The document discusses smartcards and RFID tags, explaining that they provide more secure authentication than passwords but are still vulnerable to hacking through logical attacks targeting flaws in cryptographic algorithms, key management, or security protocols, or through physical attacks manipulating the hardware. It also provides examples of attacks that have broken proprietary crypto systems in smartcards and weaknesses like default keys that have enabled attacks on key management.
Hacking Smartcards & RFID
1. Hacking smartcards & RFID
Erik Poll
Digital Security
Radboud University Nijmegen
1
2. What are smartcards & RFID tags?
Micro-controller with contact interface or contactless interface
Erik Poll – Digital Security 2
3. Why use them?
Convenience
• more convenient than username/password
Security
• more secure than username/password
Also more convenient & secure than barcodes and magstripes
4. What makes them secure?
• Tamper-resistant and tamper-evident – to some degree, but never tamper-proof
• no way to remove or access the “hard disk”
• therefore
– any access to data - say the credit on your ov-chipcard - is under control of the card’s functionality
– the same goes for adding or changing code on the card (if possible at all)
5. What can they do?
1. stupid card – just reports some data
– card shouts out a (unique) serial number on start-up
2. stupid smartcard aka memory card – provides configurable file system with some access control
– by means of PIN code/passwords or crypto keys
– or even simpler: irreversible writes (OTP or WORM memory)
3. smart smartcard aka microprocessor card – provides programmable CPU that can implement any functionality
6. Smartcard hardware for microprocessor cards
• CPU (usually 8 or 16, but now also 32 bit)
• possibly also
– crypto co-processor & random number generator (RNG)
• memory: RAM and ROM & EEPROM
– EEPROM serves as the smartcard's hard disk
• no power, no clock!
A modern card may have 512 bytes RAM, 16K ROM, 64K EEPROM and operate at 13.5 MHz
7. Do-it-Yourself
• Buy a card reader or NFC mobile phone
• Buy some tags and cards
• Programming your own smartcards is possible using JavaCard or MULTOS smartcards
• Check
– www.ru.nl/ds/smartcards
– libnfc
– proxmark
– rfidiot.org
8. Attacking smartcards and RFID
• logical attacks
– find flaw in the functionality, targeting eg
• the crypto – ie the cryptographic algorithms
• the protocol
• the key management
• any other functionality
• physical attacks
– physically mess with the card
• combinations
– abuse functionality while you mess with the card
9. The simplest physical attack
External power supply and external clock
• Vcc: originally 5 V, now also 3 V or 1.8 V
• Vpp: higher voltage for writing EEPROM (13 V)
Vpp no longer used: painting over this contact is a major security threat
10. Logical attacks: tools of the trade
for passive eavesdropping or active Man-in-the-Middle
11. Logical attacks: A very weak RFID tag
12. Mifare Ultralight
• Used in disposable ov-chipkaart
• No keys to protect memory access
• Relies on read-only and write-once memory for security
• Memory organised in 16 pages of 4 bytes
– first part is read-only
• includes 7 byte serial number
– second part is One Time Programmable (OTP)
• you can write 1's, not 0's
• includes data for locking
– third part is readable & writable
13. MIFARE Ultralight memory layout
Page   byte 0     byte 1     byte 2     byte 3       region
0      UID0       UID1       UID2       checksum     serial number (UID) – read only
1                                                    UID – read only
2      checksum              lock 0     lock 1       OTP
3      OTP 0      OTP 1      OTP 2      OTP 3        OTP
4–11   application data                              read/write
14. Flaw in disposable ov-chipcard
• the two lock bytes are initially 0x00F0
• the terminal sets them to 0xF8FF to invalidate a tag
• we can change an invalid tag so that terminals fail to
recognize it as invalid...
• the lock bytes are OTP, so the remaining 3 zero bits can still be
set to one, making the lock bytes 0xFFFF
• flaw in terminals: tags with lock bytes 0xF8FF are
recognized as invalid, but tags with 0xFFFF are not
• flaw since fixed by patching terminals
[Source: "Security Evaluation of the disposable OV chipkaart", by UvA
students Pieter Siekerman and Maurits van der Schee, July 2007]
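The flaw above comes down to two facts: OTP memory can only ever turn 0 bits into 1 bits, and the terminal tested for one exact value instead of for the bits that the invalidation write sets. The following is an added example, not code from the slides or from the 2007 evaluation; it models the lock bytes as write-once memory, plays the attacker's write, and puts the terminal check as the slide describes it next to a monotone check (my own formulation, not the patched terminals' code). The initial value 0x00F0 and the invalidation value 0xF8FF are taken from the slide.

```python
"""Write-once lock bytes of a MIFARE Ultralight tag and the terminal check
that the disposable ov-chipkaart terminals got wrong.
Added example, not code from the slides or from the 2007 evaluation."""

# Values from the slide: the lock bytes are issued as 0x00F0 and the
# terminal writes 0xF8FF to invalidate a used-up tag.
LOCK_ISSUED = 0x00F0
LOCK_INVALIDATED = 0xF8FF


class UltralightLockBytes:
    """Lock bytes live in the OTP part of the tag: a write can set bits to 1
    but can never clear a 1 back to 0, so the tag effectively ORs every
    written value into storage."""

    def __init__(self, value: int = LOCK_ISSUED) -> None:
        self.value = value & 0xFFFF

    def write(self, new_value: int) -> int:
        self.value |= new_value & 0xFFFF  # zeros in new_value are ignored
        return self.value

    def read(self) -> int:
        return self.value


def remaining_settable_bits(lock: int) -> int:
    """How many lock bits are still 0 and can therefore still be written."""
    return bin(~lock & 0xFFFF).count("1")


def terminal_is_invalid_flawed(lock: int) -> bool:
    """The check as the slide describes it: only the exact value written at
    invalidation time counts as 'invalid'."""
    return lock == LOCK_INVALIDATED


def terminal_is_invalid_fixed(lock: int) -> bool:
    """A monotone check (my formulation, not the patched terminals' code):
    OTP bits only ever go 0 -> 1, so a tag is invalid as soon as every bit
    of the invalidation pattern is set, whatever was set afterwards."""
    return (lock & LOCK_INVALIDATED) == LOCK_INVALIDATED


def attack(tag: UltralightLockBytes) -> int:
    """The attacker's move from the slide: set the three remaining zero
    bits so that the lock bytes read 0xFFFF."""
    return tag.write(0xFFFF)


def demo() -> dict:
    tag = UltralightLockBytes()
    tag.write(LOCK_INVALIDATED)  # terminal invalidates the tag
    invalidated = tag.read()
    attacked = attack(tag)
    tag.write(LOCK_ISSUED)       # writing zeros cannot undo anything
    return {
        "after_invalidation": invalidated,
        "bits_left": remaining_settable_bits(invalidated),
        "after_attack": attacked,
        "zeros_ignored": tag.read() == attacked,
        "flawed_check_fooled": not terminal_is_invalid_flawed(attacked),
        "fixed_check_holds": terminal_is_invalid_fixed(attacked),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value:#06x}" if name.startswith("after") else f"{name}: {value}")
```

The general lesson for any write-once or counter-style field: test for the bits that must be set, never for equality with one expected value, because the attacker owns every bit you have not set yet.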
15. More fundamental limitation: replay attack
• Mifare Ultralight can store signed or encrypted data, but cannot
do any processing, or offer any access control to reading the data
• No way to protect against spoofing of tags
• Only mitigation: the serial number (UID) cannot be overwritten, so
spoofing requires special hardware if the UID is used
16. Logical attacks:
Attacking the crypto
17. Challenge-response
[figure: the terminal sends a challenge c to the card; the card's CPU, holding secret key K, returns the response encrypt_K(c)]
• If the card can do encryption, the secret key K never leaves the card
• Card issuer does not have to trust card holder, terminal, or network
• This is how your bank card works: it uses a 3DES key that only the bank knows
18. Breaking this?
[figure: the same challenge-response exchange; the card holds secret key K and answers challenge c with encrypt_K(c)]
1. Figuring out which encryption function is used
– maybe this is known & published
– otherwise: reverse engineering, experimenting to figure out how encryption works
2. For poor encryption: by trying out a few challenges,
you may be able to reconstruct the key
For good crypto – 3DES, AES, RSA, ... – this is hopeless
19. Proprietary crypto broken in DS group
• Mifare Classic
• ATMEL SecureMemory, CryptoMemory and CryptoRF
• HID iClass and iClass Elite
• Hitag2
• Moral of the story: use established crypto primitives
– publicly studied, according to Kerckhoffs' principle
20. Crypto 1 in Mifare Classic
21. Logical attacks:
Attacking the key management
22. Common problems with crypto keys
• people using the same key in all cards
• for one customer, or - worse - all their customers!
• HID iClass uses a single global master key, which is built into all
HID card readers
• worse still, using the default keys
• 75% of MIFARE applications were found to use default keys or keys
used in examples in documentation
[Source: Lukas Grunwald, DEFCON14, 2007]
• A0A1A2A3A4A5 is an initial transport key of MIFARE tags.
Googling for A0A1A2A3A4A5 produces links to documentation with
other example keys to try!
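Both problems on the slide, one key in every card and a key copied from documentation, are key-management choices, and the standard remedy for the first is to derive a per-card key from a master key and the card's UID so that a key extracted from one card opens only that card. The block below is an added example, not code from the slides or from any vendor: it issues a fleet of simulated cards both ways, measures how many cards one extracted key compromises, and refuses keys from a short list of well-known defaults. The transport key A0A1A2A3A4A5 is from the slide; FFFFFFFFFFFF (the factory key) and the all-zero key are added by me; HMAC-SHA256 truncated to 6 bytes is my stand-in KDF, not the diversification any real deployment uses.

```python
"""Key management for a fleet of cards: one shared key versus keys
diversified per card from a master key and the card UID. Added example;
the KDF (HMAC-SHA256 truncated to 6 bytes) is my stand-in, not the scheme
any real deployment uses."""
import hashlib
import hmac
import secrets

MIFARE_KEY_LEN = 6  # MIFARE Classic sector keys are 48 bits

# Keys nobody should ship with: the transport key from the slide, the
# factory default, and the all-zero key.
KNOWN_DEFAULT_KEYS = {
    bytes.fromhex("A0A1A2A3A4A5"),
    bytes.fromhex("FFFFFFFFFFFF"),
    bytes.fromhex("000000000000"),
}


def uses_known_default_key(key: bytes) -> bool:
    return key in KNOWN_DEFAULT_KEYS


def diversified_key(master_key: bytes, uid: bytes) -> bytes:
    """Per-card key = PRF(master, UID). A reader holding the master key can
    recompute it for whatever UID is presented; a key pulled out of one
    card is good for that UID only."""
    mac = hmac.new(master_key, b"sector-key|" + uid, hashlib.sha256)
    return mac.digest()[:MIFARE_KEY_LEN]


def issue_shared(uids, shared_key: bytes) -> dict:
    """The anti-pattern from the slide: the same key in every card."""
    return {uid: shared_key for uid in uids}


def issue_diversified(uids, master_key: bytes) -> dict:
    return {uid: diversified_key(master_key, uid) for uid in uids}


def blast_radius(fleet: dict, stolen_uid: bytes) -> int:
    """Number of cards an attacker can impersonate after extracting the
    key of one card."""
    stolen = fleet[stolen_uid]
    return sum(1 for k in fleet.values() if k == stolen)


def demo(n_cards: int = 1000) -> dict:
    # Constructed UIDs: sequential 4-byte values, guaranteed distinct.
    uids = [i.to_bytes(4, "big") for i in range(1, n_cards + 1)]
    master = secrets.token_bytes(16)
    shared = issue_shared(uids, bytes.fromhex("A0A1A2A3A4A5"))
    diversified = issue_diversified(uids, master)
    victim = uids[0]
    return {
        "shared_is_default": uses_known_default_key(shared[victim]),
        "shared_blast_radius": blast_radius(shared, victim),
        "diversified_is_default": uses_known_default_key(diversified[victim]),
        "diversified_blast_radius": blast_radius(diversified, victim),
        "reader_recomputes": diversified_key(master, victim) == diversified[victim],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Diversification moves the secret that matters into the readers (the master key), which is why the iClass case on the slide still hurts: a master key built into every reader is itself one shared key, only one level up.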
23. Logical attacks:
attacking security protocols
24. Fraud with internet banking in Netherlands
year             fraud      per incident
2008             2.1 M€
2009             1.9 M€
2010             9.8 M€     7100 €
2011             35 M€      4500 €
2012 (1st half)  27.3 M€
[source: NVB]
25. Internet banking &
Man-in-the-Browser attacks
[figure: Man-in-the-Browser attack on internet banking; the display of the PC cannot be trusted (despite ...)]
26. Internet banking & protecting
against Man-in-the-Browser attacks
[figure: USB-connected reader with its own display; this display can be trusted and understood]
29. Protocol of USB-connected e.dentifier2
Vulnerability:
the e.dentifier2 tells the PC that the
user pressed OK, and the PC then instructs
the e.dentifier2 to continue the transaction,
so a PC that cannot be trusted (see the Man-in-the-Browser slides)
decides whether the transaction proceeds
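The exchange on the slide, as an added example that is not the reader's real protocol or any code from the slides: a reader that continues when the PC says so is placed next to one that continues only on its own button press, and each is driven by an honest PC and by a man-in-the-browser that never waits for the user. The message names, the method names and the hardened variant are my modelling assumptions.

```python
"""Model of the e.dentifier2 / PC exchange from the slide, with the reader
that continues on the PC's say-so beside one that only continues on its own
button press. Added example; message names, the API and the hardened variant
are my modelling assumptions, not the real reader's protocol."""

USER_PRESSED_OK = "USER_PRESSED_OK"   # reader -> PC
CONTINUE = "CONTINUE"                 # PC -> reader
SIGNATURE = "SIGNATURE"               # reader -> PC: transaction authorised
REFUSED = "REFUSED"                   # reader -> PC: nothing signed


class VulnerableReader:
    """Flow on the slide: report the button press to the PC, then continue
    the transaction when the PC says CONTINUE. The decision rests with the PC."""

    def __init__(self) -> None:
        self.log = []

    def button_pressed(self) -> str:
        self.log.append(USER_PRESSED_OK)
        return USER_PRESSED_OK

    def handle(self, msg: str) -> str:
        if msg == CONTINUE:
            self.log.append(SIGNATURE)
            return SIGNATURE
        self.log.append(REFUSED)
        return REFUSED


class HardenedReader(VulnerableReader):
    """Continue only if this reader saw its own button pressed for the
    pending transaction; a CONTINUE from the PC is not evidence of consent."""

    def __init__(self) -> None:
        super().__init__()
        self._consent = False

    def button_pressed(self) -> str:
        self._consent = True
        return super().button_pressed()

    def handle(self, msg: str) -> str:
        if msg == CONTINUE and not self._consent:
            self.log.append(REFUSED)
            return REFUSED
        self._consent = False   # one press authorises one transaction
        return super().handle(msg)


def honest_pc(reader) -> str:
    """Browser without malware: waits for the user's OK, then continues."""
    if reader.button_pressed() == USER_PRESSED_OK:
        return reader.handle(CONTINUE)
    return REFUSED


def man_in_the_browser(reader) -> str:
    """Malware in the PC: skips the user and sends CONTINUE straight away."""
    return reader.handle(CONTINUE)


def demo() -> dict:
    hardened_twice = HardenedReader()
    honest_pc(hardened_twice)
    return {
        "vulnerable_honest": honest_pc(VulnerableReader()),
        "vulnerable_mitb": man_in_the_browser(VulnerableReader()),
        "hardened_honest": honest_pc(HardenedReader()),
        "hardened_mitb": man_in_the_browser(HardenedReader()),
        "hardened_second_continue": hardened_twice.handle(CONTINUE),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The design point is where the consent check lives: the moment the reader treats a message from the untrusted PC as proof that the user agreed, the trusted display on the previous slide no longer buys anything.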
33. Unwanted functionality
• Test version of Dutch passport
provided software emulation of Mifare Classic
• with default key, of course...
This allows adding a cloned ov-chipcard on the passport
34. Attacking the terminal software
Lukas Grunwald managed to crash e-passport terminals by
sending a malformed JPEG, causing a buffer overflow in the graphics library
Smartcards and RFID tags should be treated as untrusted inputs
until we have authenticated the card and/or the data it provides
35. e-passport leaking info by error response
passport   2-byte error response   meaning
Belgian    6986                    not allowed
Dutch      6982                    security status not satisfied
French     6F00                    no precise diagnosis
Italian    6D00                    not supported
German     6700                    wrong length
Error code returned for an illegal B0, i.e. READ BINARY, instruction
This reveals the nationality of a passport
• in spite of access control to passport data
255 other instructions to try, and we can try different parameters ...
But attack range is limited to 30 cm, so the danger of "passport bombs" is overhyped
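The probe on the slide is a single ISO 7816-4 command whose two status bytes differ per issuing country. The block below is an added example, not code from the slides: it frames the READ BINARY APDU, splits a response into data and status word, classifies simulated passports by the status words from the table, and shows that a population which answers uniformly cannot be told apart this way (the uniform answer is my suggested mitigation, not something the slide states). The simulated passports and their behaviour are constructed for the example.

```python
"""Fingerprinting an e-passport's nationality from the status word it returns
to a READ BINARY sent before access control has been passed. Added example
with simulated passports; not code from the slides."""

# ISO 7816-4 command APDU: CLA INS P1 P2 Le. INS B0 = READ BINARY,
# offset 0, Le = 00 (as many bytes as the card will give).
READ_BINARY_PROBE = bytes.fromhex("00B0000000")

# Status words observed per issuing country (from the slide).
SW_TO_NATIONALITY = {
    0x6986: "Belgian",  # not allowed
    0x6982: "Dutch",    # security status not satisfied
    0x6F00: "French",   # no precise diagnosis
    0x6D00: "Italian",  # not supported
    0x6700: "German",   # wrong length
}


class SimulatedPassport:
    """Constructed stand-in for a real chip: before access control has been
    passed it answers every command with a fixed status word and no data."""

    def __init__(self, sw_before_auth: int) -> None:
        self._sw = sw_before_auth

    def transmit(self, apdu: bytes) -> bytes:
        if len(apdu) < 4:               # not even CLA INS P1 P2
            return (0x6700).to_bytes(2, "big")
        return self._sw.to_bytes(2, "big")


def split_response(resp: bytes):
    """Response APDU = [data] SW1 SW2."""
    if len(resp) < 2:
        raise ValueError("response shorter than a status word")
    return resp[:-2], int.from_bytes(resp[-2:], "big")


def fingerprint(card) -> str:
    _data, sw = split_response(card.transmit(READ_BINARY_PROBE))
    return SW_TO_NATIONALITY.get(sw, "unknown")


def distinguishable(cards) -> int:
    """How many different answers a population of cards gives to the probe."""
    return len({fingerprint(c) for c in cards})


def demo() -> dict:
    fleet = [SimulatedPassport(sw) for sw in SW_TO_NATIONALITY]
    # A fleet that answers uniformly: the probe no longer separates countries.
    uniform = [SimulatedPassport(0x6982) for _ in SW_TO_NATIONALITY]
    return {
        "labels": [fingerprint(c) for c in fleet],
        "classes_before": distinguishable(fleet),
        "classes_after": distinguishable(uniform),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Error responses are data too: as long as the chip's answer to an unauthorised command depends on who made the chip, access control on the files does not hide the issuing country.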
36. Physical attacks:
side-channel attacks
37. Power trace of an RSA encryption
[Source: Riscure]
41. Optical reverse engineering
microscope images with different layers in different
colours, before and after etching
[Source: Oliver Kömmerling, Marcus Kuhn]
42. Probing
Observe or change the data on the bus while the chip is in operation,
e.g. to observe a key.
[figure: probing with 8 needles]
43. Fibbing
FIB = Focussed Ion Beam
can observe or modify a chip by
• drilling holes
• cutting connections
• soldering new connections and
creating new gates
[figure: hole drilled in the chip surface; blown fuse]
44. Extracting ROM content
Staining can optically reveal the bits stored in ROM:
dark squares are 1, light squares are 0
[Source: Brightsight]
45. Latest fashion: fault attacks
• Introduce a fault while chip is operating
– by glitching: dipping the voltage
– by shooting a laser at the chip
46. Conclusions
• Smartcard & RFID security is not perfect
– cheap, logical attacks
• little equipment, but some time & brainpower
– expensive, physical attacks
• more equipment
– both can be devastating...
• The ongoing arms race between defenders and attackers will
never end
– these days especially for side-channel and fault attacks