SensePost, profile picture
Uploaded bySensePost
PPTX, PDF3,925 views

Inside .NET Smart Card Operating System

This document discusses smart card security and summarizes research into vulnerabilities in the .NET smart card platform. It provides an overview of smart card applications and operating systems, then discusses attacks against smart cards that have been reported in the news. The document focuses on analyzing the security of .NET smart cards, including how the HiveMod tool was created to aid vulnerability research by allowing visualization and manipulation of .NET smart card binaries. It demonstrates how the tool could be used to spoof a digital signature and bypass the application firewall as a proof of concept attack. Responses from vendors are presented, and the conclusion discusses remaining security challenges but also potential for patching vulnerabilities.

Embed presentation

Downloaded 75 times
Inside .NET Smart Card Operating System 44Con, September 2012 Behrang Fouladi, SensePost behrang@sensepost.com
What is a smart card? VS
What is a smart card?
Single Application Smart Cards
Multi-Application Smart Card Card Parking Access Control Cashless Payments Computer Access Identification
Did you know? • How many of you have Orange SIM cards? • What applications are running on your SIM card? • Any other apps working silently?
Example: SIM Tracker Applet • Operators goal: sending the MMS/APN settings to the new handset • Can also be used for investigation purposes
In The News… – Oyster card: Crypto-1 encryption algorithm attack, 2004 – Cambridge university: EMV relay attack, 2010 – Sykipot malware Targeting US DoD smart cards, 2011-2012
In The News…
Why?
Why? • • • • • 8 billion smart cards by 2014 The “Internet of Things” Chip-enabled mobile payments Hardware backdoors Malware is everywhere!
Smart Card Firewall
Multi-application Smart Card Platforms .NET card MULTOS JavaCard
.NET Smart Card • First .NET virtual machine on the chip • Native support in Windows 7 and server 2008 • Used in: – Smart card based corporate badges (Microsoft employees badge) – Remote Access Control (USA DoD and UK MOD)
.NET smart card overview
.NET smart card security model App Domain B App Domain C App Domain A RSA Sig(B) RSA Sig(C) RSA Sig(A)
Public Key Token
Code Access Security
Data Access Security
Card application development ?? Deployment & Debugging ?? Communication (APDU) ??
Card application development .NET assembly Converter Plug-in (1) Compiles program (3) Signed card binary (2) Conversion to card binary (4) .NET remoting comm. Comm. Proxy (5) APDU comm. Vendor’s SDK
How secure is .NET card? • Has EAL5+ certified Infenion chip • EAL certification is widely used by smart card industry (EAL3 to EAL7) • .NET card OS is designed to achieve EAL4+ • EAL4+ audit: – takes 6 to 9 months, costs high 10sk to low 100sk £ – includes independent penetration testing and source code review in some case • No published vulnerabilities so far
Rev. Engineering For Vuln. Discovery
Smart Card Vuln. research • No Chip OS binary is available • Traditional tools (debuggers, disassemblers) are useless • No publicly available testing tools • Secure chips have sensors, shields, encryption • ON-card bytecode/IL code verifier
“HiveMod” Tool
HiveMod • Vulnerability research tool, for: – .NET card binary (Hive format) visualization – Card Binary manipulation – Card binary Re-signing
.NET Card Binary Compiler Header Digital signature Header Object counters Header Namespaces reference table Types reference table Methods reference table Fields reference table Blob definitions Type definitions Method definitions Program code (IL code) RSA signature
HIVE manipulation/fuzzing
Manipulating Digital Signature Header Compiler Header Digital signature Header Object counters Header Namespaces reference table Types reference table Methods reference table Fields reference table Blob definitions Type definitions Method definitions Program code (IL code) RSA signature offset 32 52 60 64 68 Field name SHA1 hash of the full assembly Public key token RSA modulus length RSA public exponent RSA modulus size 20 8 4 (len) 4 len
Manipulating Digital Signature Header PBKT=Reverse(Right(SHA1(RSA_modulus),8))
(Bypassing .NET card app Firewall) Old school attack: Public Key Token Spoofing
Attack Demo Let’s use the HiveMod tool to test this vulnerability!
Manual testing vs. HiveMod • • • • Rev. engineering the SDK: ~2 months Hex editor for binary patching : Frustrating Modified card binary needs to be signed Destroying at least 10 cards: ~200 Euros
Real World Attack? GSM (data) (2) Payment Access control app Employee E-Purse app (4) save to card (no GSM access) (1) Attacker plants malware in e-purse corporate cafeteria POS terminal GSM (data) (3) Access control data exfiltration Attacker’s system
Fiction or Real? Document available on the internet
Vendor’s Response • “An attacker needs administration key to be able to upload his malicious application on the card, This Key is normally securely stored in a HSM or a smart card based controller”.
Vendor’s Response • “Knowledge of the Public Key Token of the targeted application is required”.
Vendor’s Response • “The targeted application must use private file-system storage for its data to be exposed. Therefore, internal (Application Domain) storage is immune to such attack”. byte[] key={0xaf,0x09,0x45,0x12,....};
More Vulnerabilities... • Unauthorized memory read in InitializeArray(): public static void InitializeArray(Array array,RuntimeFieldHandle fldHandle); • Results: Partial memory dump • Destroys the card (no reliable exploitation yet)
More Vulnerabilities...
Conclusions • • • • don’t worry! check the apps PKTs for tampering. Use a secure card management system Smart card apps can be patched/updated , but not the card’s OS! • Smart cards OS and apps and card management software need pen tests too!
Closing words • HiveMod Tool would be available to Smart Card vendors and security researchers (contact research@sensepost.com)
Questions?

More Related Content

PPTX
3D PASSWORD
byramyasaikondapi
 
PPTX
Blue eyes
byRudra Bhatt
 
PPT
3D PASSWORD
byAkhi Balakrishnan
 
PPTX
Chapter five HCI
byyihunie ayalew
 
PDF
SEMINAR REPORT ON 3D PASSWORD
byKarishma Khan
 
PPTX
Chapter 2
byLatesh Malik
 
PPTX
Blue Eyes Technology
bySuchita Agrawal
 
PDF
Report on online bus management
byNaeem Ahmad
 
3D PASSWORD
byramyasaikondapi
 
Blue eyes
byRudra Bhatt
 
3D PASSWORD
byAkhi Balakrishnan
 
Chapter five HCI
byyihunie ayalew
 
SEMINAR REPORT ON 3D PASSWORD
byKarishma Khan
 
Chapter 2
byLatesh Malik
 
Blue Eyes Technology
bySuchita Agrawal
 
Report on online bus management
byNaeem Ahmad
 

What's hot

DOCX
Online property management system design document
byAbhilasha Lahigude
 
PPT
3D-Password: A More Secure Authentication
byMahesh Gadhwal
 
PPTX
3d password ppt
bymanisha0902
 
PPTX
Mobile Application Development Unit 1.pptx
bynihitagrawal4
 
PPT
Airline Reservation system(project report of six week training)-ppt
byPunjab technical University
 
PPTX
human computer interface
bySantosh Kumar
 
PPTX
Mobile Application development
byMIT Autonomous Aurangabad
 
PPTX
SEMINAR ON BIOMETRIC TECHNOLOGY.1pptx.pptx
by1A255Gauravwankar
 
PPTX
Biometric Systems and Security
byShreyans Jain
 
DOCX
Airline Reservation System
bySahil Talwar
 
PPTX
HCI(Human Computer Interaction).pptx
byXanGwaps
 
PPTX
Bluetooth Chat
byPanchhi Sahu
 
PDF
Bus tracking application project report
byAbhishek Singh
 
PPT
Use case-diagrams
byMaoelana Noermoehammad
 
PPTX
Firebase Overview
byaashutosh kumar
 
PPTX
Vision of cloud computing
bygaurav jain
 
PPTX
bluejacking.ppt
byAeman Khan
 
PPTX
SELECT THE PROPER DEVICE BASED CONTROLS
byDhanya LK
 
PPT
Daknet Technology
byAranta Chatterjee
 
PPT
Bluetooth V2.1
bySanjeev Kumar Jaiswal
 
Online property management system design document
byAbhilasha Lahigude
 
3D-Password: A More Secure Authentication
byMahesh Gadhwal
 
3d password ppt
bymanisha0902
 
Mobile Application Development Unit 1.pptx
bynihitagrawal4
 
Airline Reservation system(project report of six week training)-ppt
byPunjab technical University
 
human computer interface
bySantosh Kumar
 
Mobile Application development
byMIT Autonomous Aurangabad
 
SEMINAR ON BIOMETRIC TECHNOLOGY.1pptx.pptx
by1A255Gauravwankar
 
Biometric Systems and Security
byShreyans Jain
 
Airline Reservation System
bySahil Talwar
 
HCI(Human Computer Interaction).pptx
byXanGwaps
 
Bluetooth Chat
byPanchhi Sahu
 
Bus tracking application project report
byAbhishek Singh
 
Use case-diagrams
byMaoelana Noermoehammad
 
Firebase Overview
byaashutosh kumar
 
Vision of cloud computing
bygaurav jain
 
bluejacking.ppt
byAeman Khan
 
SELECT THE PROPER DEVICE BASED CONTROLS
byDhanya LK
 
Daknet Technology
byAranta Chatterjee
 
Bluetooth V2.1
bySanjeev Kumar Jaiswal
 

Similar to Inside .NET Smart Card Operating System

PPT
Smart cards
byimshubham
 
PPTX
Smart Card Security
byReben Dalshad
 
PDF
smartcard-090723101806-phpapp01.pdf
byssuser5b47c8
 
PPT
Smart Card Technology
bythinkahead.net
 
PDF
Spelunking Credit Cards with Ruby
bySau Sheong Chang
 
PPT
What is smart card on tam
by崇倍 洪
 
PPT
Smart Card
byAlan Leewllyn Bivera
 
PPT
Smartcard
byaashish2cool4u
 
PPTX
Smart Cards
byRajan Kumar
 
PPTX
L12_Smart cards security prof Hamid.pptx
byFutureTechnologies3
 
PPT
Introduction to SmartCards - Michael Perlov
byFilipe Mello
 
PDF
Soviet Russia Smartcard Hacks You
byPriyanka Aash
 
PPT
51775454-SMART-CARDS.ppt
byKumar290483
 
DOCX
Smart card
byVaibhaw Mishra
 
PDF
Inside .NET Smart Card Operating System - 44CON 2012
by44CON
 
PDF
Vanderhoof smartcard-roadmap
byHai Nguyen
 
PPT
Gao
byMd Jasim Uddin
 
PPT
51775454-SMART-CARDS.ppt
byAjaySahre
 
PPT
smart card
by12422rahulkumar
 
PPT
Smart Cards
byVarun Arora
 
Smart cards
byimshubham
 
Smart Card Security
byReben Dalshad
 
smartcard-090723101806-phpapp01.pdf
byssuser5b47c8
 
Smart Card Technology
bythinkahead.net
 
Spelunking Credit Cards with Ruby
bySau Sheong Chang
 
What is smart card on tam
by崇倍 洪
 
Smart Card
byAlan Leewllyn Bivera
 
Smartcard
byaashish2cool4u
 
Smart Cards
byRajan Kumar
 
L12_Smart cards security prof Hamid.pptx
byFutureTechnologies3
 
Introduction to SmartCards - Michael Perlov
byFilipe Mello
 
Soviet Russia Smartcard Hacks You
byPriyanka Aash
 
51775454-SMART-CARDS.ppt
byKumar290483
 
Smart card
byVaibhaw Mishra
 
Inside .NET Smart Card Operating System - 44CON 2012
by44CON
 
Vanderhoof smartcard-roadmap
byHai Nguyen
 
Gao
byMd Jasim Uddin
 
51775454-SMART-CARDS.ppt
byAjaySahre
 
smart card
by12422rahulkumar
 
Smart Cards
byVarun Arora
 

More from SensePost

PDF
Introducing (DET) the Data Exfiltration Toolkit
bySensePost
 
PPTX
Improvement in Rogue Access Points - SensePost Defcon 22
bySensePost
 
PDF
Corporate Threat Modeling v2
bySensePost
 
PPTX
Rat a-tat-tat
bySensePost
 
PDF
Ruler and Liniaal @ Troopers 17
bySensePost
 
PDF
Hacking Z-Wave Home Automation Systems
bySensePost
 
PPT
Attacks and Defences
bySensePost
 
PPTX
Vulnerabilities in TN3270 based Application
bySensePost
 
PDF
Botconf 2013 - DNS-based Botnet C2 Server Detection
bySensePost
 
PPT
Its Ok To Get Hacked
bySensePost
 
PDF
objection - runtime mobile exploration
bySensePost
 
PPT
Major global information security trends - a summary
bySensePost
 
PPTX
State of the information security nation
bySensePost
 
PPTX
Offence oriented Defence
bySensePost
 
PPT
Web Application Hacking
bySensePost
 
PDF
SNMP : Simple Network Mediated (Cisco) Pwnage
bySensePost
 
PPTX
Threats to machine clouds
bySensePost
 
PDF
Heartbleed Overview
bySensePost
 
PDF
Putting the tea back into cyber terrorism
bySensePost
 
PPTX
ZaCon 2015 - Zombie Mana Attacks
bySensePost
 
Introducing (DET) the Data Exfiltration Toolkit
bySensePost
 
Improvement in Rogue Access Points - SensePost Defcon 22
bySensePost
 
Corporate Threat Modeling v2
bySensePost
 
Rat a-tat-tat
bySensePost
 
Ruler and Liniaal @ Troopers 17
bySensePost
 
Hacking Z-Wave Home Automation Systems
bySensePost
 
Attacks and Defences
bySensePost
 
Vulnerabilities in TN3270 based Application
bySensePost
 
Botconf 2013 - DNS-based Botnet C2 Server Detection
bySensePost
 
Its Ok To Get Hacked
bySensePost
 
objection - runtime mobile exploration
bySensePost
 
Major global information security trends - a summary
bySensePost
 
State of the information security nation
bySensePost
 
Offence oriented Defence
bySensePost
 
Web Application Hacking
bySensePost
 
SNMP : Simple Network Mediated (Cisco) Pwnage
bySensePost
 
Threats to machine clouds
bySensePost
 
Heartbleed Overview
bySensePost
 
Putting the tea back into cyber terrorism
bySensePost
 
ZaCon 2015 - Zombie Mana Attacks
bySensePost
 

Recently uploaded

PPTX
Corporate AI Training to AI Enable a Company Workforce
byStélio Inácio
 
PDF
MAD (1).pdf Mobile application develipment
byprathiT1
 
PPT
HDTV and DTV Standards: The United States Opts for a Digital HDTV Standard
byJeffrey Hart
 
PPTX
Why 2026 Could Be a Turning Point for Decentralized Exchanges.pptx
bycalliemorgan193
 
PDF
Top 10 API Automation Testing Tools: Features, Pros & Cons
byhenrycavill30521
 
PPTX
Compare and contrast types of attacks.pptx
bysyednaqihassan14
 
PPTX
Introduction to Computer Network Concepts.pptx
byAnacrissa Soriano
 
PDF
How Application Performance Monitoring Tools Are Used in Performance Testing
byhenrycavill30521
 
PDF
The_Boardroom_Cyber_Playbook_Research_Edition
bySaraDavis91
 
PDF
The Future of AI-Powered Fashion Design 10 Top Generators for 2026
bymockitseo
 
PDF
From Compliance to Competitive Advantage Board-Level Cyber Governance Under D...
bySaraDavis91
 
PDF
splunk-peak-threat-hunting-framework.pdf
bylobster6719
 
PPTX
Digital transformation success powered by EPM and NexInfo.pptx
byjayasuryanexinfo
 
PPTX
Scrape YouTube Video Data for Influencer Analytics.pptx
byWeb Data Crawler
 
PPTX
Search Engine Responses to Conspiratorial Search Practices AANZCA 2025 Presen...
bykkasianenko
 
PPTX
Pizza Chain Market Data Scraping for Better Insights Report.pptx
byWeb Data Crawler
 
PPTX
UNIT III TYPOLOGY OF CRIME AND CRIMINAL BEHAVIOUR (1).pptx
bybloodyhumanoid
 
PDF
Azure Identity, Governance, and Monitoring solutions
byVICTOR MAESTRE RAMIREZ
 
PPT
Information and Communication Technologies and Power
byJeffrey Hart
 
PDF
“Lessons from Yesterday's Tomorrowland” by Scott M. Graffius
byScott M. Graffius
 
Corporate AI Training to AI Enable a Company Workforce
byStélio Inácio
 
MAD (1).pdf Mobile application develipment
byprathiT1
 
HDTV and DTV Standards: The United States Opts for a Digital HDTV Standard
byJeffrey Hart
 
Why 2026 Could Be a Turning Point for Decentralized Exchanges.pptx
bycalliemorgan193
 
Top 10 API Automation Testing Tools: Features, Pros & Cons
byhenrycavill30521
 
Compare and contrast types of attacks.pptx
bysyednaqihassan14
 
Introduction to Computer Network Concepts.pptx
byAnacrissa Soriano
 
How Application Performance Monitoring Tools Are Used in Performance Testing
byhenrycavill30521
 
The_Boardroom_Cyber_Playbook_Research_Edition
bySaraDavis91
 
The Future of AI-Powered Fashion Design 10 Top Generators for 2026
bymockitseo
 
From Compliance to Competitive Advantage Board-Level Cyber Governance Under D...
bySaraDavis91
 
splunk-peak-threat-hunting-framework.pdf
bylobster6719
 
Digital transformation success powered by EPM and NexInfo.pptx
byjayasuryanexinfo
 
Scrape YouTube Video Data for Influencer Analytics.pptx
byWeb Data Crawler
 
Search Engine Responses to Conspiratorial Search Practices AANZCA 2025 Presen...
bykkasianenko
 
Pizza Chain Market Data Scraping for Better Insights Report.pptx
byWeb Data Crawler
 
UNIT III TYPOLOGY OF CRIME AND CRIMINAL BEHAVIOUR (1).pptx
bybloodyhumanoid
 
Azure Identity, Governance, and Monitoring solutions
byVICTOR MAESTRE RAMIREZ
 
Information and Communication Technologies and Power
byJeffrey Hart
 
“Lessons from Yesterday's Tomorrowland” by Scott M. Graffius
byScott M. Graffius
 

Inside .NET Smart Card Operating System

  • 1.
    Inside .NET SmartCard Operating System 44Con, September 2012 Behrang Fouladi, SensePost behrang@sensepost.com
  • 2.
    What is asmart card? VS
  • 3.
    What is asmart card?
  • 4.
  • 5.
    Multi-Application Smart Card CardParking Access Control Cashless Payments Computer Access Identification
  • 6.
    Did you know? •How many of you have Orange SIM cards? • What applications are running on your SIM card? • Any other apps working silently?
  • 7.
    Example: SIM TrackerApplet • Operators goal: sending the MMS/APN settings to the new handset • Can also be used for investigation purposes
  • 8.
    In The News… –Oyster card: Crypto-1 encryption algorithm attack, 2004 – Cambridge university: EMV relay attack, 2010 – Sykipot malware Targeting US DoD smart cards, 2011-2012
  • 9.
  • 10.
  • 11.
    Why? • • • • • 8 billion smartcards by 2014 The “Internet of Things” Chip-enabled mobile payments Hardware backdoors Malware is everywhere!
  • 12.
  • 13.
    Multi-application Smart CardPlatforms .NET card MULTOS JavaCard
  • 14.
    .NET Smart Card •First .NET virtual machine on the chip • Native support in Windows 7 and server 2008 • Used in: – Smart card based corporate badges (Microsoft employees badge) – Remote Access Control (USA DoD and UK MOD)
  • 15.
  • 16.
    .NET smart cardsecurity model App Domain B App Domain C App Domain A RSA Sig(B) RSA Sig(C) RSA Sig(A)
  • 17.
  • 18.
  • 19.
  • 20.
    Card application development ?? Deployment& Debugging ?? Communication (APDU) ??
  • 21.
    Card application development .NETassembly Converter Plug-in (1) Compiles program (3) Signed card binary (2) Conversion to card binary (4) .NET remoting comm. Comm. Proxy (5) APDU comm. Vendor’s SDK
  • 22.
    How secure is.NET card? • Has EAL5+ certified Infenion chip • EAL certification is widely used by smart card industry (EAL3 to EAL7) • .NET card OS is designed to achieve EAL4+ • EAL4+ audit: – takes 6 to 9 months, costs high 10sk to low 100sk £ – includes independent penetration testing and source code review in some case • No published vulnerabilities so far
  • 23.
    Rev. Engineering ForVuln. Discovery
  • 24.
    Smart Card Vuln.research • No Chip OS binary is available • Traditional tools (debuggers, disassemblers) are useless • No publicly available testing tools • Secure chips have sensors, shields, encryption • ON-card bytecode/IL code verifier
  • 25.
  • 26.
    HiveMod • Vulnerability researchtool, for: – .NET card binary (Hive format) visualization – Card Binary manipulation – Card binary Re-signing
  • 27.
    .NET Card Binary CompilerHeader Digital signature Header Object counters Header Namespaces reference table Types reference table Methods reference table Fields reference table Blob definitions Type definitions Method definitions Program code (IL code) RSA signature
  • 28.
  • 29.
    Manipulating Digital SignatureHeader Compiler Header Digital signature Header Object counters Header Namespaces reference table Types reference table Methods reference table Fields reference table Blob definitions Type definitions Method definitions Program code (IL code) RSA signature offset 32 52 60 64 68 Field name SHA1 hash of the full assembly Public key token RSA modulus length RSA public exponent RSA modulus size 20 8 4 (len) 4 len
  • 30.
    Manipulating Digital SignatureHeader PBKT=Reverse(Right(SHA1(RSA_modulus),8))
  • 31.
    (Bypassing .NET cardapp Firewall) Old school attack: Public Key Token Spoofing
  • 32.
    Attack Demo Let’s usethe HiveMod tool to test this vulnerability!
  • 34.
    Manual testing vs.HiveMod • • • • Rev. engineering the SDK: ~2 months Hex editor for binary patching : Frustrating Modified card binary needs to be signed Destroying at least 10 cards: ~200 Euros
  • 35.
    Real World Attack? GSM(data) (2) Payment Access control app Employee E-Purse app (4) save to card (no GSM access) (1) Attacker plants malware in e-purse corporate cafeteria POS terminal GSM (data) (3) Access control data exfiltration Attacker’s system
  • 36.
    Fiction or Real? Documentavailable on the internet
  • 37.
    Vendor’s Response • “Anattacker needs administration key to be able to upload his malicious application on the card, This Key is normally securely stored in a HSM or a smart card based controller”.
  • 38.
    Vendor’s Response • “Knowledgeof the Public Key Token of the targeted application is required”.
  • 39.
    Vendor’s Response • “Thetargeted application must use private file-system storage for its data to be exposed. Therefore, internal (Application Domain) storage is immune to such attack”. byte[] key={0xaf,0x09,0x45,0x12,....};
  • 40.
    More Vulnerabilities... • Unauthorizedmemory read in InitializeArray(): public static void InitializeArray(Array array,RuntimeFieldHandle fldHandle); • Results: Partial memory dump • Destroys the card (no reliable exploitation yet)
  • 41.
  • 42.
    Conclusions • • • • don’t worry! check theapps PKTs for tampering. Use a secure card management system Smart card apps can be patched/updated , but not the card’s OS! • Smart cards OS and apps and card management software need pen tests too!
  • 43.
    Closing words • HiveModTool would be available to Smart Card vendors and security researchers (contact research@sensepost.com)
  • 44.

Editor's Notes

  • #3 Smartvs Dumb : 1)microprocessor chip 2)Tamper resistance : -it can execute small applications -perform crypto operations; difficult cloning difficult tampering and data extraction : best option for SIM cards that store private key; subscriber identity token + call encryption- Have contact and contactless interfaces
  • #4 The IC package contains : CPU, crypto co-processor, ROM, EEPROM and RAM. Modern smart cards: 32bit CPU 10Mhz, ~8KB RAM, ~80KB ROM, 400KB EEPROMProtection against invasive and non-invasive attacks: power analysis, side channel attacks: EM emission – fault injection , modifying the circuits
  • #5 -Oyster card,Conditional Access Cards (pay TV), Access control cards-Proprietary operating systems , Proprietary encryption and comm protocols (CRYPTO-1 stream cipher failure)-No post issuance applications
  • #6 -Example: Corporate badges, College cards, Military/Law enforcement personnel (access control) -Stores and runs applications with different security importance level-Java, .NET, C and even Google Dalvik code (dkard)-Post issuance application management: Uninstall/update/install apps, encryption keys or data files.
  • #8 Orange
  • #9 Smart cities: Funded by EU (2007-2013) , 6 countries in north sea region : UK, DE, NL, BL, SE, Norway ; Gov and academic co-work to facilitate : e-Gov servicesNHS: Medical records and EPS Oyster: 22m cards, <300ms transaction processing speed (offline), Project to integrate it in the banking cards (no topup)
  • #10 NXPmaifare card : proprietary stream cipher algorithm attack; key recovery attack EMV relay attack: public static and dynamic authentication protocol ; rouge POSSykipot: Steals PIN code using keylogger then When a card is inserted into the reader, the malware then acts as the authenticated user and can access sensitive information. A trend: moving from protocol attacks to smart card software Next?? On the card itself??
  • #11 -Was running at least for 3 years before being detected. -Attackers view the list of PKI certificates and logon to protected resources via C&C commands (SSL); common C&C commands we had seen in our analysis of a defense equipment manufacturer network break-in in summer 2011; same actors??Smart card proxy malware had been seen before this incident, but this one was the first attack against an specific product ActivIdentityʼsActivClient solution
  • #12 Why the malicious code threat to smart cards is important to research?
  • #13 8bn Excluding RFID chips Internet of Thing : radio tags are embedded in things and things people ware or carry which can identify them to computer systems or small GSM connectivity modules used in M2M . Remote monitoring of utility meters, high value items tracking, smart energy grids; challenge: deploying application securely, over the air management ; tamper resistance smart cardsFirst NFC SIM cards rolled out in France by orange in Jun (beats the NFC chip on handset approach) , Microsoft Windows 8 digital wallet , jun 2012, Wallet API and wallet vulnerabilitiesCyberwar is going on silently and we have seen malware was delivered and planted successfully in high security isolated environments, Smart cards are cosy place to plant malicious code in a very large scale. Compare with something like web servers and web apps on the netIntegrated NFC, SIM or microSD, Fob or Sticker
  • #14 Fixed : Phone cards, Health card, RFID tags, most of Access Control Cards- Dynamic:Banking card, SIM card, Government Identity Cards
  • #15 - Application sandboxing
  • #16 MULTOS:Gov and Military grade security; Expensive and complicated development process; Proprietary VM (MULTOS Executable Language) MELJavacard: Developed by Sun/Oracle; The most popular smart card; mainly used in telecomm (SIM cards) and banking sector as well as a certificate storage card (cheap); runs on different chips from different vendors .NET card: Smart card of choice for multi-factor authentication and remote access to Windows networks; has easy to use SDK for Microsoft Visual Studio 2005 to 2010
  • #17 - First embedded MS .NET implementation in 2004, even before .NET Micro (2009)MS:Over 300.000 badges delivered since 2005USA DoD: combination of .NET and JavaCardsUK DoD: .NET smart card for remote access to ISA 2006 and (intelligent app gateway) IAG 2007
  • #18 Adds smart card based OTP to FIM
  • #19 Windows like file system1 base class library: mscorlib.dll , 1 smart card specific library: PIN and transaction management, .NET remoting
  • #24 -APDU : Application protocol data unit; format: <instruction class><intsr code><command data> /<response data>; 4 bytes header
  • #26 Evaluation assurance level (EAL) : numeric grade for evaluation the security IT products.Widely used by smart card vendors to give “assurance” to consumer; performed by approved companies certifited by CBELA5 means that independent pen test was done on chip OS and hardware ELA4+ independent pen testing and possibility source code audit
  • #27 We have good tools and procedures for rev engineering the software and even embedded systems, however this is not the case for smart cards: they are designed to resists hardware reving and hacks; a smart card test lab would cost more than 200K USDNormally begins with profiling the target software (dynamic analysis of file system, registry , network access) or identifying the CPU architecture, hardware security measures and operating system type for embedded systems firmware or binary code disassembly Running firmware or its components inside emulator; file format, network protocol fuzzingMonitoring the target process or JTAG or serial port
  • #28 Sensors: light, power Shields: protects against probsEncryption: logic encryption and os code encryptionMakes chip hardware reverse engineering very expensive My goal was finding vulns in the virtual machine not reversing an algorithm running on the chip My approach: reverse engineering the converter program in the SDK that converts the MS .NET assembly to .NET card binary -> knowledge of card binary metadata and their meanings-> model the way that card’s VM loads and execute apps-> identify interesting metadata and manipulate them to trigger vulns in the card’s VM
  • #30 - The first such tool for smart cards
  • #31 -More technical details is available at sensepost research web site
  • #32 Decided to create limited set of test cases forHIVE headers which will be parsed by ContentManagerIL code section which will be verified and executed by the VMDigital signature header was interesting case, because card security model was built on assemblies public key
  • #33 RSA modulus and public exponent were the only required information to a) verify the card binary’s signature a) compute the PBKTWhy the PBKT is already there?For performance reasons??
  • #34 PBKT can be easily computed by knowing the RSA_modulusPBKT is the application’s identity token
  • #35 Can we modify it to spoof the identity of other apps and bypass the app firewall?
  • #36 Backdoor or vuln??
  • #38 Rev. engineering: includes analysis of obfuscated code of the converter, writing small .NET programs to map different .NET types and method to their hive binary data, find out how different metadata tables are built and how they can be parsed correctly.Hex editor: can be trivial for modifying different sections of the same binary, but is not easy to use with different card binaries which have the same header or metadata table in a different file offsetRandomly modifying the card binary and loading it into the card can damge VM memory and render the card useless
  • #40 Picture of attack
  • #41 Case study document from MULTOS web site; NATO member militaryMulti-application card ; cashless payment and health care apps sit next to access control app
  • #42 How many of you use smart card based authentication?Do you use HSM or card management solution?If the attacker had admin key, then he could simply download the file and there was not need to exploit PBKT vulnerability
  • #43 - Public key is public!
  • #45 - Exploit: Modifying the fldHnadle to types without hasRVA modifier->Raw memory read
  • #46 Picture of the dead card