Video-based Cryptanalysis

We were able to recover secret keys from non-compromised devices using video footage of their power LED obtained by commercial video cameras.



As a hint for those who didn’t read the full text:

It’s not about just any old power LED on a PC or notebook.

This is specifically about the power LED on certain external smart card readers. It’s bad enough, but not as universally bad as it looked to me initially.


What about a background job doing random read/writes continuously, to add noise?

1 Like

I find this a little hard to believe. Maybe they read Cryptonomicon (in which a character uses the computer power light to surreptitiously transmit information) :slight_smile:


I bet pretty soon we can actually read human thoughts remotely using the electromagnetic field generated by the human brain. Similar to sniffing RFID chips when standing only a few feet away. What an exciting time we live in! Thought Police incoming.

But seriously, this can be easily mitigated by sticking a piece of tape over the LED, right next to the piece of tape already put on the camera :sweat_smile:

1 Like

It’s real enough, people noticed external modems could be eavesdropped on using the front-panel LEDs back in the 90s, this is basically the same thing. What I find most interesting is that it could be done using security camera footage, even at the highest frame rates you’re still going to drop some bits, but if you’re not missing too many you can brute-force what’s missing I guess? :man_shrugging:

I don’t get it. What are the possible variances in light output of an LED and how can they possibly correlate to specific values of a string?

This is exactly what they are doing. Gain information from the LED leaking state. Then use that to reduce possible combinations to an amount that can be brute-forced in a manageable time.
What would take thousands of years on a usual computer to crack can be done in days or hours.

1 Like

The power consumption of the CPU by doing computations is reflected in the LED intensity. The camera picks up the reduction in the RGB values between the video frames.
They can identify the beginning of an encryption cycle and can extract the part where the key is used. From that they can estimate possible keys depending on the power consumption of the CPU.

They combined several techniques that were developed over the years of research in that space.


Does some additional information have to be somehow obtained to provide context? Even if you had a detailed timed record of power consumption it’s hard for me to see how that alone would be sufficient.

This is just another kind of Side-channel attack - Wikipedia

Here more about


I don’t know how in-depth they get (I haven’t watched the video), but I know at least this much:

Magic part 1
Each frame from the camera will have multiple pixels that make up the image of the LED, but since digital cameras don’t capture all the pixels simultaneously the image data relating to each pixel actually has a slight time offset from the adjacent pixels.

Magic part 2
This means even though you miss all the values between frames, the frames you do have actually capture a period of time.

Magic part 3
Even if the camera’s frame processing speed is itself not fast enough for the pixels to be truly consecutive values, nonetheless the difference in LED color change rate and values vs the camera’s scan/store rate can be used to build tables to allow comparison of the relative deltas of adjacent pixels so as to interpolate additional values in between.

Magic part 4
And then there’s a shit-ton of math that’s way over my head! :joy:

1 Like
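An added illustration of "Magic part 1" and "Magic part 2" from the post above (not code from the thread or from the researchers): a toy rolling-shutter model comparing one sample per frame with one sample per sensor row. The frame rate, row count and 2 kHz LED signal are constructed values, and the model assumes the LED fills every row, rows are read back to back with no blanking, and each row is an instantaneous sample.

```python
# Constructed camera and signal parameters (assumptions, not from the thread).
FPS = 60                 # frames per second
ROWS = 1080              # sensor rows, read out one after another
F_SIG = 2000             # LED brightness toggles as a 2 kHz square wave
ROW_RATE = FPS * ROWS    # 64,800 row readouts per second


def led_on(tick):
    """LED state at row-readout tick `tick` (time = tick / ROW_RATE seconds).

    Integer arithmetic keeps the square-wave phase exact.
    """
    return 2 * ((F_SIG * tick) % ROW_RATE) < ROW_RATE


def rising_edges(samples):
    """Count off->on transitions in a sequence of booleans."""
    return sum(1 for prev, cur in zip(samples, samples[1:]) if cur and not prev)


def per_frame_view(seconds=1):
    """One sample per frame: the LED state at the moment each frame starts."""
    return [led_on(f * ROWS) for f in range(FPS * seconds)]


def per_row_view(seconds=1):
    """One sample per row: every row of every frame, in readout order."""
    return [led_on(t) for t in range(ROW_RATE * seconds)]


def apparent_frequency(samples, seconds=1):
    """Estimate the signal frequency in Hz from the rising-edge count."""
    return rising_edges(samples) / seconds


if __name__ == "__main__":
    # Frame-rate sampling aliases the 2 kHz signal down to roughly 20 Hz;
    # row-rate sampling tracks it to within one edge.
    print("frame-rate view:", apparent_frequency(per_frame_view()), "Hz")
    print("row-rate view:  ", apparent_frequency(per_row_view()), "Hz")
```

The camera's frame rate therefore understates how fast a signal the footage can carry: in this model the time resolution is set by the row readout rate.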

Another side channel attack: the vibrations in a room (speaking, keystrokes on a computer, etc.) get transmitted down optical fibers and can be deciphered >1km away from the acoustic source.

Here’s the reference:

The optical fiber network has become a worldwide infrastructure. In addition to the basic functions in telecommunication, its sensing ability has attracted more and more attention. In this paper, we discuss the risk of household fiber being used for eavesdropping and demonstrate its performance in the lab. Using a 3-meter tail fiber in front of the household optical modem, voices of normal human speech can be eavesdropped by a laser interferometer and recovered 1.1 km away. The detection distance limit and system noise are analyzed quantitatively. We also give some practical ways to prevent eavesdropping through household fiber.

1 Like

Any intersection of sound and light can result in exfiltration of data. Most folks know about the old laser against a windowpane trick, but not as many realize that any light bulb in the room is also “broadcasting” the same way.

If you ever see a bluetooth-enabled electric toothbrush (they exist), realize that in theory the app for it on your phone could use it as a listening device.


The head mechanism is magnetically driven. If the driver circuit can be reversed (many general purpose i/o chips have bi-directional lines) then the control chip can potentially read the small current variations from the head picking up sound vibrations.
This could be turned on at will by the app, or the chip could store locally and forward next time the app connects.

Now, how likely is this? Not frickin’ very, most control chips would have some additional driver electronics to boost the power to move the head, and those aren’t likely to be reversible, (transistors are really diodes with features), but if one wanted to have a listening device that could pass the closest inspection for hidden mics, that would be one way to do it.

(Though as onboard FETs get ever more powerful and SOCs get ever more features added, the potential for such a thing gets ever more possible - when you see it in the news 10 years from now just remember you read it here first! :grin: )

1 Like