Smartvs Dumb : 1)microprocessor chip 2)Tamper resistance : -it can execute small applications -perform crypto operations; difficult cloning difficult tampering and data extraction : best option for SIM cards that store private key; subscriber identity token + call encryption- Have contact and contactless interfaces
The IC package contains : CPU, crypto co-processor, ROM, EEPROM and RAM. Modern smart cards: 32bit CPU 10Mhz, ~8KB RAM, ~80KB ROM, 400KB EEPROMProtection against invasive and non-invasive attacks: power analysis, side channel attacks: EM emission – fault injection , modifying the circuits
-Oyster card,Conditional Access Cards (pay TV), Access control cards-Proprietary operating systems , Proprietary encryption and comm protocols (CRYPTO-1 stream cipher failure)-No post issuance applications
-Example: Corporate badges, College cards, Military/Law enforcement personnel (access control) -Stores and runs applications with different security importance level-Java, .NET, C and even Google Dalvik code (dkard)-Post issuance application management: Uninstall/update/install apps, encryption keys or data files.
Smart cities: Funded by EU (2007-2013) , 6 countries in north sea region : UK, DE, NL, BL, SE, Norway ; Gov and academic co-work to facilitate : e-Gov servicesNHS: Medical records and EPS Oyster: 22m cards, <300ms transaction processing speed (offline), Project to integrate it in the banking cards (no topup)
NXPmaifare card : proprietary stream cipher algorithm attack; key recovery attack EMV relay attack: public static and dynamic authentication protocol ; rouge POSSykipot: Steals PIN code using keylogger then When a card is inserted into the reader, the malware then acts as the authenticated user and can access sensitive information. A trend: moving from protocol attacks to smart card software Next?? On the card itself??
-Was running at least for 3 years before being detected. -Attackers view the list of PKI certificates and logon to protected resources via C&C commands (SSL); common C&C commands we had seen in our analysis of a defense equipment manufacturer network break-in in summer 2011; same actors??Smart card proxy malware had been seen before this incident, but this one was the first attack against an specific product ActivIdentityʼsActivClient solution
Why the malicious code threat to smart cards is important to research?
8bn Excluding RFID chips Internet of Thing : radio tags are embedded in things and things people ware or carry which can identify them to computer systems or small GSM connectivity modules used in M2M . Remote monitoring of utility meters, high value items tracking, smart energy grids; challenge: deploying application securely, over the air management ; tamper resistance smart cardsFirst NFC SIM cards rolled out in France by orange in Jun (beats the NFC chip on handset approach) , Microsoft Windows 8 digital wallet , jun 2012, Wallet API and wallet vulnerabilitiesCyberwar is going on silently and we have seen malware was delivered and planted successfully in high security isolated environments, Smart cards are cosy place to plant malicious code in a very large scale. Compare with something like web servers and web apps on the netIntegrated NFC, SIM or microSD, Fob or Sticker
Fixed : Phone cards, Health card, RFID tags, most of Access Control Cards- Dynamic:Banking card, SIM card, Government Identity Cards
- Application sandboxing
MULTOS:Gov and Military grade security; Expensive and complicated development process; Proprietary VM (MULTOS Executable Language) MELJavacard: Developed by Sun/Oracle; The most popular smart card; mainly used in telecomm (SIM cards) and banking sector as well as a certificate storage card (cheap); runs on different chips from different vendors .NET card: Smart card of choice for multi-factor authentication and remote access to Windows networks; has easy to use SDK for Microsoft Visual Studio 2005 to 2010
- First embedded MS .NET implementation in 2004, even before .NET Micro (2009)MS:Over 300.000 badges delivered since 2005USA DoD: combination of .NET and JavaCardsUK DoD: .NET smart card for remote access to ISA 2006 and (intelligent app gateway) IAG 2007
Adds smart card based OTP to FIM
Windows like file system1 base class library: mscorlib.dll , 1 smart card specific library: PIN and transaction management, .NET remoting
Evaluation assurance level (EAL) : numeric grade for evaluation the security IT products.Widely used by smart card vendors to give “assurance” to consumer; performed by approved companies certifited by CBELA5 means that independent pen test was done on chip OS and hardware ELA4+ independent pen testing and possibility source code audit
We have good tools and procedures for rev engineering the software and even embedded systems, however this is not the case for smart cards: they are designed to resists hardware reving and hacks; a smart card test lab would cost more than 200K USDNormally begins with profiling the target software (dynamic analysis of file system, registry , network access) or identifying the CPU architecture, hardware security measures and operating system type for embedded systems firmware or binary code disassembly Running firmware or its components inside emulator; file format, network protocol fuzzingMonitoring the target process or JTAG or serial port
Sensors: light, power Shields: protects against probsEncryption: logic encryption and os code encryptionMakes chip hardware reverse engineering very expensive My goal was finding vulns in the virtual machine not reversing an algorithm running on the chip My approach: reverse engineering the converter program in the SDK that converts the MS .NET assembly to .NET card binary -> knowledge of card binary metadata and their meanings-> model the way that card’s VM loads and execute apps-> identify interesting metadata and manipulate them to trigger vulns in the card’s VM
- The first such tool for smart cards
-More technical details is available at sensepost research web site
Decided to create limited set of test cases forHIVE headers which will be parsed by ContentManagerIL code section which will be verified and executed by the VMDigital signature header was interesting case, because card security model was built on assemblies public key
RSA modulus and public exponent were the only required information to a) verify the card binary’s signature a) compute the PBKTWhy the PBKT is already there?For performance reasons??
PBKT can be easily computed by knowing the RSA_modulusPBKT is the application’s identity token
Can we modify it to spoof the identity of other apps and bypass the app firewall?
Backdoor or vuln??
Rev. engineering: includes analysis of obfuscated code of the converter, writing small .NET programs to map different .NET types and method to their hive binary data, find out how different metadata tables are built and how they can be parsed correctly.Hex editor: can be trivial for modifying different sections of the same binary, but is not easy to use with different card binaries which have the same header or metadata table in a different file offsetRandomly modifying the card binary and loading it into the card can damge VM memory and render the card useless
Picture of attack
Case study document from MULTOS web site; NATO member militaryMulti-application card ; cashless payment and health care apps sit next to access control app
How many of you use smart card based authentication?Do you use HSM or card management solution?If the attacker had admin key, then he could simply download the file and there was not need to exploit PBKT vulnerability
- Public key is public!
- Exploit: Modifying the fldHnadle to types without hasRVA modifier->Raw memory read
Picture of the dead card
Transcript of "Inside .NET Smart Card Operating System"
Inside .NET Smart Card Operating System
44Con, September 2012
Behrang Fouladi, SensePost
Multi-application Smart Card Platforms
.NET Smart Card
• First .NET virtual machine on the chip
• Native support in Windows 7 and server 2008
• Used in:
– Smart card based corporate badges (Microsoft
– Remote Access Control (USA DoD and UK MOD)
Card application development
Deployment & Debugging ??
Communication (APDU) ??
Card application development
(1) Compiles program
(3) Signed card binary
to card binary
(4) .NET remoting comm.
(5) APDU comm.
How secure is .NET card?
• Has EAL5+ certified Infenion chip
• EAL certification is widely used by smart card
industry (EAL3 to EAL7)
• .NET card OS is designed to achieve EAL4+
• EAL4+ audit:
– takes 6 to 9 months, costs high 10sk to low 100sk £
– includes independent penetration testing and source
code review in some case
• No published vulnerabilities so far
Smart Card Vuln. research
• No Chip OS binary is available
• Traditional tools (debuggers, disassemblers)
• No publicly available testing tools
• Secure chips have sensors, shields, encryption
• ON-card bytecode/IL code verifier
Manipulating Digital Signature Header
Digital signature Header
Object counters Header
Namespaces reference table
Types reference table
Methods reference table
Fields reference table
Program code (IL code)
SHA1 hash of the full assembly
Public key token
RSA modulus length
RSA public exponent
Manipulating Digital Signature Header
(Bypassing .NET card app Firewall)
Old school attack: Public Key Token Spoofing
Let’s use the HiveMod tool to test this
Manual testing vs. HiveMod
Rev. engineering the SDK: ~2 months
Hex editor for binary patching : Frustrating
Modified card binary needs to be signed
Destroying at least 10 cards: ~200 Euros
Real World Attack?
Access control app
(4) save to card
(no GSM access)
(1) Attacker plants malware
(3) Access control data
Fiction or Real?
Document available on the internet
• “An attacker needs administration key to be able to
upload his malicious application on the card, This Key is
normally securely stored in a HSM or a smart card
• “Knowledge of the Public Key Token of the
targeted application is required”.
• “The targeted application must use private
file-system storage for its data to be exposed.
Therefore, internal (Application Domain)
storage is immune to such attack”.
• Unauthorized memory read in InitializeArray():
public static void InitializeArray(Array array,RuntimeFieldHandle fldHandle);
• Results: Partial memory dump
• Destroys the card (no reliable exploitation
check the apps PKTs for tampering.
Use a secure card management system
Smart card apps can be patched/updated , but
not the card’s OS!
• Smart cards OS and apps and card
management software need pen tests too!
• HiveMod Tool would be available to Smart
Card vendors and security researchers