CVE-2019-14359
Description
On BC Vault devices, a side channel for the row-based SSD1309 OLED display was found. The power consumption of each row-based display cycle depends on the number of illuminated pixels, allowing a partial recovery of display contents. For example, a hardware implant in the USB cable might be able to leverage this behavior to recover a data value. In other words, the side channel is relevant only if the attacker has enough control over the device's USB connection to make power-consumption measurements at a time when secret data is displayed. The side channel is not relevant in other circumstances, such as a stolen device that is not currently displaying secret data. NOTE: the vendor's position is that there is no security impact: the only potentially leaked information is the number of characters in the PIN.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
BC Vault devices with SSD1309 OLED display leak pixel row power consumption, enabling partial recovery of displayed data via physical USB power analysis.
Vulnerability
The vulnerability is a side channel in the SSD1309 OLED controller used in BC Vault devices. The display updates one pixel row at a time, and the power consumption during each row cycle correlates with the number of illuminated pixels. This allows an attacker with power measurement capabilities to infer the pixel distribution of each row, potentially recovering displayed information. The affected devices are BC Vault hardware wallets using the SSD1309 controller. The vendor notes that BC Vault intentionally never displays confidential information beyond the number of characters in the PIN [1].
Exploitation
To exploit, an attacker must have physical access to the USB cable or port of the device. They install a shunt resistor to measure voltage with sufficient accuracy, using laboratory equipment like an oscilloscope or software-defined radio. The victim must then enter their credentials while connected to the attacker's setup. The attack cannot be carried out remotely or invisibly [1].
Impact
The attacker can partially recover the contents of the OLED display. According to the vendor, the only potentially leaked information is the number of characters in the PIN, not the PIN itself. This reduces the entropy of the PIN but does not directly reveal the full secret [1].
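The leakage model described above can be made concrete with a small simulation. This is an added example, not BC Vault firmware or code from the cited reference; the 128x64 panel size, the mask glyph, the screen layout and all function names are assumptions made for illustration. It treats the lit-pixel count of each row as the idealized observable and shows that a masked PIN field reveals how many characters are drawn, while the horizontal placement of those characters leaves the observable unchanged.

```python
# Added illustration: idealized row-leakage model, not BC Vault firmware.
WIDTH, HEIGHT = 128, 64  # assumed panel size

# Constructed 5x7 glyph standing in for one masked PIN character.
MASK_GLYPH = [
    "..#..",
    "#.#.#",
    ".###.",
    "#####",
    ".###.",
    "#.#.#",
    "..#..",
]

def render_masked(n_chars, x0=4, y0=28, pitch=6):
    """Return a HEIGHT x WIDTH framebuffer showing n_chars mask glyphs."""
    fb = [[0] * WIDTH for _ in range(HEIGHT)]
    for i in range(n_chars):
        for dy, line in enumerate(MASK_GLYPH):
            for dx, ch in enumerate(line):
                if ch == "#":
                    fb[y0 + dy][x0 + i * pitch + dx] = 1
    return fb

def row_profile(fb):
    """Idealized observable: lit-pixel count for each row cycle."""
    return [sum(row) for row in fb]

def estimate_char_count(profile):
    """Total lit pixels divided by the lit pixels in one mask glyph."""
    per_glyph = sum(line.count("#") for line in MASK_GLYPH)
    return sum(profile) // per_glyph

if __name__ == "__main__":
    for n in (4, 6, 8):
        profile = row_profile(render_masked(n))
        # Rows 28..34 hold the glyphs in this constructed layout.
        print(n, profile[28:35], estimate_char_count(profile))
    # Same content at a different column gives the same row profile.
    left = row_profile(render_masked(4, x0=4))
    right = row_profile(render_masked(4, x0=60))
    print("shift-invariant:", left == right)
```

Because every masked character uses the same glyph in this model, two PINs of equal length produce identical profiles, which matches the vendor's statement that only the character count is exposed.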
Mitigation
The vendor's position is that there is no security impact because BC Vault never displays secret data beyond the PIN length. No software or hardware fix has been released. Users concerned about physical attacks should ensure the device is not connected to untrusted USB ports during PIN entry. The vulnerability is not listed in CISA's KEV [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- BC Vault/BC Vault (description)
Patches
No patches discovered yet.
References
[1] bc-vault.com/2019/08/our-response-to-cve-2019-14359 (mitre, x_refsource_MISC)