Number of slides: 87

Smart Card Security: From GSM to Parking Meters
David Hulton <h1kari@dachb0den.com>
Researcher, Dachb0den Labs
Chairman, ToorCon Information Security Conference
2004

Disclaimer
- Educational purposes only
- Curiosity, not fraud
- Full disclosure
© 2004 Dachb0den Labs

Goals - This talk will cover:
- Introduction to smart cards
- Basic technical knowledge
- Analyzing proprietary cards
  - Asynchronous: GSM SIM cards
  - Synchronous: parking meter cards
- Breaking it!

Introduction - What is a Smart Card?
- ISO 7816 standard
- Durability requirements
- Pin layout
- Asynchronous protocols (T=0, T=1)

Introduction - Durability Requirements
- UV light protection
- X-ray protection
- Surface profile
- Contacts
- Mechanical strength
- Electrical resistance
- Magnetic field
- Static electricity
- Bending resilience
- ... and so on

Introduction - Pin Layout
(Figure: ISO 7816 contact pad drawing with dimensions 1.7 mm, 2 mm, 19.23 mm and 10.25 mm. Contacts labelled, left column: Vcc, Reset, Clock, RS1; right column: Gnd, Vpp, I/O, RS2.)

Introduction - Protocols
- Asynchronous
  - T=0: half-duplex character transmission
  - T=1: half-duplex block transmission
  - Operates at a set baud rate (9600, 19200, etc.)
  - Uses APDUs (Application Protocol Data Units)
- Synchronous
  - Clock is set by the reader; used with memory/security cards

Introduction - Asynchronous Cards
- All processor cards
- GSM SIM cards
- Bank cards
- PKI token cards
- Java Cards

Asynchronous Protocol (T=0)
(The slide is titled "Synchronous Protocol", but the exchange it shows is the asynchronous APDU exchange used by processor cards; the synchronous memory-card protocol is covered in the parking meter section.)
- Uses Clk, Rst and I/O to create a 9600 bps connection
- Reader sets the Rst line high (5 V)
- Reader sends an APDU command across I/O:
    a0 a4 00 00   02    7f 20
    Command       Len   Data (arguments)
- Reader receives the response (shown on the slide as: 19)

GSM SIMs
- Rely on the COMP128 algorithm for the security of Ki
(Diagram: the GSM base station sends a challenge to the phone, the phone passes it to the SIM card, the SIM computes COMP128 over the challenge and Ki, and the response goes back to the base station.)

GSM Attacks
- COMP128 attacks
  - Narrow pipe collision attack
  - Side-channel attack
- What does it get you?
  - Clone phones
  - Eavesdrop
- Downsides?
  - Attacks the SIM card directly
  - Possibility of killing the card

Interfacing with the Card
- Towitoko CHIPDRIVE micro 130
  - Hardware: http://www.towitoko.de, http://www.txsystems.com
  - Software: dsccmd.exe (will be released on dachb0den.com soon)
- Dumb Mouse
  - Hardware: http://cuba.calyx.nl/hip/dumbmouse.html
  - Software: ftp://ftp.ccc.de/gsm
- Season (?)
  - See Phrack 62-15

Protocol
- Connect to the reader
- Insert the card
- Select the GSM directory (DF_GSM, file ID 7f 20) on the card:
    a0 a4 00 00 02 7f 20
- Authenticate with the PIN (CHV1; the PIN digits are padded with ff to 8 bytes):
    a0 20 00 01 08 xx xx ff ff
- Run COMP128 (RUN GSM ALGORITHM with the 16-byte challenge):
    a0 88 00 00 10 xx xx xx xx
Thanks to CCC and ender
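The three commands above, encoded and exchanged the way a T=0 session runs them, as an added Python example (this is not the talk's dsccmd.exe). The status-word meanings are those of GSM 11.11; `FakeSim` is a constructed stand-in card with canned responses so the exchange runs offline, and `transact`, `select_file`, `verify_chv` and `run_gsm_algorithm` are names chosen here. Against a real reader, `FakeSim.transmit` would be replaced by a PC/SC transmit call.

```python
"""GSM 11.11 SIM commands from the talk, sent over T=0 with status-word handling.
Added example; FakeSim is a constructed stand-in (canned responses), not a real card."""

CLA_GSM = 0xA0
INS_SELECT, INS_VERIFY_CHV, INS_RUN_GSM_ALGO, INS_GET_RESPONSE = 0xA4, 0x20, 0x88, 0xC0
DF_GSM = 0x7F20

# GSM 11.11 status words; 9F xx means "xx response bytes waiting for GET RESPONSE".
STATUS = {
    (0x90, 0x00): "OK",
    (0x94, 0x00): "no EF selected",
    (0x94, 0x04): "file ID or pattern not found",
    (0x98, 0x04): "access condition not fulfilled / wrong CHV, attempts left",
    (0x98, 0x40): "CHV blocked (3 strikes)",
    (0x6B, 0x00): "incorrect P1/P2",
    (0x6D, 0x00): "unknown INS",
    (0x6E, 0x00): "wrong CLA",
}


def select_file(file_id):
    """A0 A4 00 00 02 <FID>: the talk's a0 a4 00 00 02 7f 20 selects DF_GSM."""
    return bytes([CLA_GSM, INS_SELECT, 0x00, 0x00, 0x02]) + file_id.to_bytes(2, "big")


def verify_chv(pin, chv=1):
    """A0 20 00 <CHV#> 08 <PIN>: 4-8 ASCII digits, right-padded with FF to 8 bytes
    (the slide's 'xx xx ff ff')."""
    if not (4 <= len(pin) <= 8 and pin.isdigit()):
        raise ValueError("CHV is 4 to 8 ASCII digits")
    return bytes([CLA_GSM, INS_VERIFY_CHV, 0x00, chv, 0x08]) + pin.encode().ljust(8, b"\xff")


def run_gsm_algorithm(rand):
    """A0 88 00 00 10 <RAND>: the SIM runs A3/A8 (COMP128) on RAND with its Ki."""
    if len(rand) != 16:
        raise ValueError("RAND is 16 bytes")
    return bytes([CLA_GSM, INS_RUN_GSM_ALGO, 0x00, 0x00, 0x10]) + bytes(rand)


def get_response(length):
    return bytes([CLA_GSM, INS_GET_RESPONSE, 0x00, 0x00, length])


def describe_sw(sw1, sw2):
    """Human-readable meaning of a status word (SW1 SW2)."""
    if sw1 == 0x9F:
        return f"{sw2} response bytes available (fetch with GET RESPONSE)"
    return STATUS.get((sw1, sw2)) or STATUS.get((sw1, 0x00)) or f"unknown SW {sw1:02X} {sw2:02X}"


def transact(card, apdu):
    """Send one command; if the card answers 9F xx, fetch the pending data with
    GET RESPONSE.  Returns (data, sw1, sw2)."""
    data, sw1, sw2 = card.transmit(apdu)
    if sw1 == 0x9F:
        data, sw1, sw2 = card.transmit(get_response(sw2))
    return data, sw1, sw2


def split_triplet(data):
    """RUN GSM ALGORITHM response: SRES (4 bytes) || Kc (8 bytes).  COMP128 leaves
    the last 10 bits of Kc zero, so a genuine Kc ends in a byte divisible by 4 and then 00."""
    if len(data) != 12:
        raise ValueError("expected 12 bytes of SRES||Kc")
    return data[:4], data[4:]


class FakeSim:
    """Constructed stand-in for a SIM in a reader: canned responses, real status codes."""
    CANNED_SRES_KC = bytes.fromhex("a1b2c3d4" "0102030405060400")   # made-up values

    def __init__(self, pin="1234"):
        self.pin, self.tries, self.verified, self.pending = pin.encode(), 3, False, b""

    def transmit(self, apdu):
        cla, ins, p3, data = apdu[0], apdu[1], apdu[4], apdu[5:]
        if cla != CLA_GSM:
            return b"", 0x6E, 0x00
        if ins == INS_SELECT:
            self.pending = bytes(22)          # DF header we do not model
            return b"", 0x9F, len(self.pending)
        if ins == INS_VERIFY_CHV:
            if self.tries == 0:
                return b"", 0x98, 0x40        # blocked: PUK needed
            if data.rstrip(b"\xff") == self.pin:
                self.verified, self.tries = True, 3
                return b"", 0x90, 0x00
            self.tries -= 1                   # 3 strikes and you're out
            return b"", 0x98, 0x04 if self.tries else 0x40
        if ins == INS_RUN_GSM_ALGO:
            if not self.verified:
                return b"", 0x98, 0x04        # Ki-using commands need CHV1 first
            self.pending = self.CANNED_SRES_KC
            return b"", 0x9F, 0x0C
        if ins == INS_GET_RESPONSE:
            return self.pending[:p3], 0x90, 0x00
        return b"", 0x6D, 0x00
```

The order matters: RUN GSM ALGORITHM before a successful VERIFY CHV gets 98 04, and three wrong PINs turn every later attempt into 98 40 until the PUK is presented, which is the "3 strikes" behaviour the SLE 4442 slide later compares to.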

Demonstration

Don't know the protocol?
- Make your own! (Phrack 62-15)
- Buy a Season: http://www.sdlogic.com
- Beware: you could get sued by Primestar/DirecTV

Narrow Pipe Collision Attack
- How to do it?
- Ian Goldberg found a narrow pipe in COMP128 which attacks the second round (the 2-R attack)
- Collisions in COMP128 responses reveal key information
- Can crack COMP128 in ~115,000 queries

GSM Precautions
- New SIM cards: the card will die after 65,535 queries
- Optimizations in the COMP128 attack allow cracking in < 20,000 queries

COMP128(challenge)

Initialization:
  For i = 0 … 15
    x[i + 16] = challenge[i]

Scrambling:
  For i = 1 … 8
    For j = 0 … 15
      x[j] = key[j]
    For j = 0 … 4
      For k = 0 … 2^j - 1
        For l = 0 … 2^(4-j) - 1
          m = l + k * 2^(5-j)
          n = m + 2^(4-j)
          y = (x[m] + 2 * x[n]) mod 2^(9-j)
          z = (2 * x[m] + x[n]) mod 2^(9-j)
          x[m] = table[j][y]
          x[n] = table[j][z]
    For j = 0 … 31
      For k = 0 … 3
        bit[4 * j + k] = (x[j] >> (3 - k)) & 1
    if (i < 8)
      For j = 0 … 15
        x[j + 16] = 0
        For k = 0 … 7
          nb = ((8 * j + k) * 17) mod 128
          x[j + 16] |= bit[nb] << (7 - k)

Output:
  For i = 0 … 3
    output[i] = (x[2 * i] << 4) | x[2 * i + 1]
  For i = 0 … 5
    output[4 + i] = (x[2 * i + 18] << 6) | (x[2 * i + 19] << 2) | (x[2 * i + 20] >> 2)
  output[10] = (x[30] << 6) | (x[31] << 2)
  output[11] = 0

(table[j] has 2^(9-j) entries, each 8-j bits wide, so every level j narrows the values by one bit; the loop bounds above are written as inclusive ranges, matching the "0 … 15" style of the rest of the slide.)

COMP128(challenge) - the same algorithm listing again, annotated on the slides "Compliments of the NSA (Thanks NSA)".

COMP128 For Dummies (diagram built up over several slides)
- COMP128(Challenge)
- X[32]: bytes 0-15 = Ki, bytes 16-31 = Challenge
- FFT_Bit_Reduction()

COMP128 - FFT Bit Reduction
Worked with key = all zeros and challenge = all zeros, so x[32] starts as all 00. The slides fill x[32] in (indices 0 1 2 3 4 5 6 7 8 9 a b c d e f per half) one pair at a time; the "rounds" here are the five levels j = 0 … 4 of one scrambling pass in the listing above, each narrowing the values by one bit:

  Start:              x[32] = 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | 00 … 00
  Round 1 (8 bits):   every byte becomes 66
  Round 2 (7 bits):   every byte becomes 1c
  Round 3 (6 bits):   every byte becomes 37
  Round 4 (5 bits):   every byte becomes 08
  Round 5 (4 bits):   every byte becomes 05

COMP128 For Dummies (diagram completed)
- COMP128(Challenge)
- X[32]: bytes 0-15 = Ki, bytes 16-31 = Challenge
- FFT_Bit_Reduction()
- Shift_Bytes()
- Repeat 7 times
- Reduce_Bytes()
- Return, null-padding the last 10 bits

COMP128 - Baseline 2-R Attack
key         = 01 23 45 67 89 ab cd ef fe dc ba 98 76 54 32 10
challenge A = 23 00 00 00 00 00 00 00 55 00 00 00 00 00 00 00   (byte 0 = 23, byte 8 = 55)
challenge B = 0d 00 00 00 00 00 00 00 e7 00 00 00 00 00 00 00   (byte 0 = 0d, byte 8 = e7)
We first look for challenges that have the same responses (collisions). Below, x[0..15] holds the key and x[16..31] the challenge (indices 0 1 2 3 4 5 6 7 8 9 a b c d e f per half); the two states are followed through the first two rounds (levels) of the compression.

Start:
  A: 01 23 45 67 89 ab cd ef fe dc ba 98 76 54 32 10 | 23 00 00 00 00 00 00 00 55 00 00 00 00 00 00 00
  B: 01 23 45 67 89 ab cd ef fe dc ba 98 76 54 32 10 | 0d 00 00 00 00 00 00 00 e7 00 00 00 00 00 00 00

Round 1, first pair (x[0], x[16]) substituted:
  A: 0e 23 45 67 89 ab cd ef fe dc ba 98 76 54 32 10 | d3 00 00 00 00 00 00 00 55 00 00 00 00 00 00 00
  B: df 23 45 67 89 ab cd ef fe dc ba 98 76 54 32 10 | bc 00 00 00 00 00 00 00 e7 00 00 00 00 00 00 00

Round 1, pairs 0 … 8 done:
  A: 0e 2f 01 e8 cc 44 e4 17 d0 dc ba 98 76 54 32 10 | d3 31 96 c6 35 4a a7 e2 f3 00 00 00 00 00 00 00
  B: df 2f 01 e8 cc 44 e4 17 2e dc ba 98 76 54 32 10 | bc 31 96 c6 35 4a a7 e2 21 00 00 00 00 00 00 00

Round 1 complete (only x[0], x[8], x[16] and x[24] differ between A and B):
  A: 0e 2f 01 e8 cc 44 e4 17 d0 7f 8f 90 3a c9 0d 6d | d3 31 96 c6 35 4a a7 e2 f3 ea e3 1a 18 d9 57 fc
  B: df 2f 01 e8 cc 44 e4 17 2e 7f 8f 90 3a c9 0d 6d | bc 31 96 c6 35 4a a7 e2 21 ea e3 1a 18 d9 57 fc

Round 2, first pair (x[0], x[8]) substituted:
  A: 37 2f 01 e8 cc 44 e4 17 60 7f 8f 90 3a c9 0d 6d | d3 31 96 c6 35 4a a7 e2 f3 ea e3 1a 18 d9 57 fc
  B: 37 2f 01 e8 cc 44 e4 17 60 7f 8f 90 3a c9 0d 6d | bc 31 96 c6 35 4a a7 e2 21 ea e3 1a 18 d9 57 fc

Round 2 (as shown on the slide):
  A: 37 5e 05 27 5a 1f 7a 11 60 36 6b 39 31 42 69 28 | 7a 31 96 c6 35 4a a7 e2 64 ea e3 1a 18 d9 57 fc
  B: 37 5e 05 27 5a 1f 7a 11 60 36 6b 39 31 42 69 28 | 7a 31 96 c6 35 4a a7 e2 64 ea e3 1a 18 d9 57 fc
  Collision! The two states are now identical, so every later round, and the 12-byte response, will be identical too.

COMP128 - What can we do with this collision?
- If we get a collision from COMP128 with those two challenges, we know that two bytes of the key must be those two values:
    If COMP128(chall = 23 00 00 … 55 00 00 …) == COMP128(chall = 0d 00 00 … e7 00 00 …)
    then we know: key = 01 xx xx xx xx xx xx xx fe xx xx xx xx xx xx xx   (bytes 0 and 8)
  (In practice one collision narrows the pair to a small set of candidates; a second collision on the same byte pair pins it down.)
- Repeat 8 times, once per byte pair (i, i+8), until the full key is recovered

COMP128 Optimizations
- The baseline attack takes ~115,000 tries
- The card will die after 65,535 requests
- How do we get the number down?
  - Precompute all collisions
  - Find the challenges that collide the most and try them first
- Still not fast enough?

COMP128 - 3-R Attack
Once we know bytes 0 and 8 of the key, we can attack the 3rd round (level) virtually one byte at a time: this level pairs bytes 4 apart, so the known pair (0, 8) now mixes with bytes 4 and 12. These require a bit of precomputation but only ~768 tries.
  key: 01 00 00 00 xx 00 00 00 fe 00 00 00 xx 00 00 00    (xx = bytes under attack)
  key: 01 00 00 00 89 00 00 00 fe 00 00 00 xx 00 00 00    (byte 4 = 89 recovered, byte 12 next)

COMP128 - 4-R Attack
Same for the 4th round (bytes 2 apart: positions 2, 6, 10, 14):
  key: 01 00 xx 00 89 00 00 00 fe 00 00 00 76 00 00 00
  key: 01 00 45 00 89 00 cd 00 fe 00 ba 00 76 00 xx 00

COMP128 - 5-R Attack
And the 5th (adjacent bytes: positions 1, 3, 5, 7, 9, 11, 13, 15):
  key: 01 xx 45 00 89 00 cd 00 fe 00 ba 00 76 00 32 00
  key: 01 23 45 67 89 ab cd ef fe dc ba 98 76 54 32 xx
  Key = 01 23 45 67 89 ab cd ef fe dc ba 98 76 54 32 10
  0wned (in < 20 thousand tries)

COMP128 Attack
- Works on most GSM carriers in the US: T-Mobile, Cingular, etc.
- The new attack takes around 15 minutes with a precomputed dictionary
- SIM card emulators can be purchased online or emulated with a $2 PIC
- Open source tools will be released shortly
- SIM SCAN v2 implements this (thanks Dejan Kaljevic)

Parking Meters? WTF is a Parking Meter?
(Figure: a parking meter with its smart card slot, coin input and coin output labelled.)

PARKING METER DEBIT CARD (instructions printed on the meter)
1. Insert debit card into meter in direction shown by arrow.
2. The Meter will increment in 6 min. segments.
3. When desired time is displayed, remove card.
DID YOU BUY TOO MUCH TIME? TO OBTAIN EXTRA TIME REFUND
* Insert the same debit card that was used to purchase time on the meter. Full 6 minute increments will be credited to the card. Increments of less than 6 minutes will be lost.

Introduction - Synchronous Cards
- Memory cards
- Kinko's cards
- Internet café cards
- Cash cards
- Parking meter cards

Synchronous Protocol
- Also uses Clk, Rst and I/O
- Clk sets the transfer speed
- When Clk is high (5 V) read from I/O; write when it is low (Gnd)
- Reader sets the Rst line high (5 V)
- After Rst drops, the card starts sending bits to the reader, one for each high Clk
(Timing diagram: Rst, Clk and I/O traces; the first bits read back are Bit 0 = 1, Bit 1 = 0.)

Parking Meter Cards
- Similar to the SLE 4406 (European telecom card)
- Implements a one-way counter
- Bits are set by a programmer, then a fuse is blown
- After that, bits will only go 1 -> 0

Demonstration

Parking Meter Card - Memory Dump
98 FF 00 00 FF FF FE FF FF 14 FF 00 00 FF FF FF FF 3C FF 00 00 FF FF 92 FF 00 00 00 F8 FF FF FF 00 00 00 FF FF 46 FF 00 00 00 FF FF B1 00 00 00 00 FF FF FF FF FF FF FF FF 00 00 FF FF FF FF 00 00 80 FF FF FF FF 00 00 FF FF
Regions annotated on the slides: ATR (Answer to Reset), Credit Bits, Refund Buffer Bits, Serial Number, Refund Bits.
Value: 1 bit = $0.10; 6 bits + 7 bits = $1.30.

Parking Meter Card - Tapping
- Reverse engineering the protocol:
  - Tap the connection
  - Log the data
  - Decode the protocol

Tapping the Connection
- Make a fake smart card: a plastic card with copper tape contacts
- Get a smart card socket: rip it out of a smart card reader
- Connect the two with a cable: old floppy/IDE cables work well
- Tap the connection:
  - Vampire clips
  - Run each signal through a 10k resistor to a buffer
  - Connect the buffer to a parallel port

ASCII Art (schematic, garbled in extraction). Recoverable detail: the parallel port status inputs D10 Ack (I6), D11 Busy (I7), D12 Paper Out (I5) and D13 Select (I4), with D25 as Gnd; an external 5 V supply (USB); a 74HCT541N octal buffer; 10k resistors r1-r4 on the tapped lines; and the Vcc/Gnd, Reset/Vpp, Clock/I/O and RF1/RF2 contacts wired straight through between the fake smart card and the smart card reader socket. Sneak peek of a possible future Phrack article.

Logging the Data
- Sniffing the connection (synclog.c)
- Poll the parallel port I/O
- If the I/O lines change, log the new state to memory
- When finished, write the bits to the log file

Logging the Data (synclog.c)

```c
/* synclog.c - poll the parallel port status lines and log every change.
 * FreeBSD/i386: i386_iopl() grants user-space port I/O; inb()/outb() come
 * from <machine/cpufunc.h> (the fifth include on the slide was lost in
 * extraction; this is the header that provides them). */
#include <stdio.h>
#include <stdlib.h>
#include <signal.h>
#include <sys/types.h>
#include <machine/sysarch.h>
#include <machine/cpufunc.h>

#define BASE    0x378
#define DATA    (BASE)
#define STATUS  (BASE + 1)
#define CONTROL (BASE + 2)
#define ECR     (BASE + 0x402)
#define BUF_MAX (1024 * 8)   /* max log size: 8 KB of samples */

int bufi = 0;
u_char buf[BUF_MAX];
char *logfile;

/* one sample per line: the four status-port inputs (bits 7..4) as 0/1 */
void printbits(FILE *fh, int b)
{
    fprintf(fh, "%d%d%d%d\n", (b >> 7)& 1, (b >> 6) & 1, (b >> 5) & 1, (b >> 4) & 1);
}

/* on ctrl+c (or a full buffer) dump everything we captured and exit */
void die(int signo)
{
    int i;
    FILE *fh;

    if ((fh = fopen(logfile, "w")) == NULL) {
        perror("unable to open lpt log file");
        exit(1);
    }
    for (i = 0; i < bufi; i++)
        printbits(fh, buf[i]);
    fflush(fh);
    fclose(fh);
    exit(0);
}

int main(int argc, char *argv[])
{
    unsigned char b, c;

    if (argc < 2) {
        fprintf(stderr, "usage: %s <logfile>\n", argv[0]);
        exit(1);
    }
    logfile = argv[1];

    /* enable port I/O privileges */
    if (i386_iopl(3)) {
        printf("You need to be superuser to use this\n");
        exit(1);
    }

    /* clear status flags */
    outb(STATUS, inb(STATUS) & 0x0f);
    /* set EPP mode, just in case */
    outb(ECR, (inb(ECR) & 0x1f) | 0x80);
    /* log to file when we get ctrl+c */
    signal(SIGINT, die);

    /* fetch dataz0r: record a sample only when the lines change */
    c = 0;
    while (bufi < BUF_MAX) {
        /* select low nibble */
        outb(CONTROL, (inb(CONTROL) & 0xf0) | 0x04);
        /* read low nibble */
        if ((b = inb(STATUS)) == c)
            continue;
        buf[bufi++] = c = b;   /* save last state bits */
    }
    printf("buffer overflow!\n");
    die(0);
    return 0;
}
```

Decoding the Protocol
- Convert to bytes (analyze.c)
  - Push a bit into the buffer every time the clock is high
  - When reset is high, reset the bit counter and print the buffer
- Time graph analysis (timing.pl)
  - Plot a 2-D graph of the communication (thanks prole!)
  - Uses GD to plot a large JPEG

Demonstration

Protocol Dumps
Memory dump:
00011001001010001111001111000100100100000110001010001101
111111111111111111111111111111110000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000111111111111111111111111111111111111111111111111111111111
Write to card:
00011001001010001111001111000100100100000110001010001101
11111111011110101101
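The analyze.c logic from the slides above (take a bit on each clock pulse, start a new frame on reset) applied to a bit stream like the protocol dump, together with the one-way counter from the parking meter card slide, as an added Python example; it is not the talk's code. The waveform is constructed by `samples_from_bits` from a known bit string rather than captured, and `decode_session`, `bits_to_bytes`, `count_credits` and `parse_dump` are names chosen here. Byte order is LSB-first, which is what turns the dump's first eight bits 00011001 into the hex dump's leading 98.

```python
"""Decode a sniffed synchronous memory-card session (the analyze.c idea from
the talk), as an added Python example.  Samples are (rst, clk, io) triples as
a parallel-port poller would record them; samples_from_bits CONSTRUCTS such a
waveform from a known bit string, so nothing here is a real capture."""


def samples_from_bits(bits):
    """Constructed waveform: one reset pulse, then one clock pulse per bit with
    the card driving I/O while the clock is high.  Every level is repeated so
    the decoder must cope with duplicate samples, as a poller that outruns the
    reader produces them."""
    s = [(1, 0, 0)] * 2 + [(0, 0, 0)] * 2
    for b in bits:
        s += [(0, 1, b)] * 2 + [(0, 0, b)] * 2     # clk high: bit valid; clk low: idle
    return s


def decode_session(samples):
    """Split a capture into frames, one bit string per reset cycle.
    A bit is taken on the clock's rising edge only: sampling 'whenever the
    clock is high' would double-count a bit whenever two polls land in one
    clock pulse.  A rising reset closes the current frame."""
    frames, cur, prev_clk, prev_rst = [], [], 0, 0
    for rst, clk, io in samples:
        if rst and not prev_rst:                 # reset: start a new frame
            if cur:
                frames.append("".join(map(str, cur)))
            cur = []
        elif clk and not prev_clk and not rst:   # clock rising edge: one bit
            cur.append(io)
        prev_clk, prev_rst = clk, rst
    if cur:
        frames.append("".join(map(str, cur)))
    return frames


def bits_to_bytes(bits, lsb_first=True):
    """Pack a bit string into bytes.  These cards shift the LSB out first:
    the dump's leading 00011001 is the hex dump's 98, not 19.  Trailing bits
    that do not fill a byte are dropped."""
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        chunk = bits[i:i + 8]
        out.append(int(chunk[::-1] if lsb_first else chunk, 2))
    return bytes(out)


def count_credits(counter_bits, cents_per_bit=10):
    """One-way counter field: programmed to all 1s, and the meter can only burn
    bits to 0.  Remaining value is the number of 1 bits still standing."""
    return counter_bits.count("1") * cents_per_bit


def parse_dump(bits, atr_bits=56):
    """Split one memory frame into the 56-bit ATR (7 bytes) and the rest, which
    holds the counter fields the slides annotate as credit and refund bits."""
    return bits_to_bytes(bits[:atr_bits]), bits[atr_bits:]


if __name__ == "__main__":
    # the 56-bit ATR from the talk's dump, followed by a constructed 16-bit credit field
    ATR_BITS = "00011001001010001111001111000100100100000110001010001101"
    capture = samples_from_bits([int(b) for b in ATR_BITS + "1111110000000000"])
    frame, = decode_session(capture)
    atr, rest = parse_dump(frame)
    print("ATR:", atr.hex(), "credit field:", rest, "=", "$%.2f" % (count_credits(rest) / 100))
```

Feeding the real synclog output in means mapping the four logged status bits to (rst, clk, io) according to the wiring in the ASCII-art schematic; the edge-triggered decode is what keeps duplicate polls from inflating the bit count.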

Timing Graph Analysis - Deduct
(Graph of the Rst, Clk, I/O and Rsv1 traces: the meter reads the card, then issues the Write to Card command.)

Timing Graph Analysis - Refund
(Graph of the Rst, Clk, I/O and Rsv1 traces: the meter reads the card, then issues the Write to Card command; the second trace shows 1 credit, then 2 credits, being refunded. Refunds 2 credits to the parking meter card.)

Emulate the Protocol
- Code a PIC to speak the protocol (see Phrack 48-11 for hints)
- PIC16F84A: supply an RC or external clock and connect the proper pins
- Tip: tie the clock line to an interrupt
- Full code & schematics may be released in Phrack 63
- See me for more details

BRUTE FORCE!!!!!
- Impatient?
  - Fold a business card in half
  - Insert it into the meter's slot so it is difficult to remove
  - The meter will go out of order after ~90 seconds
  - Out-of-order meters are free

Parking Meters Owned

Other Security Memory Cards
- SLE 4442 / SLE 4428
  - Implement a PIN for write access
  - Similar to GSM SIM cards: 3 strikes and you're out!
- University soda machines
  - Each card has a different PIN
  - The reader performs voodoo magic to determine the PIN
  - Rewrites the credits on the card (thanks Michael Stegan)
- Most of the time: the same PIN on every card

Conclusions
- David Hulton
  - h1kari@dachb0den.com
  - http://www.dachb0den.com
- References
  - Phrack 48-10/11
  - Phrack 62-15
  - ISO 7816-1/2/3
  - http://www.cs.berkeley.edu/isaac/gsm.html
  - http://www.towitoko.de
  - http://www.sdlogic.com

Conclusions / Shameful Plugz
- Come to ToorCon! September 24th-26th, 2004, http://www.toorcon.org, "Celebrating 20 Years After Big Brother"
- Come to ShmooCon! Super Bowl weekend, 2005, http://www.shmoocon.com (no moose, they swear)
- Come to LayerOne! http://www.layerone.info

Questions? Suggestions?
- Got any good cards to look at?
- Anything I missed? (mercy!)