CVE-2019-14356 Explained : Impact and Mitigation

Coldcard MK1 and MK2 devices have a side channel vulnerability in the row-based OLED display, potentially exposing sensitive data like PIN and BIP39 mnemonic.

Understanding CVE-2019-14356

Coldcard MK1 and MK2 devices are susceptible to a side channel vulnerability in the row-based OLED display, allowing attackers to potentially retrieve confidential information.

What is CVE-2019-14356?

The vulnerability in the OLED display of Coldcard MK1 and MK2 devices enables attackers to exploit power consumption during display cycles to recover sensitive data like PIN and BIP39 mnemonic.

The Impact of CVE-2019-14356

Attackers with control over the USB connection can exploit power consumption to retrieve confidential information.
The vulnerability is only relevant when attackers can measure power consumption during the display of secret data.

Technical Details of CVE-2019-14356

Coldcard MK1 and MK2 devices are affected by a side channel vulnerability in the row-based OLED display.

Vulnerability Description

Power consumption during display cycles depends on the number of illuminated pixels, allowing partial recovery of displayed information.

Affected Systems and Versions

Coldcard MK1 and MK2 devices are affected.

Exploitation Mechanism

Attackers with USB control can measure power consumption to retrieve sensitive data.

Mitigation and Prevention

Steps to address and prevent the vulnerability.

Immediate Steps to Take

Ensure USB connections are secure and monitored.
Implement additional security measures on the device.

Long-Term Security Practices

Regularly update device firmware and security patches.
Conduct security audits and assessments periodically.

Patching and Updates

Coinkite has implemented measures to address the vulnerability.