Threat Category: Physical Access
ID: PHY-5
Threat Description: Side channel attacks allow adversaries to extract information or perform malicious actions via the implmentation of the system itself, rather than algorithmic weaknesses.1
Threat Origin
ECDSA Key Extraction from Mobile Devices Via Nonintrusive Physical Side Channels
Exploit Examples
New Attack Steals Secret Crypto Keys from Android and iOS Phones 2
Evolving differential power analysis targets SIM cards 3
CVE Examples
Not Applicable
Possible Countermeasures
To increase the difficulty of this attack, use devices that implement mitigations in their cryptograhic functions against side-channel attacks, such as iOS 9.x and later devices.
EnterpriseTo increase the difficulty of this attack, use devices that implement mitigations in their cryptograhic functions against side-channel attacks, such as iOS 9.x and later devices.
Avoid the use of apps that may implement their own cryptographic functions without validation that appropriate mitigations against side-channel attacks have been implemented.
Educate users to be mindful of their physical surroundings when using mobile devices, and to report the appearance of unexpected hardware components to IT security immediately.
Educate users to not directly connect their mobile devices to untrusted systems or docking stations, and to maintain strong physical security for innocent components such as USB charging cables
References
Wikipedia, Side-channel attack; https://en.wikipedia.org/wiki/Side-channel_attack [accessed 12/09/2019] ↩
D. Goodin, “New Attack Steals Secret Crypto Keys from Android and iOS Phones”, Ars Technica, 3 Mar. 2016; http://arstechnica.com/security/2016/03/new-attack-steals-secret-crypto-keys-from-android-and-ios-phones/ [accessed 8/25/2016] ↩
“Evolving differential power analysis targets SIM cards,” Rambus, 23 Sept. 2015; https://www.rambus.com/blogs/security-evolving-differential-power-analysis-targets-sim-cards/ [accessed 07/18/2017] ↩