by silent90 3743 days ago
Capturing the CPU instructions by a side-channel is indeed possible, but the "real-life, working" use of the method described here is questionable for me. The CPU in modern phones runs above 1GHz. The USB sound card they're using provides max 192kHz, which allows max 96kHz signal. 4 orders of magnitude less. There's also a lot of noise from different circuitry (GPU, display, wireless comm.) and the laptop's noise as well, which will obfuscate the signal.
2 comments

It still strikes me as plausible. Sub-harmonics are a thing; it is entirely possible to leak data about what the CPU is or isn't doing down into the ultrasonic or audible bands.

As an example, one of my computers leaks a ton of noise into the onboard audio that quickly becomes audible with a moderate amount of gain. So much so that I've learned to recognize changes in the noise pattern from various activities (shuffling windows around the GUI, launching a program, compiling a program, etc.).

How practical a real-life, working use of the method described here is will depend in no small part on how much noise the device being attacked casts off. There's some pretty bad devices out there.

You misunderstand the attack. You don't need to sample at 1GHz. Each 0 and each 1 in private key material leads to calculations taking thousands or tens of thousands of clock cycles. So you only need to sample EM radiation at around 100 kHz or 1 MHz.