[HN Gopher] Recovering secret keys from devices using video foot...
___________________________________________________________________
Recovering secret keys from devices using video footage of their
power LED
Author : jedisct1
Score : 98 points
Date : 2023-06-14 19:40 UTC (3 hours ago)
(HTM) web link (www.nassiben.com)
(TXT) w3m dump (www.nassiben.com)
| local_crmdgeon wrote:
| God damn that's impressive.
| valleyer wrote:
| Here is why they claim this is possible. Basically, it's a form
| of timing attack.
|
| > As observed in the papers presenting the Minerva [8] and TPM-
| FAIL [9] attacks, many common cryptographic libraries optimize
| the computation time of ECDSA signing by truncating any leading
| zeros. This optimization results in a variable number of loop
| iterations that is associated with a variable execution time for
| the entire main loop, which is determined by the number of
| leading zeros in the randomly generated nonce.
|
| > Thus, by measuring the signing time, attackers can detect the
| number of loop iterations and determine the number of leading
| zeros in the nonce k, which can be used to extract the target's
| private key using lattice techniques, in which the signatures
| whose nonces have many leading zeros are used to construct a
| hidden number problem, which is reduced to a shortest vector
| problem and solved using lattice reduction (see [8] for details).
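
Added example (not from the paper or from any commenter): the variable loop count described in the quote above, next to a hardened form. It assumes NIST P-256; the nonce padding plus Montgomery ladder shown is one common countermeasure, and the two nonces are constructed sample values.

```python
# NIST P-256 parameters (None represents the point at infinity).
P = 2**256 - 2**224 + 2**192 + 2**96 - 1
A = P - 3
N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
G = (0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296,
     0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5)

def add(p1, p2):
    """Affine point addition, including doubling and the infinity cases."""
    if p1 is None: return p2
    if p2 is None: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1 % P, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def leaky_mul(k, pt):
    """Double-and-add that skips leading zeros: iterations == k.bit_length()."""
    acc, iters = None, 0
    for i in reversed(range(k.bit_length())):
        acc = add(acc, acc)
        if (k >> i) & 1:
            acc = add(acc, pt)
        iters += 1
    return acc, iters

def fixed_mul(k, pt):
    """Pad k to a fixed bit length, then ladder: one add + one double per bit.
    Valid only when pt has order N. Python big-int arithmetic is not
    constant-time; this shows the fixed iteration count only."""
    k2 = k + N
    if k2.bit_length() == N.bit_length():
        k2 += N                       # k2 now always has N.bit_length() + 1 bits
    r0, r1, iters = None, pt, 0
    for i in reversed(range(N.bit_length() + 1)):
        if (k2 >> i) & 1:
            r0, r1 = add(r0, r1), add(r1, r1)
        else:
            r0, r1 = add(r0, r0), add(r0, r1)
        iters += 1
    return r0, iters

K_FULL = 2**255 + 12345    # constructed nonce, no leading zero bits
K_SHORT = 2**239 + 12345   # constructed nonce, 16 leading zero bits
```

With these nonces `leaky_mul` runs 256 and 240 iterations respectively, while `fixed_mul` runs 257 for both and returns the same point.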
| daneel_w wrote:
| A suitable Anti-Spying(r) decoupling capacitor costs 5 cents.
| miohtama wrote:
| These are likely to be present also because of non-
| cryptographic reasons
| eclipticplane wrote:
| Another point in the endless war against useless always-on LEDs.
| (My least favorite was a night light with a switch. It had an
| always-on LED when plugged in even if you switched the night
| light off. Instant e-waste.)
| JohnFen wrote:
| And it's a thousand times worse if those LEDs are blue.
|
| I've taken to just cutting the leads or traces to those power
| LEDs. Problem solved.
| danudey wrote:
| Working from home with my desk in my bedroom, I grew to hate
| the always-on, bright blue LED on my USB-C laptop dock. I get
| it, you're plugged in, go away and take your light pollution
| with you.
| jcpham2 wrote:
| Wow that's an extremely interesting side channel
| willis936 wrote:
| My first question was answered by the first answer in the FAQ:
|
| > This is caused by the fact that the power LED is connected
| directly to the power line of the electrical circuit which lacks
| effective means (e.g., filters, voltage stabilizers) of
| decoupling the correlation with the power consumption.
|
| The solution is simple: don't have crap power trees.
| fragmede wrote:
| But as the device is in the attacker's hands, even a good power
| supply could be compromised by replacing or removing capacitors
| that are used to smooth out the power rails. You'd have to open
| the device up to do it, but e.g. to get at the keys inside the
| secure enclave on an iPhone, a couple devices could be
| sacrificed for the cause.
| LordDragonfang wrote:
| I mean, at that point just read the key directly from the
| RAM. The TLDR does emphasize this is for _non-compromised
| devices_
| greyface- wrote:
| > Q: Why do attackers need to obtain video footage filled with
| the LED of the target device?
|
| > A: Cryptanalysis requires a high sampling rate.
|
| > By filling the frame with the LED, attackers exploit the
| rolling shutter to increase the number of measurements of the
| color/intensity of the LED by three orders of magnitude from the
| FPS rate (60 measurements per second) to the rolling shutter's
| speed (60K measurements per second in iPhone 13 Pro Max). A
| sampling rate of 60k can provide the needed sampling rate to
| attack functional IoT devices (smartphones, smartcards, TV
| streamers, etc.).
|
| Using a single frame captured with rolling shutter as a 1-bit
| high-framerate video. Very cool technique!
| detrites wrote:
| This is very cool, but I can't understand how 60 kHz is enough
| resolution to usefully discern what would be happening inside a
| CPU, etc, that's running way faster than that? (Disclaimer: I
| can't read the article as it says "browser not supported".)
|
| EDIT - Answered here:
| https://news.ycombinator.com/item?id=36332352
| dfox wrote:
| The idea is that in a typical asymmetric cryptosystem you do
| some variant of bitwise exponentiation of "large values" (i.e.
| slow) and both the power envelope and timing is directly
| related to individual bit values of the private key. This
| trivially works for RSA and also anything involving integer-
| like groups and then even for "classic" ECC, things like
| 25519 are intentionally designed to mitigate this kind of
| side channel.
| gugagore wrote:
| http://people.csail.mit.edu/mrub/VisualMic/ uses the rolling
| shutter to get audio from regular-framerate video of a bag of
| chips.
| hyperthesis wrote:
| enhance!
| jesse__ wrote:
| This is the most ridiculous and awesome thing I've read in quite
| some time.
| lunatuna wrote:
| It's dated now, but 'Silence on the Wire' was a fun read.
| Chapter 5 is even available for download:
| https://nostarch.com/silence.htm
| TechBro8615 wrote:
| There have been a number of these side channel attacks, and
| they're all equally cyberpunk and hard to believe, e.g. this
| one [0] from 2014:
|
| > We describe a new acoustic cryptanalysis attack which can
| extract full 4096-bit RSA keys from the popular GnuPG software,
| within an hour, using the sound generated by the computer
| during the decryption of some chosen ciphertexts. We
| experimentally demonstrate such attacks, using a plain mobile
| phone placed next to the computer, or a more sensitive
| microphone placed 10 meters away
|
| [0]
| https://www.iacr.org/archive/crypto2014/86160149/86160149.pd...
| gnabgib wrote:
| Some discussion yesterday: [0](120pts, 1 day ago, 25 comments).
| Seems like the dupe detector isn't happy.. [1](4pts, 1 day ago, 1
| comment), [2](4pts, 14 hours ago, 1 comment)
|
| [0]: https://news.ycombinator.com/item?id=36310594
| [1]: https://news.ycombinator.com/item?id=36315148
| [2]: https://news.ycombinator.com/item?id=36322522
___________________________________________________________________
(page generated 2023-06-14 23:00 UTC)