In one, they say they were able to hijack an Internet-connected security cam and capture footage of the power LED of a smart card reader 16 meters away. After processing and analyzing the footage, the team was able to recover the 256-bit key.
Wow! That’s incredibly impressive.
In another study, they were able to take iPhone footage of the power LED of Logitech speakers that were hooked up to an USB hub that was also charging a Samsung Galaxy S8 smart phone. From looking at the speakers’ power LED and analyzing its colors and brightness, the team says they were able to uncover the 378-bit key for the Samsung Galaxy — a remarkable scenario because the key was solved indirectly by looking at another connected device.
Holy shit! That’s unbelievable! By which I mean: I don’t believe you.
With the help of this video I found their paper. So: In order to compromise the smart card reader, they hooked up their own hardware to it and caused it to perform 10,500 signature operations while they carefully measured the brightness of the LED. For the Samsung private key attack, they’re applying in a novel way an already-known timing attack caused by an interaction between the crypto library and the power-saving features of the processor. They threw large numbers of carefully crafted cryptographic operations at the CPU to cause it to change its voltage and power characteristics in ways it’s not supposed to, which they then detected at a distance by observing the speaker’s LED, which led them to be able to deduce the private key.
It’s still extremely impressive and 100% valid research. But, I feel that “if we have access to the hardware / ability to attack the software at length, and in addition we can watch the LEDs, the LEDs can help with the attack operation we conduct” is a little different than what the article made it sound like.
Yeah, I pulled the paper as well since I was curious. As far as I understand it, for the card reader, they use the data they get from the LED to help with solving the key. The LEDs leak crucial information about each encryption calculation and some specific calculations give away more info than others so they had to capture many key exchanges. Not super useful in most cases but it demonstrates a novel way to observe leaked info.
I’ll add a link to the paper to the post for easier access.
Sounds good to me. Like I say it’s still extremely impressive; there’s no need to omit the “and they also did a conventional attack at the same time which the LED helped with” part for it to be a great story.
Wow! That’s incredibly impressive.
Holy shit! That’s unbelievable! By which I mean: I don’t believe you.
Power fluctuations on a USB hub indicate power draw and can be directly related to data sent over the bus. I can totally believe this.
This video explains the method in more detail: https://youtu.be/ITqBKRZvS3Y
With the help of this video I found their paper. So: In order to compromise the smart card reader, they hooked up their own hardware to it and caused it to perform 10,500 signature operations while they carefully measured the brightness of the LED. For the Samsung private key attack, they’re applying in a novel way an already-known timing attack caused by an interaction between the crypto library and the power-saving features of the processor. They threw large numbers of carefully crafted cryptographic operations at the CPU to cause it to change its voltage and power characteristics in ways it’s not supposed to, which they then detected at a distance by observing the speaker’s LED, which led them to be able to deduce the private key.
It’s still extremely impressive and 100% valid research. But, I feel that “if we have access to the hardware / ability to attack the software at length, and in addition we can watch the LEDs, the LEDs can help with the attack operation we conduct” is a little different than what the article made it sound like.
Yeah, I pulled the paper as well since I was curious. As far as I understand it, for the card reader, they use the data they get from the LED to help with solving the key. The LEDs leak crucial information about each encryption calculation and some specific calculations give away more info than others so they had to capture many key exchanges. Not super useful in most cases but it demonstrates a novel way to observe leaked info.
I’ll add a link to the paper to the post for easier access.
Sounds good to me. Like I say it’s still extremely impressive; there’s no need to omit the “and they also did a conventional attack at the same time which the LED helped with” part for it to be a great story.