this post was submitted on 17 Jun 2023
38 points (95.2% liked)

Cybersecurity


c/cybersecurity is a community centered on the cybersecurity and information security profession. You can come here to discuss news, post something interesting, or just chat with others.

12 comments
[–] [email protected] 19 points 1 year ago (1 children)

In one, they say they were able to hijack an Internet-connected security cam and capture footage of the power LED of a smart card reader 16 meters away. After processing and analyzing the footage, the team was able to recover the 256-bit key.

Wow! That's incredibly impressive.

In another study, they were able to take iPhone footage of the power LED of Logitech speakers that were hooked up to a USB hub that was also charging a Samsung Galaxy S8 smartphone. From looking at the speakers' power LED and analyzing its colors and brightness, the team says they were able to uncover the 378-bit key for the Samsung Galaxy — a remarkable scenario because the key was solved indirectly by looking at another connected device.

Holy shit! That's unbelievable! By which I mean: I don't believe you.

[–] [email protected] 5 points 1 year ago* (last edited 1 year ago) (1 children)

Power fluctuations on a USB hub indicate power draw and can be directly related to data sent over the bus. I can totally believe this.

This video explains the method in more detail: https://youtu.be/ITqBKRZvS3Y

[–] [email protected] 9 points 1 year ago* (last edited 1 year ago) (1 children)

With the help of this video I found their paper. So: In order to compromise the smart card reader, they hooked up their own hardware to it and caused it to perform 10,500 signature operations while they carefully measured the brightness of the LED. For the Samsung private key attack, they're applying in a novel way an already-known timing attack caused by an interaction between the crypto library and the power-saving features of the processor. They threw large numbers of carefully crafted cryptographic operations at the CPU to cause it to change its voltage and power characteristics in ways it's not supposed to, which they then detected at a distance by observing the speaker's LED, which led them to be able to deduce the private key.

It's still extremely impressive and 100% valid research. But, I feel that "if we have access to the hardware / ability to attack the software at length, and in addition we can watch the LEDs, the LEDs can help with the attack operation we conduct" is a little different than what the article made it sound like.

[–] [email protected] 3 points 1 year ago (1 children)

Yeah, I pulled the paper as well since I was curious. As far as I understand it, for the card reader, they use the data they get from the LED to help with solving the key. The LEDs leak crucial information about each encryption calculation and some specific calculations give away more info than others so they had to capture many key exchanges. Not super useful in most cases but it demonstrates a novel way to observe leaked info.

I'll add a link to the paper to the post for easier access.

[–] [email protected] 2 points 1 year ago

Sounds good to me. Like I say it's still extremely impressive; there's no need to omit the "and they also did a conventional attack at the same time which the LED helped with" part for it to be a great story.

[–] [email protected] 5 points 1 year ago (1 children)
[–] [email protected] 2 points 1 year ago

I think I recall reading about this one too. There are all kinds of ways processors and devices leak information. If you have the time and access you can correlate a lot of things to specific hardware and software operations.

I remember hearing something about a typewriter bug that is tuned to determine the key pressed by the particular acoustic signature of each key press. These kinds of outside-the-box solutions really interest me.

EMI and crosstalk is another area where information can leak and there are already snooping devices that work using that.

[–] [email protected] 4 points 1 year ago

This is like using visible vibrations in a plant to figure out the sounds in that room from far away. Very cool

[–] [email protected] 3 points 1 year ago

The part about hacking Galaxy S8 keys by looking at a speaker connected to the same USB... I think it's very far-fetched.

S8 has a battery that is constantly charged by a USB cable. When you unlock the phone, power draw doesn't change except maybe for a brief second when the key is entered.

[–] [email protected] 2 points 1 year ago

I've read the paper, it's really very cool. However there is nothing to worry about in real life. They captured thousands of uses of a smartcard and then used statistical analysis to glean data used to attack a protocol with known vulnerabilities. In another setup they had a phone right up against the power LED, using the rolling shutter effect to collect a single point of data at really high speed. The whole thing also depends on a shitty power supply with an LED in the main path. Most power supplies these days don't have such an LED and if they do it's not always the case they leak data like this.

The circumstances that allow this to work aren't likely to occur in real life. Even if everything is just right, it still requires a way to collect thousands of samples to do the statistical analysis. And then also requires a scheme with known specific vulnerabilities to work.

Very cool research, but don't worry about taping off all your power LEDs for security reasons.
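Both this comment and the earlier one about the 10,500 measured signature operations come down to the same point: a per-operation leak that is tiny compared to the measurement noise only becomes visible after averaging over many traces, and the trace count grows with the square of the noise-to-leak ratio. The following is an added toy simulation (not code from the thread or from the paper, and not modelled on the paper's actual data) that makes that trade-off concrete with a fixed-vs-fixed Welch's t-test, the standard leakage-assessment check. The leak size, noise level and the 4.5 threshold are constructed assumptions; the defender's takeaway is the last line, where a data-independent implementation (leak of zero) stays undetectable no matter how many traces are collected.

```python
import random
import statistics

# Constructed toy model (assumption, not the paper's measurements): one "trace" is
# one LED brightness sample taken during one cryptographic operation. A leaky
# implementation draws LEAK units more power when the secret bit is 1; every
# sample is buried under Gaussian measurement noise of standard deviation NOISE.
LEAK = 0.05
NOISE = 1.0
T_THRESHOLD = 4.5  # conventional |t| cutoff in TVLA-style leakage assessment


def simulate_traces(secret_bit, n_traces, leak=LEAK, noise=NOISE, rng=None):
    """Return n_traces noisy brightness samples for operations on secret_bit."""
    rng = rng or random.Random(0)
    return [secret_bit * leak + rng.gauss(0.0, noise) for _ in range(n_traces)]


def welch_t(a, b):
    """Welch's t-statistic: how many standard errors apart the two group means are."""
    mean_a, mean_b = statistics.fmean(a), statistics.fmean(b)
    var_a, var_b = statistics.variance(a), statistics.variance(b)
    return (mean_a - mean_b) / ((var_a / len(a) + var_b / len(b)) ** 0.5)


def leakage_detected(n_traces, leak=LEAK, noise=NOISE, seed=0):
    """Fixed-vs-fixed test: can traces for secret bit 0 be told apart from bit 1?"""
    rng = random.Random(seed)
    group0 = simulate_traces(0, n_traces, leak, noise, rng)
    group1 = simulate_traces(1, n_traces, leak, noise, rng)
    return abs(welch_t(group0, group1)) > T_THRESHOLD


def traces_needed(leak=LEAK, noise=NOISE, threshold=T_THRESHOLD):
    """Traces per group for the expected |t| to reach the threshold.

    With two groups of n samples, E[t] = leak / sqrt(2 * noise**2 / n), so
    n = 2 * (threshold * noise / leak)**2: halving the leak quadruples the cost,
    which is why "thousands of samples" is the normal price of such an attack.
    """
    return int(2 * (threshold * noise / leak) ** 2) + 1


if __name__ == "__main__":
    n_needed = traces_needed()
    print(f"traces per group to reach |t|>{T_THRESHOLD}: {n_needed}")
    for n in (100, 1000, n_needed, 4 * n_needed):
        print(f"{n:>7} traces, leaky implementation:  detected={leakage_detected(n)}")
    # A data-independent implementation (leak=0) never separates, however many traces
    print(f"{4 * n_needed:>7} traces, constant implementation: "
          f"detected={leakage_detected(4 * n_needed, leak=0.0)}")
```

The simulation only models one bit of one operation; a real assessment runs the same test per sample point across a whole trace, but the scaling law is what matters for deciding whether "we could see the LED" is a threat: the mitigation is to drive the per-operation leak toward the noise floor (constant-time, blinded arithmetic, decoupled power rails), not to cover the LED.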

[–] [email protected] 1 points 1 year ago

There was a story like this in Zalewski's book Silence on the Wire. Not as technically sophisticated, of course. Great read if you're into side channel attacks.

[–] [email protected] 1 points 1 year ago

The concept of this is cool, but it feels strictly academic. When I read about this from another article it said the smart card had to be filmed for 60+ minutes of key exchange time. A normal key exchange is a fraction of a second. The ideal circumstances needed for this just don't exist in the real world...
