[HN Gopher] Recovering secret keys from devices using video foot...
___________________________________________________________________

Recovering secret keys from devices using video footage of their
power LED

Author : jedisct1
Score  : 98 points
Date   : 2023-06-14 19:40 UTC (3 hours ago)

(HTM) web link (www.nassiben.com)
(TXT) w3m dump (www.nassiben.com)

| local_crmdgeon wrote:
| God damn that's impressive.

| valleyer wrote:
| Here is why they claim this is possible. Basically, it's a form
| of timing attack.
|
| > As observed in the papers presenting the Minerva [8] and
| TPM-FAIL [9] attacks, many common cryptographic libraries optimize
| the computation time of ECDSA signing by truncating any leading
| zeros. This optimization results in a variable number of loop
| iterations that is associated with a variable execution time for
| the entire main loop, which is determined by the number of
| leading zeros in the randomly generated nonce.
|
| > Thus, by measuring the signing time, attackers can detect the
| number of loop iterations and determine the number of leading
| zeros in the nonce k, which can be used to extract the target's
| private key using lattice techniques, in which the signatures
| whose nonces have many leading zeros are used to construct a
| hidden number problem, which is reduced to a shortest vector
| problem and solved using lattice reduction (see [8] for details).

| daneel_w wrote:
| A suitable Anti-Spying® decoupling capacitor costs 5 cents.

| miohtama wrote:
| These are likely to be present also because of
| non-cryptographic reasons

| eclipticplane wrote:
| Another point in the endless war against useless always-on LEDs.
| (My least favorite was a night light with a switch. It had an
| always-on LED when plugged in even if you switched the night
| light off. Instant e-waste.)

| JohnFen wrote:
| And it's a thousand times worse if those LEDs are blue.
|
| I've taken to just cutting the leads or traces to those power
| LEDs. Problem solved.

| danudey wrote:
| Working from home with my desk in my bedroom, I grew to hate
| the always-on, bright blue LED on my USB-C laptop dock. I get
| it, you're plugged in, go away and take your light pollution
| with you.

| jcpham2 wrote:
| Wow that's an extremely interesting side channel

| willis936 wrote:
| My first question was answered by the first answer in the FAQ:
|
| > This is caused by the fact that the power LED is connected
| directly to the power line of the electrical circuit which lacks
| effective means (e.g., filters, voltage stabilizers) of
| decoupling the correlation with the power consumption.
|
| The solution is simple: don't have crap power trees.

| fragmede wrote:
| But as the device is in the attacker's hands, even a good power
| supply could be compromised by replacing or removing capacitors
| that are used to smooth out the power rails. You'd have to open
| the device up to do it, but e.g. to get at the keys inside the
| secure enclave on an iPhone, a couple devices could be
| sacrificed for the cause.

| LordDragonfang wrote:
| I mean, at that point just read the key directly from the
| RAM. The TLDR does emphasize this is for _non-compromised
| devices_

| greyface- wrote:
| > Q: Why do attackers need to obtain video footage filled with
| the LED of the target device?
|
| > A: Cryptanalysis requires a high sampling rate.
|
| > By filling the frame with the LED, attackers exploit the
| rolling shutter to increase the number of measurements of the
| color/intensity of the LED by three orders of magnitude from the
| FPS rate (60 measurements per second) to the rolling shutter's
| speed (60K measurements per second in iPhone 13 Pro Max). A
| sampling rate of 60k can provide the needed sampling rate to
| attack functional IoT devices (smartphones, smartcards, TV
| streamers, etc.).
|
| Using a single frame captured with rolling shutter as a 1-bit
| high-framerate video. Very cool technique!

| detrites wrote:
| This is very cool, but I can't understand how 60 kHz is enough
| resolution to usefully discern what would be happening inside a
| CPU, etc, that's running way faster than that? (Disclaimer: I
| can't read the article as it says "browser not supported".)
|
| EDIT - Answered here:
| https://news.ycombinator.com/item?id=36332352

| dfox wrote:
| The idea is that in a typical asymmetric cryptosystem you do
| some variant of bitwise exponentiation of "large values" (i.e.
| slow) and both the power envelope and timing is directly
| related to individual bit values of the private key. This
| trivially works for RSA and also anything involving
| integer-like groups and then even for "classic" ECC, things like
| 25519 are intentionally designed to mitigate this kind of
| side channel.

| gugagore wrote:
| http://people.csail.mit.edu/mrub/VisualMic/ uses the rolling
| shutter to get audio from regular-framerate video of a bag of
| chips.

| hyperthesis wrote:
| enhance!

| jesse__ wrote:
| This is the most ridiculous and awesome thing I've read in quite
| some time.

| lunatuna wrote:
| It's dated now, but 'Silence on the Wire' was a fun read.
| Chapter 5 is even available for download:
| https://nostarch.com/silence.htm

| TechBro8615 wrote:
| There have been a number of these side channel attacks, and
| they're all equally cyberpunk and hard to believe, e.g. this
| one [0] from 2014:
|
| > We describe a new acoustic cryptanalysis attack which can
| extract full 4096-bit RSA keys from the popular GnuPG software,
| within an hour, using the sound generated by the computer
| during the decryption of some chosen ciphertexts. We
| experimentally demonstrate such attacks, using a plain mobile
| phone placed next to the computer, or a more sensitive
| microphone placed 10 meters away
|
| [0]
| https://www.iacr.org/archive/crypto2014/86160149/86160149.pd...

| gnabgib wrote:
| Some discussion yesterday: [0](120pts, 1 day ago, 25 comments).
| Seems like the dupe detector isn't happy.. [1](4pts, 1 day ago, 1
| comment), [2](4pts, 14 hours ago, 1 comment)
|
| [0]: https://news.ycombinator.com/item?id=36310594
| [1]: https://news.ycombinator.com/item?id=36315148
| [2]: https://news.ycombinator.com/item?id=36322522
___________________________________________________________________
(page generated 2023-06-14 23:00 UTC)
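
Added example, not part of the thread or the linked paper: the loop-length leak described in the passage valleyer quotes, next to a fixed-length nonce encoding that removes it. A small prime-order subgroup of Z_p* stands in for the elliptic-curve group; P, Q, G and every function name are constructed for illustration.

```python
# Added illustration: constructed toy parameters, not from the paper or any library.
# G generates the order-Q subgroup of Z_P*; it stands in for an EC base point,
# and G**k mod P stands in for the scalar multiplication k*G done during signing.
P, Q, G = 2039, 1019, 4

def ladder(k):
    """Left-to-right square-and-multiply. Returns (G**k mod P, loop iterations)."""
    acc, iterations = 1, 0
    for bit in bin(k)[2:]:            # bin() drops leading zeros, like the optimization
        acc = acc * acc % P
        if bit == "1":                # per-bit branch: a separate leak, not fixed here
            acc = acc * G % P
        iterations += 1
    return acc, iterations

def leaky_exp(k):
    """Variable-length loop: iteration count equals bit_length(k)."""
    return ladder(k)

def leading_zeros_seen(k):
    """What an observer of the loop length learns about the nonce."""
    return Q.bit_length() - leaky_exp(k)[1]

def pad_nonce(k):
    """Pick k+Q or k+2Q so the result always has bit_length(Q)+1 bits."""
    k_hat = k + Q
    if k_hat.bit_length() == Q.bit_length():
        k_hat += Q
    return k_hat                      # G**Q == 1, so G**k_hat == G**k

def fixed_exp(k):
    """Same result as leaky_exp, constant iteration count for every nonce."""
    return ladder(pad_nonce(k))

def iteration_profile(exp_fn):
    """Distinct loop lengths over every nonce in [1, Q)."""
    return {exp_fn(k)[1] for k in range(1, Q)}

if __name__ == "__main__":
    print("leaky :", sorted(iteration_profile(leaky_exp)))
    print("fixed :", sorted(iteration_profile(fixed_exp)))
    print("nonce 5 leaks", leading_zeros_seen(5), "leading zero bits")
```

The padding only equalizes the number of loop iterations; the per-bit conditional multiply is the kind of bit-dependent behaviour dfox's comment refers to and needs a constant-time ladder to remove.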