
Wow, this is the first time I've heard of side channel analysis and I'm super impressed by the creativity involved in these attacks.

Based on reading a couple of Wikipedia articles, is it correct to say that most of these attacks require access to the device that you're trying to crack?



> is it correct to say that most of these attacks require access to the device that you're trying to crack?

Some, yes. A classic example of a side channel attack that doesn't require physical access:

An authentication server which naively compares passwords (or even their hashes). Say they just `if (request.password != expected_password) return Error.403`. This type of naive comparison, which will use memcmp or something similar, creates a timing side channel. This happens because it compares the passwords one byte at a time, and returns early as soon as it finds a mismatched byte. So the length of time the server spends authenticating the passwords is dependent on how many bytes the passwords have in common, i.e. "password" != "deadbeef" takes 1 comparison, whereas "password" != "peadbeef" takes 2 comparisons.

So an attacker can submit 256 requests to the server, cycling through every possible first byte. Whichever request takes the longest tells the attacker what the first byte of the password is. So they fix the first byte, and then repeat 256 times for the second password. And so forth until the password is cracked.

This takes only O(N) time to crack, where N is the length of the password.

Though this is a simple example, it ends up being a very common attack vector. And as noted, this can be performed remotely.

(In practice things are a bit more complicated, but that makes attacks like this no less of a threat. You first need to determine the password length (easy, same timing side channel). And then you probably need to submit several times more requests per password attempt so you can average out the "noise" of request times. Rate limiting, etc. ameliorate attacks, but are no excuse for not using constant-time algorithms.)


> I'm super impressed by the creativity involved in these attacks.

You should check out Acoustic cryptanalysis (source: http://www.nuclearphynance.com/Show%20Post.aspx?PostIDKey=15...)
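An added example, not part of the thread: the early-exit comparison described in the reply above, beside a constant-time comparison, with a step counter standing in for elapsed time. The function names and the `steps_for` helper are hypothetical, and the sample strings are the ones from the reply.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Early-exit compare; *steps counts bytes examined (a stand-in for time). */
static int naive_equal(const char *a, const char *b, size_t n, size_t *steps)
{
    *steps = 0;
    for (size_t i = 0; i < n; i++) {
        (*steps)++;
        if (a[i] != b[i])
            return 0;   /* work done reveals the matching prefix length */
    }
    return 1;
}

/* Constant-time compare: reads all n bytes and ORs the differences together,
 * so the work done does not depend on where the inputs differ. */
static int ct_equal(const char *a, const char *b, size_t n, size_t *steps)
{
    unsigned char diff = 0;
    *steps = 0;
    for (size_t i = 0; i < n; i++) {
        (*steps)++;
        diff |= (unsigned char)(a[i] ^ b[i]);
    }
    return diff == 0;
}

/* Hypothetical helper: bytes examined for one equal-length guess. */
size_t steps_for(const char *secret, const char *guess, int constant_time)
{
    size_t steps = 0, n = strlen(secret);
    if (constant_time)
        ct_equal(secret, guess, n, &steps);
    else
        naive_equal(secret, guess, n, &steps);
    return steps;
}

int main(void)
{
    /* Constructed sample values, taken from the reply's own example. */
    const char *g[] = { "deadbeef", "peadbeef", "password" };
    for (size_t i = 0; i < 3; i++)
        printf("%s naive=%zu ct=%zu\n", g[i],
               steps_for("password", g[i], 0), steps_for("password", g[i], 1));
    return 0;
}
```

In production code, prefer a vetted primitive such as OpenSSL's `CRYPTO_memcmp` or OpenBSD's `timingsafe_bcmp`, since a compiler is free to optimize a hand-written loop.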



