Your iPhone Broadcasts All Your Encrypted Secrets, For Anyone To Read [MWC 2012]


Using just a cheap TV antenna, hackers could decrypt all of the secrets on your iPhone. Photo Jens Rost/Flickr (CC BY-SA 2.0)

BARCELONA, MOBILE WORLD CONGRESS 2012 — Last night I was treated to a security demonstration. Cryptography Research director Pankaj Rohatgi pointed a cheap, standard TV antenna at an iPod Touch several feet away that was running standard RSA encryption operations.

On the screen of his oscilloscope was a waveform generated by his custom software, showing distinct troughs at semi-regular intervals. These troughs, and their accompanying flattish peaks, represented the ones and zeroes of the private keys used in every secure communication we make today, sucked right out of the iPod. With no further cracking required, all of your private operations can be read as if in plain text.

How is this done? From the electronic noise generated by every microchip as it goes about its processing duties.

It’s called a side-channel attack, and unless your software defends against it, every computing device is vulnerable. There is one ray of light, though: The hacker needs to be very close. The Radio-Shack-style antenna used by Rohatgi can sniff patterns from a few feet away. Using more expensive, specially-tuned equipment could extend that range. Not enough for remote cracking, but enough to steal your details in a largish room.

Side-channel attacks work thanks to a weakness in ECC and RSA private key operations. These are at the heart of encrypted connections like the SSL session between you and your bank’s website, for example. When RSA software crunches the numbers in your key to perform an encryption, it typically runs a sequence of operations that are either multiplications only, or multiplications and square operations combined. Each of these operations causes the chip it is running on to emit a different electrical signal, and the pattern of those signals spells out the ones and zeros of the key, so plainly that even I could see it on the screen.

Just by measuring the signals, you can break a key almost instantly. Scary. And it will crack a notebook or an iPhone: they’re all the same.

So how can this be fixed? The software has to be rewritten to hide these peaks and troughs, doing the math in a way that doesn’t reveal the key through the act of processing it. This can be done by individual developers, or it can be done at the OS level. Clearly it would be better to have Apple bake this into iOS, protecting everything.
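As an added illustration (not from the article, and not Cryptography Research’s code), the toy Python below models the side channel as the list of operations the chip performs: the textbook square-and-multiply routine leaks every key bit through its operation sequence, while a Montgomery-ladder rewrite of the kind the paragraph above calls for performs the same operations for every bit. The base, key and modulus values are constructed for the demo.

```python
def naive_modexp(base, exp, mod):
    """Textbook left-to-right square-and-multiply.

    Returns (base**exp % mod, trace), where trace lists the operations the
    chip performs in order: 'S' for a squaring, 'M' for a multiplication.
    The trace stands in for the radiated signal the article describes.
    """
    result, trace = 1, []
    for bit in bin(exp)[2:]:
        result = (result * result) % mod
        trace.append("S")
        if bit == "1":                       # multiply only for a 1 bit
            result = (result * base) % mod
            trace.append("M")
    return result, trace


def bits_from_trace(trace):
    """Read the exponent off a naive trace: 'S' alone is a 0, 'S M' is a 1."""
    bits = []
    for op in trace:
        if op == "S":
            bits.append("0")
        else:
            bits[-1] = "1"
    return "".join(bits)


def ladder_modexp(base, exp, mod):
    """Montgomery ladder: one multiply and one square for every bit.

    The operation sequence no longer depends on the key, so the trace is
    identical for any exponent of the same length.  A full countermeasure
    also needs constant-time arithmetic and key-independent memory access;
    this toy only shows the operation-sequence part.
    """
    r0, r1, trace = 1, base % mod, []        # invariant: r1 == r0 * base
    for bit in bin(exp)[2:]:
        if bit == "0":
            r1, r0 = (r0 * r1) % mod, (r0 * r0) % mod
        else:
            r0, r1 = (r0 * r1) % mod, (r1 * r1) % mod
        trace += ["M", "S"]                  # same pattern whatever the bit
    return r0, trace


if __name__ == "__main__":
    key, mod = 0b1011010, 1000003            # constructed toy values
    _, leaky = naive_modexp(5, key, mod)
    print("naive trace :", "".join(leaky), "->", bits_from_trace(leaky))
    print("ladder trace:", "".join(ladder_modexp(5, key, mod)[1]))
```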

Don’t worry too much, though. The majority of crypto hacking goes on over the internet, sniffing at the transactions you make every day. That makes you feel a lot better, right?

  • Evgen Bodunov

    lol. it shows waves and those were secret key bytes definitely! :)) could anyone decrypt one single sms using a TV antenna? or pick up my twitter password? no, because this article is bullshit.

  • ??nD ??os??A

    “running standard RSA encryption operations” is the problem… if all the device is doing is running RSA then maybe, just maybe you could discern keying data from radiated noise. But in a real system the RSA operation is only one of many threads running and to be able to identify exactly when it is running, based purely on the EM noise that is generated, sounds like a long shot. This looks like a company just trying to get some press. Cryptography Research is a division of Rambus. I rest my case.

  • Shaunathan Sprocket

    don’t send sensitive data around anyone carrying a large TV antenna. Got it.