Side-channel radio attacks just got a whole lot worse: a group of researchers from Eurecom's Software and Systems Security Group has extracted crypto keys from the noise generated by ordinary communications chips.
Unlike more esoteric side-channels, which often need physical access to a target machine or some kind of malware implant, this leak comes from radio devices working as intended by the maker.
If an SoC packs analogue and digital circuitry on the same die, the CPU's digital switching inevitably leaks into the radio transmitter, and that leakage can be picked up from a distance.
As Tom Hayes of Eurecom wrote to El Reg in an email: “This type of leak is carried by the device's intended radio signal, and thus broadcast over a potentially longer distance” [than previous side-channel attacks].
“In our work we have demonstrated over-the-air extraction of AES keys from a consumer-grade Bluetooth device over a distance of 10 meters”, Hayes continued.
The paper describing their work, “Screaming Channels: When Electromagnetic Side Channels Meet Radio Transceivers”, explains that the physical mechanism involved is very simple.