Side Channel Vulnerability in Common SSD1306 OLED Screen Types
Important notice: Since BC Vault uses the SSD1309 OLED controller instead of the SSD1306, the text below assumes that the former controller is also similarly exploitable – to be confirmed with the submitter of the CVE.
On the 8. May. 2019 we were made aware of a side channel vulnerability present in all devices that use the SSD1309 OLED controller. This was discovered by Mr. Christian Reitter, who communicated with us in a coordinated responsible disclosure effort and submitted the CVE.
The vulnerability is based on the fact that SSD1309 OLED controllers which are often used in embedded security devices only display one pixel row at a time instead of all rows at once, and requires a comparably large amount of energy to do so. It was found that there is a direct correlation between the number of illuminated pixels on each row and the total power consumption of the device at a particular moment.
An attacker with the ability to perform a power consumption analysis of the device while it is displaying secrets on the screen can conceivably use this partial information of the pixel distribution of each row to recover confidential information through statistical analysis.
The attack can be carried out as follows:
- Obtain physical access to the usb cable or usb port.
- Install a shunt resistor to measure voltage at a sufficient accuracy (this was achieved using bulky laboratory equipment such as an oscilloscope or a software defined radio)
- Convince the victim to enter their credentials while connected to the setup.
At the present time we are not aware of any possibility to carry out this attack remotely or in a way that is completely invisible to the victim.
We investigated the issue and came to the following conclusions:
BC Vault uses SSD1309 OLED controller and is susceptible to having its screen contents read via this attack.
BC Vault intentionally NEVER displays any confidential information on the OLED screen, excluding transaction information which may impact privacy. We do not use seed words, nor do we ever show the actual PIN on the device itself. The only information that could be obtained by an attacker interested in the private keys via this method is the length of the PIN itself. This is insufficient information to gain access to the private keys as they are also protected by the device and wallet passwords.
Cryptowallets using BIP39-44 that display the seed words to the user during initialization could pose a greater risk to the individuals using them as an attacker can fully compromise all wallets past present and future on the device should they succeed in reading the words from the display.
Planned or active mitigations:
Due to the nature of this vulnerability we deem it to be an insignificant risk to users of the BC Vault hardware cryptowallet. We may reevaluate this at a later point, but are not currently planning any mitigations.
By hooking on the USB cable or connector it is possible to read the display of most hardware wallets (see CVEs below)
The OLED in BC Vault is susceptible but never displays any confidential information on the display besides the length of the PIN.
Wallets using BIP39-44 seed words are vulnerable during initialization.
CVE-2019-14353 – Trezor One
CVE-2019-14354 – Ledger Nano S, Ledger Nano X
CVE-2019-14355 – KeepKey
CVE-2019-14356 – Coldcard MK1 and MK2
CVE-2019-14357 – Mooltipass Mini
CVE-2019-14358 – Archos Safe-T
CVE-2019-14359 – BC Vault
CVE-2019-14360 – additional vendor (**)