> Q: Why do attackers need to obtain video footage filled with the LED of the target device?
> A: Cryptanalysis requires a high sampling rate.
> By filling the frame with the LED, attackers exploit the rolling shutter to increase the number of measurements of the color/intensity of the LED by three orders of magnitude from the FPS rate (60 measurements per second) to the rolling shutter's speed (60K measurements per second in iPhone 13 Pro Max). A sampling rate of 60k can provide the needed sampling rate to attack functional IoT devices (smartphones, smartcards, TV streamers, etc.).
Using a single frame captured with rolling shutter as a 1-bit high-framerate video. Very cool technique!
In that paper they use a "regular" high framerate camera. Those cameras are usually low resolution.
I guess what could be more interesting or practical: Low-res very high FPS, or very high resolution, and regular/high FPS (having more pixels would give you more sampling opportunities...).
Reality check: what features do current budget-level Android phones have that weren't present on, say, a Galaxy S9 from 2018?
I do assume that you were talking in jest, but overestimations of technological progress are to much a pet peeve of mine that I had to bite. What will technology look like 40 years in the future? No idea. 40 years in the past we built a pretty cool maglev train (TR 06, best looking version of them all)
I compared [0] the Galaxy S9+ to the Google Pixel 6a, the first Google result I got for "budget Android phone 2023" on [1]. Obviously you can go further downmarket.
As far as I can tell, they're comparable in features and specs. The Galaxy has better screen resolution, the Pixel has better networking... The only thing I could identify as a feature missing in the Galaxy is "dual LED flash" which was obviously technically possible in 2018.
So yeah, I was being a bit facetious. Considering the lifetime of phones, it probably takes 10 years rather than 5 for a farmer in Kenya to have a more powerful phone than a Bay Area programmer does today.
At present that means ~2/4GB RAM, 4G, slow CPU, 50mpix, very laggy camera processing (because pixels are a metric buyers don't understand), slow storage I/O, no fancy comms like SOS beacons, UWB, limited security (no separate security enclave chip), and of course, old android and slow patching that stops quickly.
But you can at least get a headphone jack on the E7.
Plenty of reasons. Biggest one is diminishing returns of increasing top speed in ground transport. (or any transport - when was the last time a new airliner was advertised as being faster than its predecessor?)
GP was certainly referring to the Shanghai line, which feels much closer to put into service and to never put into service than one should reasonably consider possible at the same time.
Probably didn't see much modernization in the 20 years since it was opened. The trains in operation are two prototype iterations more advanced than the TR 06 from 1983, but differences to the TR 08 aren't bigger than differences between variations of the same high speed trains stools to different countries.
I'm not super convinced about that. The (raw) quality in the phones sensors hasn't climbed as quickly as on dedicated cameras this last years. The secret sauce for today's phone's cameras is a lot of processin, and if you get an unprocessed photo from a current day phone-size sensor is almost as bad as one from yeeears ago.
And that's OK for regular photos, but I guess is not that good if you want to do image or signal processing and your data has already gone through some other processing and a "IA".
Raw sensor size in cell phones has massively increased compared to years ago, and improvements in sensor technology (BSI, for instance) has improved performance of sensors of similar size. These did not exist before.
Obviously processing is getting more powerful, but I think you're discounting the improvements in the space. There's a few notable exceptions (e.g., Pixel phones used the same kinda crappy sensor for many generations), but largely people keep using the newer, better sensor on flagship devices.
This is very cool, but I can't understand how 60khz is enough resolution to usefully discern what would be happening inside a CPU, etc, that's running way faster than that? (Disclaimer: I can't read the article as it says "browser not supported".)
The idea is that in typical assymetric cryptosystem you do some variant of bitwise exponentation of “large values” (ie. slow) and both the power envelope and timing is directly related to individual bit values of the private key. This trivially works for RSA and also anything involving integer-like groups and then even for “classic” ECC, things like 25519 are intentionally designed to mitigate this kind of side channel.
Here is why they claim this is possible. Basically, it's a form of timing attack.
> As observed in the papers presenting the Minerva [8] and TPM-FAIL [9] attacks, many common cryptographic libraries optimize the computation time of ECDSA signing by truncating any leading zeros. This optimization results in a variable number of loop iterations that is associated with a variable execution time for the entire main loop, which is determined by the number of leading zeros in the randomly generated nonce.
> Thus, by measuring the signing time, attackers can detect the number of loop iterations and determine the number of leading zeros in the nonce k, which can be used to extract the target’s private key using lattice techniques, in which the signatures whose nonces have many leading zeros are used to construct a hidden number problem, which is reduced to a shortest vector problem and solved using lattice reduction (see [8] for details).
Schnorr-like (including DSA and ECDSA) signature schemes use a parameter "k" that has to be uniformly random, secret and non repeating for the security of the system, calling that a "nonce" is slightly weird.
Edit: the intuitive reasoning for why it has to be secret and uniformly random is that half of the resulting signature is essentially an linear function of private key, k and the other half of the signature. So if attacker knows k he can trivially recover the whole private key. (EC)DSA uses slightly different representation of the signature, but it is only about shuffling stuff around (presumably to sidestep Schnorr's patent on the scheme) and the same attack still works.
DJB cipher suites do that, but a lotta people have no idea how to select cryptographic primitives so they go for something that was popular 30 years ago.
Some fun slides with examples of timing attacks: https://cr.yp.to/talks/2014.10.18/slides-djb-20141018-a4.pdf. Old standards like RFC 5246 often say shit like "it is not believed to be large enough to be exploitable, due to the large block size of existing MACs and the small size of the timing signal" and then get exploited 5 years later.
My first question was answered by the first answer in the FAQ:
> This is caused by the fact that the power LED is connected directly to the power line of the electrical circuit which lacks effective means (e.g., filters, voltage stabilizers) of decoupling the correlation with the power consumption.
The solution is simple: don't have crap power trees.
Good advice in general. I hate turning off the lights to go to bed and seeing LEDs glaring everywhere. I've banished most such devices from my bedroom for that reason.
Honest question: is that a crap power tree because it's electrically unsound or because it exposes these attack channels? In the first case, it's really crap. In the second one, the extra cost (cents or dollars?) should be part of the the security risk evaluation made by the customer. Maybe that attack was an unknown unknown until now.
Electrically unsound. Having a LED flicker enough purely because you're adding load to the device is just poor engineering. There should be enough decoupling on the LED supply so that it doesn't flicker visibly when another system nearby is loaded.
LEDs almost never have decoupling caps. I've literally never seen a design where there was more decoupling than the minimum necessary to stabilize the power supply's control loop
But as the device is in the attacker's hands, even a good power supply could be compromised by replacing or removing capacitors that are used to smooth out the power rails. You'd have to open the device up to do it, but eg to get at the keys inside the secure enclave on an iphone, a couple devices could be sacrificed for the cause.
> But as the device is in the attacker's hands, even a good power supply could be compromised by replacing or removing capacitors that are used to smooth out the power rails.
slightly improving the argument, while keeping the device non-compromised, is that whatever info is coming out of the LED is probably coming out in RF, also. so getting the LED further away from the CPU's power rail(s) probably isn't going to help. they're already emitting the data.
if you can stick a camera this close to the LED, you can probably surround the device with antennae, as well.
> Q: What is the best way to prevent the two demonstrated attacks?
> A: Use the most updated cryptographic libraries available.
Or what about covering the LED(s) with something so that the camera filming the top secret computer non-stop doesn't have a chance to exploit the side channel?
(excuse the sarcasm; but they were such low-hanging fruits I couldn't resist. The awareness is indeed important, as there are countless other side channels such as USB-cabled mice and keyboards with LEDs...
Also: I'm writing this from a hotel room with a TV illuminating the darkness with its bright standby blue melatonin killer LED - about to hang a towel over it)
There are a number of LED tape options on Amazon, etc., that offer both extreme dimming and full blackout and they are game-changers for mitigating or removing the scourge of insanely bright blue LEDs in a dark bedroom.
Another point in the endless war against useless always-on LEDs. (My least favorite was a night light with a switch. It had an always-on LED when plugged in even if you switched the night light off. Instant e-waste.)
Working from home with my desk in my bedroom, I grew to hate the always-on, bright blue LED on my USB-C laptop dock. I get it, you're plugged in, go away and take your light pollution with you.
For desktops, a nice solution is to hook up the power led to the speaker connection. At some point, pc speakers stopped coming with cases as they did in the past. And power leds have been mostly useless for a long time.
The cheap bunch of LED stickers that I bought 3 years ago has been so good with this. They were sold as "6mm Round 10 Colour Dot Sticker Circle Sticky Self Adhesive Label" on ebay.
LEDs on the electric toothbrush shining brigher than a thousand suns? Put stickers on them.
LEDs on the dog water fountain illuminating the whole living room at night? Put stickers on them.
The funny thing is that the LEDs are so bright that they still shine through the stickers. Except that now it's at the brightness level they should have had in the first place.
I did that to LED fans that came with a case one time.
I like LightDims a lot. I realize I could just use tape, but I can always find the right size and shape that way on smaller devices, plus a little light comes through. It just doesn't shine.
The last time I cutout a blue power LED, it was so bright that it not only would light up the room the device (speakers) was in, but it would also light the hallway outside the room if the door was left open.
It was so bright that even two layers of gaff tape didn't resolve the situation.
It's crazy. I often wonder about the reasoning behind choosing to use these LEDs is. Does nobody actually use these device in the real world during development?
I built a fun hack back in college that used a laser microphone to listen to keypresses - the timing and sound of which is relatively straightforward to extract letter pairing heuristics from, and from that, given some time, you can build pretty strong guesses on people's passwords.
The next step I was going to take it was to use to microphones on different windowpanes and be able to triangulate multiple keyboards in a room - never quite got there because my DSP skills were garbage, but it's in the back of the mind someday to pick back up if I ever take a sabbatical.
I find that solar panels have very fine time resolution as well. When illuminated by the light coming from a CRT monitor and plugged into a 192khz motherboard audio interface, they were able to clearly resolve individual scanlines at 31.5 KHz, each with a sharp illumination peak falling off over microseconds to milliseconds. And IMO plugging a solar panel into an audio jack or cxadc (cheap high-speed 1-channel capture card) is about as realistic as filling a camera sensor frame with a LED's direct light (unsure if indirect reflections are bright enough).
In terms of cameras, I suspect my Pixel 4a's rolling shutter isn't truly continuous, but has blocks of 4 or so "scanlines" (haha) which start and stop recording light simultaneously.
There have been a number of these side channel attacks, and they're all equally cyberpunk and hard to believe, e.g. this one [0] from 2014:
> We describe a new acoustic cryptanalysis attack which can extract full 4096-bit RSA keys from the popular GnuPG software, within an hour, using the sound generated by the computer during the decryption of some chosen ciphertexts. We experimentally demonstrate such attacks, using a plain mobile phone placed next to the computer, or a more sensitive microphone placed 10 meters away
With acoustic access, attacking the human directly is more advantageous. You can log the sound of every key press and differentiate between them. Then solve the resultant primitive substitution cipher - each key will have a distinct sound signature, solve the mapping. Don't need physical access to the keyboard at any point.
This is why I believe there is absolutely no need for laws against public use of strong encryption. A great number of side-channel attacks exist to defeat encryption, that state actors can employ against high value targets. The state is massively more powerful than non-state actors, and that advantage does not need to be added to with laws restricting the public's access to strong encryption.
Next up, capturing private keys by monitoring the slight power differences in wifi broadcasts. (effectively the same thing, just different wave-lengths of light and you don't need to be as close to it)
The joke was that you're not parsing the wifi frames, you're just looking at infinitesimal changes in the broadcast power/frequency. Of course I don't think this is viable in the real world but in a perfect environment it should work.
It's also just called tempest, it's mostly a nsa thing. They can eavesdrop on crypto from across the street, well that was in the 50s, thats what we learned about 40 years later, god only knows what they can do today.
I would link something, but there isnt even anything useful about it on the internet, that google can find anyway.
... which guarantees they won't be used by the vast majority of the devices that could benefit from them. There are a lot of manufacturers for whom 5 cents is about 5 cents too much if 0 cents is an option.
This idea is straight out of Cryptonomicon. I remember being fascinated by my first modem's LEDs, and being mindblown when I realized that what seemed like different levels of green were actually the shape of a pseudo-random binary step function.
I learned about this exact exploit in my computer security class at University circa 1999 or 2000: "power LED is connected directly to the power line of the electrical circuit"
Should I be worried about this? How easy is it for someone to put a high-resolution video camera close enough to the power LED on my computer for this to be a problem?
Resolution is not needed, even high FPS is not really needed if the camera has a rolling shutter. An iPhone might be enough. But the recording needs to be done when your machine is decoding something using your private key, and doing nothing else.
Ironically, you can always keep open a few pages infested with multiple video ads or other doodads that switch unpredictably, sap power, and thus add noise to your power consumption. Or run a CPU miner for some coin.
Unironically, you can just put a bit of adhesive tape over your power LED if you're really concerned that someone cares enough to stage an attack like that against you.
> A: Cryptanalysis requires a high sampling rate.
> By filling the frame with the LED, attackers exploit the rolling shutter to increase the number of measurements of the color/intensity of the LED by three orders of magnitude from the FPS rate (60 measurements per second) to the rolling shutter's speed (60K measurements per second in iPhone 13 Pro Max). A sampling rate of 60k can provide the needed sampling rate to attack functional IoT devices (smartphones, smartcards, TV streamers, etc.).
Using a single frame captured with rolling shutter as a 1-bit high-framerate video. Very cool technique!