Cameras Watching a Device's Power LED Prove Enough to Snaffle Cryptographic Secrets
Watching for fluctuations in color and brightness, this clever attack exploits rolling shutters to dramatically boost its resolution.
Researchers from Cornell Tech and Ben-Gurion University of the Negev have come up with an unusual way to snaffle a supposedly secure system's cryptographic secrets: having a look at the device's power LED through a rolling-shutter camera.
"Video-based cryptanalysis [is] a new method used to recover secret keys from a device by analyzing video footage of a device's power LED," the researchers explain of their work. "We show that cryptographic computations performed by the CPU change the power consumption of the device which affects the brightness of the device's power LED. Based on this observation, we show how attackers can exploit commercial video cameras (e.g. an iPhone 13's camera or internet-connected security camera) to recover secret keys from devices."
Normally, pointing a smartphone camera or webcam at the power LED of a computer, smart card reader, or other device won't get you far: the fluctuations in its brightness or color caused by varying system load happen far too quickly for a 60 frames per second (FPS) video to capture much information. The trick is to sample not at the frame rate of the recorded video but at the rate of the camera's rolling shutter, which exposes the image one row (or column) at a time across the frame period, so each row over the LED is a separate, slightly later measurement, yielding up to 60,000 measurements per second.
"The frames of the video footage of the device's power LED are analyzed in the RGB [color] space," the researchers explain of the post-capture portion of their attack, "and the associated RGB values are used to recover the secret key by inducing the power consumption of the device from the RGB values."
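To make the row-rate sampling concrete, here is an added illustration (not the researchers' code) with a constructed LED signal: a 60 FPS camera with 1,000 sensor rows simulated as a rolling shutter, so each row is exposed slightly later than the previous one. The per-frame mean of the LED averages the modulation away, while the per-row samples keep it; the 1,980 Hz modulation, row count and brightness model are all assumptions chosen for the demonstration.

```python
import math

FPS = 60                         # video frame rate of the camera
ROWS = 1000                      # sensor rows read out one after another
ROW_RATE = FPS * ROWS            # 60 frames/s * 1000 rows/frame = 60,000 row samples/s
MOD_HZ = 1980.0                  # constructed load modulation: exactly 33 cycles per frame

def led_brightness(t, freq_hz=MOD_HZ):
    """Synthetic LED brightness in [0, 1]: a DC level plus a load-driven modulation."""
    return 0.5 + 0.4 * math.sin(2 * math.pi * freq_hz * t)

def capture_frames(n_frames):
    """Simulate a rolling shutter: row r of frame f is exposed at f/FPS + r/ROW_RATE."""
    return [[led_brightness(f / FPS + r / ROW_RATE) for r in range(ROWS)]
            for f in range(n_frames)]

def per_frame_series(frames):
    """What a frame-level analysis sees: one mean LED value per frame (60 samples/s)."""
    return [sum(rows) / len(rows) for rows in frames]

def per_row_series(frames):
    """What a row-level analysis sees: every row of every frame (60,000 samples/s)."""
    return [v for rows in frames for v in rows]

def peak_to_peak(samples):
    return max(samples) - min(samples)

def dominant_frequency(samples, sample_rate):
    """Brute-force DFT peak search (pure Python, adequate for ~1000 samples)."""
    n = len(samples)
    mean = sum(samples) / n
    best_k, best_power = 0, -1.0
    for k in range(1, n // 2):
        re = im = 0.0
        for i, s in enumerate(samples):
            angle = 2 * math.pi * k * i / n
            re += (s - mean) * math.cos(angle)
            im -= (s - mean) * math.sin(angle)
        power = re * re + im * im
        if power > best_power:
            best_k, best_power = k, power
    return best_k * sample_rate / n

if __name__ == "__main__":
    frames = capture_frames(6)
    print("per-frame swing:", peak_to_peak(per_frame_series(frames)))  # ~0: averaged away
    print("per-row swing:  ", peak_to_peak(per_row_series(frames)))    # ~0.8: modulation intact
    print("recovered Hz:   ", dominant_frequency(frames[0], ROW_RATE))  # 1980.0
```

A manufacturer following the researchers' advice to test empirically should therefore measure the LED at row rate, not frame rate, or the signal will look flat.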
To prove the concept, the team took two sets of targets, neither obviously insecure nor known to be compromised: six commercial smart card readers connected to a laptop, and a Samsung Galaxy S8 smartphone. They then captured the devices' private cryptographic keys entirely at a distance, with nothing attached to the targets. The first attack used a network security camera located more than 50 feet away from the target; the second an iPhone 13 Pro Max, working around the Galaxy S8's lack of a power LED by instead watching the LED on a set of USB speakers connected to the same USB hub as the smartphone.
"We disclosed our findings to the manufacturers," the researchers note. "A few manufacturers responded to our email and asked us for more details, which we shared with them. While the origin of the vulnerability that is exploited is the result of the implementation or execution of the cryptographic library and not of the hardware manufacturer, we recommend that other hardware manufacturers empirically test whether their devices are vulnerable to video-based cryptanalysis and if needed, redesign their electrical circuits."
In a potential saving grace, though, the attack requires the underlying cryptosystem to already be vulnerable to power-based side-channel attacks, with the team using the previously disclosed Hertzbleed and Minerva attacks in their proofs of concept. "The origin of the vulnerabilities [is] in the cryptographic libraries," they explain. "Use the most updated cryptographic libraries available [to prevent such attacks]."
More information on the attack, including the full paper, can be found on first author Ben Nassi's website.