Download pdf - DEFCON Presentation

8/6/2019 DEFCON Presentation

1/116

Bypassing Smart-Card

Authentication and Blocking

Debiting:

Jonathan LeeNeil Pahl

Vulnerabilities in Atmel Cryptomemory basedStored-Value Systems


2/116

Primer

Who are we?

Jonathan Lee UBC Computer Engineeringstudent

Neil Pahl UBC Electrical Engineering, recentgraduate


3/116

Disclaimer !

- We are not (yet) security industry

professionals or 1337 code-breaking hackers

- We did not break Smart Card Security

- But, we can show that even with introductorysecurity knowledge, we were able to find

vulnerability in a secure systems

implementation


4/116

Primer

What do we know about Security?

EECE 412: Intro to Computer Security Fundamental Security Principles

Cryptography

Authentication

Access Control

Secure Design


5/116

Primer

What Was Our Motivation For this Project?

Term Project to Perform a Security Analysis(Opportunity to Legitimately try Cool Hacks)

Smart Cards are synonymous with Security

We hoped to emulate known replay attacks on anearby Smart Card laundry system


6/116

Primer

Why should anyone care about our Hack?

Companies spend time and money to add more

security functions to their products

However, security functions cannot protect the

system if they are not implemented thoughtfully


7/116

History?

The need for Authentication + Encryption

Joe Grand (2009) SF parking meters, vulnerable

to replay attack

Strom Carlson (2006) Fedex Kinkos SLE4442,

vulnerable to simple password replay


8/116

Early Efforts

Smart card laundry machine (stored value card)


9/116

Early Efforts

We were thinking of trying some of the usualattacks:

Could we simply read and modify monetary valuesdirectly on the card?

Could we sniff out read/write passwords?

Could we perform replay attacks?

But, the success of these attacks depend on thesecurity measures in place


10/116

Early Efforts

A few Google searches lead us to an interestingblog of someone attempting to hack a laundrysystem (http://tinyurl.com/2csk6dr)

Their success was limited to reading theconfiguration settings from the card.

We couldnt confirm it yet, but we decided to startwith the assumption that our system used thesame chip.
http://tinyurl.com/2csk6drhttp://tinyurl.com/2csk6dr


11/116

Early Efforts

Atmel CryptoMemory AT88SC0404 Smart-card

ATR: 3B B2 11 00 10 80 00 04


12/116

Early Efforts

High Security Features:

64-bit Mutual Authentication Protocol (under license

of ELVA)

Encrypted Checksum

Stream Encryption

Four Key Sets for Authentication and Encryption

Eight Sets of Two 24-bit Passwords

Anti-tearing Function

Voltage and Frequency Monitor


13/116

Early Efforts

Security Modes:

Standard/password mode is Default

Command sequences are needed to enter othersecurity modes


14/116

Atmel CryptoMemory AT88SC0404


15/116



16/116


Interpreting the Memory Dump:


17/116



Addresses


18/116



Addresses

Status - Access Granted


19/116



Addresses

Status - Access Granted

Status - Access Denied


20/116



DCR Data Config Reg


21/116



DCR Data Config Reg

1011 1111


22/116



DCR Data Config Reg

1011 1111

4 Authen. Attempts Allowed


23/116



DCR Data Config Reg

1011 1111

4 Authen. Attempts Allowed

Authen. Attemps Counter Enabled


24/116


25/116



ARn Access Registers

1101 1111


26/116




1101 1111

Encryption not necessary


27/116




1101 1111


no read/write passwords


28/116




1101 1111


no read/write passwords

Authentication required for

read/write command use


29/116


We Now Know: What it Tells Us:


30/116


We Now Know: Authentication Attempts

Counter Enabled

4 Authentication AttemptsAllowed

What it Tells Us:

Brute force key cracking is

impossible


31/116



Counter Enabled



What it Tells Us:


impossible

Might be able to sniff

read/write passwords


32/116



Counter Enabled



No read/write passwords

What it Tells Us:


impossible



No Passwords to sniff


33/116



Counter Enabled



No read/write passwords

Authentication required

for read/write command

use

What it Tells Us:


impossible



No Passwords to sniff

System will be run

under Authentication Mode

mode


34/116


Recall the Security Modes:

MAC Value used for data integrity check is a

checksum encrypted by a session key

This rules out Replay Attack!


35/116

Early Findings

A simple replay attack isnt possible

And we have no expertise or time for crypto-

analysis of authentication procedure either

(6 weeks!!)

Whats left?


36/116


37/116

A HypothesisWhat would be the most logical implementation of this

type of system?


38/116

A HypothesisWhat would be the most logical implementation of this

type of system?

Would there be a MiM opportunity here?


39/116

Alice, Bob and Trudy

Man in the middle concept

Can we apply this in hardware?


40/116

MACHINE-TO-CARD

COMMUNICATION


41/116

Machine-to-Card Communication

Sniffing Tools:

Modified Smart Card

RESET

GROUND

DATA IO

CLOCK


42/116


Sniffing Tools:

Modified Smart Card

Logic Analyzer


43/116


44/116


Communication Flow(Before Pressing Start): Card Sends Answer To Reset (ATR)

Machine Reads 8-Byte Cryptogram and 7-Byte IDo Machine uses Cryptogram to compute challenge value

Machine Sends Authentication Request Commando Machine sends 16-Byte challenge value and nonce

o Card uses challenge to compute new cryptogram

Machine Reads new8-Byte Cryptogramo New cryptogram is verified

Machine Reads from User Zones


45/116









46/116









47/116









48/116









49/116









50/116


Communication Flow(After Pressing Start):


Machine Writes Newly Decremented Balance to User

Zones (Using 3 Write Commands)

l** Read and Write Commands Require Trailing CheckSum Cmds


51/116








52/116








53/116








54/116


Looking closely at the final 3 write commands:


55/116



5-Character Command

INS ADDRESS NCLA


56/116



5-Character Command

Card replies with INS

INS ADDRESS NCLA


57/116



5-Character Command


INS ADDRESS NCLA

N-Data Bytes (8)


58/116



5-Character Command


INS ADDRESS NCLA

N-Data Bytes (8)

Card Sends Status

(waiting for cksm)


59/116



5-Character Command


INS ADDRESS NCLA

N-Data Bytes (8)

Card Sends Status

(waiting for cksm)


60/116



5-Character Command


INS ADDRESS NCLA

N-Data Bytes (8)

Card Sends Status

(waiting for cksm)

5-Character Command


61/116



5-Character Command


INS ADDRESS NCLA

N-Data Bytes (8)

Card Sends Status

(waiting for cksm)

5-Character Command

Card replies


62/116



5-Character Command


INS ADDRESS NCLA

N-Data Bytes (8)

Card Sends Status

(waiting for cksm)

5-Character Command

Card replies

CheckSum sent


63/116



5-Character Command


INS ADDRESS NCLA

N-Data Bytes (8)

Card Sends Status

(waiting for cksm)

5-Character Command

Card replies

CheckSum sent

Card Sends Status

(OK)


64/116


65/116

The Vulnerability

The Plan:


66/116

The Vulnerability

Recall the writing process

5-Character Command


INS ADDRESS NCLA

N-Data Bytes (8)

Card Sends Status

(waiting for cksm)

5-Character Command

Card replies

CheckSum sent

Card Sends Status

(OK)


67/116

The Vulnerability

the Machine expects non-unique replies

Card replies with INS Card Sends Status

(waiting for cksm)

Card replies Card Sends Status

(OK)


68/116

The Vulnerability

THERE IS NO SECURE RECEIPT AFTER WRITING!

- The card confirms that data from the Host is

legitimate

- However, the Host is not assured that the

writing actually took place


69/116

The Vulnerability

What a hacker needs to do:

5-Character Command

INS ADDRESS NCLA


70/116

The Vulnerability


5-Character Command

Fake This Reply

INS ADDRESS NCLA


71/116

The Vulnerability


5-Character Command

Fake This Reply

INS ADDRESS NCLA

Block These Data Bytes


72/116

The Vulnerability


5-Character Command

Fake This Reply

INS ADDRESS NCLA


Fake This Status

(waiting for cksm)


73/116

The Vulnerability


5-Character Command

Fake This Reply

INS ADDRESS NCLA


Fake This Status

(waiting for cksm)

5-Character Command


74/116

The Vulnerability


5-Character Command

Fake This Reply

INS ADDRESS NCLA


Fake This Status

(waiting for cksm)

5-Character Command

Fake This Reply


75/116

The Vulnerability


5-Character Command

Fake This Reply

INS ADDRESS NCLA


Fake This Status

(waiting for cksm)

5-Character Command

Fake This Reply

Block CheckSum


76/116

The Vulnerability


5-Character Command

Fake This Reply

INS ADDRESS NCLA


Fake This Status

(waiting for cksm)

5-Character Command

Fake This Reply

Block CheckSum

Fake This Status

(OK)


77/116

VULNERABILITY EXPLOITATION


78/116

Vulnerability Exploitation

MCU

MUX SWITCH

REAL CARDDUMMY CARDIOIO

CLK, RST

Control

Logic

l b l l


79/116

2 Strategies:


MCU

MUX SWITCH


CLK, RST

Control

Logic

l b l l


80/116

2 Strategies:

Microcontroller Forwarding


MCU

MUX SWITCH


CLK, RST

Control

Logic

l bili l i i


81/116

2 Strategies:

Microcontroller Forwarding

MUX Forwarding


MCU

MUX SWITCH


CLK, RST

Control

Logic

V l bili E l i i


82/116


LINE 1 : Machine to Microcontroller Node

LINE 2 : Microcontroller to Card Node

Answer To Reset is being forwarded through the MUX

switch (No Delay)

V l bili E l i i


83/116


Subsequent commands are being forwarded through

the microcontroller

V l bili E l i i


84/116


Subsequent commands are being forwarded through

the microcontroller (1 Character Delay)

V l bilit E l it ti


85/116


V l bilit E l it ti


86/116


Recognized Write Command

V l bilit E l it ti


87/116



Blocked all further communication to the card (Open Mux Switch)

V l bilit E l it ti


88/116



Blocked all further communication to the card (Open Mux Switch)

Forged Confirmation of Write Back to Machine

V l bilit E l it ti


89/116


The Final Product:

Value of Components:

Less than $15

A M V l biliti ?


90/116

Any More Vulnerabilities?

Session Hijacking: Allow system to reach the authenticated state

MIM communicates exclusively with smart card

Dump the protected user zones

A M V l biliti ?


91/116


Session Hijacking: Allow system to reach the authenticated state

MIM communicates exclusively with smart card

Dump the protected user zones

Our Injected command toread 0x7F bytes starting at

address 0x00Smart Card begins spewing its

guts out



92/116


Analysing the Protected User Memory:



93/116


Analysing the Protected User Memory: System uses History Buffer

Slot #1 Slot #2 Slot #3@1

Reference: Holds location of Current Card Value

Memory Slots: History of Values



94/116

Analysing the user memory: System uses History Buffer

For example,

@1


$5 null null

MachineTimes Used: 0



95/116


For example,

@1


$5 null null

Machine

Reads a 1

Times Used: 0



96/116



For example,

$5 null null

Machine

Reads card

value @1

@1

Times Used: 0



97/116



For example,

$5 $4 null

Machine

Writes new Value to slot 2

@1

Times Used: 0



98/116

@2



For example,

$5 $4 null

MachineUpdates reference

to value

Times Used: 0



99/116

@2



For example,

$5 $4 null




100/116

@2



For example,

$5 $4 null


Reads a 2



101/116

@2



For example,

$5 $4 null


Reads card

value @2



102/116

@2



For example,

$5 $4 $3


Writes new Value to slot 3



103/116

@3


For example,


$5 $4 $3


Updates reference

to value



104/116

@3


For example,


$5 $4 $3




105/116

Can this system be manipulated?


$5 $4 $3


@3


106/116



107/116

Can this system be manipulated? When the final memory slot is reached, what if


$5 $4 $3


@3

Reads a 3



108/116



$5 $4 $3


@3

Reads card

value @3



109/116



$5 $4 $2


@3

Write is redirected to slot 3MIM



110/116

@1



$5 $4 $2


Updates reference

to value



111/116

@1



$5 $4 $2


The card will now hold the original $5 value!


112/116



113/116


Machine

New Value is redirected to overlap

Slot #1 Slot #3@3

MIM

What value will slot #1 hold?

Slot #2



114/116


So we tried to redirect the write

But, were denied.

Summary


115/116

Summary

Communications that end in write commandare not secure!

Even though Atmel App note recommends thisexact behaviour

Fix: End Communication with a read command to verify the

new card value

Summary


116/116

Summary

Dump User Zone memory using MiM andsession Hijacking

Fix:

Use encryption mode

Host side tamper detection(voltage/current monitor)

MONTAGE VIDEO TIME!!!