Smart-Card Hacking?

← Back to Stories (view on slashdot.org)

Posted by Cliff on Saturday June 18, 2005 @03:45AM from the what-exactly-do-they-put-on-these-things dept.

W3bbo asks: "With the ever-increasing information being stored on so-called 'Smart-Cards', including credit cards with the chips, how do we know what data is read by stores when you hand over your plastic? Seaching for 'smart-card hacking' just turns up satelite TV piracy websites and virtually nothing for (sort-of) legitimate investigation to our cards. So what methods are available to hack smart-card chips and see what information about us our banks store on our cards?"

32 comments

Min score:

Reason:

Sort:

Got junk? by Anonymous Coward · 2005-06-18 03:55 · Score: 0

Well, you can always read the mag-stripe with a audio tape player's read head. As for the chip, you could always try eBay for used reading hardware. ;x
1. Re:Got junk? by Anonymous Coward · 2005-06-19 13:24 · Score: 0
  
  1975 called, they want their technology back. Dude, these cards are the ones with the ICs in them? Like, a microcontroller and stuff? You can buy the socket at Digikey? Like, why would you even waste a minute trying to build something that's worth 10$????
it's called carding... by da5idnetlimit.com · 2005-06-18 03:56 · Score: 3, Informative

so have a few searches on this term
http://www.kallipse.com/creaweb/galaad/carding.php

Also there is an open source project devoted to reading cards and chips, don't remember the name right now...

Was on slashdot, so have a check 8)

--
It takes 40+ muscles to frown, but only four to extend your arm and bitchslap the motherfucker
1. Re:it's called carding... by Mattcelt · 2005-06-18 04:56 · Score: 4, Informative
  
  One of the original smart card hacks was done by Ben Jun, Paul Kocher, and Joshua Jaffe, the guys at Cryptography Research, using a technique called "Differential Power Analysis" which they did with a $50 HP oscilliscope to extract the private key stored on a smart card. You can find the white paper here.
2. Re:it's called carding... by pbhj · 2005-06-18 12:32 · Score: 1
  
  IIRC DPA is a subset of sideband analysis (or attack!). When I first came across this in a patent spec I thought "awesome" you can hack systems based solely on how much power is drawn??!!
  
  That's what I call 1337!!1111
  
  Did you notice the clue on a useful source of technical data ... try http://uspto.gov/ or http://ep.espacenet.com/
3. Re:it's called carding... by QuantumG · 2005-06-22 14:47 · Score: 1
  
  Wow, thanks to linking to a french document. Back in my day we used the term "carding" to mean credit card fraud. Now I hear the kids use the term "codes" for that.
  
  --
  How we know is more important than what we know.
Kind of Esoteric, But... by fuzzybunny · 2005-06-18 03:56 · Score: 4, Informative

The best way to learn is to latch onto someone who really knows their stuff (which is what I did on a previous project.) If you don't have that luxury, start looking at vendor pages (Schlumberger, ActivCard, Siemens, Utimaco, Gemplus, etc.) and chipset manufacturers (Infineon, Sagem or Giesecke & Devrient for example.)

Depending on how far down you want to dig (do you want to learn about applications? Circuit design? Interfaces? Security issues?) you should probably browse around related manufacturers' pages and related newsgroups. A good example would be looking at PKCS#11-related docs, Entrust implementation docs, the Javacard specifications, how Javacards differ from other implementations, docs on "Open Platform", types of card readers (class 1 through class 4, what is "middleware", how hardware key storage works, etc.)

A lot of card-related documentation and information is strongly vendor-specific, poorly documented and, to be honest, largely irrelevant for someone who wants to learn about it in a not-too-hardcore manner.

If you're professionally seriously interested, I recommend talking to one of the serious pros, such as Jerome Ajdenbaum who really know their stuff. For starters, though, a quick google search on "smart card" +documentation turned up a number of good results, including from Microsoft (whose card interface for many manufacturers and variants is surprisingly well-written), ,a href="http://java.sun.com/products/javacard/refere nce/docs/">Java card docs from Sun, and the Open Card platform.

--
Cole's Law: Thinly sliced cabbage
1. Re:Kind of Esoteric, But... by Cthefuture · 2005-06-18 04:26 · Score: 2, Informative
  
  Along with PKCS#11 and Javacard, you should be looking at all the ISO 7816 specifications for technical information.
  
  However, do any stores actually use the smartcard portion of the card? All I have seen is using the mag-strip on the back and nothing more (which is usually just your account number, expiration, and name on the card). So there is no "secret" information that is even being used on the card.
  
  Once you get into it you will realize that smartcards are not some magical device designed to invade privacy or something. Really, a smartcard is best for carrying protected private keys to be used with PKI (like a certificate). A smartcard provides benefits over traditional "soft" tokens by protecting your data in hardware.
  
  Generally speaking a smartcard has one or more sets of keys and maybe certificates to go with those keys (just like PGP keys or a certificate you get from Verisign). Other than that the information is similar to what is on your credit card. Maybe your name, expiration date, etc. Some military cards have more information about the person. Almost always all the information is also printed on the card somewhere (just like how your credit card's mag-strip has the same information stamped on the front of the card).
  
  --
  The ratio of people to cake is too big
2. Re:Kind of Esoteric, But... by swillden · 2005-06-18 05:05 · Score: 4, Informative
  
  Along with PKCS#11 and Javacard, you should be looking at all the ISO 7816 specifications for technical information.
  
  The ISO 7816 specs are generally not free. You buy them from your national standards body, which in the US is ANSI. It'll cost around $150-$200 to buy the whole set from ANSI.
  
  However, much of the content of the 7816 documents is replicated in the EMV specifications. EMV stands for Europay Mastercard Visa and is a consortium for establishing smart card banking standards, so if you're interested in looking at your bank card chip, that's the more relevant set of documents anyway. You can find all of the EMV documents on-line, free, at the EMVCo web site. You may still have to acquire some of the 7816 specs (parts 3 and 4 are probably the most important), but the EMV docs contain most of what you need. Word of warning: be prepared to plow through a lot of material. Smart card technology has acquired a lot of complexity through 30 years of incremental enhancements.
  
  --
  Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
3. Re:Kind of Esoteric, But... by fuzzybunny · 2005-06-18 05:10 · Score: 2, Interesting
  
  Oh yeah? OH YEAH? Well, if you're going to provide actually _useful_ information, I might as well. Sigh. :-)
  
  One common implementation of the key store Cthefuture mentioned uses the concept of a fixed-size "private" store on the card to protect your private keys via some sort of applet (as on a Javacard) or similar application. A "smart card" is basically a tiny computer with an external power source--it provides a processor and storage on board.
  
  Your public keys will reside in a "public" store, typically 3x or more the size of the private store. The rest of the card can, in some instances and depending on the middleware present on the host computer, be used for application storage and execution, not just storage of personal data.
  
  What you might also look into, if you're interested in hardware crypto, is the concept of hardware key storage units, such as the Chrysalis-ITS Luna, often used to protect master keys of smart card distributions, or CA signing keys.
  
  Lastly, if you're getting yourself into a smart card-related deployment, you really should be aware that the technology, while occasionally fiddly, isn't going to be your core problem--especially if you're doing authentication, it's going to be the management of the cards and credentials (think: "what to do when called up with 'mommy I forgot my card at home'".)
  
  --
  Cole's Law: Thinly sliced cabbage
4. Re:Kind of Esoteric, But... by AdamInParadise · 2005-06-18 08:31 · Score: 1
  
  Well it's really not this clear cut. Basically, a smart card can store data (between a few bytes and a few megs) and process data (which is very handy for private keys and certificates). So you can't really tell what's going on in there. Maybe nothing, maybe close to nothing or maybe a whole bunch of stuff.
  
  To answer the main question, this data is usually protected anyway: if you don't have the right key, you will get nothing*.
  
  Regards,
  AIP
  
  * unless you're very smart and have access to a few million dollars worth of equipment.
  
  --
  Nobox: Only simple products.
5. Re:Kind of Esoteric, But... by aminorex · 2005-06-18 18:20 · Score: 1
  
  I get mine from ed2k
  
  --
  -I like my women like I like my tea: green-
Who else finds it funny... by Toby_Tyke · 2005-06-18 04:21 · Score: 2, Funny

That the story below this one is "Security Breach Exposes 40M Credit Cards" ?

--
"I realise this is not a very popular opinion but it's the truth, and there for needs to be said" -Bill Hicks
Re:Legitimate Investigation? by FidelCatsro · 2005-06-18 04:45 · Score: 2, Insightful

1:) finding out what personal data is stored on your card
2:) hacker(traditional meaning) mentality ,Some of us just can shake the urge to explore discover and create.
3:) setting up your own credit card reader to go into bussiness as a manufacturer

--
The only things certain in war are Propaganda and Death. You can never be sure which is which though
No "sort-of" about it... by Saeed+al-Sahaf · 2005-06-18 04:59 · Score: 2

...and virtually nothing for (sort-of) legitimate investigation to our cards...
I think it's important to understand that there is no "sort-of" about it. We have every right to know what information is contained on the cards that we use. Why wouldn't we? What can there possibly be there that is none of our business?

--
"Who are in control, they are not in control of anything - they don't even control themselves!" - Glen Beck
1. Re:No "sort-of" about it... by tengwar · 2005-06-18 07:47 · Score: 1
  
  Well, I can think of at least one example. GSM phones use SIMs (UICCs), which are a type of smartcard. These have a secret key on them, Ki, which is also present in the home network's authentication centre (AuC) - and nowhere else. A challenge and response mechanism is used to authenticate the SIM when it is used in a phone, and to create a session key (Kc) for air encryption. It is essential that no-one is able to determine Ki, since this would allow the SIM to be cloned, allowing fraud. I imagine similar principles apply to credit and ATM cards.
  BTW, yes I know some SIMs have been broken - they used an inappropriate algorithm.
2. Re:No "sort-of" about it... by vettemph · 2005-06-18 07:52 · Score: 1
  
  > What can there possibly be there that is none of our business?
  
  Your Homeland Security Threat Rating??? ;)
  
  --
  The government which is strong enough to protect you from everything is strong enough to take everything from you.
3. Re:No "sort-of" about it... by Anonymous Coward · 2005-06-18 08:00 · Score: 0
  
  You know what everyone here is talking about, don't be dense.
Maybe this is too obvious... by WonderSnatch · 2005-06-18 05:34 · Score: 1

Have you tried calling your card company?

Brett
Card security attacks by brejc8 · 2005-06-18 05:46 · Score: 3, Informative

These break down to a few different kinds:
Information leaking e.g. power analysis: observe the power consumption of a divide to determine what operations it is executing and what data it is working on. Usually these will only tell you the number of bits which are on in a particular stage. I found the ARM 6 gave a very clear signature of the result of the adder and could determine the number of on bits down to the nearest 2.
Error introduction e.g. clock glitch attack: This is an asynchronous engineers favorite. Basically a method of inserting errors into the processor in a deterministic method. Say the processor stage calculating a compare operation is the worst case path, the attack inserts an early clock forcing the comparison to be incorrectly made. Place this in the "are the checksums correct" code. Usually though these are a little more difficult than that.
Brute force with limited tries e.g. Flash charge pump: So to crack your card it only takes as many attempts as there are pin code combinations. To stop people from just trying out the 10,000 or so combinations the card remembers how many tries you had. Before it writes something to the flash it needs to drive up a charge pump. This is visible using power analysis and at this point you cut the power and try again.

More interestingly why are these not investigated? Well because there is no money for it. The async community has been offering better methods but the companies who make the only get a tiny profit are not inclined to make them any better.

--
Mouse powered Chips, Open source Processors and Lego
h1kari did some smart card work: by undef24 · 2005-06-18 06:19 · Score: 1

http://www.dachb0den.com/projects/scard/smartcards .ppt
dear /. by Anonymous Coward · 2005-06-18 07:40 · Score: 0

i want to learn how to hack id cards so i and my buddies can see if we can make money with the data. the problem is we're not sure how to do it.

can you help?
Circuit Cellar by AndroidCat · 2005-06-18 09:14 · Score: 1

Circuit Cellar magazine has articles on smart cards, RFID, etc, now and then.

--
One line blog. I hear that they're called Twitters now.
mnb Re:it's called carding... by Anonymous Coward · 2005-06-18 09:17 · Score: 0

Could you tell me where I can get an $50 HP oscilliscope?
1. Re:mnb Re:it's called carding... by Anonymous Coward · 2005-06-18 18:44 · Score: 0
  
  Gee, how about here? ($9.99)
  
  Or one that works for sure here. ($79.99)
  
  The auctions are already complete. I'll let you do the searching for ones you can buy yourself, now that I've shown you how, smartass.
2. Re:mnb Re:it's called carding... by Anonymous Coward · 2005-06-19 03:33 · Score: 0
  
  Ahh - so a $20 (not $9.99) broken one or a $80 working one with parts missing IS a $50 fully functional one!
  
  I see!
MUSCLE project by sgifford · 2005-06-18 11:48 · Score: 2, Informative

Information from the MUSCLE smartcard-on-Linux project be useful:

http://www.linuxnet.com/

--
My Web Page
Frighteningly enough by Dachannien · 2005-06-18 20:58 · Score: 1

There may be a potential DMCA violation involved with doing this, especially if credit card company-issued smart cards contain proprietary copyrighted information on them. In any case, the threat of a lawsuit (whether it's valid or not) may be enough to silence any efforts to figure out what sorts of personally identifiable info is stored on these cards.
Re:Legitimate Investigation? by Anonymous Coward · 2005-06-19 06:21 · Score: 0

Please pardon the cowardly post but I thought it might be helpful to mention a site that is compiling information on just such a topic. http://www.smartcardscanada.com/> is just starting out but has links to National identity card sites, smart card manufacturers, smartcard software sites and chipcard discussion and programming sites.
Phrack by th0mas.sixbit.org · 2005-06-20 01:56 · Score: 1

There was an article in the last phrack issue that dealt with precisely this, with specs on making a data sniffer for smartcards and what tools to use in the process. www.phrack.org, find it from there (the title was stylish with the word "cards" in the title, I can't give you a link as I'm at work).

--
twitter.com/gravitronic
Iso Spec by Anonymous Coward · 2005-06-22 02:04 · Score: 0

www.cardcoders org for more information on that spec =)