Problem: Over this last week, I was blown away by the research of Ben Nassi and his team (it was also posted on and went viral on Hacker News). In short, his paper and research provides a way to “recover secret keys from non-compromised devices using video footage of their power LED obtained by commercial video cameras.” What are the implications of this new form of digital espionage AKA side-chain attachs?
Below is the paper’s abstract:
In this paper, we present video-based cryptanalysis, a new method used to recover secret keys from a device by analyzing video footage of a device’s power LED. We show that cryptographic computations performed by the CPU change the power consumption of the device which affects the brightness of the device’s power LED. Based on this observation, we show how attackers can exploit commercial video cameras (e.g., an iPhone 13’s camera or Internet-connected security camera) to recover secret keys from devices. This is done by obtaining video footage of a device’s power LED (in which the frame is filled with the power LED) and exploiting the video camera’s rolling shutter to increase the sampling rate by three orders of magnitude from the FPS rate (60 measurements per second) to the rolling shutter speed (60K measurements per second in the iPhone 13 Pro Max). The frames of the video footage of the device’s power LED are analyzed in the RGB space, and the associated RGB values are used to recover the secret key by inducing the power consumption of the device from the RGB values. We demonstrate the application of video-based cryptanalysis by performing two side-channel cryptanalytic timing attacks and recover: (1) a 256- bit ECDSA key from a smart card by analyzing video footage of the power LED of a smart card reader via a hijacked Internet-connected security camera located 16 meters away from the smart card reader, and (2) a 378-bit SIKE key from a Samsung Galaxy S8 by analyzing video footage of the power LED of Logitech Z120 USB speakers that were connected to the same USB hub (that was used to charge the Galaxy S8) via an iPhone 13 Pro Max. Finally, we discuss countermeasures, limitations, and the future of video-based cryptanalysis in light of the expected improvements in video cameras’ specifications.
Subscribe here to get access to the first 500 ideas from our blog. For just one coffee a month, you can have access to more than $500 billion dollars of ideas. What's not to love?
Solution: The type of vulnerability which Nassi explores in his research is an example of a side-channel attack. This is a type of attach that takes advantage of the “exhaust” of computer processing in order to understand original processes from the device. As Wikipedia describes, it is based on extra information such as “timing information, power consumption, electromagnetic leaks, and sound.” The entire field has been pioneered by Paul Kocher.
These sorts of attacks almost seem like magic. By understanding leaked electromagnetic radiation, hackers can interpret plaintexts or other information. Based on the sound produced during computation, you an estimate what a user is doing. And in Nassi’s research, based on the flashing of an LED light you can understand what one’s secret keys might be.
There are 3 extremely clear examples of side-chain attacks to highlight:
A timing attack watches data movement into and out of the CPU or memory on the hardware running the cryptosystem or algorithm. Simply by observing variations in how long it takes to perform cryptographic operations, it might be possible to determine the entire secret key. Such attacks involve statistical analysis of timing measurements and have been demonstrated across networks
A power-analysis attack can provide even more detailed information by observing the power consumption of a hardware device such as CPU or cryptographic circuit. These attacks are roughly categorized into simple power analysis (SPA) and differential power analysis (DPA).
A deep-learning-based side-channel attack, using the power and EM information across multiple devices has been demonstrated with the potential to break the secret key of a different but identical device in as low as a single trace.
So what does this mean? Should we do all of our future computing work in a locked room?
Anecdotally in the industry, there tend to be two forms of mitigation. First, limiting the amount of data that is leaked or exhausted unknowingly. Second, disrupting the relationship between leaked information and secret data (aka the device itself). Perhaps even decentralized computing with secrets spread across multiple devices could be a solution as well (which falls into the second bucket).
This business would focus on consulting either as an attack deferrer or provider to master the science and art of side-chain attacks. Through consulting with government agencies, financial institutions, corporations with significant secrets, and more it would serve as a “Palantir for side-chain.” Focusing on creating products and services designed to mitigate this, the business would begin as a niche player in the $173.5 billion cybersecurity market. According to markets and markets, this number is expected to grow at a compound annual growth rate (CAGR) of 8.9% to reach $266.2 billion by 2027.
Monetization: Sales of services.
Contributed by: Michael Bervell (Billion Dollar Startup Ideas)