Researchers from UC3M Computer Security Lab and Instituto de Tecnologías Físicas y de la Información (Institute for Physical and Information Technologies, ITEFI) want to improve smartphone security of electronic devices.
The team focused on "lateral movement attacks," which happen when "someone tries to take advantage of a circumstance (in this case, any electric current producing a magnetic field) for illicit purposes (in this case, the attacker tries to extract the private password from the encryption, to which he theoretically should not have access)," explained one of the researchers, José María de Fuentes.
In previous methods, the researchers tried to attack the encrypted algorithm, the process to protect data, which typically has a complicated mathematical base. In later attempts, this type of lateral movement attacks has been developed to seek other ways of breaching security without having to “break” the math it is based on.
"When the devices are on, they use energy and generate electromagnetic fields. We try to capture their traces to obtain the encryption key and at the same time, decipher the data," explained another of the researchers, Lorena González, who is also from the UC3M COSEC.
"We want to make it known that these types of devices have vulnerabilities, because if an adversary attacks them, that is, if someone calculates the password that you are using on your cell phone, it will make you vulnerable, and your data will no longer be private," affirmed one of the other researchers, Luis Hernández Encinas. Hernández Encinas is from CSIC's ITEFI.
The basic goal of this research is to detect and specify the known vulnerabilities of electronic devices and that of their chips so the software and hardware developers can implement appropriate countermeasures in order to protect user security.
"Our work then will be to verify if this has been carried out correctly and try to attack again to check if there is any other type of vulnerability," added Hernández Encinas.
The most significant aspect of the project is that an architecture and work environment is being developed in which this type of lateral movement attack can continue to be explored. It is possible to extract encrypted information from other data, like variations in temperature of the device, the power consumption and the time it takes a chip to process a calculation.
The main objective of this research is to develop technological tools aimed at making cyberspace a safe, secure and trustworthy environment for public administrations, citizens and companies. For this reason, the research pursues three broad areas: massive analysis of data networks, cooperative cybersecurity and support systems for this area.
To read more about this research, visit the Universidad Carlos III de Madrid site.