Smart Cards Vulnerable to Photo-Flash Attacks?
belphegor writes "Researchers at the University of Cambridge have
found a way to use a camera flash and microscope to extract data from smart cards." Notable because it's apparently relatively
simple to do and really throws a monkey wrench into a variety of businesses
that use smart cards to store important data.
All that needs to happen is for makers of smart cards to send money to Congresscritters to pass laws against smart card "circumvention devices" and have anyone making, selling or possessing a flash-based camera arrested.
Remember, when a security technology is compromised you don't improve the technology, you outlaw anything that exposes its weakness.
STOP MISUSING APOSTROPHES, YOU MORONS!!!
They were able to expose the circuit to the light by scraping most of the protective coating from the surface of the microprocessor circuit that is embedded in each smart card.
With more study, the researchers were able to focus the flash on individual transistors within the chip by beaming the flash through a standard laboratory microscope.
Could they make the cards so that removing the coating destroyed the chip?
And if I'm not running an encrypted filesystem on a hard drive, and someone steals the hard drive out of that computer, they can read the data. Now I consider this article's significance to be just another reminder that physical security is important.
(quoting from the linked article)
"The Pentagon has armed soldiers with smart cards for online identity and physical access...Some of the information stored in the card is in the form of a number composed of ones and zeros that cryptographers refer to as a "private key." That key is part of a two-key system that is used to encode and decode information. The security of such systems is compromised if the private key is revealed. Typically, after the card holder authenticates the card by supplying a pin number, the private key will then be used to encrypt any sort of transaction using the card."
Since laws only stop people who obey laws. Not people with a large enough incentive to benefit from security circumvention.
a manufacturer who had read the paper said it believed its products were not vulnerable to the attack.
I love how the smart card manufacturing companies are just denying that this is a problem and saying that they've already looked at that issue. Do you really think they feel that way and have covered this problem already, or off the record they are panicking to find a way to fix the problem? I would guess that this is new to them, but that they don't want to admit their cards are vulnerable.
BTW, the story is taken from the NY Times, so if you have problems getting to the Yahoo! version of the story, try this link:
http://www.nytimes.com/2002/05/13/technology/13SM
Most people would die sooner than think; in fact, they do.
To do this he first needs to get physical access to the card, which is inside the phone (usually under the battery). Having access to the phone usually allows him to make calls anyway, without a complex card-reading procedure.
If it's secure, but only because no one knows how it works, then it's inherently *NOT* secure. When will they learn?
OBSCURITY IS NOT SECURITY
*sigh*
If someone grabs your smartcard, why wouldn't they just *use* it? Or call the credit card company, tell them they're you, pass their rigorous security screening questions like asking for your social security number, and get a new card. Social engineering is a lot easier than tunnelling a flash with a microscope.
... it's a *key*. That's why you keep keys safe. Someone grabs my keys (those little jangly jagged metal things), they can use them, and if they have key duplicating equipment, they can duplicate my keys. Big deal.
Jesus
I've finally had it: until Slashdot gets article moderation, I am not coming back.
Doesn't this attack require you to have physical possession of the card, and doesn't it destroy the card in the process? Doesn't sound like much of a security hole for GSM phones to me. When was the last time you loaned out your smart card to a criminal, and didn't mind getting it back disassembled? Now it is a serious security hole for the smart cards used for decrypting satellite television...