Slashdot Mirror


Time Machines, Computer Memory, and Brute Force Attacks Against Smartcards

An anonymous reader writes "IEEE Spectrum reports on a method that exploits the decaying contents of unpowered computer memory to create an hourglass-like 'time machine' that rate limits brute force attacks against contactless smartcards and RFIDs. The paper takes an odd twist on the 'cold boot' attack reported four years ago at USENIX Security. Not quite as cool as a hot tub time machine though." Full paper (PDF).

8 of 49 comments

  1. What? by jhoegl · · Score: 4, Insightful

    Why do I have to decrypt the summary?

    1. Re:What? by Baloroth · · Score: 5, Informative

      SRAM loses coherency in a statistically predictable pattern for a few seconds/minutes after it loses power. That means an otherwise powerless and clockless RFID chip can detect when it was powered on recently, and deny access attempts until at least a few seconds after the last access, rendering brute-force attempts vastly less practical (those normally use thousands of access attempts a second). Also, potentially annoying the hell out of anyone for whom the card doesn't work the first time, but security has always been a tradeoff with practicality (and if it is just a matter of seconds, not a huge deal).

      --
      "None can love freedom heartily, but good men; the rest love not freedom, but license." --John Milton
  2. Neat trick... by fuzzyfuzzyfungus · · Score: 3, Interesting

    Taking advantage of the (statistically) predictable decay rate of data stored in the RFID's SRAM is a cute trick for rough timekeeping, I have to admit.

    It makes me wonder, though, and some perfunctory googling isn't giving me the immediate gratification that I demand, is there anything reasonably practical that could modify the decay rate for SRAM, ideally in a way that would be practical for an attack? Does a strong magnetic field affect contemporary transistors in any useful way? Would a hit of radiation before each attack attempt sufficiently scramble the RAM contents before it also scrambled the nonvolatile memory storing the secret being attacked?

    1. Re:Neat trick... by fredprado · · Score: 2

      If you keep it hot but within working parameters that should do the trick. Working temperature ideally shouldn't get higher than 70 °C.

    2. Re:Neat trick... by Baloroth · · Score: 3, Informative

      If the attacker has lengthy, exclusive access to the chip and sufficiently advanced resources, basically nothing will stop them from cracking it. This technique is simply a software-added trick that can be used with cheap existing RFID technology to prevent drive-by attacks, not dedicated cracking. The key is "cheap": nearly free, in fact, rather than a more complicated method (my first thought was to use a simple RC circuit to detect if the card has had power in the last few seconds to achieve the same effect as this, but that of course would add complexity and cost and, most importantly, couldn't be used with existing chips. Also potentially crackable, but it would help).

      --
      "None can love freedom heartily, but good men; the rest love not freedom, but license." --John Milton
  3. First Officer, report! by MobileTatsu-NJG · · Score: 3, Funny

    Just like putting too much air into a balloon.

    --
    "I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)

  4. Re:Sounds like BS to me by Anonymous Coward · · Score: 3, Insightful

    Unlike your top-of-the-line PC, there are a lot of constraints on an embedded chip, especially one that costs pennies and runs on energy from the RF near field, including the amount of computation. Unlike whiteboard software, this is real-world engineering, where there is a trade-off between constraints (requirements, economic, physical) that oppose each other. So you might want to not mouth off without knowing the subject.

    The chip is also highly observable and a lot of information can be deduced from the amount of time for the processing and power profile during execution.

  5. Re:Sounds like BS to me by gman003 · · Score: 2

    Which makes it harder, actually.

    The "trick" is basically the card using the slow decay of unpowered memory to detect if the card has been powered on recently, and if so, force a small delay. The goal is basically to limit the rate of attacks with minimal impact on proper use (if the card reads properly every time, this has near-zero impact on proper use - it might annoy a bit if your card doesn't read right, having to wait a second or two to swipe again, but that's neither a terribly common case nor a significant impact on real users).

    Chilling it actually makes it worse for you, as the card will detect itself as "having been powered up recently" for longer than it would normally, so you limit your attack rate even more.
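The mechanism Baloroth describes in comment 1.1 (fill SRAM at power-up, measure how much of it has decayed at the next power-up, refuse the session if too little has decayed) and gman003's point in comment 5 about chilling the card, as an added simulation that is not code from the paper, from IEEE Spectrum, or from any commenter. The exponential per-cell decay model, the 4096-cell size, the 2-second minimum gap, the per-cell bias value a decayed cell settles to, and the `temp_factor` scaling of decay speed are all assumptions made for illustration:

```python
"""Simulation of an SRAM-decay hourglass used to rate limit a contactless card.

Constructed example. The decay model, cell count, the 2-second minimum gap and
the temperature scaling are assumptions for illustration, not values from the paper.
"""
import math
import random

MIN_GAP_S = 2.0  # assumption: card refuses a session if it looks powered within the last 2 s


class SramHourglass:
    """A card whose SRAM is filled with ones at every power-up; how many ones
    survive at the next power-up tells the card roughly how long it sat unpowered."""

    def __init__(self, n_cells=4096, mean_decay_s=4.0, seed=7):
        rng = random.Random(seed)
        self.n = n_cells
        self.mean_decay_s = mean_decay_s
        # Assumption: each cell keeps its value for an exponentially distributed
        # time after power loss, with mean mean_decay_s. Real SRAM decay is messier.
        self.decay_time = [rng.expovariate(1.0 / mean_decay_s) for _ in range(n_cells)]
        # Value a cell settles to once it has decayed (its manufacturing bias), fixed per cell.
        self.bias = [rng.randint(0, 1) for _ in range(n_cells)]
        # Fresh card: unpowered for a long time, so every cell sits at its bias value.
        self.unpowered_s = math.inf

    def wait(self, seconds, temp_factor=1.0):
        """Time passes with the card unpowered. temp_factor > 1 models a warm card
        (faster decay), < 1 a chilled one (slower decay); the scaling is an assumption."""
        self.unpowered_s += seconds * temp_factor

    def _read_sram(self):
        t = self.unpowered_s
        return [1 if self.decay_time[i] > t else self.bias[i] for i in range(self.n)]

    def estimate_idle_seconds(self, image):
        """Invert the decay model: ones = s + (1 - s) * 0.5, so s = 2 * ones - 1,
        and s = exp(-t / mean) gives t = -mean * ln(s)."""
        ones = sum(image) / self.n
        survived = max(2.0 * ones - 1.0, 1.0 / self.n)  # clamp so the log stays finite
        return -self.mean_decay_s * math.log(survived)

    def power_on(self):
        """One reader session. Returns True if the card will answer, False if it
        refuses because it was powered too recently."""
        idle = self.estimate_idle_seconds(self._read_sram())
        # Refill the hourglass on every power-up, refused or not, so that hammering
        # the card with fast retries never lets the timer run out.
        self.unpowered_s = 0.0
        return idle >= MIN_GAP_S


def brute_force_attempts(card, attempt_interval_s, window_s, temp_factor=1.0):
    """Attacker powers the card every attempt_interval_s for window_s seconds;
    returns how many of those sessions the card actually accepted."""
    accepted = 0
    t = 0.0
    while t < window_s:
        if card.power_on():
            accepted += 1
        card.wait(attempt_interval_s, temp_factor)
        t += attempt_interval_s
    return accepted


if __name__ == "__main__":
    print("100 attempts/s for 10 s, accepted:", brute_force_attempts(SramHourglass(), 0.01, 10.0))
    print("one attempt every 3 s for 30 s, accepted:", brute_force_attempts(SramHourglass(), 3.0, 30.0))
    chilled = SramHourglass()
    chilled.power_on()
    chilled.wait(3.0, temp_factor=0.5)
    print("3 s wait on a chilled card, accepted:", chilled.power_on())
```

Two things the simulation makes concrete: hammering the card at 100 attempts per second gets exactly one guess through in ten seconds, because every power-up refills the SRAM before the timer has a chance to run down, and a chilled card (`temp_factor` below 1) decays more slowly, so the same three-second wall-clock wait looks like a shorter idle period to the card and gets refused, which is gman003's point. Heating the card does the opposite in this model, which is the effect fredprado is after; in practice the usable range is bounded by the chip's operating temperature.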