I'm aware of attacks extracting information via timing and volume. But none that care or attack the actual cryptographic algorithm implementation or end up extracting the key.
Seeking examples if any for such attacks which happened outside the lab, Or evidence where we suspect this was the means of attack used.
Any side channel: timing, sound, power, something else?
None that recover the key?
- Osvik, Shamir, Tromer, 2006: Recover AES-256 secret key of Linux’s dmcrypt in just 65 ms
- AlFardan, Paterson, 2013: “Lucky13” recovers plaintext of CBC-mode encryption in pretty much all TLS implementations
- Yarom, Falkner, 2014: Attack against RSA-2048 in GnuPG 1.4.13: “On average, the attack is able to recover 96.7% of the bits of the secret key by observing a single signature or decryption round.”
- Benger, van de Pol, Smart, Yarom, 2014: “reasonable level of success in recovering the secret key” for OpenSSL ECDSA using secp256k1 “with as little as 200 signatures”
Those are all examples of timing attacks that were usable in the wild. Also, they're all timing attacks. Nevermind Spectre, Meltdown, and the plethora of other predictive branching vulnerabilities that followed suit. There's also the RSA "exponent 3" attack (which I may or may not have exploited myself one or 2 times against web servers' TLS certificates)
(edit: The exponent 3 attack isn't really a side-channel attack but it's so hilarious I couldn't resist.)
In short, most timing attacks can be performed in the wild. There was even an issue with Amazon AWS instances that allowed someone to steal encryption keys from other instances simply by creating an AWS free tier account.
The good news is, usually researchers find them before bad actors and there's time to develop a fix before it gets too crazy. But these attacks are very real and usually crippling; both on paper and in practice.
I might suggest reading this document [PDF] which outlines the nature of such attacks in slightly more detail.
