New Encryption Attack Can Steal Android and iOS Data

by Tracy Knauer

The newest threat to data privacy on mobile devices enables attackers to break the encryption keys protecting data stored on Android phones and tablets and on iPhones, according to recently published academic research.

As The Register reports, the attack involves using a probe to collect a phone or tablet’s electromagnetic emissions while it is encrypting or decrypting data. The probe has to be within a few feet of the device.

The attack works by exploiting a vulnerability in software implementations of the Elliptic Curve Digital Signature Algorithm (ECDSA). Researchers say the attack could currently be used against Android devices, as well as iPhones and iPads running iOS versions 7.1.2 through 8.3.

iOS 9.x devices are not vulnerable at the operating system level. However, apps running on them that use their own encryption libraries, rather than the one provided by iOS, could be affected if their code is subject to the same vulnerability.

This attack may sound more like the stuff of science-fiction movies or spy novels than a real-world threat. And the fact that an attacker would need to be physically close to a device in order to break its encryption might make the threat seem insignificant.

However, while there have been no reports of this attack being used in the wild to steal data, it would be easier to execute than it might seem. The probe device needed to carry it out costs only $2. The probe could also be hidden easily — under a table, for example — in order to steal data from a targeted device.

Now that this vulnerability has been reported, the software libraries in which it exists will surely be updated to prevent it. But if you have an unpatched Android or iOS device, the risk is worth keeping in mind when protecting private data.
