Video-based Cryptanalysis: Extracting Cryptographic Keys from Video Footage of a Device's Power LED
This talk demonstrates a novel side-channel attack that extracts cryptographic keys by analyzing the optical fluctuations of a device's power LED using standard video cameras. The technique exploits the correlation between a device's power consumption and the intensity of its power LED, allowing for remote key recovery from non-compromised hardware. The researchers show that by using a rolling shutter effect, they can increase the effective sampling rate of standard cameras to capture high-frequency power signals. The attack is successfully applied to recover RSA, ECDSA, and SIKE keys from various IoT devices, including smartcard readers.
Side-Channel Attacks via Power LEDs: A New Reality for Physical Security
TLDR: Researchers have demonstrated that standard video cameras can extract sensitive cryptographic keys by recording the optical fluctuations of a device's power LED. By exploiting the rolling shutter effect in modern CMOS sensors, they can capture high-frequency power consumption signals that correlate with internal CPU operations. This technique allows for remote key recovery from non-compromised hardware, including smartcard readers and IoT devices, without requiring physical access to the target's power lines.
Security researchers have long known that power consumption is a goldmine for side-channel analysis. If you can measure the current draw of a CPU while it performs cryptographic operations, you can often derive the secret keys through differential power analysis. Historically, this required physical access—soldering probes onto a PCB or using an oscilloscope to monitor a shunt resistor. The research presented at Black Hat 2023 by Ben Nassi and Etay Iluz changes the game by moving the sensor from the circuit board to the lens of a standard video camera.
The Mechanics of Optical Cryptanalysis
The core of this research lies in the fact that many electronic devices, particularly IoT hardware and smartcard readers, use power LEDs that are directly connected to the device's power line. Because these LEDs are not properly decoupled from the power supply, their light intensity fluctuates in direct correlation with the device's power consumption. When the CPU performs a power-intensive operation, such as an RSA or ECDSA signing process, the LED's brightness shifts.
While the human eye perceives these shifts as a constant light, a high-speed camera can capture the variations. The researchers took this a step further by exploiting the rolling shutter mechanism found in almost all modern CMOS sensors. Instead of capturing an entire frame at once, a rolling shutter sensor scans the image row by row. By focusing the camera tightly on the LED and using an extra lens to fill the frame with the light source, the researchers effectively turned the camera into a high-frequency sampling device. This allows them to capture signals at a much higher effective frequency than the camera's nominal frame rate, enabling the recovery of signals that would otherwise be lost to aliasing.
From Pixels to Private Keys
The attack flow is surprisingly straightforward for a researcher with the right setup. First, the attacker identifies a target device with a visible power LED. Using a camera—even a smartphone camera—they record the LED while the device performs cryptographic operations. The researchers demonstrated this by targeting a Raspberry Pi 4B and various off-the-shelf smartcard readers.
Once the video is captured, the analysis involves processing the frames to extract the intensity values of the LED over time. By averaging the pixel values of the LED across the rows of the rolling shutter, they reconstruct a power trace. This trace is then fed into existing side-channel analysis tools, such as those used in the Minerva attack, to recover the private key. In their experiments, they successfully extracted 256-bit ECDSA keys and 378-bit SIKE keys from devices located up to 16 meters away.
The technical barrier here is not the complexity of the math, but the precision of the optical setup. The researchers used an extra lens to ensure the LED occupied the entire frame, maximizing the signal-to-noise ratio. For a pentester, this means that any environment where you can maintain a line of sight to a device's status indicator is a potential attack vector.
Real-World Applicability and Risk
For those of us conducting physical security assessments or red team engagements, this research highlights a massive blind spot. We often focus on network-level vulnerabilities or physical access to ports, but we rarely consider the light emitted by a device as a data exfiltration channel. If you are testing a secure facility, a data center, or even an office environment, you must now account for the possibility that a camera—whether a security camera or a hidden device—could be used to sniff cryptographic secrets.
The impact is most severe for devices that perform frequent signing operations, such as smartcard readers used for physical access control or hardware security modules (HSMs) that might have exposed status LEDs. If an attacker can trigger the device to perform enough operations, they can collect the necessary traces to reconstruct the key. The OWASP Cryptographic Failures category is the relevant framework here, as this attack essentially turns a side-channel leak into a full compromise of sensitive data.
Defending Against Optical Side-Channels
Defending against this is difficult because it requires changes at the hardware design level. The most effective mitigation is to isolate the power supply of the LED from the power supply of the CPU. By using a separate, regulated power source for the LED, the fluctuations caused by the CPU's workload are dampened or eliminated entirely.
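The row-by-row sampling described under "The Mechanics of Optical Cryptanalysis", the pixel-averaging reconstruction from "From Pixels to Private Keys", and the LED-decoupling mitigation above can be put together in one small simulation. This is an added example, not code from the talk or the paper: it constructs a 5 kHz "power" tone, an LED whose brightness follows that tone with an assumed coupling factor, and a 60 fps, 1080-row rolling-shutter camera with assumed read noise. Every numeric constant is an assumption chosen for illustration, not a measurement from the research.

```python
"""Rolling-shutter capture model and a decoupling check.

Added example (not code from the talk or the paper). It simulates a CPU power
waveform, an LED whose brightness tracks that waveform, and a CMOS camera that
exposes each row of a frame in turn. Averaging the LED pixels row by row yields
FPS * ROWS samples per second; decoupling the LED from the CPU rail is modelled
as an attenuation factor. All constants and waveforms are constructed.
"""
import math
import random

FPS = 60           # assumed nominal frame rate of the camera
ROWS = 1080        # rows per frame, exposed one after another by the rolling shutter
LED_WIDTH = 8      # pixel columns the LED covers once an extra lens fills the frame
PIXEL_NOISE = 2.0  # assumed sensor read noise, std dev in 8-bit grey levels


def effective_sample_rate(fps=FPS, rows=ROWS):
    """Each row is its own exposure, so the LED is sampled ROWS times per frame."""
    return fps * rows


def cpu_power(n_samples, tone_hz=5000.0, rate=None):
    """Constructed stand-in for CPU power draw: a 5 kHz tone, far above the
    30 Hz Nyquist limit of whole-frame sampling but well below the row rate."""
    rate = rate or effective_sample_rate()
    return [0.6 + 0.4 * math.sin(2 * math.pi * tone_hz * i / rate)
            for i in range(n_samples)]


def led_brightness(power, attenuation):
    """Map power (0..1) to LED brightness (0..1).
    attenuation=1.0 models an LED hung directly on the CPU rail; a small value
    models a separately regulated LED supply (both figures are assumptions)."""
    mean = sum(power) / len(power)
    return [0.6 + 0.8 * attenuation * (p - mean) for p in power]


def render_frames(brightness, seed=1):
    """Turn one brightness sample per row into 8-bit frames with read noise.
    Returns a list of frames; each frame is a list of rows of pixel values."""
    rng = random.Random(seed)
    frames = []
    for start in range(0, len(brightness) - ROWS + 1, ROWS):
        frame = []
        for b in brightness[start:start + ROWS]:
            level = 255.0 * b
            row = [max(0, min(255, round(level + rng.gauss(0.0, PIXEL_NOISE))))
                   for _ in range(LED_WIDTH)]
            frame.append(row)
        frames.append(frame)
    return frames


def row_trace(frames):
    """The reconstruction step the talk describes: average the LED pixels of
    every row, in exposure order, giving one sample per row, not per frame."""
    return [sum(row) / len(row) for frame in frames for row in frame]


def frame_trace(frames):
    """Naive alternative: one sample per frame, limited to FPS/2 of bandwidth."""
    return [sum(sum(row) for row in frame) / (len(frame) * len(frame[0]))
            for frame in frames]


def pearson(a, b):
    """Pearson correlation; 0.0 when either input has no variance."""
    n = len(a)
    ma, mb = sum(a) / n, sum(b) / n
    cov = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    va = sum((x - ma) ** 2 for x in a)
    vb = sum((y - mb) ** 2 for y in b)
    return cov / math.sqrt(va * vb) if va and vb else 0.0


def leak_score(attenuation, n_frames=4, seed=1):
    """Correlation between the CPU waveform and the trace a camera recovers.
    Near 1.0 means the LED leaks the waveform; near 0 means it does not."""
    power = cpu_power(n_frames * ROWS)
    frames = render_frames(led_brightness(power, attenuation), seed)
    return pearson(power, row_trace(frames))


if __name__ == "__main__":
    print("effective sample rate:", effective_sample_rate(), "Hz")
    print("direct LED leak score:    %.3f" % leak_score(1.0))
    print("regulated LED leak score: %.3f" % leak_score(0.002))
```

Running the script prints the 64.8 kHz effective rate and the two leak scores. A hardware engineer evaluating the decoupling fix can replace the assumed attenuation with the measured ripple rejection of a candidate LED regulator and see whether the row trace still tracks the CPU waveform at all.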
If you are a developer or hardware engineer, consider implementing software-based countermeasures that mask the power consumption of cryptographic operations. Techniques like constant-time execution and blinding are essential, as they ensure that the power trace remains uniform regardless of the secret key being processed. For those of us on the offensive side, the lesson is clear: the next time you are scoping a target, look at the LEDs. They might be telling you more than the manufacturer intended.
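As an added illustration of the constant-time and blinding countermeasures (not code from the talk or from any production library), the following toy uses the classic small RSA key p=61, q=53 and records the multiply/square sequence that a device's power draw, and therefore its LED, would expose. The key, the sample exponents and the fixed blinding factor are all constructed for the example.

```python
"""Constant-time exponentiation and RSA blinding, illustrated on a toy key.

Added example; not code from the talk. The operation log stands in for the
power trace: on real hardware a multiply and a square draw power differently,
and an LED coupled to the supply rail would reveal that sequence.
Toy key p=61, q=53 is constructed and far too small for real use."""

P, Q = 61, 53
N = P * Q                            # 3233
E = 17
D = pow(E, -1, (P - 1) * (Q - 1))    # 2753


def square_and_multiply(base, exp, mod, log):
    """Textbook left-to-right exponentiation. The multiply runs only on 1 bits,
    so the op sequence spells out the exponent bit by bit."""
    r = 1
    for bit in bin(exp)[2:]:
        r = r * r % mod
        log.append("S")
        if bit == "1":
            r = r * base % mod
            log.append("M")
    return r


def montgomery_ladder(base, exp, mod, log):
    """Same result, but each bit performs one multiply then one square whatever
    its value, so the op sequence is identical for every exponent of a given
    length. (A production version must also select r0/r1 without a
    data-dependent branch; the branch is kept here for readability.)"""
    r0, r1 = 1, base % mod
    for bit in bin(exp)[2:]:
        if bit == "1":
            r0 = r0 * r1 % mod
            log.append("M")
            r1 = r1 * r1 % mod
            log.append("S")
        else:
            r1 = r0 * r1 % mod
            log.append("M")
            r0 = r0 * r0 % mod
            log.append("S")
    return r0


def op_sequence(exp_fn, exp, base=2, mod=N):
    """Return the operation log produced while exponentiating with `exp`."""
    log = []
    exp_fn(base, exp, mod, log)
    return "".join(log)


def trace_depends_on_key(exp_fn, bits=12):
    """Compare op logs for two same-length exponents; True means the sequence
    leaks key bits. The two exponents are constructed samples."""
    k1 = (1 << (bits - 1)) | 0b1011
    k2 = (1 << (bits - 1)) | 0b0110
    return op_sequence(exp_fn, k1) != op_sequence(exp_fn, k2)


def blinded_rsa_sign(m, d=D, e=E, n=N, r=1234):
    """RSA blinding: run the secret-exponent loop on r^e * m, then strip r.
    A real implementation draws a fresh random r coprime to n on every call
    (fixed here so the example is deterministic), so the loop never operates
    on a value an observer can predict or average across signatures."""
    r_inv = pow(r, -1, n)
    blinded = pow(r, e, n) * m % n
    s = montgomery_ladder(blinded, d, n, [])
    return s * r_inv % n


if __name__ == "__main__":
    print("D =", D, "bits =", bin(D)[2:])
    print("square-and-multiply:", op_sequence(square_and_multiply, D))
    print("montgomery ladder:  ", op_sequence(montgomery_ladder, D))
    print("blinded signature matches pow():", blinded_rsa_sign(65) == pow(65, D, N))
```

The printed logs make the point directly: the textbook loop emits an "S" or "SM" per bit, so its length alone reveals the Hamming weight of D, while the ladder emits "MS" twelve times for any 12-bit exponent. Blinding addresses the other half of the problem, the fact that repeated signatures over the same operand let an attacker average many traces.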