There’s an old joke that asks, “how many hackers does it take to change a light bulb?” The correct answer is none, as nobody knew the light bulb had even been changed. Joking aside, what if a hacker could use a bulb as part of an exploit? I’m not talking about spying on you using a light bulb, or even a device power LED. But what if I told you hackers have already demonstrated how they can steal a cryptographic ‘secret key’ by video-recording power LEDs? What if I told you they have already used an iPhone to steal just such a key from a Samsung Galaxy smartphone?
The use of power LEDs as a hacking tool
The National Security Agency (NSA) has long been aware of a military spying technique known as TEMPEST, which exploits leaked emanations such as sound, vibration, and radio or electrical signals. During the Cold War, one such eavesdropping technique involved aiming a laser microphone at a window to listen to the conversations inside.
Fast-forward to 2021 and security researchers used an analysis of optical emanations from LED power indicators of speakers to recover and record sound. Invisible to the naked eye, the minute fluctuations in intensity of the LED could be read by an electro-optical sensor attached to a telescope.
Roll on another couple of years, and now researchers from the Ben-Gurion University of the Negev in Israel have moved the side-channel attack type forwards once more by using the video camera of an iPhone 13 Pro Max to steal a cryptographic key from a Samsung Galaxy S8 smartphone.
Stealing a cryptographic key from a Samsung Galaxy S8 using an iPhone 13 Pro Max
In their research paper entitled Video-Based Cryptanalysis: Extracting Cryptographic Keys from Video Footage of a Device’s Power LED, the researchers put forward video-based cryptanalysis as a “new method used to recover secret keys from a device by analyzing video footage of a device’s power LED.”
The researchers, Ben Nassi, Etay Iluz, Or Cohen, Ofek Vayner, Dudi Nassi, Boris Zadov, and Yuval Elovici, were able to demonstrate how secret keys could be harvested from non-compromised devices using video recorded by consumer-grade video cameras such as the one found in an iPhone 13 Pro Max. Video, that is, of device power LEDs.
This is explained in the paper as being possible thanks to the fact that “cryptographic computations performed by the CPU change the power consumption of the device which affects the brightness of the device’s power LED.”
Hackers put power LEDs in the frame
Video footage of a power LED filling the whole frame is shot, and the camera’s rolling shutter is then used to increase the sampling rate to 60,000 measurements per second in the case of the iPhone 13 Pro Max. The video frames are then analyzed “in the RGB space” and the RGB values of the LED used to “recover the secret key by inducing the power consumption of the device from the RGB values.”
In the case of the Samsung Galaxy S8 target device, which holds a 378-bit Supersingular Isogeny Key Encapsulation (SIKE) secret key, a side-channel exploit was used. This involved analysing video of Logitech Z120 USB speakers attached to the S8, or rather the power LED of those speakers, which were connected to the same USB hub as was being used to charge the smartphone.
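To make the sampling-rate claim concrete, here is an added Python simulation (not code from the paper or the researchers) of how a rolling shutter turns a 60 fps camera into a 60,000 sample-per-second light sensor. The camera geometry (60 fps, 1,000 sensor rows read out one after another across the frame period) and the LED ripple signal are constructed assumptions; the per-frame average shows what an ordinary reading of the video would see, and the per-row series shows what the rolling shutter recovers.

```python
import math

# Constructed camera model (assumption, not measured from any real device): a 60 fps
# camera whose sensor has 1,000 rows exposed one after another, i.e. a rolling shutter.
FPS = 60
ROWS = 1000
SAMPLE_RATE = FPS * ROWS  # 60,000 samples/s, the figure quoted for the iPhone 13 Pro Max


def led_brightness(t):
    """Constructed stand-in for a power LED: steady glow plus a small 600 Hz ripple."""
    return 0.8 + 0.05 * math.sin(2 * math.pi * 600.0 * t)


def capture_frame(frame_index, signal):
    """Row r of frame k is exposed at t = k/FPS + r/SAMPLE_RATE. Because the LED
    fills the whole frame, every row's mean intensity is one brightness sample."""
    t0 = frame_index / FPS
    return [signal(t0 + r / SAMPLE_RATE) for r in range(ROWS)]


def frame_average_series(frames):
    """Treating each frame as one measurement gives only FPS samples/s."""
    return [sum(f) / len(f) for f in frames]


def rolling_shutter_series(frames):
    """Reading the rows individually and concatenating them gives FPS*ROWS samples/s."""
    return [v for f in frames for v in f]


def dominant_frequency(samples, rate):
    """Peak of a naive DFT (pure Python, no numpy) over positive, non-DC bins."""
    n = len(samples)
    mean = sum(samples) / n
    centred = [s - mean for s in samples]
    best_k, best_mag = 0, -1.0
    for k in range(1, n // 2):
        re = im = 0.0
        for i, s in enumerate(centred):
            angle = 2 * math.pi * k * i / n
            re += s * math.cos(angle)
            im += s * math.sin(angle)
        if re * re + im * im > best_mag:
            best_k, best_mag = k, re * re + im * im
    return best_k * rate / n


if __name__ == "__main__":
    frames = [capture_frame(k, led_brightness) for k in range(3)]
    avg = frame_average_series(frames)
    rows = rolling_shutter_series(frames)
    print("per-frame ripple:", round(max(avg) - min(avg), 6))   # ~0: 600 Hz is invisible at 60 fps
    print("per-row ripple:  ", round(max(rows) - min(rows), 6))  # 0.1: full swing recovered
    print("recovered frequency:", dominant_frequency(frames[0], SAMPLE_RATE), "Hz")  # 600.0
```

The same reasoning is why a countermeasure has to remove the brightness variation at the LED itself, or cover the LED, rather than rely on the camera being too slow.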
How realistic is such an attack outside the hacker lab?
You’ve probably already started wondering just how worried you need to be by this type of research. The truth is that, outside of the hacking lab, it’s not likely to see much use. Not least because success requires a number of conditions that rarely hold in the real world.
Ben Nassi is a Black Hat board member as well as a frequent speaker at hacker conferences including Black Hat, DEFCON, and Hack In The Box (HITB), as well as being one of the researchers involved with this newly-evolved attack methodology. In his research FAQ, Nassi concedes that the ability to exploit those stolen cryptographic keys (a smart-card reader was also targeted) relies on a vulnerability in the cryptographic libraries themselves. The power LEDs are simply the method used to “exploit the vulnerability visually.” Ensuring you are using the most up-to-date libraries would nullify the attack, which here exploited the Hertzbleed and Minerva vulnerabilities, Nassi states.
Then there’s the line-of-sight requirement. The video camera needs to be able to ‘see’ the power LED in question. For the smart-card attack this meant a camera could be as far as 62 feet away, but for the Samsung Galaxy S8 attack the iPhone had to be in the same room. Not only that, the S8 attack required, erm, 18 days’ worth of video.
If those mitigating factors weren’t enough, and you are really paranoid about your security and think someone could be using such cutting-edge methods to grab your cryptographic keys, then a bit of sticky tape over all power LEDs would do the trick.
None of which is to belittle the research; far from it, as it’s exactly this kind of envelope-pushing that ultimately makes us safer from malicious actors. Rather, it needs to be met with a proportionate response. There really isn’t any need to worry about lab-based research; focus instead on all the bad things that are already out there.