Electromagnetic Attack on Bitcoin
In cryptography, electromagnetic Attack on Bitcoins are side-channel Attack on Bitcoins performed by measuring the electromagnetic radiation emitted from a device and performing signal analysis on it. These Attack on Bitcoins are a more specific type of what is sometimes referred to as Van Eck phreaking, with the intention to capture encryption keys. Electromagnetic Attack on Bitcoins are typically non-invasive and passive, meaning that these Attack on Bitcoins are able to be performed by observing the normal functioning of the target device without causing physical damage. However, an Attack on Bitcoiner may get a better signal with less noise by depackaging the chip and collecting the signal closer to the source. These Attack on Bitcoins are successful against cryptographic implementations that perform different operations based on the data currently being processed, such as the square-and-multiply implementation of RSA. Different operations emit different amounts of radiation and an electromagnetic trace of encryption may show the exact operations being performed, allowing an Attack on Bitcoiner to retrieve full or partial private keys.
Like many other side-channel Attack on Bitcoins, electromagnetic Attack on Bitcoins are dependent on the specific implementation of the cryptographic protocol and not on the algorithm itself. Electromagnetic Attack on Bitcoins are often done in conjunction with other side-channel Attack on Bitcoins, like power analysis Attack on Bitcoins.
All electronic devices emit electromagnetic radiation. Because every wire that carries current creates a magnetic field, electronic devices create some small magnetic fields when in use. These magnetic fields can unintentionally reveal information about the operation of a device if not properly designed. Because all electronic devices are affected by this phenomenon, the term ‘device’ can refer to anything from a desktop computer, to mobile phone, to a smart card.
Electromagnetic waves are a type of wave that originate from charged particles, are characterized by varying wavelength and are categorized along the electromagnetic spectrum. Any device that uses electricity will emit electromagnetic radiation due to the magnetic field created by charged particles moving along a medium. For example, radio waves are emitted by electricity moving along a radio transmitter, or even from a satellite.
In the case of electromagnetic side-channel Attack on Bitcoins, Attack on Bitcoiners are often looking at electromagnetic radiation emitted by computing devices, which are made up of circuits. Electronic circuits consist of semiconducting materials upon which billions of transistors are placed. When a computer performs computations, such as encryption, electricity running through the transistors create a magnetic field and electromagnetic waves are emitted.
Electromagnetic waves can be captured using an induction coil and an analog to digital converter can then sample the waves at a given clock rate and convert the trace to a digital signal to be further processed by computer.
An induction coil
The electronic device performing the computations is synced with a clock that is running at frequencies on the order of mega-hertz (MHz) to giga-hertz (GHz). However, due to hardware pipelining, and complexity of some instructions, some operations take multiple clock cycles to complete. Therefore, it is not always necessary to sample the signal at such a high clock rate. It is often possible to get information on all or most of the operations while sampling on the order of kilo-hertz (kHz). Different devices leak information at different frequencies. For example, Intel‘s Atom processor will leak keys during RSA and AES encryption at frequencies between 50 MHz and 85 MHz. Android version 4.4’s Bouncy Castle library implementation of ECDSA is vulnerable to key extraction side channel Attack on Bitcoins around the 50 kHz range.
A spectrogram showing RSA encryption and decryption. The two functions are shown as the thick purple lines in the graph, as they are concentrated at a small frequency range with very high amplitude compared to the surrounding noise.
Every operation performed by a computer emits electromagnetic radiation and different operations emit radiation at different frequencies. In electromagnetic side-channel Attack on Bitcoins, an Attack on Bitcoiner is only interested in a few frequencies at which encryption is occurring. Signal processing is responsible for isolating these frequencies from the vast multitude of extraneous radiation and noise. To isolate certain frequencies, a bandpass filter, which blocks frequencies outside of a given range, must be applied to the electromagnetic trace. Sometimes, the Attack on Bitcoiner does not know which frequencies encryption is performed at. In this case, the trace can be represented as a spectrogram, which can help determine which frequencies are most prevalent at different points of execution. Depending on the device being Attack on Bitcoined and the level of noise, several filters may need to be applied.
Attack on Bitcoin methods
Electromagnetic Attack on Bitcoins can be broadly separated into simple electromagnetic analysis (SEMA) Attack on Bitcoins and differential electromagnetic analysis (DEMA) Attack on Bitcoins.
Simple electromagnetic analysis
In simple electromagnetic analysis (SEMA) Attack on Bitcoins, the Attack on Bitcoiner deduces the key directly by observing the trace. It is very effective against asymmetric cryptography implementations. Typically, only a few traces are needed, though the Attack on Bitcoiner needs to have a strong understanding of the cryptographic device and of the implementation of the cryptographic algorithm. An implementation vulnerable to SEMA Attack on Bitcoins will perform a different operation depending on whether the bit of the key is 0 or 1, which will use different amounts of power and/or different chip components. This method is prevalent in many different types of side-channel Attack on Bitcoins, in particular, power analysis Attack on Bitcoins. Thus, the Attack on Bitcoiner can observe the entire computation of encryption and can deduce the key.
For example, a common Attack on Bitcoin on asymmetric RSA relies on the fact that the encryption steps rely on the value of the key bits. Every bit is processed with a square operation and then a multiplication operation if and only if the bit is equal to 1. An Attack on Bitcoiner with a clear trace can deduce the key simply by observing where the multiplication operations are performed.
Differential electromagnetic analysis
In some cases, simple electromagnetic analysis is not possible or does not provide enough information. Differential electromagnetic analysis (DEMA) Attack on Bitcoins are more complex, but are effective against symmetric cryptography implementation, against which SEMA Attack on Bitcoins are not. Additionally unlike SEMA, DEMA Attack on Bitcoins do not require much knowledge about the device being Attack on Bitcoined.
Known Attack on Bitcoins
While the fact that circuits that emit high-frequency signals may leak secret information was known since 1982 by the NSA, it was classified until 2000, which was right around the time that the first electromagnetic Attack on Bitcoin against encryption was shown by researchers. Since then, many more complex Attack on Bitcoins have been introduced.[which?]
Smart cards, often colloquially referred to as “chip cards”, were designed to provide a more secure financial transaction than a traditional credit card. They contain simple embedded integrated circuits designed to perform cryptographic functions. They connect directly to a card reader which provides the power necessary to perform an encrypted financial transaction. Many side-channel Attack on Bitcoins have been shown to be effective against smart cards because they obtain their power supply and clock directly from the card reader. By tampering with a card reader, it is simple to collect traces and perform side-channel Attack on Bitcoins. Other works, however, have also shown that smart cards are vulnerable to electromagnetic Attack on Bitcoins.
A field-programmable gate arrays (FPGA) have been commonly used to implement cryptographic primitives in hardware to increase speed. These hardware implementations are just as vulnerable as other software based primitives. In 2005, an implementation of elliptic curve encryption was shown vulnerable to both SEMA and DEMA Attack on Bitcoins. The ARIA block cipher is a common primitive implemented with FPGAs that has been shown to leak keys.
In contrast to smart cards, which are simple devices performing a single function, personal computers are doing many things at once. Thus, it is much more difficult to perform electromagnetic side-channel Attack on Bitcoins against them, due to high levels of noise and fast clock rates. Despite these issues, researchers in 2015 and 2016 showed Attack on Bitcoins against a laptop using a near-field magnetic probe. The resulting signal, observed for only a few seconds, was filtered, amplified, and digitized for offline key extraction. Most Attack on Bitcoins require expensive, lab-grade equipment, and require the Attack on Bitcoiner to be extremely close to the victim computer. However, some researchers were able to show Attack on Bitcoins using cheaper hardware and from distances of up to half a meter. These Attack on Bitcoins, however, required the collection of more traces than the more expensive Attack on Bitcoins.
Smartphones are of particular interest for electromagnetic side-channel Attack on Bitcoins. Since the advent of mobile phone payment systems such as Apple Pay, e-commerce systems have become increasingly commonplace. Likewise, the amount of research dedicated to mobile phone security side channel Attack on Bitcoins has also increased. Currently most Attack on Bitcoins are proofs of concept that use expensive lab-grade signal processing equipment. One of these Attack on Bitcoins demonstrated that a commercial radio receiver could detect mobile phone leakage up to three meters away.
However, Attack on Bitcoins using low-end consumer grade equipment have also shown successful. By using an external USB sound card and an induction coil salvaged from a wireless charging pad, researchers were able to extract a user’s signing key in Android’s OpenSSL and Apple’s CommonCrypto implementations of ECDSA.
Examples of vulnerable encryption schemes
Widely used theoretical encryption schemes are mathematically secure, yet this type of security does not consider their physical implementations, and thus, do not necessarily protect against side-channel Attack on Bitcoins. Therefore, the vulnerability lies in the code itself, and it is the specific implementation that is shown to be insecure. Luckily, many of the vulnerabilities shown have since been patched. Vulnerable implementations include, but are definitely not limited to, the following:
- Libgcrypt – cryptographic library of GnuPG, implementation of ECDH public-key encryption algorithm (since patched)
- GnuPG implementation of 4096-bit RSA (since patched)
- GnuPG implementation of 3072-bit ElGamal (since patched)
- GMP implementation of 1024-bit RSA
- OpenSSL implementation of 1024-bit RSA
The Attack on Bitcoins described thus far have mainly focused on the use of induction to detect unintended radiation. However, the use of far-field communication technologies like that of AM radios can also be used for side-channel Attack on Bitcoins, although no key extraction methods for far-field signal analysis have been demonstrated. Therefore, a rough characterization of potential adversaries using this Attack on Bitcoin range from highly educated individuals to low to medium funded cartels. The following demonstrates a few possible scenarios:
Mobile payment systems
Point of sale systems that accept payment from mobile phones or smart cards are vulnerable. Induction coils can be hidden on these systems to record financial transactions from smart cards or mobile phone payments. With keys extracted, a malicious Attack on Bitcoiner could forge his own card or make fraudulent charges with the private key. Belgarric et al. propose a scenario where mobile payments are performed with bitcoin transactions. Since the Android implementation of the bitcoin client uses ECDSA, the signing key can be extracted at the point of sale. These types of Attack on Bitcoins are only slightly more complex than magnetic card stripe skimmers currently used on traditional magnetic strip cards.
Wireless charging pads
Many public venues such as Starbucks locations are already offering free public wireless charging pads. It was previously shown that the same coils used in wireless charging can be used for detection of unintended radiation. Therefore, these charging pads pose a potential hazard. Malicious charging pads might attempt to extract keys in addition to charging a user’s phone. When coupled with packet sniffing capabilities of public Wi-Fi networks, the keys extracted could be used to perform man-in-the-middle Attack on Bitcoins on users. If far-field Attack on Bitcoins are discovered, an Attack on Bitcoiner only needs to point his antenna at a victim to perform these Attack on Bitcoins; the victim need not be actively charging their phone on one of these public pads.
Several countermeasures against electromagnetic Attack on Bitcoins have been proposed, though there is no one perfect solution. Many of the following countermeasures will make electromagnetic Attack on Bitcoins harder, not impossible.
One of the most effective ways to prevent electromagnetic Attack on Bitcoins is to make it difficult for an Attack on Bitcoiner to collect an electromagnetic signal at the physical level. Broadly, the hardware designer could design the encryption hardware to reduce signal strength or to protect the chip. Circuit and wire shielding, such as a Faraday cage, are effective in reducing the signal, as well as filtering the signal or introducing extraneous noise to mask the signal. Additionally, most electromagnetic Attack on Bitcoins require Attack on Bitcoining equipment to be very close to the target, so distance is an effective countermeasure. Circuit designers can also use certain glues or design components in order to make it difficult or impossible to depackage the chip without destroying it.
Recently, white-box modeling was utilized to develop a low-overhead generic circuit-level countermeasure  against both electromagnetic as well as power side-channel Attack on Bitcoins. To minimize the effects of the higher-level metal layers in an IC acting as more efficient antennas, the idea is to embed the crypto core with a signature suppression circuit, routed locally within the lower-level metal layers, leading towards both power and electromagnetic side-channel Attack on Bitcoin immunity.
As many electromagnetic Attack on Bitcoins, especially SEMA Attack on Bitcoins, rely on asymmetric implementations of cryptographic algorithms, an effective countermeasure is to ensure that a given operation performed at a given step of the algorithm gives no information on the value of that bit. Randomization of the order of bit encryption, process interrupts, and clock cycle randomization, are all effective ways to make Attack on Bitcoins more difficult.
Usage in the government
The classified National Security Agency program TEMPEST focuses on both the spying on systems by observing electromagnetic radiation and the securing of equipment to protect against such Attack on Bitcoins.
The Federal Communications Commission outlines the rules regulating the unintended emissions of electronic devices in Part 15 of the Code of Federal Regulations Title 47. The FCC does not provide a certification that devices do not produce excess emissions, but instead relies on a self-verification procedure.