submitted to PRL
Practical quantum communication (QC) protocols are assumed to be secure provided implemented devices are properly characterized and all known side channels are closed. We show that this is not always true. We demonstrate a laser-damage attack capable of modifying device behaviour on-demand. We test it on two practical QC systems for key distribution and coin-tossing, and show that newly created deviations lead to side channels. This reveals that laser damage can be a potential security risk to existing QC systems, and necessitates extensive countermeasure testing to guarantee security.