Apple Pay launch in China
Apple Pay is one of the apps that is highly vulnerable to this hack Getty Images

Digital data, mainly financial, may be at risk for Android, iOS and other device users as cryptographic keys used in mobile wallets as Bitcoin wallet and Apple Pay can be stolen according to new research. A cryptographic key is the core part of cryptographic operations used commonly in digital asset transactions where a variable data is provided as input to a cryptographic algorithm to execute a specific operation.

The attack, in fact, in so non-invasive that it can be conducted by merely placing a magnetic probe in the proximity of the device, or using a power tap on its USB charging cable. It does not require any malicious software to be installed on the device or opening the device's case to tamper with hardware. The attack may seem far-fetched but if carried out will expose the victims to low-cost physical attacks resulting in theft of signing credentials and subsequent unauthorised transactions or false authentication in digital payments.

"An attacker can measure these physical effects using a $2 magnetic probe held in proximity to the device, or an improvised USB adapter connected to the phone's USB cable, and a USB sound card. Using only such measurements, one can fully extract secret signing keys," said the researchers in a blog post.

The attacked cryptographic algorithm in this case is ECDSA (Elliptic Curve Digital Signature Algorithm), a common digital signature algorithm used in many applications such as Bitcoin wallets, Apple Pay and many others that rely on vulnerable versions of OpenSSL, CoreBitcoin or iOS. The only way for users to be careful and make the hack impractical is for them to take care to closely inspect USB cables before plugging them in and look for probes near their phones.

The researchers stopped short of fully extracting the key on a Sony-Ericsson Xperia X10 Phone running Android. They believe such an attack is feasible and cited recently published research by a separate team that found a similar side-channel vulnerability in Android's version of the BouncyCastle crypto library.

The research also lists what are highly vulnerable:

  • Older versions of iOS—specifically, 7.1.2 through 8.3
  • The current 9.x version of iOS may not be at risk in general but when using vulnerable apps they can be attacked
  • CoreBitcoin is vulnerable which is used to protect Bitcoin wallets on iPhones and iPads
  • 1.0.x and 1.1.x versions of the OpenSSL code library are also susceptible except when compiled for x-86-64 processors with a non-default option selected or when running a special option available for ARM CPUs
  • Android's version of BouncyCastle