SlideShare una empresa de Scribd logo

Hacking Smartcards & RFID

Devnology
Devnology

Presentation for the Devnology Back to School program at the Radboud University Nijmegen

Tecnología
1 de 46
Descargar para leer sin conexión
Hacking smartcards & RFID Erik Poll Digital Security Radboud University Nijmegen 1
What are smartcards & RFID tags? Micro-controller with contact interface or contactless interface Erik Poll – Digital Security 2
Why use them? Convenience • more convenient than username/password Security • more secure than username/password Also more convenient & secure than barcodes and magstripes Erik Poll – Digital Security 3
What makes them secure? • Tamper-resistant and tamper-evident – to some degree, but never tamper-proof • no way to remove or access the “hard disk” • therefore – any access to data - say the credit on your ov-chipcard - is under control of the card’s functionality – the same goes for adding or changing code on the card • if possible at all Erik Poll – Digital Security 4
What can they do ? 1. stupid card just reports some data card shouts out a (unique) serial number on start-up 2. stupid smartcard aka memory card provides configurable file system with some access control by means of PIN code/passwords or crypto keys or even simpler: irreversible writes (OTP or WORM memory) 3. smart smartcard aka microprocessor card provides programmable CPU that can implement any functionality Erik Poll – Digital Security 5
Smartcard hardware for microprocessor cards • CPU (usually 8 or 16, but now also 32 bit) • possibly also – crypto co-processor & random number generator (RNG) • memory: RAM and ROM & EEPROM – EEPROM serves as the smartcard's hard disk • no power, no clock! A modern card may have 512 bytes RAM, 16K ROM, 64K EEPROM and operate at 13.5 MHz Erik Poll – Digital Security 6
Do-it-Yourself • Buy a card reader or NFC mobile phone • Buy some tags and cards • Programming you own smartcards is possible using JavaCard or MULTOS smartcards • Check • www.ru.nl/ds/smartcards • libnfc • proxmark • rfidiot.org Erik Poll – Digital Security 7
Attacking smartcards and RFID • logical attacks – find flaw in the functionality, targeting eg • the crypto – ie the cryptographic algorithms • the protocol • the key management • any other functionality • physical attacks – physically mess with the card • combinations – abuse functionality while you mess with the card Erik Poll – Digital Security 8
The simplest physical attack External power supply and external clock • Vcc: orignally 5 V, now also 3V or 1.8V • Vpp: higher voltage for writing EEPROM (13 V) Vpp no longer used: painting over this contact is a major security threat Erik Poll – Digital Security 9
Logical attacks: tools of the trade for passive eavesdropping or active Man-in-the-Middle
Logical attacks: A very weak RFID tag Erik Poll – Digital Security 11
Mifare Ultralight • Used in disposable ov-chipkaart • No keys to protect memory access • Relies on read-only and write-once memory for security • Memory organised in 16 pages of 4 bytes – first part is read-only • includes 7 byte serial number – second part is One Time Programmable (OTP) • you can write 1's, not 0's • includes data for locking – third part is readable & writable Erik Poll – Digital Security 12 12
MIFARE Ultralight memory layout Page byte 0 byte 1 byte 2 byte 3 read 0 UID0 UID1 UID2 checksum serial number only UID 1 2 checksum lock 0 lock1 OTP 3 OTP 0 OTP 1 OTP 2 OTP 3 4 5 application read/ 6 data write 7 8 9 10 Erik Poll – Digital Security 13 13 11
Flaw in disposable ov-chipcard • wo lock bytes initially 0x00F0 • set to 0xF8FF to invalidate tag • we can change an invalid tag so that terminals fail to recognize it as invalid... • remaining 3 lock bits can still be set to one, so that lock bytes become 0xFFFF • flaw in terminals: tags with lock bytes 0xF8FF are recognized as invalid, but tags with 0xFFFF are not • flaw since fixed by patching terminals [Source "Security Evaluation of the disposable OV chipkaart", by UvA students Pieter Siekerman and Maurits van der Schee , July 2007] Erik Poll – Digital Security 14 14
More fundamental limitation: replay attack • Mifare Ultraright can store signed or encrypted data, but cannot do any processing, or offer any access control to reading the data • No way to protect against spoofing of tags • Only mitigation: serial number (UID) cannot be overwritten, so spoofing requires special hardware if UID is used Erik Poll – Digital Security 15 15
Logical attacks: Attacking the crypto Erik Poll – Digital Security 16
Challenge-response secret CPU challenge c key K response encryptK(c) • If the card can do encryption, the secret key K never leaves the card • Card issuer does not have to trust card holder, terminal, or network • This is how you bank card works: it uses a 3DES key that only the bank knows Erik Poll – Digital Security 17
Breaking this? secret CPU challenge c key K response encryptK(c) 1. Figuring out which encryption function is used – maybe this is known & published – otherwise: reverse engineering, experimenting to figure out how encryption works 2. For poor encryption: by trying out few challenges, you may be able to reconstruct key For good crypto – 3DES, AES, RSA,... – this is hopeless Erik Poll – Digital Security 18
Proprietary crypto broken in DS group • Mifare Classic • ATMEL SecureMemory, CryptoMemory and CryptoRF • HID iClass and iClass Elite • Hitag2 • Moral of the story: use established, crypto primitives – publicly studied according to Kerckhoffs principle Erik Poll – Digital Security 19
Crypto 1 in Mifare Classic Erik Poll – Digital Security 20
Logical attacks: Attacking the key management Erik Poll – Digital Security 21
Common problems with crypto keys • people using the same key in all cards • for one customer, or - worse - all their customers! • HID iClass uses a globally unique master key, which is built into all HID card readers • worse still, using the default keys • 75% of MIFARE applications was found to use default keys or keys used in examples in documentation [Source: Lukas Grunwald, DEFCON14, 2007] • A0A1A2A3A4A5 is an initial transport key of MIFARE tags. Googling for A0A1A2A3A4A5 produces links to documentation with other example keys to try! Erik Poll – Digital Security 22 22
Logical attacks: attacking security protocols Erik Poll – Digital Security 23
Fraud with internet banking in Netherlands 2008 2.1 M€ 2009 1.9 M€ 2010 9.8 M€ (7100€ per incident) 2011 35 M€ (4500€ per incident) 2012 (1st half) 27.3 M€ [source: NVB] Erik Poll – Digital Security 24
Internet banking & Man-in-the-Browser attacks display of PC can not be trusted (despite ) 59 8 76 23 4 → 3 6 54 2 ←1 Erik Poll – Digital Security 25
Internet banking & protecting against Man-in-the-Browser attacks this display can be trusted and understood USB Erik Poll – Digital Security 26
Protocol of USB-connected e.dentifier2 Erik Poll – Digital Security 27
Protocol of USB-connected e.dentifier2 Erik Poll – Digital Security 28
Protocol of USB-connected e.dentifier2 Vulnerability:  e.dentifier2 tells PC that user pressed OK  PC instructs e.dentifier2 to continue transaction Erik Poll – Digital Security 29
Attack Erik Poll – Digital Security 30
Movie Erik Poll – Digital Security 31
Other example logical weaknesses - for e-passports Erik Poll – Digital Security 32
Unwanted functionality • Test version of Dutch passport provided software emulation of Mifare Classic • with default key, of course... This allows adding a cloned ov-chipcard on the passport Erik Poll – Digital Security 33
Attacking the terminal software  Lukas Grunwald managed to crash e-passport terminals by sending a malformed JPEG  causing a buffer overflow in the graphics library  Smartcards and RFID tags should be treated as untrusted inputs  until we have authenticated the card and/or the data it provides Erik Poll – Digital Security 34
e-passport leaking info by error response 2 byte error meaning response Belgian 6986 not allowed Dutch 6982 security status not satisfied French 6F00 no precise diagnosis Italian 6D00 not supported German 6700 wrong length Error code for illegal B0, ie. READ BINARY, instruction This reveals the nationality of a passport • in spite of access control to passport data 255 other instructions to try, But attack range limited to 30 cm, so danger of passport bombs overhyped and we can try different parameters ... Erik Poll – Digital Security 35
Physical attacks: side-channel attacks Erik Poll – Digital Security 36
Power trace of an RSA encryption [Source: Riscure] Erik Poll – Digital Security 37
Power analysis: reading the key from this trace! Erik Poll – Digital Security 38
Physical, invasive attacks Erik Poll – Digital Security 39
First step: removing chip from smartcard Erik Poll – Digital Security 40
Optical reverse engineering microscope images with different layers in different colours, before and after etching [Source: Oliver Kömmerling, Marcus Kuhn] Erik Poll – Digital Security 41
Probing  Observe or change the data on the bus while the chip is in operation. eg to observe key probing with 8 needles Erik Poll – Digital Security 42
Fibbing FIB = Focussed Ion Beam can observe or modify chip by • drilling holes • cutting connections • soldering new connections and creating new gates hole drilled in the chip surface blown fuse Erik Poll – Digital Security 43
Extracting ROM content Staining can optically reveal the bits stored in ROM: dark squares are 1 light squares are 0 [Source: Brightsight] Erik Poll – Digital Security 44
Latest fashion: fault attacks • Introduce a fault while chip is operating – by glitching: dipping the voltage – by shooting a laser at the chip Erik Poll – Digital Security 45
Conclusions • Smartcard & RFID security not perfect – cheap, logical attacks • little equipment, but some time & brainpower – expensive, physical atacks • more equipment – both can be devastating... • The ongoing arms race between defenders and attackers will never end – these days esp. for side-channel and fault attacks Erik Poll – Digital Security 46

Recomendados

OSI Layer Security
OSI Layer SecurityOSI Layer Security
OSI Layer Security
Nurkholish Halim
 
Buffer overflow attacks
Buffer overflow attacksBuffer overflow attacks
Buffer overflow attacks
Joe McCarthy
 
2022 Rea & Associates' Cybersecurity Conference
2022 Rea & Associates' Cybersecurity Conference 2022 Rea & Associates' Cybersecurity Conference
2022 Rea & Associates' Cybersecurity Conference
Rea & Associates
 
You Can't Stop The Breach Without Prevention And Detection
You Can't Stop The Breach Without Prevention And DetectionYou Can't Stop The Breach Without Prevention And Detection
You Can't Stop The Breach Without Prevention And Detection
CrowdStrike
 
Smart Card Security
Smart Card SecuritySmart Card Security
Smart Card Security
Reben Dalshad
 
Attribute Based Encryption
Attribute Based EncryptionAttribute Based Encryption
Attribute Based Encryption
UT, San Antonio
 
Attendance management system using rfid or biomatric
Attendance management system using rfid or biomatricAttendance management system using rfid or biomatric
Attendance management system using rfid or biomatric
Shitalinfotech
 
[CB20] Operation Chimera - APT Operation Targets Semiconductor Vendors by CK ...
[CB20] Operation Chimera - APT Operation Targets Semiconductor Vendors by CK ...[CB20] Operation Chimera - APT Operation Targets Semiconductor Vendors by CK ...
[CB20] Operation Chimera - APT Operation Targets Semiconductor Vendors by CK ...
CODE BLUE
 

Recomendados

OSI Layer Security
OSI Layer SecurityOSI Layer Security
OSI Layer Security
Nurkholish Halim
 
Buffer overflow attacks
Buffer overflow attacksBuffer overflow attacks
Buffer overflow attacks
Joe McCarthy
 
2022 Rea & Associates' Cybersecurity Conference
2022 Rea & Associates' Cybersecurity Conference 2022 Rea & Associates' Cybersecurity Conference
2022 Rea & Associates' Cybersecurity Conference
Rea & Associates
 
You Can't Stop The Breach Without Prevention And Detection
You Can't Stop The Breach Without Prevention And DetectionYou Can't Stop The Breach Without Prevention And Detection
You Can't Stop The Breach Without Prevention And Detection
CrowdStrike
 
Smart Card Security
Smart Card SecuritySmart Card Security
Smart Card Security
Reben Dalshad
 
Attribute Based Encryption
Attribute Based EncryptionAttribute Based Encryption
Attribute Based Encryption
UT, San Antonio
 
Attendance management system using rfid or biomatric
Attendance management system using rfid or biomatricAttendance management system using rfid or biomatric
Attendance management system using rfid or biomatric
Shitalinfotech
 
[CB20] Operation Chimera - APT Operation Targets Semiconductor Vendors by CK ...
[CB20] Operation Chimera - APT Operation Targets Semiconductor Vendors by CK ...[CB20] Operation Chimera - APT Operation Targets Semiconductor Vendors by CK ...
[CB20] Operation Chimera - APT Operation Targets Semiconductor Vendors by CK ...
CODE BLUE
 
SCADA deep inside: protocols and security mechanisms
SCADA deep inside: protocols and security mechanismsSCADA deep inside: protocols and security mechanisms
SCADA deep inside: protocols and security mechanisms
Aleksandr Timorin
 
Supply Chain Attacks
Supply Chain AttacksSupply Chain Attacks
Supply Chain Attacks
Lionel Faleiro
 
Arduino based heartbeat monitoring system.
Arduino based heartbeat monitoring system.Arduino based heartbeat monitoring system.
Arduino based heartbeat monitoring system.
Arkadeep Dey
 
INFINITY Presentation
INFINITY PresentationINFINITY Presentation
INFINITY Presentation
Cristian Garcia G.
 
CNIT 129S: 8: Attacking Access Controls
CNIT 129S: 8: Attacking Access ControlsCNIT 129S: 8: Attacking Access Controls
CNIT 129S: 8: Attacking Access Controls
Sam Bowne
 
Physical security
Physical securityPhysical security
Physical security
Tariq Mahmood
 
Cyber security and demonstration of security tools
Cyber security and demonstration of security toolsCyber security and demonstration of security tools
Cyber security and demonstration of security tools
Vicky Fernandes
 
Password Cracking
Password Cracking Password Cracking
Password Cracking
Sina Manavi
 
The role of big data, artificial intelligence and machine learning in cyber i...
The role of big data, artificial intelligence and machine learning in cyber i...The role of big data, artificial intelligence and machine learning in cyber i...
The role of big data, artificial intelligence and machine learning in cyber i...
Aladdin Dandis
 
Malware attack Social engineering attack
Malware attack Social engineering attackMalware attack Social engineering attack
Malware attack Social engineering attack
taufiq463421
 
OWASP Top 10 for Mobile
OWASP Top 10 for MobileOWASP Top 10 for Mobile
OWASP Top 10 for Mobile
Appvigil - Mobile App Security Scanner
 
Bug bounty
Bug bountyBug bounty
Bug bounty
n|u - The Open Security Community
 
Security Automation and Machine Learning
Security Automation and Machine LearningSecurity Automation and Machine Learning
Security Automation and Machine Learning
Siemplify
 
Buffer overflow attacks
Buffer overflow attacksBuffer overflow attacks
Buffer overflow attacks
Kapil Nagrale
 
Encryption algorithms
Encryption algorithmsEncryption algorithms
Encryption algorithms
trilokchandra prakash
 
Threat Modeling for IoT Systems
Threat Modeling for IoT SystemsThreat Modeling for IoT Systems
Threat Modeling for IoT Systems
Denim Group
 
Keyloggers.ppt
Keyloggers.pptKeyloggers.ppt
Keyloggers.ppt
Chetanmalviya8
 
Stay ahead of the Threats: Automate and Simplify SecOps to revolutionize the SOC
Stay ahead of the Threats: Automate and Simplify SecOps to revolutionize the SOCStay ahead of the Threats: Automate and Simplify SecOps to revolutionize the SOC
Stay ahead of the Threats: Automate and Simplify SecOps to revolutionize the SOC
Cristian Garcia G.
 
Threats to information security
Threats to information securityThreats to information security
Threats to information security
arun alfie
 
Embedded _c_
Embedded _c_Embedded _c_
Embedded _c_
Moorthy Peesapati
 
Electronic key-card & ELC;elc
Electronic key-card & ELC;elcElectronic key-card & ELC;elc
Electronic key-card & ELC;elc
MohitKataria15
 
Hack one iot device, break them all!
Hack one iot device, break them all!Hack one iot device, break them all!
Hack one iot device, break them all!
Justin Black
 

Más contenido relacionado

La actualidad más candente

Arduino based heartbeat monitoring system.
Arduino based heartbeat monitoring system.Arduino based heartbeat monitoring system.
Arduino based heartbeat monitoring system.
Arkadeep Dey
 
Threat Modeling for IoT Systems
Threat Modeling for IoT SystemsThreat Modeling for IoT Systems
Threat Modeling for IoT Systems
Denim Group
 

La actualidad más candente (20)

SCADA deep inside: protocols and security mechanisms
SCADA deep inside: protocols and security mechanismsSCADA deep inside: protocols and security mechanisms
SCADA deep inside: protocols and security mechanisms
 
Supply Chain Attacks
Supply Chain AttacksSupply Chain Attacks
Supply Chain Attacks
 
Arduino based heartbeat monitoring system.
Arduino based heartbeat monitoring system.Arduino based heartbeat monitoring system.
Arduino based heartbeat monitoring system.
 
INFINITY Presentation
INFINITY PresentationINFINITY Presentation
INFINITY Presentation
 
CNIT 129S: 8: Attacking Access Controls
CNIT 129S: 8: Attacking Access ControlsCNIT 129S: 8: Attacking Access Controls
CNIT 129S: 8: Attacking Access Controls
 
Physical security
Physical securityPhysical security
Physical security
 
Cyber security and demonstration of security tools
Cyber security and demonstration of security toolsCyber security and demonstration of security tools
Cyber security and demonstration of security tools
 
Password Cracking
Password Cracking Password Cracking
Password Cracking
 
The role of big data, artificial intelligence and machine learning in cyber i...
The role of big data, artificial intelligence and machine learning in cyber i...The role of big data, artificial intelligence and machine learning in cyber i...
The role of big data, artificial intelligence and machine learning in cyber i...
 
Malware attack Social engineering attack
Malware attack Social engineering attackMalware attack Social engineering attack
Malware attack Social engineering attack
 
OWASP Top 10 for Mobile
OWASP Top 10 for MobileOWASP Top 10 for Mobile
OWASP Top 10 for Mobile
 
Bug bounty
Bug bountyBug bounty
Bug bounty
 
Security Automation and Machine Learning
Security Automation and Machine LearningSecurity Automation and Machine Learning
Security Automation and Machine Learning
 
Buffer overflow attacks
Buffer overflow attacksBuffer overflow attacks
Buffer overflow attacks
 
Encryption algorithms
Encryption algorithmsEncryption algorithms
Encryption algorithms
 
Threat Modeling for IoT Systems
Threat Modeling for IoT SystemsThreat Modeling for IoT Systems
Threat Modeling for IoT Systems
 
Keyloggers.ppt
Keyloggers.pptKeyloggers.ppt
Keyloggers.ppt
 
Stay ahead of the Threats: Automate and Simplify SecOps to revolutionize the SOC
Stay ahead of the Threats: Automate and Simplify SecOps to revolutionize the SOCStay ahead of the Threats: Automate and Simplify SecOps to revolutionize the SOC
Stay ahead of the Threats: Automate and Simplify SecOps to revolutionize the SOC
 
Threats to information security
Threats to information securityThreats to information security
Threats to information security
 
Embedded _c_
Embedded _c_Embedded _c_
Embedded _c_
 

Similar a Hacking Smartcards & RFID

Workshop on 03 11-2012
Workshop on 03 11-2012Workshop on 03 11-2012
Workshop on 03 11-2012
Gaurav Gautam
 
How to do Cryptography right in Android Part One
How to do Cryptography right in Android Part OneHow to do Cryptography right in Android Part One
How to do Cryptography right in Android Part One
Arash Ramez
 
RFID Hacking: Live Free or RFID Hard
RFID Hacking: Live Free or RFID HardRFID Hacking: Live Free or RFID Hard
RFID Hacking: Live Free or RFID Hard
Bishop Fox
 

Similar a Hacking Smartcards & RFID (20)

Electronic key-card & ELC;elc
Electronic key-card & ELC;elcElectronic key-card & ELC;elc
Electronic key-card & ELC;elc
 
Hack one iot device, break them all!
Hack one iot device, break them all!Hack one iot device, break them all!
Hack one iot device, break them all!
 
Smart cards & RFID-Anant Patel
Smart cards & RFID-Anant PatelSmart cards & RFID-Anant Patel
Smart cards & RFID-Anant Patel
 
Inside .NET Smart Card Operating System
Inside .NET Smart Card Operating SystemInside .NET Smart Card Operating System
Inside .NET Smart Card Operating System
 
Encryption 2021
Encryption 2021Encryption 2021
Encryption 2021
 
Access controls
Access controlsAccess controls
Access controls
 
Why is it so hard to make secure chips?
Why is it so hard to make secure chips?Why is it so hard to make secure chips?
Why is it so hard to make secure chips?
 
Encryption in industrial control systems; Is the juice worth the squeeze?
Encryption in industrial control systems; Is the juice worth the squeeze?Encryption in industrial control systems; Is the juice worth the squeeze?
Encryption in industrial control systems; Is the juice worth the squeeze?
 
Ewallet
EwalletEwallet
Ewallet
 
Smart Cards Evolution
Smart Cards EvolutionSmart Cards Evolution
Smart Cards Evolution
 
smartcard-120830090352-phpapp02.pdf
smartcard-120830090352-phpapp02.pdfsmartcard-120830090352-phpapp02.pdf
smartcard-120830090352-phpapp02.pdf
 
Cryptographic tools
Cryptographic toolsCryptographic tools
Cryptographic tools
 
Workshop on 03 11-2012
Workshop on 03 11-2012Workshop on 03 11-2012
Workshop on 03 11-2012
 
Cryptology - The practice and study of hiding information
Cryptology - The practice and study of hiding informationCryptology - The practice and study of hiding information
Cryptology - The practice and study of hiding information
 
Meetup -- RFID
Meetup -- RFIDMeetup -- RFID
Meetup -- RFID
 
Cyber security
Cyber securityCyber security
Cyber security
 
Hardwar based Security of Systems
Hardwar based Security of SystemsHardwar based Security of Systems
Hardwar based Security of Systems
 
Cryptographysecurity 1222867498937700-9
Cryptographysecurity 1222867498937700-9Cryptographysecurity 1222867498937700-9
Cryptographysecurity 1222867498937700-9
 
How to do Cryptography right in Android Part One
How to do Cryptography right in Android Part OneHow to do Cryptography right in Android Part One
How to do Cryptography right in Android Part One
 
RFID Hacking: Live Free or RFID Hard
RFID Hacking: Live Free or RFID HardRFID Hacking: Live Free or RFID Hard
RFID Hacking: Live Free or RFID Hard
 

Más de Devnology

Slides Felienne Hermans Symposium EWI
Slides Felienne Hermans Symposium EWISlides Felienne Hermans Symposium EWI
Slides Felienne Hermans Symposium EWI
Devnology
 
Devnology auteursrecht en open source 20130205
Devnology auteursrecht en open source 20130205Devnology auteursrecht en open source 20130205
Devnology auteursrecht en open source 20130205
Devnology
 
Learn a language : LISP
Learn a language : LISPLearn a language : LISP
Learn a language : LISP
Devnology
 
Devnology Back to School IV - Agility en Architectuur
Devnology Back to School IV - Agility en ArchitectuurDevnology Back to School IV - Agility en Architectuur
Devnology Back to School IV - Agility en Architectuur
Devnology
 
Introduction to Software Evolution: The Software Volcano
Introduction to Software Evolution: The Software VolcanoIntroduction to Software Evolution: The Software Volcano
Introduction to Software Evolution: The Software Volcano
Devnology
 
Devnology Workshop Genpro 2 feb 2011
Devnology Workshop Genpro 2 feb 2011Devnology Workshop Genpro 2 feb 2011
Devnology Workshop Genpro 2 feb 2011
Devnology
 
Devnology Coding Dojo 05-01-2011
Devnology Coding Dojo 05-01-2011Devnology Coding Dojo 05-01-2011
Devnology Coding Dojo 05-01-2011
Devnology
 
Spoofax: ontwikkeling van domeinspecifieke talen in Eclipse
Spoofax: ontwikkeling van domeinspecifieke talen in EclipseSpoofax: ontwikkeling van domeinspecifieke talen in Eclipse
Spoofax: ontwikkeling van domeinspecifieke talen in Eclipse
Devnology
 
Experimenting with Augmented Reality
Experimenting with Augmented RealityExperimenting with Augmented Reality
Experimenting with Augmented Reality
Devnology
 
Unit testing and MVVM in Silverlight
Unit testing and MVVM in SilverlightUnit testing and MVVM in Silverlight
Unit testing and MVVM in Silverlight
Devnology
 
mobl: Een DSL voor mobiele applicatieontwikkeling
mobl: Een DSL voor mobiele applicatieontwikkelingmobl: Een DSL voor mobiele applicatieontwikkeling
mobl: Een DSL voor mobiele applicatieontwikkeling
Devnology
 

Más de Devnology (20)

What do we really know about the differences between static and dynamic types?
What do we really know about the differences between static and dynamic types?What do we really know about the differences between static and dynamic types?
What do we really know about the differences between static and dynamic types?
 
Meetup at SIG: Meten is weten
Meetup at SIG: Meten is wetenMeetup at SIG: Meten is weten
Meetup at SIG: Meten is weten
 
Software Operation Knowledge
Software Operation KnowledgeSoftware Operation Knowledge
Software Operation Knowledge
 
Slides Felienne Hermans Symposium EWI
Slides Felienne Hermans Symposium EWISlides Felienne Hermans Symposium EWI
Slides Felienne Hermans Symposium EWI
 
Devnology auteursrecht en open source 20130205
Devnology auteursrecht en open source 20130205Devnology auteursrecht en open source 20130205
Devnology auteursrecht en open source 20130205
 
The top 10 security issues in web applications
The top 10 security issues in web applicationsThe top 10 security issues in web applications
The top 10 security issues in web applications
 
Learn a language : LISP
Learn a language : LISPLearn a language : LISP
Learn a language : LISP
 
Learn a language : LISP
Learn a language : LISPLearn a language : LISP
Learn a language : LISP
 
Devnology Back to School: Empirical Evidence on Modeling in Software Development
Devnology Back to School: Empirical Evidence on Modeling in Software DevelopmentDevnology Back to School: Empirical Evidence on Modeling in Software Development
Devnology Back to School: Empirical Evidence on Modeling in Software Development
 
Devnology Back to School IV - Agility en Architectuur
Devnology Back to School IV - Agility en ArchitectuurDevnology Back to School IV - Agility en Architectuur
Devnology Back to School IV - Agility en Architectuur
 
Devnology Back to School III : Software impact
Devnology Back to School III : Software impactDevnology Back to School III : Software impact
Devnology Back to School III : Software impact
 
Devnology back toschool software reengineering
Devnology back toschool software reengineeringDevnology back toschool software reengineering
Devnology back toschool software reengineering
 
Introduction to Software Evolution: The Software Volcano
Introduction to Software Evolution: The Software VolcanoIntroduction to Software Evolution: The Software Volcano
Introduction to Software Evolution: The Software Volcano
 
Devnology Workshop Genpro 2 feb 2011
Devnology Workshop Genpro 2 feb 2011Devnology Workshop Genpro 2 feb 2011
Devnology Workshop Genpro 2 feb 2011
 
Devnology Coding Dojo 05-01-2011
Devnology Coding Dojo 05-01-2011Devnology Coding Dojo 05-01-2011
Devnology Coding Dojo 05-01-2011
 
Spoofax: ontwikkeling van domeinspecifieke talen in Eclipse
Spoofax: ontwikkeling van domeinspecifieke talen in EclipseSpoofax: ontwikkeling van domeinspecifieke talen in Eclipse
Spoofax: ontwikkeling van domeinspecifieke talen in Eclipse
 
Experimenting with Augmented Reality
Experimenting with Augmented RealityExperimenting with Augmented Reality
Experimenting with Augmented Reality
 
Unit testing and MVVM in Silverlight
Unit testing and MVVM in SilverlightUnit testing and MVVM in Silverlight
Unit testing and MVVM in Silverlight
 
mobl: Een DSL voor mobiele applicatieontwikkeling
mobl: Een DSL voor mobiele applicatieontwikkelingmobl: Een DSL voor mobiele applicatieontwikkeling
mobl: Een DSL voor mobiele applicatieontwikkeling
 
Devnology Fitnesse workshop
Devnology Fitnesse workshopDevnology Fitnesse workshop
Devnology Fitnesse workshop
 

Último

Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Orbitshub
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Jeffrey Haguewood
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Victor Rentea
 
Cyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdfCyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdf
Overkill Security
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
UiPathCommunity
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 

Último (20)

Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Cyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdfCyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdf
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKSpring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
 

Hacking Smartcards & RFID

  • 1. Hacking smartcards & RFID Erik Poll Digital Security Radboud University Nijmegen 1
  • 2. What are smartcards & RFID tags? Micro-controller with contact interface or contactless interface Erik Poll – Digital Security 2
  • 3. Why use them? Convenience • more convenient than username/password Security • more secure than username/password Also more convenient & secure than barcodes and magstripes Erik Poll – Digital Security 3
  • 4. What makes them secure? • Tamper-resistant and tamper-evident – to some degree, but never tamper-proof • no way to remove or access the “hard disk” • therefore – any access to data - say the credit on your ov-chipcard - is under control of the card’s functionality – the same goes for adding or changing code on the card • if possible at all Erik Poll – Digital Security 4
  • 5. What can they do ? 1. stupid card just reports some data card shouts out a (unique) serial number on start-up 2. stupid smartcard aka memory card provides configurable file system with some access control by means of PIN code/passwords or crypto keys or even simpler: irreversible writes (OTP or WORM memory) 3. smart smartcard aka microprocessor card provides programmable CPU that can implement any functionality Erik Poll – Digital Security 5
  • 6. Smartcard hardware for microprocessor cards • CPU (usually 8 or 16, but now also 32 bit) • possibly also – crypto co-processor & random number generator (RNG) • memory: RAM and ROM & EEPROM – EEPROM serves as the smartcard's hard disk • no power, no clock! A modern card may have 512 bytes RAM, 16K ROM, 64K EEPROM and operate at 13.5 MHz Erik Poll – Digital Security 6
  • 7. Do-it-Yourself • Buy a card reader or NFC mobile phone • Buy some tags and cards • Programming you own smartcards is possible using JavaCard or MULTOS smartcards • Check • www.ru.nl/ds/smartcards • libnfc • proxmark • rfidiot.org Erik Poll – Digital Security 7
  • 8. Attacking smartcards and RFID • logical attacks – find flaw in the functionality, targeting eg • the crypto – ie the cryptographic algorithms • the protocol • the key management • any other functionality • physical attacks – physically mess with the card • combinations – abuse functionality while you mess with the card Erik Poll – Digital Security 8
  • 9. The simplest physical attack External power supply and external clock • Vcc: orignally 5 V, now also 3V or 1.8V • Vpp: higher voltage for writing EEPROM (13 V) Vpp no longer used: painting over this contact is a major security threat Erik Poll – Digital Security 9
  • 10. Logical attacks: tools of the trade for passive eavesdropping or active Man-in-the-Middle
  • 11. Logical attacks: A very weak RFID tag Erik Poll – Digital Security 11
  • 12. Mifare Ultralight • Used in disposable ov-chipkaart • No keys to protect memory access • Relies on read-only and write-once memory for security • Memory organised in 16 pages of 4 bytes – first part is read-only • includes 7 byte serial number – second part is One Time Programmable (OTP) • you can write 1's, not 0's • includes data for locking – third part is readable & writable Erik Poll – Digital Security 12 12
  • 13. MIFARE Ultralight memory layout Page byte 0 byte 1 byte 2 byte 3 read 0 UID0 UID1 UID2 checksum serial number only UID 1 2 checksum lock 0 lock1 OTP 3 OTP 0 OTP 1 OTP 2 OTP 3 4 5 application read/ 6 data write 7 8 9 10 Erik Poll – Digital Security 13 13 11
  • 14. Flaw in disposable ov-chipcard • wo lock bytes initially 0x00F0 • set to 0xF8FF to invalidate tag • we can change an invalid tag so that terminals fail to recognize it as invalid... • remaining 3 lock bits can still be set to one, so that lock bytes become 0xFFFF • flaw in terminals: tags with lock bytes 0xF8FF are recognized as invalid, but tags with 0xFFFF are not • flaw since fixed by patching terminals [Source "Security Evaluation of the disposable OV chipkaart", by UvA students Pieter Siekerman and Maurits van der Schee , July 2007] Erik Poll – Digital Security 14 14
  • 15. More fundamental limitation: replay attack • Mifare Ultraright can store signed or encrypted data, but cannot do any processing, or offer any access control to reading the data • No way to protect against spoofing of tags • Only mitigation: serial number (UID) cannot be overwritten, so spoofing requires special hardware if UID is used Erik Poll – Digital Security 15 15
  • 16. Logical attacks: Attacking the crypto Erik Poll – Digital Security 16
  • 17. Challenge-response secret CPU challenge c key K response encryptK(c) • If the card can do encryption, the secret key K never leaves the card • Card issuer does not have to trust card holder, terminal, or network • This is how you bank card works: it uses a 3DES key that only the bank knows Erik Poll – Digital Security 17
  • 18. Breaking this? secret CPU challenge c key K response encryptK(c) 1. Figuring out which encryption function is used – maybe this is known & published – otherwise: reverse engineering, experimenting to figure out how encryption works 2. For poor encryption: by trying out few challenges, you may be able to reconstruct key For good crypto – 3DES, AES, RSA,... – this is hopeless Erik Poll – Digital Security 18
  • 19. Proprietary crypto broken in DS group • Mifare Classic • ATMEL SecureMemory, CryptoMemory and CryptoRF • HID iClass and iClass Elite • Hitag2 • Moral of the story: use established, crypto primitives – publicly studied according to Kerckhoffs principle Erik Poll – Digital Security 19
  • 20. Crypto 1 in Mifare Classic Erik Poll – Digital Security 20
  • 21. Logical attacks: Attacking the key management Erik Poll – Digital Security 21
  • 22. Common problems with crypto keys • people using the same key in all cards • for one customer, or - worse - all their customers! • HID iClass uses a globally unique master key, which is built into all HID card readers • worse still, using the default keys • 75% of MIFARE applications was found to use default keys or keys used in examples in documentation [Source: Lukas Grunwald, DEFCON14, 2007] • A0A1A2A3A4A5 is an initial transport key of MIFARE tags. Googling for A0A1A2A3A4A5 produces links to documentation with other example keys to try! Erik Poll – Digital Security 22 22
  • 23. Logical attacks: attacking security protocols Erik Poll – Digital Security 23
  • 24. Fraud with internet banking in Netherlands 2008 2.1 M€ 2009 1.9 M€ 2010 9.8 M€ (7100€ per incident) 2011 35 M€ (4500€ per incident) 2012 (1st half) 27.3 M€ [source: NVB] Erik Poll – Digital Security 24
  • 25. Internet banking & Man-in-the-Browser attacks display of PC can not be trusted (despite ) 59 8 76 23 4 → 3 6 54 2 ←1 Erik Poll – Digital Security 25
  • 26. Internet banking & protecting against Man-in-the-Browser attacks this display can be trusted and understood USB Erik Poll – Digital Security 26
  • 27. Protocol of USB-connected e.dentifier2 Erik Poll – Digital Security 27
  • 28. Protocol of USB-connected e.dentifier2 Erik Poll – Digital Security 28
  • 29. Protocol of USB-connected e.dentifier2 Vulnerability:  e.dentifier2 tells PC that user pressed OK  PC instructs e.dentifier2 to continue transaction Erik Poll – Digital Security 29
  • 30. Attack Erik Poll – Digital Security 30
  • 31. Movie Erik Poll – Digital Security 31
  • 32. Other example logical weaknesses - for e-passports Erik Poll – Digital Security 32
  • 33. Unwanted functionality • Test version of Dutch passport provided software emulation of Mifare Classic • with default key, of course... This allows adding a cloned ov-chipcard on the passport Erik Poll – Digital Security 33
  • 34. Attacking the terminal software  Lukas Grunwald managed to crash e-passport terminals by sending a malformed JPEG  causing a buffer overflow in the graphics library  Smartcards and RFID tags should be treated as untrusted inputs  until we have authenticated the card and/or the data it provides Erik Poll – Digital Security 34
  • 35. e-passport leaking info by error response 2 byte error meaning response Belgian 6986 not allowed Dutch 6982 security status not satisfied French 6F00 no precise diagnosis Italian 6D00 not supported German 6700 wrong length Error code for illegal B0, ie. READ BINARY, instruction This reveals the nationality of a passport • in spite of access control to passport data 255 other instructions to try, But attack range limited to 30 cm, so danger of passport bombs overhyped and we can try different parameters ... Erik Poll – Digital Security 35
  • 36. Physical attacks: side-channel attacks Erik Poll – Digital Security 36
  • 37. Power trace of an RSA encryption [Source: Riscure] Erik Poll – Digital Security 37
  • 38. Power analysis: reading the key from this trace! Erik Poll – Digital Security 38
  • 39. Physical, invasive attacks Erik Poll – Digital Security 39
  • 40. First step: removing chip from smartcard Erik Poll – Digital Security 40
  • 41. Optical reverse engineering microscope images with different layers in different colours, before and after etching [Source: Oliver Kömmerling, Marcus Kuhn] Erik Poll – Digital Security 41
  • 42. Probing  Observe or change the data on the bus while the chip is in operation. eg to observe key probing with 8 needles Erik Poll – Digital Security 42
  • 43. Fibbing FIB = Focussed Ion Beam can observe or modify chip by • drilling holes • cutting connections • soldering new connections and creating new gates hole drilled in the chip surface blown fuse Erik Poll – Digital Security 43
  • 44. Extracting ROM content Staining can optically reveal the bits stored in ROM: dark squares are 1 light squares are 0 [Source: Brightsight] Erik Poll – Digital Security 44
  • 45. Latest fashion: fault attacks • Introduce a fault while chip is operating – by glitching: dipping the voltage – by shooting a laser at the chip Erik Poll – Digital Security 45
  • 46. Conclusions • Smartcard & RFID security not perfect – cheap, logical attacks • little equipment, but some time & brainpower – expensive, physical atacks • more equipment – both can be devastating... • The ongoing arms race between defenders and attackers will never end – these days esp. for side-channel and fault attacks Erik Poll – Digital Security 46