A Study of Smart Cards

Cards are quite an interesting species of object that have invaded our lives in every way: we use them for public transit, laundry, gift cards, phone cards, credit cards, etc. One could gather quite a lot of power by not only understanding their functioning, but also by being able to tamper with their data. I must admit that I have absolutely no knowledge (or almost) of those devices, but hopefully, by the end of this project, this will have completely changed.

Visual Study of Smart Cards

Smart cards are usually the size of a credit card, and their dimensions are defined according to the ISO/IEC 7810 standard. The standard defines four card sizes: ID-1, ID-2, ID-3 and ID-000. Smart cards usually fall into the ID-1 category, although some fall into the ID-000 category, which mostly consists of SIM cards. Each of them is 0.76 mm thick. The properties are defined as follows [1]:

Example of a card using a chip

Format   Dimension          Usage
ID-1     85.60 × 53.98 mm   Most banking cards and ID cards
ID-2     105 × 74 mm        German ID cards issued prior to Nov 2010
ID-3     125 × 88 mm        Passports and visas
ID-000   25 × 15 mm         SIM cards

The material used for the card is usually polyvinyl chloride (PVC). Of course, the most interesting item on the card is that golden connector. There are various types of connectors, as shown in the picture below:

Different Layouts of Cardpads

There are also three main types of smart cards: contact cards, contactless cards and vault cards [2].

The three main types of Smart Card available

The two that actually matter in everybody’s life are the contact and contactless cards, the latter being used in public transit most of the time. For now I’ll concentrate on contact cards.

Contact Cards

Information is transferred through electrical connectors, i.e. from the golden chip on the card to the reader. Usually, the chip has around 8 connectors, as follows:

Contact cards are divided into two categories: memory cards and multiprocessor cards. Memory cards are further divided into 3 categories:

  • Straight Memory Cards
  • Protected/Segmented Memory Cards
  • Stored Value Memory Cards

The Project

I recently got handed a laundry smart card and, for some reason, got fascinated with it. I never really played with hardware, but studying those devices has interested me to the point of studying them in a special project. The goal is to be able to modify the contents of the memory of the card. This project will be conducted in two phases:

  1. Dump the content of the memory into my computer
  2. Alter the content and write it back to the card

System Description

A client is handed a smart card called “SmartCity” from a company called Coinamatic, which provides laundry solutions to property managers. The card can be loaded and recharged using coins or debit/credit cards through “reload centers”. You can put up to 50$ maximum on the card. To use the facilities, you need to insert the card into a slot built into the washers/dryers. The washer is a Commercial Energy Advantage Top Load Washer MAT14PRAWW model. The dryer is a 27″ Commercial Single-Load Electric Stack Dryer model MLE24PRAZW.

Next post : the card reader/writer

See also:

EMV 4.2 Specification, EMVCo, May 2008, http://emvco.com/ accessed on 2009-07-20

Infineon SLE4442, Flylogic Engineering’s Analytical Blog, December 1st, 2007, http://www.flylogic.net/blog/?p=17 accessed on 2009-07-20

How-to: Read a FedEx Kinko’s smart card (SLE4442), Ian Lesnet, Hack-a-day, November 28th, 2008, http://hackaday.com/2008/11/25/how-to-read-a-fedex-kinkos-smart-card-sle4442/, accessed on 2009-07-20

Intelligent 256-Byte EEPROM SLE 4432/SLE 4442, Siemens, 1995, http://www.smartcardsupply.com/PDF/DS_sle4432_42_0795.pdf accessed on 2009-07-20

Kinko’s Smart Card (Siemens SLE4442 memory chip), Strom Carlson, http://www.stromcarlson.com/projects/smartcard/format.pdf accessed on 2009-07-20

1K EEPROM – Security Logic with Two Application Zones AT88SC102, Atmel, 1999, http://www.datasheetcatalog.org/datasheet/atmel/DOC1419.PDF accessed on 2009-07-20

[1] ISO/IEC 7810, Wikipedia, http://en.wikipedia.org/wiki/ISO/IEC_7810 accessed on 2009-07-20

[2] Types of Chip Cards, Smart Card Basics, 2005, http://www.smartcardbasics.com/cardtypes.html accessed on 2009-07-20

ENISA releases list of mobile phones vulnerabilities

The European Network and Information Security Agency (ENISA) released a paper about general vulnerabilities that affect or will affect mobile communications. The organization surveyed experts through different media to gather concerns from the industry about the future of wireless communications. The document discusses security issues for three different types of devices, each using wireless mechanisms: mobile devices, contactless cards and smart cards.

Mobile phones

The paper mentions two possible vulnerabilities on mobiles, one of which is rather obvious and really didn’t need to be detailed:

  • Theft or Loss of device
  • Untrustworthy Interface

Since a lot of information is stored on cell phones and other devices, theft can be a security issue, especially if used in a commercial/governmental context. Since mobile devices are called to be used for more and more purposes, such as purchasing items and services as is already done in Japan, theft will be a problem. As far as I know, not much can be done to prevent mobiles from being stolen except caution. On the other hand, encryption and authentication should be used to protect data stored inside the device.

Untrustworthy interface refers to any exploits, worms or social engineering that usually affect computers. After all, mobiles use operating systems like any computer, such as Android, Windows Mobile, Symbian OS, Linux or iPhone OS. None of these OSes can claim to be 100% secure, and none should ever do so either. For those who think that such things don’t happen on phones, here are a couple of examples that might change your mind:

Last year, at the Black Hat conference which took place August 2nd, an attack against the iPhone was carried out by a team at the Independent Security Evaluators security company[1]. By setting up a fake access point with the same SSID and encryption type as an access point previously used by the user, one could use the fake access point to add malicious code to websites requested by the user[2].

At the beginning of the year, Symbian OS was the victim of another worm, called Beselo, that spread itself by harvesting contacts and sending MMS messages with a SIS attachment disguised as a picture or mp3 file[3].

In October, Google’s Android shipped with an outdated version of the WebKit package, which could have allowed an attacker to steal saved passwords and cookies by crafting a malicious website[4].

Do I even need to give examples for the Windows Mobile OS? If yes, then the ones that come to mind are the ones found by Collin Mulliner a while ago and disclosed at the 23rd CCC[5].

As mobile phones become more and more like computers, exploiting cell phones will become more and more common.

Smart Cards

The paper mentions two issues specifically concerning smart cards:

  • Physical Attacks
  • Side Channel Attacks

Physical attacks consist of studying the underlying hardware in order to reverse-engineer it:

“These kinds of attacks are usually invasive, eg, rewiring a circuit on the chip or using probing pins to monitor data flows. Physical attacks include altering the environment around the card, such as temperature or radiation, in order to induce faults. The goal of the attacker is to bypass security mechanisms and gain secret information stored on the card. In general, modern smart cards are quite resistant to physical attacks. Nevertheless, there have been a number of reverse-engineering attacks in attempts to retrieve private keys or find flaws in the hardware design.”[6]

This usually involves a lot of different techniques and lots of time. A concrete example of a physical attack on smart cards goes back to 2002, when two researchers from Cambridge University discovered they could extract data from smart cards by using a camera flash. Modern smart cards are also often programmed with a subset of Java, and are therefore open to programming errors and exploits[7].

Side-channel attacks are way touchier, as they involve retrieving information from the card by analysing physical properties such as power consumption, radiation and signal duration[8]. Side-channel attacks can lead to the gathering of sensitive information about the implementation of a cryptographic algorithm:

“One of the most successful side-channel attacks exploits the correlation between the power consumption of a given device and the data being processed. These Power Analysis Attacks have particular relevance since for some of them, no knowledge regarding the implementation of the target device is needed in order to be effective.”[9]
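
The correlation the quote refers to can be measured in a small simulation, added here as an example that is not from the cited paper or from this post. It assumes a Hamming-weight power model with Gaussian noise (all names and parameters are constructed for illustration) and compares an unprotected device with one that XORs a fresh random mask onto the data before handling it.

```python
import random
import statistics


def hamming_weight(x: int) -> int:
    """Number of set bits; a common first-order model of dynamic power."""
    return bin(x).count("1")


def pearson(xs, ys) -> float:
    """Pearson correlation coefficient of two equal-length sequences."""
    mx, my = statistics.fmean(xs), statistics.fmean(ys)
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    var_x = sum((x - mx) ** 2 for x in xs)
    var_y = sum((y - my) ** 2 for y in ys)
    return cov / (var_x * var_y) ** 0.5


def leakage_correlation(masked: bool, traces: int = 5000,
                        noise_sigma: float = 1.0, seed: int = 2008) -> float:
    """Correlate the processed byte's Hamming weight with simulated power.

    Constructed data: each "trace" is one power sample, modelled as the
    Hamming weight of the byte on the bus plus Gaussian measurement noise.
    With masked=True the device handles value XOR fresh_random_mask instead
    of the value itself (first-order Boolean masking).
    """
    rng = random.Random(seed)
    predicted, measured = [], []
    for _ in range(traces):
        value = rng.randrange(256)            # data-dependent intermediate
        on_bus = value ^ rng.randrange(256) if masked else value
        measured.append(hamming_weight(on_bus) + rng.gauss(0.0, noise_sigma))
        predicted.append(hamming_weight(value))
    return pearson(predicted, measured)


if __name__ == "__main__":
    print(f"unprotected: r = {leakage_correlation(masked=False):+.3f}")
    print(f"masked:      r = {leakage_correlation(masked=True):+.3f}")
```

The model covers a single sample point only; masking schemes are normally also assessed against analyses that combine several points of a trace.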

Contactless Cards

  • Skimming
  • Eavesdropping
  • Tracking
  • Relay Attack
  • Falsification of Content

A brilliant example of a skimming attack was the work done in the now infamous Oyster card case[10]. After reverse-engineering the MIFARE contactless card[11] by using acid to remove the plastic and studying the architecture of the hardware used in the card, the encryption algorithm was understood and could be cracked. In order for the hack to work, the attacker needs to skim the victim’s Oyster card by building a custom reader.

The last attack that I will briefly describe in this article is the relay attack, as the others are well known. The relay attack is simply a man-in-the-middle attack in which an attacker in the middle relays data skimmed from a card to a reader.

The document also lists two other vulnerabilities, which actually apply to various types of devices: cryptanalytic attacks and man-in-the-middle attacks (see Cyber-Espionage : The Triggerfish for an example of a cell phone man-in-the-middle attack).

The paper also goes on with various use-case scenarios of these attacks for your reading pleasure.

See also:

“Security Issues of Authentication Using Mobile Devices”, Ingo Naumann, Giles Hogben, November 21, 2008, http://www.enisa.europa.eu/doc/pdf/deliverables/enisa_pp_mobile_eid.pdf (accessed on December 3, 2008)

“PocketPC Security Research”, Collin Mulliner, July 9, 2007, http://mulliner.org/pocketpc/ (accessed on December 3, 2008)

“Optical Fault Induction Attacks”, Sergei P. Skorobogatov, Ross J. Anderson, University of Cambridge, http://www.cl.cam.ac.uk/~sps32/ches02-optofault.pdf (accessed on December 3, 2008)


[1] “IPhone Flaw Lets Hackers Take Over, Security Firm Says”, John Schwartz, The New York Times, July 23, 2007, http://www.nytimes.com/2007/07/23/technology/23iphone.html?_r=1 (accessed on December 3, 12)

[2] “Exploiting the iPhone”, Independent Security Evaluators, 2007, http://securityevaluators.com/content/case-studies/iphone/ (accessed on December 3, 2008)

[3] “Fortinet: Symbian OS worm spreading in mobile networks”, Jack Rogers, SC Magazine, January 23, 2008, http://www.scmagazineus.com/Fortinet-Symbian-OS-worm-spreading-in-mobile-networks/article/104452/ (accessed on December 3, 2008)

[4] “Vulnerability patched in Google’s Android-powered phone”, Angela Moscaritolo, November 03, 2008, http://www.scmagazineus.com/Vulnerability-patched-in-Googles-Android-powered-phone/article/120322/ (accessed on December 3, 2008)

[5] “How to Exploit A Windows Mobile Handset”, Sergiu Gatlan, January 4, 2007, http://news.softpedia.com/news/How-to-Exploit-A-Windows-Mobile-Handset-43621.shtml (accessed on December 3, 2008)

[6] “Security Issues of Authentication Using Mobile Devices”, Ingo Naumann, Giles Hogben, November 21, 2008, p.10

[7] “Smart Card Security from a Programming Language and Static Analysis Perspective”, Xavier Leroy, INRIA Rocquencourt, Trusted Logic, 2003, http://pauillac.inria.fr/~xleroy/talks/language-security-etaps03.pdf (accessed on December 3, 2008)

[8] “Security Issues of Authentication Using Mobile Devices”, Ingo Naumann, Giles Hogben, November 21, 2008, p.10

[9] “Power Attacks Resistance of Cryptographic S-boxes with added Error Detection Circuits”, Francesco Regazzoni, Thomas Eisenbarth, Johann Großschädl, Luca Breveglieri, Paolo Ienne, Israel Koren, Christof Paar, University of Lugano, 2007, http://www.crypto.rub.de/imperia/md/content/texte/publications/conferences/dftsrome2007cameraready.pdf (accessed on December 3, 2008)

[10] “Oyster card hack published, released at security conference”, Nicholas Deleon, CrunchGear, October 7, 2008, http://www.crunchgear.com/2008/10/07/oyster-card-hack-published-released-at-security-conference/ (accessed on December 3, 2008)

[11] “Dismantling MIFARE Classic”, Flavio D. Garcia, Gerhard de Koning Gans, Ruben Muijrers, Peter van Rossum, Roel Verdult, Ronny Wichers Schreur, Bart Jacobs, Radboud University Nijmegen, 2008, http://www.sos.cs.ru.nl/applications/rfid/2008-esorics.pdf (accessed on December 3, 2008)