Professional Documents
Culture Documents
Abstract—In this paper, we present video-based cryptanalysis, ping [5–7]), little is known about the risks posed by video
a new method used to recover secret keys from a device by cameras to information confidentiality in the digital world.
analyzing video footage of a device’s power LED. We show that In this paper, we present video-based cryptanalysis, a new
cryptographic computations performed by the CPU change the
power consumption of the device which affects the brightness of side-channel cryptanalytic attack that can be performed by
the device’s power LED. Based on this observation, we show how attackers to recover a secret key from a target device by
attackers can exploit commercial video cameras (e.g., an iPhone obtaining video footage of the target device’s power LED
13’s camera or Internet-connected security camera) to recover using a commercial video camera (e.g., the video camera of
secret keys from devices. This is done by obtaining video footage a smartphone or an Internet-connected security camera). We
of a device’s power LED (in which the frame is filled with the
power LED) and exploiting the video camera’s rolling shutter show how attackers can exploit video footage of a device’s
to increase the sampling rate by three orders of magnitude power LED to recover a device’s secret key. This is possible
from the FPS rate (60 measurements per second) to the rolling because the intensity/brightness of the device’s power LED
shutter speed (60K measurements per second in the iPhone 13 correlates with its power consumption, due to the fact that
Pro Max). The frames of the video footage of the device’s power in many devices, the power LED is connected directly to the
LED are analyzed in the RGB space, and the associated RGB
values are used to recover the secret key by inducing the power power line of the electrical circuit which lacks effective means
consumption of the device from the RGB values. We demonstrate (e.g., filters, voltage stabilizers) of decoupling the correlation.
the application of video-based cryptanalysis by performing two We empirically analyze the sensitivity of video cameras
side-channel cryptanalytic timing attacks and recover: (1) a 256- and show that they can be used to conduct cryptanalysis
bit ECDSA key from a smart card by analyzing video footage of because: (1) the limited eight-bit resolution (a discrete space
the power LED of a smart card reader via a hijacked Internet-
connected security camera located 16 meters away from the smart of 256 values) of a single RGB channel of video footage of
card reader, and (2) a 378-bit SIKE key from a Samsung Galaxy a device’s power LED is sufficient for detecting differences
S8 by analyzing video footage of the power LED of Logitech Z120 in the device’s power consumption which are caused by
USB speakers that were connected to the same USB hub (that the cryptographic computations, and (2) the video camera’s
was used to charge the Galaxy S8) via an iPhone 13 Pro Max. rolling shutter can be exploited to upsample the sampling rate
Finally, we discuss countermeasures, limitations, and the future
of video-based cryptanalysis in light of the expected improvements of the intensity/brightness of the power LED in the video
in video cameras’ specifications. footage to the level needed to perform cryptanalysis, i.e.,
increasing the number of measurements (sampling rate) of
the intensity/brightness of the power LED in video footage
I. I NTRODUCTION by three orders of magnitude from the FPS rate (which
produces 60-120 measurements per second) to the rolling
Video cameras have become one of the most ubiquitous shutter rate (which produces 60K measurements per second
types of sensors used, and today they are integrated in a in the iPhone 13 Pro Max), by zooming the video camera
variety of devices/systems (e.g., smartphones, drones, au- on the power LED of the target device so the view of the
tonomous vehicles) and deployed as standalone devices/sys- LED fills the entire frame of the video footage. By doing so,
tems (e.g., surveillance/security cameras, webcams) in smart attackers can use a readily available video camera to perform
cities, houses, offices, businesses, and other settings. The wide cryptanalysis remotely instead of the professional dedicated
deployment of video cameras in devices and systems enabled sensors typically used (e.g., a scope, software-defined radio).
the development of new automatic capabilities/functionality, First, we show that standard video cameras can detect
however it has also created new privacy risks resulting from changes in the power supply to a power LED at a higher
their deployment in residential neighborhoods, urban environ- frequency than their FPS (frames per second) rate (by ex-
ments, etc. While many studies analyzed and discussed the ploiting their rolling shutter). Then, we discuss two potential
risks posed by video cameras to individuals’ privacy in the threat models that attackers can use to apply video-based
physical world (e.g., spying [1–4], sound/speech eavesdrop- cryptanalysis, based on the type of the power LED of the
ii
device: (1) for devices with standard on/off power LEDs, II. R ELATED W ORK
attackers can obtain video footage using their smartphone’s
Cryptanalysis. Cryptanalytic side-channel attacks which
video camera (i.e., attackers must have physical access to the
exploit the correlation between the cryptographic computations
target device), and (2) for devices with indicative power LEDs
performed by a device and its physical emanations have
(in which the color of the power LED changes in response to
been demonstrated in many studies. Those studies exploited
a CPU operation), attackers can obtain the video footage using
the variation in a device’s power consumption to recover
a nearby compromised Internet-connected video camera (i.e.,
secret keys by measuring a device’s power consumption (e.g.,
attackers can apply the attack remotely over the Internet).
[11, 12]) or by measuring other side effects, including EMR
Next, we demonstrate video-based cryptanalysis and apply leakage (e.g., [13–19]) and acoustic noise (e.g., [20]).
two cryptanalytic attacks published in the last few years in In some studies [21–23] cryptanalysis was performed by
order to recover: (1) a 256-bit ECDSA key from a smart capturing near-infrared photons emitted from switching tran-
card (exploiting the vulnerability presented in [8, 9]). The sistors located on the back of field programmable gate ar-
ECDSA key is recovered by analyzing video footage obtained rays (FPGAs) during the execution of a proof-of-concept
via an Internet-connected video camera located sixteen meters implementation of cryptographic algorithms. However, the
away from the smart card, (2) a 378-bit SIKE key from a suggested attacks are ineffective against commercial devices,
Samsung Galaxy S8 (exploiting the vulnerability presented because their electrical circuits are encapsulated in light-
in [10]). The key is recovered by analyzing video footage blocking covers (e.g., in smartphones). Moreover, these attacks
obtained by an iPhone 13 Pro Max’s video camera of a were not demonstrated on a commercial consumer device
power LED of speakers that were connected to the same running a common cryptographic library.
USB hub (which was used to charge the Samsung Galaxy Power LEDs. Discussion regarding the risks posed to infor-
S8). Finally, we raise concern regarding the possibility that mation confidentiality stemming from the correlation between
a greater number of devices will be exposed to video-based the intensity of a power LED to the power consumed by the
cryptanalysis in light of the existing improvements in video device [24] began over 20 years ago [25]. However, prior re-
camera specs (which include: an increased shutter speed, a search demonstrating methods capable of exploiting a device’s
wider RGB space, and improved zoom capabilities) and in power LED for data exfiltration relied on preinstalled malware
light of the expected improvements in video cameras specs [26–28] that actively triggered and controlled a device’s LED
(based on Moore’s Law). (e.g., a keyboard [26], router [27], hard drive [28]) in order
Contributions. (1) We show that the combination of vul- to establish optical covert channels. A more recent study
nerable cryptographic algorithms (i.e., that are vulnerable presented a side-channel attack to recover speech from virtual
to cryptanalytic side-channel attacks) and vulnerable power meetings by exploiting the power LED of speakers used in the
LEDs (i.e., that their color/brightness leak information) can be meeting [29, 30].
exploited by attackers to recover secret keys in a weaker threat Rolling Shutters. A few studies demonstrated sound recov-
model with respect to SOTA works. Video-based cryptanalysis ery from video footage by exploiting a video camera’s rolling
relies on video cameras, which are much more common shutter and analyzing the movements of objects in response to
and readily available than the equipment used to conduct nearby sound [5–7].
cryptanalysis in prior works (e.g., a scope, probe, software-
defined radio) and allow attackers to apply the attack in a non-
III. T HREAT M ODEL & U PSAMPLNG THE S AMPLING R ATE
intrusive manner using video footage. (2) Attack vector - We
demonstrate two non-intrusive attack vectors (with physical A. Threat Model
proximity and over the Internet) to apply video-based crypt- In video-based cryptanalysis, the attacker recovers secret
analysis that can be exploited to perform existing and new keys from a target device using video footage of the power
cryptanalytic side-channel attacks, depending on the type of LED of the target device (i.e., a direct attack) or of the power
device’s power LED. (3) Exposure - We show that at least six LED of a connected peripheral (i.e., an indirect attack) whose
commercial smart card readers (that we bought on Amazon) power consumption is also affected by the power consumption
and a smartphone leak information that can be exploited to ap- of the target device. The attacker exploits the correlation
ply video-based cryptanalysis directly from their power LEDs between the intensity/brightness of a device’s power LED and
or indirectly via the power LEDs of connected peripherals the device’s power consumption (which is affected by the cryp-
(speakers, USB hubs). tographic operations performed); this correlation stems from
Structure. In Section II, we review related work. The threat the fact that in many devices, the power LED is connected
model is presented in Section III. In Section IV, we analyze directly to the power line of the device’s electrical circuit
the bandwidth captured by video cameras of power LEDs. In which lacks effective means (e.g., filters, voltage stabilizers)
Sections V-VI, we demonstrate the application of video-based of decoupling the correlation. This correlation, which can be
cryptanalysis and recover ECDSA and SIKE keys from various detected by analyzing the RGB values of the device’s power
devices. In Section VII, we describe countermeasures, and in LED in video footage, is used by the attacker to perform
Section VIII, we discuss limitations. Finally, in Section IX, cryptanalysis. In order to achieve a sampling rate that can
we discuss our findings and present the responsible disclosure be used for cryptanalysis, the attacker uses the video camera’s
we performed. rolling shutter to upsample the sampling rate by filling the
iii
TABLE I
C OMPARISON OF THE OPTICAL SNR OBTAINED DIRECTLY AND
INDIRECTLY FROM A R ASPBERRY P I RUNNING THE CRYPTOGRAPHIC
LIBRARIES TARGETED BY [8, 10, 36].
Directly Indirectly
Raspberry Connected Connected
Pi 3b+ USB Hub Speakers
Libgcrypt 1.8.4 15.2 dB 16.4 dB 13.2 dB
GnuPG 1.4.13 16.5 dB 17.6 dB 14.5 dB
PQCrypto-SIDH 3.4 18.1 dB 22.4 dB 17.4 dB
Fig. 5. Left: Right: SNR of smart card readers obtained from various
distances.
B. Influence of the Cryptographic Library and Connected
Peripherals
may be vulnerable to video-based cryptanalysis when they are
Next, we examine how the SNR is affected by the crypto- connected to another peripheral with a vulnerable power LED.
graphic library installed on the target device when the video
is acquired directly from its power LED and indirectly from
connected peripherals. C. Influence of Distance
Experimental Setup. We compared the SNR obtained Next, we examine how the SNR is affected by the distance
from the cryptographic computations performed by three between the target device’s power LED and the video camera.
cryptographic libraries installed on a Raspberry Pi 3B+: (1) This experiment was conducted using three smart card readers
Libgcrypt 1.8.4 (during an ECDSA sign operation), (2) GnuPG that we bought from Amazon (to ensure confidentiality as
1.4.13 (during an RSA decrypt operation), and (3) PQCrypto- part of our process of responsible disclosure, we have not
SIDH 3.4 (during a SIKE operation). mentioned the specific models used in this version of the
We conducted three experiments. In the first experiment, we paper; we will include this information in the next version).
obtained video footage of the power LED of the Raspberry Each of the smart card readers contains an indicative power
Pi 3B+ for the three cryptographic libraries. In the second LED (type 2; described earlier in the paper) which makes it
experiment, we obtained video footage of the power LED of easier to detect the changes in their color from a distance (and
a USB hub that we connected to the Raspberry Pi 3B+ for determine the beginning/end of an operation). We note that
the three cryptographic libraries. In the third experiment, we the differences in the RGB values of standard on/off power
obtained video footage of the power LED of Logitech Z120 LEDs (type 1) can be detected from a maximum range of one
USB speakers that were connected to the USB hub that was meter, and they are not vulnerable to video-based cryptanalysis
connected to the Raspberry Pi 3B+ for the three cryptographic performed from a distance (i.e., using remote data acquisition).
libraries. Experimental Setup. We conducted three experiments. In
Results. We applied the Extract − F rames function on each experiment, we connected a smart card reader to a laptop
each video and extracted nine signals. Then, we calculated the and inserted the Athena IDProtect smart card into the reader.
SNR for the signals. As can be seen in the results presented We wrote a script that triggers an ECDSA sign operation
in Table I, the target library under attack greatly affects using the smart card every 200 milliseconds. In response to
the optical SNR: the SNR obtained from a SIKE operation an ECDSA sign operation, color of the power LED of the
executed by the PQCrypto-SIDH 3.4 library yields the highest smart card readers changes. Then, we placed the SUNBA
SNR for the three devices (17.4-22.4 dB); the SNR obtained video camera at five different distances from the smart card
from an ECDSA sign operation executed by the Libgcrypt reader (5, 10, 15, 20, 25 meters) and filmed the power LED
1.8.4 library yields the lowest SNR for the three devices of the smart card reader in two states: idle and sign.
(13.2-15.2 dB); and the SNR obtained from an RSA decrypt Results. We applied the Extract − F rames function and
operation executed by the GnuPG 1.4.13 library yields an extracted the associated signals for the blue channel. We
SNR lower than that of PQCrypto-SIDH 3.4 and higher than compared the SNR, using the values of the idle episode and
Libgcrypt 1.8.4 (14.5-17.6 dB). This is due to the fact that: (1) the RGB values of the ECDSA sign operation (see Fig. 5).
The leakage from the power LED present in the power LED Based on these results, we concluded that the beginning/end
of the connected peripheral to the device (the USB hub) and in of ECDSA sign operations can be detected up to a range of
the connected peripherals (USB speakers) that are connected to 25 meters in one specific case.
the peripheral connected to the target device. The power LED
of a connected peripheral may amplify or reduce the SNR
(depending on the peripheral and the device under attack); in D. Influence of Ambient Light
our case, the USB hub increases the optical SNR by ∼1.1-4.3 Next, we examine how the optical SNR is affected by am-
dB, while the USB speakers decrease the SNR by ∼0.7-2.0 bient light for two types of optical data acquisition: (1) close
dB (compared to the SNR obtained directly from the power data acquisition, in which the video camera of a smartphone
LED of the Raspberry Pi). (4) Even devices that do not consist placed on the device is used to film the power LED, and (2)
of an integrated power LED and devices whose power LEDs remote data acquisition, in which a remote video camera is
do not leak information from their integrated power LEDs used to film the power LED.
vii
Fig. 11. Experimental setup. The video camera of an iPhone 13 Pro Max is
directed (through a lens) at the power LED of Logitech Z120 speakers that
are connected to a USB hub used to charge a Samsung Galaxy S8 (which
contains the SIKE key).
Fig. 12. The RGB values of eight SIKE iterations extracted from a video
(top). Zooming in on the green channel (bottom).
results are presented in Fig. 10). As can be seen from the
results, the error converges to 1% in the seventh iteration.
obtained by an iPhone 13 Pro Max, from the power LED of
Based on this experiment, we concluded that: (1) the be-
USB speakers that were connected to a USB hub that was used
havior (the time difference) reported in the Hertzbleed paper
to charge a Samsung Galaxy S8 (which contains the SIKE key)
[10] on the x86 architecture is also observable on the ARM
in a series of adaptively chosen ciphertext attacks.
architecture at the granularity of a series of 100 consecutive
1) Experimental Setup: We connected the Samsung Galaxy
operations, with a threshold of 36.15 seconds that differentiates
S8 to a USB hub (Gold Touch 8 Ports USB3.0 Slim HUB).
the switch cases from the non-switch cases, and (2) there is
We also connected USB speakers (Logitech Z120) to the USB
a need to employ an error correction algorithm to handle the
hub. We used the video camera of an iPhone 13 Pro Max and
expected 1% of errors.
zoomed it onto the power LED of the USB speakers using a
Algorithm 3 Hertzbleed Attack lens (see Fig. 11). We obtained video footage from the iPhone
1
(resolution: 1920x1080, FPS: 120, rolling shutter speed: 61400 )
Inputs. vid: (fstart , ..., fend ) // a series of frames
of the power LED of the USB speakers while the Samsung
chan: numeric value {0,1,2} for the RGB channel
Galaxy was attacked in a series of adaptive chosen ciphertext
Output. signal: a time series of rows’ average values
attacks.
procedure E XTRACT-I NDEXES ( SIGNAL , THRESH )
The series of adaptively chosen ciphertexts was created as
indexes = [], i = 0
follows: For each index i of the private key we wanted to
signal = Average-Frames (video,1)
recover, we created a dedicated input Mi which was used to
for (j = 0; j < length(signal); j++) do
attack the implementation of SIKE-751 in the PQCrypto-SIDH
if ( thensignal [j] > threshold)
library, as described in the paper presenting Hertzbleed [10]
indexes [i] = signal [j]
(using the i − 1 bits already recovered). We used Mi to trigger
i++
800 SIKE operations, which were divided into eight iterations,
return indexes
where in each iteration 100 consecutive SIKE operations
procedure M IN I TERT IME ( VID , CHAN , THRESH )
were triggered with Mi and executed using 100 threads. This
estimatedTimes = {} , i =0
process was repeated iteratively for all 377 indexes; first we
signal = Average-Frames (vid, chan)
calculated the value of the ith bit, and then we created Mi+1 .
indexes = Extract-Indexes (signal, threshold)
2) Processing the Signal: We processed each video ob-
for (j1 = 0; j1 < length(indexes)-1; j1++) do
tained as we triggered the adaptive chosenly ciphertext attack
for (j2 = j1+1; j2 < length(indexes)-1; j2++) do
as follows:
n = indexes [j2] - indexes [j1])
We applied the M inIterT ime function (see Algorithm
time = n × (1/fps)
3) on the video footage obtained. This function calls to
if (time > 36) then
Average − F rames to extract a signal for the green channel
estimatedTimes [i] = time
of the video footage. An example of the signal extracted from
i++
one of the videos is presented in Fig. 12; as can be seen in
min = minimum (estimatedTimes)
the image presenting the green channel, the eight iterations
return min
can be detected visually, and the indexes associated with the
beginning of the iterations can be detected based on their
values which are greater than a threshold of 205.
B. SIKE Key Recovery Next, M inIterT ime calls to Extarct−Indexes to extract
We now demonstrate the recovery of a full (378-bit) private the indexes of the frames associated with the beginning of the
key from the SIKE-751 implementation using video footage, iterations. This is done by determining whether the values of
xii
Fig. 13. Minimum times used to extract the first 20 bits (1 to 20) and last Fig. 14. The error detection (left) and correction (right) of bit index 33. The
20 bits (358 to 377) of the SIKE key based on eight iterations. graphs for the additional five indexes that were corrected appear in Fig. ??
the indexes of the frames are greater than 204.9. We note that In order to detect such errors, we set the detection algorithm
due to added noise, the Extarct − Indexes function may to raise an alert after 17 consecutive recoveries classified as
return more than eight indexes (i.e., the function may return non-switch cases (whose execution time crossed the threshold
additional errors). Next, M inIterT ime computes the number of 36.15 s). A chain of 17 consecutive non-switch bits is
of frames between every two indexes (due to the errors that expected to be the result of an error in a recovered bit with
may have been added in indexes) and calculates the time of the 99.9992% (except for a negligible error with a probability of
iterations by multiplying the number of frames by (1/fps), the 1
131,072 which is the result of 17 consecutive bits with the same
number of seconds it takes to capture a frame (including the value in the key). Figs. 14 and 17 (in the appendix) present six
transition time). The function filters any result that is lower chains of 17 consecutive non-switch bits that we encountered
than 36 seconds (and caused by the added errors). Finally, during the key recovery. For these chains, we repeated the
M inIterT ime returns min, the shortest iteration time. sampling process from the last index in which we encountered
We determined the value of the i-th index of the key a switch case. The corrected classifications for the chains of
according to the value of min: the six bits are also presented in Figs. 14 and 17.
(
mi−1 if (min > 36.15) VII. C OUNTERMEASURES
mi = (3)
¬(mi−1 ) otherwise In this section, we describe several methods that can be used
on the mi ̸= mi−1 . to mitigate or prevent optical cryptanalysis attacks.
3) Results: First, we note that we guessed that the value We note that the best way to prevent attackers from recov-
of the first index of the key (where j = 0) would be zero. ering secret keys from devices is to ensure the cryptographic
According to Hertzbleed, an incorrect guess/prediction of the library used does not leak any information that can be ex-
value of the key in any index n (where 0 ≤ n ≤ 377) ploited to recover the key. However, hardware manufacturers
will create 377 − n consecutive non-switch cases (i.e., no and users can apply their own mitigations in order to prevent
anomalous zero will appear from this point on). In our case, we attackers from applying video-based cryptanalysis.
verified that our guess for the first index was correct by using Manufacturer Side Methods. We differentiate between
the next bit index (where j = 1) which was predicted as a two types of power LEDs: type 1 power LEDs (standard
switch case. The minimal values among the seven iterations of on/off power LEDs) and type 2 power LEDs (that provide an
the first 20 least significant bit (LSB) positions (bits 1–20) and indication regarding CPU operations by changing their color).
the last 20 most significant bit (MSB) positions (bits 358–377) We would advise manufacturers against integrating type 2
of the key we recovered are presented in Fig. 13. The 378 bits power LEDs in devices, because, as we have shown in this
of the key were recovered with six errors that we encountered work, they expose the device to remote secret key recovery
and corrected during the recovery process. via an Internet-connected video camera; such LEDS enable
4) Error Detection and Correction: We used an error attackers to calculate the execution time of an operation by
detection and correction algorithm to detect and correct the analyzing the video footage from a distance (16 meters) due
six errors we encountered during the recovery process, based to the significant changes in the color of the power LED
on the error correction and detection algorithm suggested in in response to CPU operations. In many devices, the type 1
the original method suggested in the Hertzbleed paper [10]. In power LED is connected directly to the power line of the
the case of an error in the recovery of a bit with an index i, the PCB (see Fig. 15a). As a result, the device’s power LED
phenomenon that causes anomalous zeros (which is expected is affected by the power consumption fluctuations that occur
to happen with a probability of 12 ) will not be triggered in the when cryptographic operations are performed. To counter this
subsequent bits recovered (see the Hertzbleed paper [10] for phenomenon, a few approaches should be considered by hard-
more details). The untriggered anomalous zeros in the recovery ware manufacturers: (1) Using a capacitor: A capacitor can be
of the subsequent indexes will result in a non-switch case and integrated parallel to the power LED indicator; in this case,
a longer execution time (that will cross the threshold used to the capacitor would behave as a low-pass filter (see Fig. 15b).
distinguish between mi = mi−1 and mi ̸= mi−1 ). This will This is an inexpensive solution for reducing the fluctuations in
result in a chain of recovered bits with similar values (the the power consumption. However in devices with high power
result of a chain of non-switches) for the subsequent indexes. consumption, the integrated capacitor’s capacitance must be
xiii
used to obtain timing measurements by directly probing the suggestions provided in Section VII). We are, however, uncer-
CPU (see Is this exploitable remotely? in Minerva’s GitHub tain whether they will choose to do so, as some solutions may
[37]). increase the manufacturer’s overall cost, decreasing revenue
We also raise concern regarding the real potential of video- or requiring the manufacturer to increase the product’s price.
based cryptanalysis in our days, given existing improvements While the cost of our countermeasures might seem negligible,
in video cameras’ specifications. In our research, we focused the addition of a component to prevent the attack could cost a
on commonly used and popular video cameras to demonstrate manufacturer millions of dollars, since such devices are often
video-based cryptanalysis (i.e., 8-bit space for a single RGB mass-produced. Given the cost-driven nature of consumers and
channel, Full-HD resolution, and maximum supported shutter the profit-driven nature of manufacturers, mitigations are not
speed). However, new versions of smartphones already support always applied. This fact may leave many devices vulnerable
video footage of 10-bit resolution (e.g., iPhone 14 Pro MAX to video-based cryptanalysis attacks in the future.
and Samsung Galaxy S23 Ultra). Moreover, professional video For future work, we suggest: (1) testing the potential of
cameras with a resolution of 12-14 bits already exist, 2 Such professional video cameras to recover cryptographic keys,
video cameras may provide much greater sensitivity, which (2) testing the effectiveness of the suggested countermeasures
may allow attackers to perform attacks with the ability to against the application of video-based cryptanalysis, and (3)
detect very subtle changes in the device’s power consumption extending the understanding in privacy risks posed by power
via the intensity of the power LED. In addition, many Internet- LEDs to information confidentiality in the digital domain.
connected security cameras with greater optical-zoom capabil-
ities than the video camera used in our research (25X) already
ACKNOWLEDGMENTS
exist (30X, 36X) and are likely already widely deployed. Such
security cameras may allow attackers to perform video-based This work was partially supported by the Cyber Security
cryptanalysis against target devices from a greater distance Research Center at Ben-Gurion University of the Negev, the
than that demonstrated in this paper. Finally, new professional Jacobs Urban Tech Hub at Cornell Tech, and the Technion’s
video cameras for photographers currently support a shutter Viterbi Fellowship for Nurturing Future Faculty Members.
1
speed of 180,000 (e.g, Fujifilm X-H2.3 ) The use of such video
cameras may allow attackers to obtain measurements at a
R EFERENCES
higher sampling rate which may expose other devices to the
risk of video-based cryptanalysis. [1] B. Nassi, R. Bitton, R. Masuoka, A. Shabtai, and
The existing advancements in video cameras (that were Y. Elovici, “Sok: Security and privacy in the age of
stressed earlier) already raise a question regarding the real commercial drones,” in 2021 2021 IEEE Symposium
potential of video-based cryptanalysis in our days with the on Security and Privacy (SP). Los Alamitos, CA,
use of professional video cameras (instead of the popular USA: IEEE Computer Society, may 2021, pp. 73–90.
and available video cameras that we used in this research). [Online]. Available: https://doi.ieeecomputersociety.org/
Factoring the expected advancements for video cameras in the 10.1109/SP40001.2021.00005
next 20 years (assuming the improvements of video cameras [2] C. Bloom, J. Tan, J. Ramjohn, and L. Bauer, “Self-
will continue to follow Moore’s Law) and the fact that many driving cars and data collection: Privacy perceptions
functional IoT devices with limited CPU capabilities (e.g., of networked autonomous vehicles,” in Symposium on
sensors, and home appliances) are deployed every day, we Usable Privacy and Security (SOUPS), 2017.
expect that the number of devices exposed to video-based [3] A. Schwartz, “Chicago’s video surveillance cameras: a
cryptanalysis will increase every year (unless dedicated pre- pervasive and poorly regulated threat to our privacy,”
cautions will be added to the electrical circuits). Northwestern Journal of Technology and Intellectual
We disclosed our findings to the manufacturers of the Property, vol. 11, no. 2, p. 47, 2013.
devices used in our study via their bug bounty programs and [4] N. H. Tan, R. Y. Wong, A. Desjardins, S. A. Munson,
contact us email addresses (besides one manufacturer that we and J. Pierce, “Monitoring pets, deterring intruders, and
were unable to find any information about it on the web). We casually spying on neighbors: Everyday uses of smart
encouraged the manufacturers to speak to us to ensure that home cameras,” in Proceedings of the 2022 CHI Con-
they understood the problem and assist them in developing a ference on Human Factors in Computing Systems, 2022,
countermeasure. A few manufacturers responded to our email pp. 1–25.
and asked us for more details which we shared with them. [5] A. Davis, M. Rubinstein, N. Wadhwa, G. J. Mysore,
While the origin of the vulnerability that is exploited is the F. Durand, and W. T. Freeman, “The visual microphone:
result of the implementation or execution of the cryptographic passive recovery of sound from video,” 2014.
library and not of the hardware manufacturer, we recommend [6] M. Sheinin, D. Chan, M. O’Toole, and S. G. Narasimhan,
that other hardware manufacturers empirically test whether “Dual-shutter optical vibration sensing,” in Proceedings
their devices are vulnerable to video-based cryptanalysis and of the IEEE/CVF Conference on Computer Vision and
if needed, redesign their electrical circuits (according to the Pattern Recognition, 2022, pp. 16 324–16 333.
[7] Y. Long, P. Naghavi, B. Kojusner, K. Butler, S. Ram-
2 https://www.globalspec.com/ds/39/areaspec/bits_per_pixel_14 pazzi, and K. Fu, “Side eye: Characterizing the limits
3 https://fujifilm-x.com/en-us/products/cameras/x-h2/ of pov acoustic eavesdropping from smartphone cameras
xv
with rolling shutters and movable lenses,” arXiv preprint and Embedded Systems. Springer, 2012, pp. 41–57.
arXiv:2301.10056, 2023. [22] E. Carmon, J.-P. Seifert, and A. Wool, “Photonic side
[8] J. Jancar, V. Sedlacek, P. Svenda, and M. Sys, “Minerva: channel attacks against RSA,” in 2017 IEEE Interna-
The curse of ECDSA nonces (systematic analysis of tional Symposium on Hardware Oriented Security and
lattice attacks on noisy leakage of bit-length of ECDSA Trust (HOST). IEEE, 2017, pp. 74–78.
nonces),” IACR Transactions on Cryptographic Hard- [23] A. Schlösser, D. Nedospasov, J. Krämer, S. Orlic, and J.-
ware and Embedded Systems, vol. 2020, no. 4, pp. 281– P. Seifert, “Simple photonic emission analysis of AES,”
308, 2020. Journal of cryptographic engineering, vol. 3, no. 1, pp.
[9] D. Moghimi, B. Sunar, T. Eisenbarth, and N. Heninger, 3–15, 2013.
“Tpm-fail: Tpm meets timing and lattice attacks,” in [24] S. King, “Luminous intensity of an LED as a function
Proceedings of the 29th USENIX Security Symposium, of input power,” ISB J. Phys, vol. 2, no. 2, 2008.
2020. [25] J. Loughry and D. A. Umphress, “Information leakage
[10] Y. Wang, R. Paccagnella, E. T. He, H. Shacham, C. W. from optical emanations,” ACM Transactions on Infor-
Fletcher, and D. Kohlbrenner, “Hertzbleed: Turning mation and System Security (TISSEC), vol. 5, no. 3, pp.
power {Side-Channel} attacks into remote timing attacks 262–289, 2002.
on x86,” in 31st USENIX Security Symposium (USENIX [26] M. Guri, B. Zadov, D. Bykhovsky, and Y. Elovici, “Ctrl-
Security 22), 2022, pp. 679–697. alt-led: Leaking data from air-gapped computers via key-
[11] P. Kocher, J. Jaffe, and B. Jun, “Differential power board leds,” in 2019 IEEE 43rd Annual Computer Soft-
analysis,” in Annual international cryptology conference. ware and Applications Conference (COMPSAC), vol. 1.
Springer, 1999, pp. 388–397. IEEE, 2019, pp. 801–810.
[12] P. Kocher, J. Jaffe, B. Jun, and P. Rohatgi, “Introduction [27] M. Guri, B. Zadov, A. Daidakulov, and Y. Elovici, “xled:
to differential power analysis,” Journal of Cryptographic Covert data exfiltration from air-gapped networks via
Engineering, vol. 1, no. 1, pp. 5–27, 2011. switch and router leds,” in 2018 16th Annual Conference
[13] J.-J. Quisquater and D. Samyde, “Electromagnetic anal- on Privacy, Security and Trust (PST). IEEE, 2018, pp.
ysis (ema): Measures and counter-measures for smart 1–12.
cards,” in International Conference on Research in Smart [28] M. Guri, B. Zadov, and Y. Elovici, “Led-it-go: Leaking
Cards. Springer, 2001, pp. 200–210. (a lot of) data from air-gapped computers via the (small)
[14] D. Agrawal, B. Archambeault, J. R. Rao, and P. Ro- hard drive led,” in International conference on detection
hatgi, “The em side—channel (s),” in International work- of intrusions and malware, and vulnerability assessment.
shop on cryptographic hardware and embedded systems. Springer, 2017, pp. 161–184.
Springer, 2002, pp. 29–45. [29] B. Nassi, Y. Pirutin, T. C. Galor, Y. Elovici, and B. Zadov,
[15] G. Camurati, S. Poeplau, M. Muench, T. Hayes, and “Glowworm attack: Optical tempest sound recovery via a
A. Francillon, “Screaming channels: When electromag- device’s power indicator led,” Cryptology ePrint Archive,
netic side channels meet radio transceivers,” in Proceed- Report 2021/1064, 2021, https://ia.cr/2021/1064.
ings of the 2018 ACM SIGSAC Conference on Computer [30] B. Nassi, Y. Pirutin, J. Shams, R. Swissa, Y. Elovici,
and Communications Security, 2018, pp. 163–177. and B. Zadov, “Optical speech recovery from desktop
[16] K. Gandolfi, C. Mourtel, and F. Olivier, “Electromag- speakers,” Computer, vol. 55, no. 11, pp. 40–51, 2022.
netic analysis: Concrete results,” in International work- [31] J. Bugeja, D. Jönsson, and A. Jacobsson, “An investi-
shop on cryptographic hardware and embedded systems. gation of vulnerabilities in smart connected cameras,”
Springer, 2001, pp. 251–261. in 2018 IEEE International Conference on Pervasive
[17] D. R. Gnad, J. Krautter, and M. B. Tahoori, “Leaky noise: Computing and Communications Workshops (PerCom
New side-channel attack vectors in mixed-signal iot Workshops), 2018, pp. 537–542.
devices,” IACR Transactions on Cryptographic Hardware [32] J. Bugeja, D. Jönsson, and A. Jacobsson, “An investiga-
and Embedded Systems, pp. 305–339, 2019. tion of vulnerabilities in smart connected cameras,” in
[18] D. Genkin, L. Pachmanov, I. Pipman, and E. Tromer, 2018 IEEE international conference on pervasive com-
“Ecdh key-extraction via low-bandwidth electromagnetic puting and communications workshops (PerCom work-
attacks on pcs,” in Cryptographers’ Track at the RSA shops). IEEE, 2018, pp. 537–542.
Conference. Springer, 2016, pp. 219–235. [33] J. Liranzo and T. Hayajneh, “Security and privacy issues
[19] D. Genkin, N. Nissan, R. Schuster, and E. Tromer, “Lend affecting cloud-based ip camera,” in 2017 IEEE 8th
me your ear: Passive remote physical side channels on Annual Ubiquitous Computing, Electronics and Mobile
{PCs},” in 31st USENIX Security Symposium (USENIX Communication Conference (UEMCON). IEEE, 2017,
Security 22), 2022, pp. 4437–4454. pp. 458–465.
[20] D. Genkin, A. Shamir, and E. Tromer, “Rsa key extrac- [34] M. Antonakakis, T. April, M. Bailey, M. Bernhard,
tion via low-bandwidth acoustic cryptanalysis,” in Annual E. Bursztein, J. Cochran, Z. Durumeric, J. A. Halderman,
Cryptology Conference. Springer, 2014, pp. 444–461. L. Invernizzi, M. Kallitsis et al., “Understanding the
[21] A. Schlösser, D. Nedospasov, J. Krämer, S. Orlic, and J.- mirai botnet,” in 26th {USENIX} security symposium
P. Seifert, “Simple photonic emission analysis of AES,” ({USENIX} Security 17), 2017, pp. 1093–1110.
in International Workshop on Cryptographic Hardware [35] K. Angrishi, “Turning internet of things (iot) into inter-
xvi
Fig. 16. Heatmaps extracted from five smart card readers which present the
estimated execution times of ECDSA sign operations as a function of the
number of leading zero bits in the nonce
Fig. 17. The error detection (left) and correction (right) of bit indexes 76,
149, 199, 235, and 327.