacks are shipped annually.

Cryptography Research says the DPA attack story is unfinished. Today, smartphones offer more applications and use more power to operate these functions. Yet, unlike a complicated desktop system, the phone is a very stripped-down environment, which means the job of an attacker is easier. By using simple equipment, an attacker can plot the amount of power consumed while your mobile phone is operating. After running some statistics, the fraudster can compromise the entire security of your phone.

Cryptography Research says that financial institutions and businesses involved in mobile commerce should be very careful. It is risky for them to take an existing piece of infrastructure designed for one purpose and try to use it for something else, unless they are very aware of where security might be jeopardized.
