Paper 2025/559
Is Your Bluetooth Chip Leaking Secrets via RF Signals?
Abstract
In this paper, we present a side-channel attack on the hardware AES accelerator of a Bluetooth chip used in millions of devices worldwide, ranging from wearables and smart home products to industrial IoT. The attack leverages information about AES computations unintentionally transmitted by the chip together with RF signals to recover the encryption key. Unlike traditional side-channel attacks that rely on power or near-field electromagnetic emissions as sources of information, RF-based attacks leave no evidence of tampering, as they do not require package removal, chip decapsulation, or additional soldered components. However, side-channel emissions extracted from RF signals are considerably weaker and noisier, necessitating more traces for key recovery. The presented profiled machine learning-assisted attack can recover the full encryption key from 90,000 traces captured at a one-meter distance from the target device, with each trace being an average of 10,000 samples per encryption. This is a twofold improvement over the correlation analysis-based attack on the same AES accelerator.
Metadata
- Available format(s)
- PDF
- Category
- Attacks and cryptanalysis
- Publication info
- Published elsewhere. The 55th International Symposium on Multiple-Valued Logic (ISMVL 2025)
- Keywords
- Symmetric-key cryptography, AES, CCM, side-channel attack, CPA
- Contact author(s)
- yanning @ kth se
- dubrova @ kth se
- ruize @ kth se
- History
- 2025-03-28: approved
- 2025-03-26: received
- Short URL
- https://ia.cr/2025/559
- License
- CC BY
BibTeX
@misc{cryptoeprint:2025/559,
  author = {Yanning Ji and Elena Dubrova and Ruize Wang},
  title = {Is Your Bluetooth Chip Leaking Secrets via {RF} Signals?},
  howpublished = {Cryptology {ePrint} Archive, Paper 2025/559},
  year = {2025},
  url = {https://eprint.iacr.org/2025/559}
}