> The video must be captured for 65 minutes, during which the reader must constantly perform the operation.
So not only must you be using a compromised brand of smart card (which number in the low single digits), you have to use a cheap Chinese reader and the camera must be focused on card activity for 65 minutes (which would never happen). You have to compromise the camera first.
It would be more effective to use what I term the "Walter Sobchak method" which is during that 65 minute window you "grab the smart card and beat the PIN out of him".
Xylakant
This attack enables something else: quietly and unobtrusively recovering the private key of the card, effectively cloning it without the owner’s knowledge. It would be interesting to know whether the 65 minutes must be continuous or whether 13 times 5 minutes would be sufficient. The latter may be achievable.
housemusicfan
The attack claims to recover the private key of an already known compromised make and model of smart card that is known to have side channel leaking mechanisms. The models of which are known susceptible are in the low single digits. It is not an all purpose attack as the clickbait headline would have you believe.
Xylakant
At the moment, this is a theoretical attack using a known to be broken card. But it’s unlikely that this is the only card that is broken. And attacks only get better, never worse, until the theoretical attack graduates to a practical attack. Spectre and Meltdown were long considered theoretical attacks with no practical implications - until they no longer were.
amluto
As I understand it, serious smart cards have been explicitly designed and audited to resist power monitoring attacks. There are fancy consultants who specialize in this sort of thing, and I think the major players use their services.
Xylakant
In 2018, Lithuania replaced a chunk of their ID cards because of a (theoretical) vulnerability in the esignature. Fancy consultants certainly help, but they’re not an invulnerability potion.
hinkley
Or a camera pointed through a door or a blinded window that gets a few moments here and there over a month long period.
the8472
It's unlikely that this is the only device in existence that has a power side-channel. And attacks get better with time.
There are lots of engineers who go "nah, too many conjunctions, this will NEVER happen" when designing some hardware until reality hits them over the head.
Also, the standard for cryptographic security tends to be "better than brute force". 65 minutes to extract a key is orders of magnitude better.
nocsi
> Also, the standard for cryptographic security tends to be "better than brute force". 65 minutes to extract a key is orders of magnitude better.
That's why certain agencies prioritizing collection over real-time cracking. Collect first, worry about the content later. An adversary just need 65 minutes of footage taken at some point - and we live in an age where there are plenty of devices that can passively capture w/ their cameras.
65 minutes is pretty bad. That's several orders of magnitude less than it takes to crack password hashes.
revolvingocelot
I prefer the term "5 dollar wrench attack" [0], per the relevant xkcd.
that comic is an ugly pimple on computer security's ass that keeps coming back.
there's a massive difference between giving away your keys and being compromised without your knowledge.
not to mention that are ways to secure data in a way that different keys yield different valid results with plausible deniability.
ccooffee
The "rolling shutter" graphic in this article is great and I appreciate the details provided.
> Activating a rolling shutter can upsample the sampling rate to collect roughly 60,000 measurements per second. By completely filling a frame with the power LED that’s present on or connected to a device while it performs cryptographic operations, the researchers exploited the rolling shutter, making it possible for an attacker to collect enough detail to deduce the secret key stored on a smart card, phone, or other device.
Enginerrrd
One of the craziest things I've seen is that by using this technique, you can look at things in the background, like leaves on a houseplant and reconstruct sound at sufficient fidelity to recover human speech!
0cVlTeIATBs
LEDs causing a side channel isn't on its own new. Aside from showing your activity, some old modems (think 2400 baud) flashed activity with each 1 or with each 0, so that an attacker only needed to see its light reflected off a wall when the room is dark, through a window, to sniff traffic.
hinkley
Ethernet cards also used to run the LED off a transistor that keyed off of the data on the TX and RX lines which would reveal some of the bits as well.
I don’t recall how they fixed that, but it was a big deal at the time. Capacitor? Optical diode?
I believe I recall people using white-out or paint on the LEDs they couldn’t afford to replace.
Edit: if you think about it, wire protocols have error correction built in. Most of them don’t negotiate the amount to use, it’s baked into the spec. When you’re eavesdropping you lose signal to noise ratio. When the input signal is very clean, there’s plenty of SnR to spare. It’s easier to listen to a loud argument than a quiet conspiracy.
egberts1
TEMPEST, anyone?
Faraday Cage is not just a mesh of wires but a solid wall/floor/ceiling cladding of copper.
> Some Blue LEDs contain sapphire, which is apparently macrostate entangleable.
I’ve studied quantum cryptography rather extensively, and I have no idea what you’re trying to say.
You could have a power LED that contains an actual magical quantum computer running attacker controlled software and with unlimited entanglement with the attacker, and it would not have a qualitatively greater ability to exfiltrate information to the attacker than a plain old LED would have. At best you would get a bandwidth increase by a small constant factor, improved tolerance to noise, and the ability to prevent anyone else from decoding the transmission.
westurner
Is there a published way to cause nonlocal entanglement between (blue, sapphire) LEDs; with just high/low voltage regulation, and/or with better or different control of the electron lepton particle properties other than just voltage on or off (i.e. spin,)?
westurner
What is the maximum presumed distance over which photon emissions from blue LEDs can be entangled? What about with [time-synchronized] applied magnetic fields? Could newer waveguide approaches - for example, dual beams - improve the distance and efficiency of transceivers operating with such a quantum communication channel?
> What is also remarkable: Plane electromagnetic waves like a light beam normally cannot cause permanent velocity changes of electrons in vacuum, because the total energy and the total momentum of the massive electron and a zero rest mass light particle (photon) cannot be conserved. However, having two photons simultaneously in a wave traveling slower than the speed of light solves this problem (Kapitza-Dirac effect).
> For Peter Baum, physics professor and head of the Light and Matter Group at the University of Konstanz, these results are still clearly basic research, but he emphasizes the great potential for future research: "If a material is hit by two of our short pulses at a variable time interval, the first pulse can trigger a change and the second pulse can be used for observation—similar to the flash of a camera."
What Hz rate is necessary to do CPA Chirped Pulse Amplification with laser, or with a [blue] LED? FWIU lasers have a repetition rate between 0.1Hz and 1Mhz, and a pulse width between 1 picosecond and 1 millisecond?
Looks like there are already commercial LED CPA systems.
Aren't there also weird signal effects with e.g. PWM and a blue led connected to a Pi with a sufficient clock rate? What are the maximum binary data transmission distances for [blue] LEDs?
How to fade an LED in and out when you can only vary 5volts on and off? PWM: Pulse Width Modulation; you vary the duty cycle:
Manufacturers MUST stick a giant decoupling capacitor feeding LEDs to debounce any possible side-channel down to undetectable ripple. If you want an activity indicator, make it a separate simple, air-gapped circuit rather than something directly adjacent to cryptographic operations.
It's also imperative to minimize all sort of other EMF from a Van Eck perspective.
eternityforest
Or they could put the LED under software control (Why do you have LEDs the MCU can't control anyway?) and turn it off during operations, or blink at 1/20 duty cycle to increase the time.
But in practice it doesn't matter that much for most of us.
jagger27
For the LED side channel threat model, how expensive would it be to mitigate? Is it simply a matter of putting a few (more?) capacitors in the circuit?
A roll of electrical tape also seems like a reasonable mitigation in the field for the truly paranoid.
junon
If you're modding, replacing it with a 1k-10k resistor should work just fine. Realistically speaking, simply gouging the LED out with a knife should also work. Those sorts of circuits rarely need a real circuit for LEDs coming out of a constant current controller.
adastra22
Switch to a constant time crypto algorithm / implementation, like ed25519 instead of RSA.
benlivengood
I'm not sure if ed25519 is constant-power on every architecture and implementation.
The cost should be zero. Just turn the LED off during crypto operations. No extra part needed, just connect the led to the MCU instead of actually connecting to power.
Of course, there could still be some LED attack not connected to actually doing crypto operations, but this should mitigate the known attack.
> The video must be captured for 65 minutes, during which the reader must constantly perform the operation.
So not only must you be using a compromised brand of smart card (which number in the low single digits), you have to use a cheap Chinese reader and the camera must be focused on card activity for 65 minutes (which would never happen). You have to compromise the camera first.
It would be more effective to use what I term the "Walter Sobchak method" which is during that 65 minute window you "grab the smart card and beat the PIN out of him".
Also, the standard for cryptographic security tends to be "better than brute force". 65 minutes to extract a key is orders of magnitude better.
That's why certain agencies prioritizing collection over real-time cracking. Collect first, worry about the content later. An adversary just need 65 minutes of footage taken at some point - and we live in an age where there are plenty of devices that can passively capture w/ their cameras.
65 minutes is pretty bad. That's several orders of magnitude less than it takes to crack password hashes.
[0] https://xkcd.com/538/
there's a massive difference between giving away your keys and being compromised without your knowledge.
not to mention that are ways to secure data in a way that different keys yield different valid results with plausible deniability.
> Activating a rolling shutter can upsample the sampling rate to collect roughly 60,000 measurements per second. By completely filling a frame with the power LED that’s present on or connected to a device while it performs cryptographic operations, the researchers exploited the rolling shutter, making it possible for an attacker to collect enough detail to deduce the secret key stored on a smart card, phone, or other device.
I don’t recall how they fixed that, but it was a big deal at the time. Capacitor? Optical diode?
I believe I recall people using white-out or paint on the LEDs they couldn’t afford to replace.
Edit: if you think about it, wire protocols have error correction built in. Most of them don’t negotiate the amount to use, it’s baked into the spec. When you’re eavesdropping you lose signal to noise ratio. When the input signal is very clean, there’s plenty of SnR to spare. It’s easier to listen to a loud argument than a quiet conspiracy.
Faraday Cage is not just a mesh of wires but a solid wall/floor/ceiling cladding of copper.
Takes care of LEDs too.
https://www.nsa.gov/portals/75/documents/news-features/decla...
Some Blue LEDs contain sapphire, which is apparently macrostate entangleable.
https://en.wikipedia.org/wiki/Sapphire
I’ve studied quantum cryptography rather extensively, and I have no idea what you’re trying to say.
You could have a power LED that contains an actual magical quantum computer running attacker controlled software and with unlimited entanglement with the attacker, and it would not have a qualitatively greater ability to exfiltrate information to the attacker than a plain old LED would have. At best you would get a bandwidth increase by a small constant factor, improved tolerance to noise, and the ability to prevent anyone else from decoding the transmission.
From "Experiment demonstrates continuously operating optical fiber made of thin air" (2023) https://www.hackerneue.com/item?id=35812168 :
> Electrons turn piece of wire into laser-like light source" (2022) https://www.hackerneue.com/item?id=33490730
> What is also remarkable: Plane electromagnetic waves like a light beam normally cannot cause permanent velocity changes of electrons in vacuum, because the total energy and the total momentum of the massive electron and a zero rest mass light particle (photon) cannot be conserved. However, having two photons simultaneously in a wave traveling slower than the speed of light solves this problem (Kapitza-Dirac effect).
> For Peter Baum, physics professor and head of the Light and Matter Group at the University of Konstanz, these results are still clearly basic research, but he emphasizes the great potential for future research: "If a material is hit by two of our short pulses at a variable time interval, the first pulse can trigger a change and the second pulse can be used for observation—similar to the flash of a camera."
Chirped Pulse Amplification: https://en.wikipedia.org/wiki/Chirped_pulse_amplification
What Hz rate is necessary to do CPA Chirped Pulse Amplification with laser, or with a [blue] LED? FWIU lasers have a repetition rate between 0.1Hz and 1Mhz, and a pulse width between 1 picosecond and 1 millisecond?
Looks like there are already commercial LED CPA systems.
Aren't there also weird signal effects with e.g. PWM and a blue led connected to a Pi with a sufficient clock rate? What are the maximum binary data transmission distances for [blue] LEDs?
How to fade an LED in and out when you can only vary 5volts on and off? PWM: Pulse Width Modulation; you vary the duty cycle:
PWM: https://en.wikipedia.org/wiki/Pulse-width_modulation
"Learn PWM signal using Wokwi Logic Analyzer" https://blog.wokwi.com/explore-pwm-with-logic-analyzer/
Wokwi > New (Pi Pico w/ Micropython) LED project: https://wokwi.com/projects/300504213470839309
It's also imperative to minimize all sort of other EMF from a Van Eck perspective.
But in practice it doesn't matter that much for most of us.
A roll of electrical tape also seems like a reasonable mitigation in the field for the truly paranoid.
https://eprint.iacr.org/2017/985.pdf is an example of power analysis relying on ed25519's deterministic behavior.
Of course, there could still be some LED attack not connected to actually doing crypto operations, but this should mitigate the known attack.