Slashdot Mirror
Cracking the Smartcards
hanuman writes: "So you know you're a true hacker when: 'Breaking the encryption alone would cost up to $5m. The process demanded the use of ultra-expensive electron-scanning microscopes, with the team probing wafer-thin chips no bigger than a thumbnail. Each chip contained up to 50 layers, with each layer in turn carrying up to 1,000 transistors, every one of which had to be pulled apart and analysed.'." This is a follow-up to the Vivendi vs. News Corp. story with more details about what is alleged to have occurred. Update: 03/14 12:28 GMT by M : And yet another story, which alleges that the head of security at NDS funded the website that distributed the hack for their rival's smart cards.
Try searching for it, a lot more information than you would expect _is_ available on the net. Start building your own little "smart-cubes"
it's in my head
Putting so much money and effort in cracking a
protection mechanism, don't their lawyers know about
DMCA. I guess this law was aimed only at individuals
or small corporations.
You can build a hardware device called Season2 interface, which allows you to plug it into the decoder, and then plug the smartcard into the Season2. This device has a serial port conector, so you can connect it to the computer, and then "sniff" all the traffic between the card and the decoder.
Here in Europe, Canal Satelite uses the SECA encryption, which is absolutely cracked. Applying some bugs of the existing smartcards you can create a "masker key", which is a kind of "root" account in the card. When you have created this master key on the card, you are ready to add providers, channels, buy pay per view events and a lots of interesting things.
Also there are lots of emulation software you can program into some pics (16f84, 16f876) and build a smartcard (piccard, piccard2), so you are able to watch all channels for free with these cards.
DVD Ripping, Divx, VCD, SVCD under Linux
A properly designed system will have the following two features.
a) Leaking the card owners details does not compromise the system for other users.
b) Plugging the card into a reader does not immediately compromise the owners security. e.g. authentication is used with the remote client [and the reader acts as a relay or proxy].
Trying to prevent people from tearing it apart and looking at the guts is just stupid and counter-productive. The more important side channels are timing and power, not preventing people with electron microscopes...
For example, with a bogus reader even if a) and b) hold true, it could be that a timing attack reveal clues about the secret keys used.
Tom
Someday, I'll have a real sig.
Canal+ has a very long history of crackers kicking the living daylights out of their encryption/scrambling schemes.
When the channel was launched in the early '80s, it took less than two months for the electronic schematics of a "pirate" descrambler to be posted in a popular electronics magazine... who quickly pulled the issue from the shelves when sued by Canal+. It's been downhill ever since.
A lot of web sites in Belgium, Switzerland and the UK (hint: border countries) actually advertise pirate descramblers or electronics schematics.
I seriously doubt the company attacked by Canal+ had to spend millions and millions of $$$ to crack the scrambling -- the figure (as well as Canal+ losses) were probably grossly over-inflated by greedy lawyers and C+ legal department.
One final note: Canal+ has a nasty reputation in France and in the rest of Europe for cracking down hard on pirates & crackers. Jean-Marie Messier (CEO of Vivendi/Universal/Canal +), who is a complete megalomaniac, is probably to prove he has got a bigger... Uh... large... Ahem... hairy cojones than News Corps's CEO.
Just my 0.02 Euros.
The right to offend is far more important than the right not to be offended. (Rowan Atkinson)
If you can't guess it, brute force it. If you can't brute force it, hand the best team you have a blank check and say, "Enjoy."
One of the interesting things I saw recently at the NSA career website was a mention that many of their engineers get their own, individual, custom hardware. If they have the budget and facilities for that, you better believe that they have what NDS has and more.
You can never go home again... but I guess you can shop there.
- The cracked cards will ruin Canal+'s business (or have already done so).
- Murdochs media empire certainly gains a very strong strategic advantage by a ruined competition.
- Thus, Murdochs media empire does have a strong incentive.
Even if it didn't take place as they claim, this would certainly be a working strategy: crack your competitions technology, release it anonymously on the net in an easy-to-use form and let the script-kiddies do the rest. I guess we'll be seeing more of that tech/cyberwar in the future.Idempotent operation: Like MS software, wether you run it once or often, that doesn't make it any better.
It's long been "common knowledge" (eg, possible fallacy that everyone holds to be true) that Canal+'s encryption was broken because European hackers wanted free access to the porn that's encrypted using it.
Sky's encryption however didn't shelter any porn and was therefore not worth the effort.
Amusingly enough, AFAIK, one of the major victims of this (ITV Digital in the UK) took on the encryption AFTER it had been publicly cracked.
I think the interesting part is this just shows with enough big dollar corporate investment, even sophisticated security schemes can be cracked.
Do you have any reliable information on the actual investment required for the crack other Vivendi's statement? The nature of the security business is that the crackers don't break systems the way their designers expect - they bypass mechanisms instead of attacking them directly, they cheat, they are creative.
The numbers cited by Vivendi represent the resources required for a group of well-funded but imagination-impaired engineers to break the system. I find it hard to believe that whoever did this (whether or not it was really NDS) actually spent that much money.
Stop worrying about the risks of nuclear power and start worrying about the risks of not using nuclear power.
I spent a few months cracking ARM 60 CPUs and seeing if I could find the key kept in the memory by observing the power consumption. Using a fast storage scope I could simply hook onto sequences in the program (branches are easily visible) and find the operations on the key. The power measurements told me how many bits in the key were on or off when driving the ALU read bus. As the algorithm was working with bytes it was very easy to find most of the bits of information. From a 32bit (4 billion combinations) key I could get down to about 2000 possibilities. From there its easy to just try them all out. Synchronous processors were very simple to crack. Asynchronous processors didn't have easily visible features like the clock to find the key instructions. They also have temporal shifts so different runs have the instructions executing at different times dependant on the data. From an asynchronous Amulet2e I could only get two or three bits of information (down to 1 billion possibilities).
Mouse powered Chips, Open source Processors and Lego
As a matter of fact, given that amount of money the simplest way to force the system is an exaustive search on the 3des keyspace (yes, 3des is the algorithm)
This part makes me wonder if you're trolling. Well, if so, I bit. Searching the 3DES keyspace is not currently feasible, and won't be for quite some time. 3DES has an effective keyspace of ~111 bits (it's 112, but the complement property of DES keys, plus a number of weak keys reduce it by 1 bit and change). That's a keyspace that is 70,368,744,177,664 times larger than the 64-bit keyspace that distributed.net has been working on for over three years, and 18,014,398,509,481,984 times larger than the one Deep Crack can search in a week. Actually, Deep Crack isn't really set up to attack 3DES (because it's infeasible and the EFF guys that build Deep Crack aren't stupid), but if it could, this means that finding a 3DES key would take, on average, 346,430,740,566,961 years. Of course, Deep Crack only cost $250K, and that was a couple of years ago, so more money and newer technology might be able to reduce that by a factor of 100 or so. Hell, assume you can do 1000 times better, Then you'd only need 346 trillion years.
112-bit keys won't be safe forever, but they'll be safe for the next decade or two at the very least, barring the discovery of flaws in DES, which has successfully stood against all comers for nearly 30 years.
Regarding power analysis, see my other post on why power analysis is dead. Timing analysis is similarly infeasible.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
The lawsuit alleges that Murdoch's company released the information with the intent that others would use the information to steal proprietary information (the video streams) from Murdoch's competitors. That is MUCH different than cracking a scheme for the sake of the knowledge itself or merely to see if it can be done.
The former case is analogous to the following: Employee has combination to Boss' safe where all company assets are kept. Employee and Boss have an antagonistic relationship. Employee publishes an ad in "Robbers Daily News" with the address of the business and safe combination knowing (or hoping with a high probability that his hope will come true) that Robber reading the RDN will use the combination and steal the assets. Robber actually does use and steal. Employee is part of a conspiracy to steal the company's assets and is guilty of the theft as much as Robber. Don't say that my scenario is not accurate - I assure you as a lawyer that under this hypothetical situation, Employee is a conspirator.
Also, don't say that trying to look at the subjective intent of the actors kcreates an unworkable situation because WE DO IT EVERY DAY. In courts all across this and other countries around the world, we use the intent of the actor to determine the guilt of people for crimes (or to determine levels of guilt) or liability for civil offenses. Example: Man runs Woman over with car. Did Man intend to kill woman? If yes == murder. If no == somehting else. Did Man drive recklessly such that his actions constituted a depraved indifference to human life. If yes == murder or homocide. If no == something else. Was Man driving carelessly? If yes == involuntary manslaughter or negligent homocide. If no == something else. Was Man driving according to all posted rules and carefully? If yes == accident, no intent (or substitute for intent like recklessness), therefore NOT GUILTY.
Although it is more work looking at subjective intent, it usually provides a more thorough examination of the situation and an individualized solution. Simple, bright line rules just do not work well in complex situations. Case in point: the DMCA.
Laws affecting technology will always be bad until enough techies become lawyers.
Smartcards for the general market have to be robust enough and low power enough that they are smallish CPUs. The fast ones are 8Mhz and have some crypto functions built in. In raw CPU terms they are about the same level as a fast Z80.
In a cable TV system, the smart cards generate a seed that is feed to crypto unit. Most system gave up on the smart cards that just say "they get channles 2-20,45,Pr0n..." since they were cracked within days but you never know when a 20 year old cable system is still in use. The Foxtel system in Australia for example uses a signal down the wire that goes to the smart card which then generates a pseudo random sequence. Each of thouse numbers is like an index that tells it where the line is swaped. Their encryption is they take each scanline, break it and send the second part first. Someone in Norway(?) had written a program that would look for the split in real time and put it back together. I guess Murdoch might have something to worry about if the rumor is true and someone else is willing to pay for a crack.
Modern credit card systems do the ATM pin hiding trick in the smart card. If you have access to the networks used by a large department store, it would take about a year to crack most repeat customer's pin numbers. Since most pin numbers are only 4 digits, you only need to be able to feed the chip a few wrong tries per "swipe" and if they come in a few times a week, you could try 500 pin codes in a year. If you do that with 20 different cards a week, you will have someones full account details and their pin number in a year. Since its automated, there is no use to limit yourself to 20. This works for both Visa and that cool new clear card from that company no one will accept.
So in a smartcard based credit card system, All you accounts are belong to us.
Using Focused Ion Beam technology, it is a simple matter to carve away pieces of the container and leave behind the parts that operate the switches. When that is done, the switches can be disconnected. A FIB mill is able to mill cuts smaller than a micron. I know as I use one at work in R&D in a chip plant. We take apart chips all the time to get critical dimension measurements and diagnose failures under several layers of the chip. One new chip had a design flaw where a VIA was where it was not supposed to be. This shorted the chip so it couldn't be probbed to check the health of the rest of the chip. The engineering data was saved by using a FIB to etch a circle around the VIA disconnecting that one connection. This saved much R&D time as we didn't need to get a new reticle fixing only one problem. The next reticle had the shorted VIA fix as well as many other changes based on the probed data of the chip. Disconnecting the tamper switch circuit that would erease a chip would be a trivial task.
The truth shall set you free!
Dear Lumpy,
/. and in other circles, which is that everybody thinks they aren't secure because of the encrypted TV problem. What they don't realize is that the encrypted TV problem in inherently insecure using current protcols. It wouldn't be the fault of the iButton any more than the current situation is the fault of the smart card industry. It is simply that the problem is hard.
I agree with you that the form factor of an iButton gives it the potential to be more secure than a smart card, even if both use basically the same technology for the chip itself. In fact I would even say that the this is an ideal application for the form factor of the iButton.
I will warn you though, that having iButtons placed in satellite TV decoders might be the worst thing that could ever happen to a good product.
As has been pointed out many times here, the problem with these encrypted TV schemes is that they seem to depend on all the cards having the same key. Please correct me if I am wrong. In a well designed smart card system all the cards have card unique keys, which means that if you go through the time and expense of cracking one card then you have one card cracked. This makes it so nobody even wants to crack a card because there is a limited amount of harm that you can do with one cracked card.
Since encrypted TV requires all the cards to have the same keys, cracking one card means that the entire system is cracked. You can pump out as many cards as you like. This means that there is actually incentive to crack the card, since you can do exactly what the culprits here did.
What is the point of all this? You can bet that if an iButton were used instead of a smart card that eventually a single iButton would be cracked. Even if it takes millions of dollars to crack a single one, it would be done. Then the iButton would be in the same boat as smart cards are in here on
Maybe they could make a "Super iButton" that could be larger, have its own internal power source and a nifty mesh like the IBM 4758. They would become more expensive and you'd have to toss them when the battery runs out, but that might work better.
Let me know what you think.
Lasers Controlled Games!