CVE-2019-14356
Description
On Coldcard MK1 and MK2 devices, a side channel for the row-based OLED display was found. The power consumption of each row-based display cycle depends on the number of illuminated pixels, allowing a partial recovery of display contents. For example, a hardware implant in the USB cable might be able to leverage this behavior to recover confidential secrets such as the PIN and BIP39 mnemonic. In other words, the side channel is relevant only if the attacker has enough control over the device's USB connection to make power-consumption measurements at a time when secret data is displayed. The side channel is not relevant in other circumstances, such as a stolen device that is not currently displaying secret data. On Coldcard MK1 and MK2 devices, a side channel for the row-based OLED display was found. The power consumption of each row-based display cycle depends on the number of illuminated pixels, allowing a partial recovery of display contents. For example, a hardware implant in the USB cable might be able to leverage this behavior to recover confidential secrets such as the PIN and BIP39 mnemonic. In other words, the side channel is relevant only if the attacker has enough control over the device's USB connection to make power-consumption measurements at a time when secret data is displayed. The side channel is not relevant in other circumstances, such as a stolen device that is not currently displaying secret data. NOTE: At Coinkite, we’ve already mitigated it, even though we feel strongly that it is not a legitimate issue. In our opinion, it is both unproven (might not even work) and also completely impractical—even if it could be made to work perfectly
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Side-channel attack on Coldcard MK1/MK2 OLED display via power consumption, potentially leaking PIN and mnemonic, but considered impractical and mitigated in firmware v2.1.2.
Vulnerability
The Coldcard MK1 and MK2 hardware wallets use a row-based OLED display where power consumption per display cycle depends on the number of illuminated pixels. This creates a side channel that could allow an attacker with physical access to the USB power line to infer displayed content. The vulnerability affects all Coldcard MK1 and MK2 devices. [1]
Exploitation
An attacker would need to install monitoring hardware into the USB cable or power source used to power the Coldcard during initial seed setup or any time secret data (such as the PIN or BIP39 mnemonic) is displayed. The attacker must make precise power-consumption measurements while the display is active. The attack is considered impractical because it requires physical tampering with the power supply and the secret data is only shown briefly during setup. [1]
Impact
If successfully exploited, an attacker could partially recover confidential secrets displayed on the screen, including the PIN and BIP39 mnemonic. This could lead to loss of funds. However, the attack is unproven and requires a high degree of control over the device's power source. [1]
Mitigation
Coinkite has released firmware version v2.1.2 which includes mitigations for this side channel. Users are advised to update to the latest firmware. The vendor considers the attack unlikely and impractical, but the fix is provided as a precaution. [1]
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2- Coldcard/Coldcard MK1 and MK2description
Patches
0No patches discovered yet.
Vulnerability mechanics
Root cause
"Power consumption of each row-based OLED display cycle depends on the number of illuminated pixels, creating a side channel that leaks displayed content."
Attack vector
An attacker must have physical control over the device's USB connection to make power-consumption measurements while secret data is displayed. The power consumption of each row-based display cycle varies with the number of illuminated pixels, allowing a partial recovery of display contents through power analysis. This could be leveraged by a hardware implant in the USB cable to recover confidential secrets such as the PIN and BIP39 mnemonic seed words. The side channel is only relevant when secret data is actively displayed, not on a stolen device that is powered off or not showing secrets [ref_id=1].
Affected code
The vulnerability is in the row-based OLED display driver of Coldcard MK1 and MK2 devices. The power consumption of each row-based display cycle depends on the number of illuminated pixels, creating a side channel that can leak displayed content. No specific function or file names are provided in the advisory [ref_id=1].
What the fix does
Coldcard firmware version 2.1.2 introduced two mitigations. First, when entering the PIN, digits are no longer echoed on screen; instead an "X" is shown (except on Mk1 devices with fine-touch interface, which still require echo for feedback). Second, during the brief moments when seed words are displayed, masking noise is added along the right-hand side of the screen to swamp any leaked signal. The advisory notes that no proof-of-concept was provided, so the effectiveness of these mitigations cannot be conclusively proven [ref_id=1].
Preconditions
- networkAttacker must have physical access to the device's USB connection to perform power-consumption measurements
- inputSecret data (PIN digits or BIP39 seed words) must be actively displayed on the OLED screen
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
2- blog.coinkite.com/noise-troll/mitrex_refsource_MISC
- github.com/someone42/hardware-bitcoin-wallet/blob/master/pic32/ssd1306.cmitrex_refsource_MISC
News mentions
0No linked articles in our index yet.