{"id":21291,"date":"2023-06-28T19:05:13","date_gmt":"2023-06-28T15:05:13","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/led-data-exfiltration\/21291\/"},"modified":"2023-06-28T19:05:26","modified_gmt":"2023-06-28T15:05:26","slug":"led-data-exfiltration","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/led-data-exfiltration\/21291\/","title":{"rendered":"LED data exfiltration"},"content":{"rendered":"<p>Researchers from universities in both the U.S. and Israel have published a <a href=\"https:\/\/eprint.iacr.org\/2023\/923\" target=\"_blank\" rel=\"nofollow noopener\">paper<\/a> describing a \u201cvideo-based cryptanalysis\u201d method. This term is far from easy-to-understand, as is the paper itself. But, as always, we\u2019ll try to explain everything in plain language.<\/p>\n<h2>Video-based cryptanalysis attack<\/h2>\n<p>\nLet\u2019s imagine a real attack using this technology. It might go as follows. Intruders gain access to the video surveillance system in a corporate building. One of the cameras is pointed at the door of a high-security storage room for, say, secret documents. On the door is a smart card reader. A company employee approaches the door and inserts their card; the lock opens.<\/p>\n<p>The smart card contains a microchip that talks to the reader. To verify the key encoded in the smart card against the data in the reader, the latter performs a cryptographic algorithm \u2014 that is, a series of calculations. In a normal situation, it\u2019s extremely difficult to make a copy of such a key \u2014 even\u00a0if you manage to get hold of the original. But there\u2019s a vulnerability: the reader\u2019s LED. 
This indicates that the device is working, changing color from red to green when a visitor is authorized and the door can be opened.<\/p>\n<p>The brightness of the indicator, which depends on the load on the reader\u2019s systems, changes during the cryptographic operation: for example, when the reader\u2019s processor is busy with calculations, the LED brightness dips slightly. By analyzing these slight alterations, it\u2019s possible to reconstruct the private key and thus create a smart card that opens the door to the secret room. If intruders have access to a video camera and can get video footage of the reader\u2019s LED, in theory, they can then hack into the building\u2019s security system.<\/p>\n<h2>Practical difficulties<\/h2>\n<p>\nPutting theory in papers such as this one into practice is never easy. The above scenario is unlikely to be implemented in practice any time soon. And for hardware-security pros, this vulnerability is nothing new. It\u2019s a case of a classic side-channel attack: data leakage through some non-obvious process in a device\u2019s operation. A traditional, decades-old method of attacking smart cards and other devices that use data encryption algorithms is to measure the voltage on the device. During the calculations, this voltage changes slightly. By observing these slight changes, an attacker might be able to reverse-engineer the algorithm: for example, by linking a voltage drop with a certain value being processed.<\/p>\n<p>A feature of this kind of side-channel attack is that the calculations are very fast. To reconstruct the encryption key, one would have to measure the voltage hundreds or even thousands of times per second. But the LED is a part of the overall power-supply circuit of the device, which means that its brightness varies with the voltage. Check out the progress: the attack no longer requires complex and expensive equipment. No need to take the device apart and solder wires to the circuit board. 
Just point the video camera at the LED, make a recording, analyze it and get the result.<\/p>\n<h2>Video analysis features<\/h2>\n<p>\nWhen analyzing video footage in practice, the authors of the paper encountered numerous difficulties. A regular camera shoots video at 60 frames per second, while an advanced one \u2014 no more than 120. For an attack on an encryption algorithm, that\u2019s way too low. To improve the method, the researchers exploited an inherent flaw in any digital camera that manufacturers typically struggle to overcome: the so-called rolling shutter. When we press the shutter button, the camera\u2019s image sensor doesn\u2019t take an instantaneous snapshot. What happens is that the sensor\u2019s pixels are scanned sequentially, line by line, from top to bottom. If we photograph an object moving at high speed, this can produce artistic effects. Think of the rotating blades of a helicopter.<\/p>\n<div id=\"attachment_48526\" style=\"width: 610px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-48526\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2023\/06\/28190454\/led-data-exfiltration-rolling-shutter.jpg\" alt=\"Typical example of rolling shutter. \" width=\"600\" height=\"800\" class=\"size-full wp-image-48526\"><p id=\"caption-attachment-48526\" class=\"wp-caption-text\">While the digital camera sequentially reads data from the image sensor, the propeller has time to shift. The result is a distorted image. <a href=\"https:\/\/jasmcole.com\/2014\/10\/12\/rolling-shutters\/\" target=\"_blank\" rel=\"noopener nofollow\">Source<\/a><\/p><\/div>\n<p>The researchers proceeded as follows: they moved the camera closer to the LED so that it filled almost the entire area of the frame. Then they measured the brightness, not of the whole frame, but of each line. 
Hence, the \u201cmeasurement frequency\u201d \u2014 and thus the accuracy \u2014 got a massive boost: up to 61,400 times per second in the case of the iPhone 14 camera. Curiously, in this rather atypical camera usage scenario, the iPhone got the better of Samsung in terms of the amount of data recorded.<\/p>\n<div id=\"attachment_48527\" style=\"width: 1566px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-48527\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2023\/06\/28190505\/led-data-exfiltration-phones.jpg\" alt=\"Testing smartphones' ability to capture small changes in LED brightness.\" width=\"1556\" height=\"849\" class=\"size-full wp-image-48527\"><p id=\"caption-attachment-48527\" class=\"wp-caption-text\">Testing smartphones\u2019 ability to capture small changes in LED brightness at a certain frequency. <a href=\"https:\/\/eprint.iacr.org\/2023\/923.pdf\" target=\"_blank\" rel=\"noopener nofollow\">Source<\/a><\/p><\/div>\n<p>The above screenshot shows the result of this improved configuration: the researchers made the LED blink at a certain frequency, gradually increasing it. The switching on and off of the LED is clearly visible by measuring the power fluctuations (top left). The change in LED brightness can be seen clearly when using a specialized photosensor (top right). The test used two smartphones as video cameras (bottom row). As we can see, they recorded the blinking of the LED at a fairly low frequency; higher frequency changes in brightness were lost. But at the base frame-rate (60 or 120 times per second), even these results would be out of reach. This improvement turned out to be sufficient for a successful attack.<\/p>\n<h2>Attack results<\/h2>\n<p>\nTo prove the possibility of a \u201cvideo attack\u201d in practice, the researchers showed how a private encryption key can be exfiltrated from various smart card readers. 
In each of the five experiments, the LED was made to blab its secrets. In theory, it\u2019s not even necessary for the smartphone or video camera to be near the device; under certain conditions, the signal can be recorded from up to 60 meters away. The team also found that the presence of other light sources (a sun-lit room, for example) impacted the measurement accuracy. This complicates the attack by adding noise to the useful signal, but is not critical to the outcome.<\/p>\n<p>But that\u2019s not all. The researchers attacked a Samsung Galaxy S8, which was running the SIKE data encryption algorithm.<\/p>\n<div id=\"attachment_48528\" style=\"width: 1102px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-48528\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2023\/06\/28190520\/led-data-exfiltration-phone-attack.jpg\" alt=\"Exfiltrating secret data from a smartphone.\" width=\"1092\" height=\"584\" class=\"size-full wp-image-48528\"><p id=\"caption-attachment-48528\" class=\"wp-caption-text\">Exfiltrating secret data from a smartphone. <a href=\"https:\/\/eprint.iacr.org\/2023\/923.pdf\" target=\"_blank\" rel=\"noopener nofollow\">Source<\/a><\/p><\/div>\n<p>A smartphone has no LED that lights up when the device is turned on. But the researchers got crafty: they took the phone and connected portable speakers that did have an LED! 
Because the speakers were powered by the smartphone, the scenario whereby LED brightness depends on processor load was replicated.<\/p>\n<p>The result was a Hertzbleed attack on the phone (see <a href=\"https:\/\/www.kaspersky.com\/blog\/hertzbleed-attack\/44824\/\" target=\"_blank\" rel=\"noopener nofollow\">here<\/a> for details), confirming that processors based on ARM architecture are also at risk of this type of attack (the original paper covered only vulnerabilities in Intel and AMD chips with x86 architecture).<\/p>\n<p>We\u2019re now talking about a wholly theoretical experiment, not about stealing any actual encryption keys in use. Cryptographic calculations were triggered on the smartphone according to a certain algorithm. By measuring the brightness of the LED on the speakers connected to the phone, the researchers managed to capture the operation of the algorithm and recover the private key. Since a smartphone is far more complex than a smart card reader, the noise level in the measurements was much higher. Nevertheless, the experiment was successful.\n<\/p>\n<h2>On the usefulness of this scientific research<\/h2>\n<p>\nThis study is unlikely to be applied in practice any time soon. The attack is highly complex, and it\u2019s hard to find a realistic use case for it. As is often the case, the interest value of such papers does not lie in the practical exploitation of \u201cdiscovered vulnerabilities\u201d. Perhaps the key takeaway of this study is that the specialized equipment once needed for side-channel attacks has been replaced with off-the-shelf devices.<\/p>\n<p>We often <a href=\"https:\/\/www.kaspersky.com\/blog\/pc-speaker-data-exfiltration\/47737\/\" target=\"_blank\" rel=\"noopener nofollow\">post about data exfiltration<\/a> through non-obvious channels, such as a desktop PC speaker. But in all these cases, malware must already be installed on the victim\u2019s computer. 
This paper hints at the possibility of exfiltrating sensitive information without prior hacking, simply by observing a power LED.<\/p>\n<p>And that makes it an important contribution to our general knowledge of side-channel attacks. We can only hope that manufacturers of vulnerable devices take note and improve the design of new models \u2014 before such security holes become exploitable in practice. After all, as the paper rightly points out, it\u2019s quite simple to make an LED that doesn\u2019t reveal secret information: for example, add a dirt-cheap capacitor to the power supply circuit, and the problem\u2019s solved. And measures to counteract side-channel attacks can be implemented at the software level too. Finally, why not ditch the LED altogether? Would anyone really miss it?<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Researchers have come up with a way to exfiltrate confidential data by observing LED activity.<\/p>\n","protected":false},"author":665,"featured_media":21294,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1318,1916,1917],"tags":[191,2663],"class_list":{"0":"post-21291","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-enterprise","9":"category-smb","10":"tag-data","11":"tag-side-channel"},"hreflang":[{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/led-data-exfiltration\/21291\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/led-data-exfiltration\/25850\/"},{"hreflang":"ar","url":"https:\/\/me.kaspersky.com\/blog\/led-data-exfiltration\/11092\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/led-data-exfiltration\/28548\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/led-data-exfiltration\/26149\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/led-data-exfiltrat
ion\/35647\/"},{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/led-data-exfiltration\/11659\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/led-data-exfiltration\/48523\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/led-data-exfiltration\/34325\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/led-data-exfiltration\/26464\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/led-data-exfiltration\/32159\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/led-data-exfiltration\/31843\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/me-en.kaspersky.com\/blog\/tag\/data\/","name":"data"},"_links":{"self":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/21291","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/665"}],"replies":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=21291"}],"version-history":[{"count":1,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/21291\/revisions"}],"predecessor-version":[{"id":21293,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/21291\/revisions\/21293"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/21294"}],"wp:attachment":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=21291"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=21291"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=21291"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","t
emplated":true}]}}