Digipass Instrumentation for Fun and Profit - DefCamp 2012


Transcript

  • 1. DefCamp 2012. Adrian Furtunǎ, PhD, CEH (adif2k8@gmail.com)
  • 2. About me
    - PhD in information security, CEH
    - Penetration tester at KPMG Romania: web apps, infrastructure, mobile apps, source code reviews, + some other annoying stuff
    - Always like to prove my point…
  • 3. What is this all about? The FUN part
  • 4. What is this all about?
  • 5. Our subject(s)
  • 6. Our subject(s)
    - Digipass = security token
    - Disconnected, display, keypad
    - Used for: user authentication (2nd factor) - OTP; transaction signing (e.g. Internet Banking)
    - Vendors: Vasco, CryptoCard, RSA, etc.
  • 7. What is this all about? (still the fun part) A machine that simulates human behavior when using a digipass:
    Brains:
    - Command the machine
    - Keep track of the logic state
    - Select the desired muscles and send the necessary signals
    - Read an image from the eyes
    - Interpret the image and make the next move
    Neurons:
    - Transport the signal from the brain to muscles
    - Give the muscles the necessary power/energy to action
    Muscles:
    - Push when powered on
    - Release when powered off
    Eyes:
    - Provide images for the brain
    - Tell the brain what is happening outside
  • 8. OK… But why? Motivation
  • 9. The profit part. Remember the old rounding attacks against Internet Banking apps? When working with two decimals most banks round to the closest value:
    - 8.3478 EUR ~= 8.35 EUR
    - 8.3436 EUR ~= 8.34 EUR
    - max profit = 0.005 EUR
    About rounding attacks:
    - "Asymmetric Currency Rounding" by M'Raïhi, Naccache and Tunstall of Gemalto, 2001, http://tinyurl.com/d5akdkk
    - "Is Your Online Bank Vulnerable To Currency Rounding Attacks?", Mitja Kolsek of ACROS Security, 2012, http://tinyurl.com/6wpg7ew
  • 10. Rounding in currency exchange (1). Use the Internet Banking application to transfer money between your own accounts (e.g. RON -> EUR):
    RON      EUR       EUR (rounded)   Exchange rate (RON / EUR, rounded)
    4.40     1         1.00            4.40 (official)
    2        0.4545    0.45            4.44
    1        0.2272    0.23            4.34
    0.5      0.1136    0.11            4.54
    0.05     0.0113    0.01            5
    0.03     0.0068    0.01            3
    0.023    0.0052    0.01            2.3 (the best)
    0.02     0.0045    0.00            not good
    100 * (0.023 RON -> 0.01 EUR) => 2.3 RON = 1 EUR
  • 11. Rounding in currency exchange (2)
  • 12. The Bank said… Known issue but we have the digipass to protect us:
    1. User initiates currency exchange in IB application
    2. Application sends challenge code to user
    3. User inputs code into digipass
    4. User reads digipass response
    5. User sends the response to IB application
    6. Application finalizes the transaction
  • 13. The Bank said… Known issue but we have the digipass to protect us:
    1. User initiates currency exchange in IB application
    2. Application sends challenge code to user
    3. User inputs code into digipass (now automated!)
    4. User reads digipass response (now automated!)
    5. User sends the response to IB application
    6. Application finalizes the transaction
    We can make lots of transactions automatically.
  • 14. How much?
    C1 = minimum amount of currency 1 (e.g. 0.023 RON)
    C2 = minimum amount of currency 2 (e.g. 0.01 EUR)
    Ex_b = exchange rate for buying C2 with microtransactions (e.g. 2.3). Ex_b = C1 / C2
    Ex_s = exchange rate for selling C2 (e.g. 4.4), the real exchange rate, fixed by the Bank
    x RON --(Ex_b)--> y EUR --(Ex_s)--> z RON
    z = y * Ex_s = (x / Ex_b) * Ex_s = x * (Ex_s / Ex_b)
    multiplication rate = Ex_s / Ex_b
    transactions required = x / C1
    Currency 1   Multiplication rate   Initial amount (x)   Final amount (z)   Gain              Transactions required
    RON          4.4 / 2.3 = 1.9       100 RON              190 RON            90 RON ~ 20 EUR   100 / 0.023 = 4347
  • 15. How the Banks should protect themselves
    - Limit the number of transactions that can be performed in a given time
    - Limit the minimum currency amount that can be exchanged in a transaction
    - Monitor for suspicious transactions (very small amounts)
    - State in the contract that such transactions are illegal
    - Introduce a small fee for currency exchange operations (e.g. 0.01 EUR)
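As an added example (not from the talk), a small Python model of the rounded exchange from slides 10 and 14: it reproduces the per-amount effective rate Ex_b and the multiplication rate Ex_s / Ex_b, then evaluates whether the minimum-amount and per-transaction-fee controls from slide 15 actually remove the gain. Round-half-up to the cent and a flat fee charged in the target currency are assumptions; the amounts and the 4.4 rate are the slide's own.

```python
from decimal import Decimal, ROUND_HALF_UP

# Assumption: the bank rounds to the closest cent (ROUND_HALF_UP), as slide 9 describes.
CENT = Decimal("0.01")

def round_cents(amount):
    """Round an amount to two decimals, to the closest value."""
    return Decimal(amount).quantize(CENT, rounding=ROUND_HALF_UP)

def exchange(amount_c1, rate_sell, fee_c2="0"):
    """C1 -> C2 at the bank's rate, rounded to cents, minus an assumed flat fee in C2."""
    return round_cents(Decimal(amount_c1) / Decimal(rate_sell)) - Decimal(fee_c2)

def effective_buy_rate(amount_c1, rate_sell, fee_c2="0"):
    """Ex_b: C1 actually paid per unit of C2 received; None when nothing is received."""
    received = exchange(amount_c1, rate_sell, fee_c2)
    if received <= 0:
        return None
    return Decimal(amount_c1) / received

def multiplication_rate(amount_c1, rate_sell, fee_c2="0"):
    """Ex_s / Ex_b for one round trip; above 1 means the customer gains on every cycle."""
    ex_b = effective_buy_rate(amount_c1, rate_sell, fee_c2)
    return Decimal("0") if ex_b is None else Decimal(rate_sell) / ex_b

def transactions_required(initial_c1, amount_c1):
    """Whole micro-transactions needed to convert the initial balance (slide 14: x / C1)."""
    return int(Decimal(initial_c1) / Decimal(amount_c1))

def worst_case_rate(rate_sell, min_amount_c1, fee_c2, candidate_amounts):
    """Highest multiplication rate still reachable under a policy; 1 or below means no gain left."""
    allowed = [a for a in candidate_amounts if Decimal(a) >= Decimal(min_amount_c1)]
    return max((multiplication_rate(a, rate_sell, fee_c2) for a in allowed), default=Decimal("0"))

if __name__ == "__main__":
    amounts = ["4.40", "2", "1", "0.5", "0.05", "0.03", "0.023", "0.02"]  # rows from slide 10
    for a in amounts:
        print(a, "RON ->", exchange(a, "4.4"), "EUR, Ex_b =", effective_buy_rate(a, "4.4"))
    print("no policy:      ", worst_case_rate("4.4", "0", "0", amounts))
    print("min 1 RON only: ", worst_case_rate("4.4", "1", "0", amounts))
    print("fee 0.01 EUR:   ", worst_case_rate("4.4", "0", "0.01", amounts))
```

Running it shows that a minimum amount of 1 RON by itself still leaves a rate slightly above 1 (the 4.34 row on slide 10), while the 0.01 EUR fee pushes every row below 1.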
  • 16. Behind the curtains… Back to the FUN part
  • 17. External vs Internal instrumentation
    Internal instrumentation (direct electrical connections):
    - Pros: more reliable and faster; almost error free
    - Cons: might not always be possible (some digipasses deactivate if opened); must know the pinout of the LCD screen (lots of pins!); sensitive soldering required; mistakes can lead to deactivation
    External instrumentation:
    - Pros: no interference with the digipass's internals; can be applied to any digipass model
    - Cons: pretty slow (but good for the "low and slow" approach); some (mechanical) errors occur on pressing buttons (resolvable by a more professional construction); the OCR process needs special (lighting) conditions to produce correct results
  • 18. Electric diagram
    D3 D2 D1 D0   Sx    Digipass key
    0 0 0 1       S1    0
    0 0 1 0       S2    1
    0 0 1 1       S3    2
    0 1 0 0       S4    3
    0 1 0 1       S5    4
    0 1 1 0       S6    5
    0 1 1 1       S7    6
    1 0 0 0       S8    7
    1 0 0 1       S9    8
    1 0 1 0       S10   9
    1 0 1 1       S11   =
    1 1 0 0       S12   S
    1 1 0 1       S13   ON/OFF
  • 19. Optical Character Recognition. Pipeline shown on the slide: Original -> Cleared background -> Blurred -> Threshold applied -> OCR-ized (gocr / ocrad). Sample display values and OCR output as printed on the slide: 7169309 -> -_16g309; 1757450 -> 1_5_G50; remaining samples (garbled in the transcript): 043i, __ i_ì, OG3i, _i_i, 9a__641 4, 9__6G1G
  • 20. Current performance
    - 10 transactions / minute (6 seconds / transaction) => max 21600 transactions / day
    - Per transaction: enter PIN, type challenge code, read response image, do OCR
    - Our previous example: 100 RON -> 190 RON (gain ~20 EUR) => 4347 transactions * 6 sec/trans = 26082 sec = 7h:14m:42s
    - Maximum amount to multiply per day: 21600 * 0.023 RON = 496.8 RON => final: 943.9 RON, gain 447 RON ~= 101 EUR/day
    - Money making machine?
  • 21. Photo gallery
  • 22. The first POC
  • 23. Development stages (1)
  • 24. Development stages (2)
  • 25. Development stages (3)
  • 26. Development stages (4)
  • 27. Final version - back
  • 28. Final version - front
  • 29. Demo
  • 30. Thank you! QUESTIONS? Adrian Furtunǎ, PhD, CEH, adif2k8@gmail.com, http://pentest-tools.com