A Wireless Covert Channel on Smart Cards (Short Paper)

  • Geir Olav Dyrkolbotn
  • Einar Snekkenes
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4307)


Microprocessor devices, such as smart cards, are used more and more to store and protect secret information. This development has its advantages, but microprocessor devices are susceptible to various attacks. Much attention has been devoted to side-channel attacks, exploiting unintentional correlation between internal secret information, such as cryptographic keys, and the various side channels. We present a wireless covert channel attack (WCCA) that intentionally correlates secret information with the electromagnetic side channel. WCCA exploits subversive code hidden on all cards during manufacture, to launch an attack, without physical access, when infected cards are used. Experiments on modern smart cards confirm that an insider with the opportunity to hide subversive code can potentially broadcast the card’s internal secrets to a nearby receiver. Security features against side-channel attacks will limit the range but not prevent the attack.


Smart Cards EMSide-Channel Subversion Wireless Covert Channel 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Giancoli, D.C.: Physics for Scientists and Engineers. Prentice-Hall, Englewood Cliffs (1989)Google Scholar
  2. 2.
    van Eck, W.: Electromagnetic radiation from video display units: An eavesdropping risk. Computers & Security 4, 269–286 (1985)CrossRefGoogle Scholar
  3. 3.
    Anderson, R., Kuhn, M.: Tamper resistance-a cautionary note. In: USENIX E-Commerce Workshop, pp. 1–11. USENIX Press (1996) ISBN 1-880446-83-9Google Scholar
  4. 4.
    Kocher, P.: Timing attacks on implementations of diffie-hellman, rsa, dss, and other systems. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 104–113. Springer, Heidelberg (1996)Google Scholar
  5. 5.
    Kocher, P., Jaffe, J., Jun, B.: Differential power analysis. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 388–397. Springer, Heidelberg (1999)Google Scholar
  6. 6.
    Quisquater, J.-J., Samyde, D.: A new tool for non-intrusive analysis of smart cards based on electromagnetic emissions:the sema and dema methods. In: Eurocrypt rump session (2000)Google Scholar
  7. 7.
    Quisquater, J.-J., Samyde, D.: Electromagnetic analysis (ema): Measures and counter-measures for smart cards. In: Attali, S., Jensen, T. (eds.) E-smart 2001. LNCS, vol. 2140, pp. 200–210. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  8. 8.
    Chari, S., Rao, J.R., Rohatgi, P.: Template attack. In: Kaliski Jr., B.S., Koç, Ç.K., Paar, C. (eds.) CHES 2002. LNCS, vol. 2523, pp. 13–28. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  9. 9.
    Agrawal, D., Archambeault, B., Rao, J.R., Rohatgi, P.: The em side-channel(s):attacks and assessment methodologies. In: CHES 2003. LNCS. Springer, Heidelberg (2003)Google Scholar
  10. 10.
    Agrawal, D., Archambeault, B., Rao, J.R., Rohatgi, P.: The em side-channel(s). In: Kaliski Jr., B.S., Koç, Ç.K., Paar, C. (eds.) CHES 2002. LNCS, vol. 2523, pp. 29–45. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  11. 11.
    Agrawal, D., Archambeault, B., Chari, S., Rao, J.R., Rohatgi, P.: Advances in side-channel cryptanalysis, electromagnetic analysis and template attacks. CryptoBytes 6(1), 20–32 (2003)Google Scholar
  12. 12.
    Agrawal, D., Rao, J.R., Rohatgi, P.: Multi-channel attack. In: Walter, C.D., Koç, Ç.K., Paar, C. (eds.) CHES 2003. LNCS, vol. 2779, pp. 2–16. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  13. 13.
    Rao, J.R., Rohatgi, P.: Empowering side-channel attacks. IACR ePrint, vol. 037 (2001)Google Scholar
  14. 14.
    Quisquater, J.-J., Samyde, D.: Automatic code recognition for smart cards using a kohonen neural network. In: 5th Smart Card Research and Advanced Application Conference, USENIX (2002)Google Scholar
  15. 15.
    Anderson, R., Kuhn, M.: Soft tempest: Hidden data transmission using electromagnetic emanations. In: Aucsmith, D. (ed.) IH 1998. LNCS, vol. 1525, pp. 124–142. Springer, Heidelberg (1998)CrossRefGoogle Scholar
  16. 16.
    Myers, P.A.: Subversion: The neglected aspect of computer security. Master’s thesis, Naval Postgraduate School (1980)Google Scholar
  17. 17.
    Peebles Jr., P.Z.: Digital Communication Systems. Prentice Hall, Englewood Cliffs (1987)Google Scholar
  18. 18.
    Couch II, L.W.: Digital and Analog Communication Systems. Macmillan, Basingstoke (1993)Google Scholar
  19. 19.
    Shannon, C.E., Weaver, W.: The Mathematical Theory of Communication. University of Illinois Press, US (1998)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Geir Olav Dyrkolbotn
    • 1
  • Einar Snekkenes
    • 1
  1. 1.Norwegian Information Security Lab, Department of Computer Science and Media TechnologyGjovik University CollegeGjovikNorway

Personalised recommendations