2016 - Henri Watson - What’s in your pocket?

take it away wonderful so as mentioned the idea behind this talk is to discuss the data that we have on these cards that have just kind of quietly crept into our lives over the past few years but before I start I should probably introduce myself so I'm currently working in London for a mobile payments startup called judo payments during most of the year I am a student at alberta University up in the lovely dundee scotland and this year I'll be serving as the secretary for the ethical hacking society and will be organising next year security prior to moving to Scotland I lived in the Dominican Republic for 13 years and grew up there and the things

that I'm interested in our payments technologies the idea of security versus user experience embedded devices and public transportation ticketing so if you look at the common use cases for smart cards they're often used as replacements for magnetic stripe cards and the reason for this is that with magnetic stripe cards anybody can read or write to the cards and additionally they tend to not be very durable they might lose their encoding and you have to replace them more often so as a result smart cards very quickly grew in popularity because you could more or less trust the data that was held on them and hold them to a certain degree of security if you take a look at

your wallet you may find a handful of these cards in it you probably have a bank card maybe you have a transit card you might have a student card or an office key that may also have smart cards on them and if you take a look at your appliances you might have a decoder card in satellite box I have a sim card in your cell phone and you may use a smart card to top up your electricity at home so basically we are absolutely surrounded by smart cards in 2016 but we perhaps haven't stopped to consider the implications the security implications that we have with these devices and potentially we haven't considered what data is held on these cards now in

contrast to magnetic stripe cards where you directly interact with the data on the card so for example this is a magnetic stripe card being exposed to iron oxide and showing the ones and zeros as gaps in the metal it's quite impractical to directly interact with the storage on a smart card effectively you have to subject it to acid in order to analyze silicon and chances are you're going to damage the smart card in the process of doing so so the chances of you being able to interact with it after inspecting the smart card is quite unlikely additionally if you sort of think about it there's no real data on the smart card that you can clone um

because when you speak with a smart card you're not necessarily interested in the data itself on the smart card but rather you're interested in these more cards responses to a handful of commands because you're not directly interacting with the data as it stored on the smart card the smart card for example might be doing some pre-processing on it and in order to give it to you in a nicer format so with this in mind you do have to speak with a smart card in order to inspect its contents and you have to play by the smart cards rules and you have to use the interfaces out it exposes and commonly to do this you'll use one

of two interfaces you'll more commonly use a contact interface so one of the various pinouts shown on the left here or you could use NFC or contact list in order to interact with the smart card so if you're speaking with a smart card over a contact interface that's defined by the ISIS specification 78 16 whereas contactless cards are defined by 14 443 which uses 7378 16 st1 protocol so it's effectively the same thing just that you might have more interference if you have multiple cards in the field now the cool thing about this is that because they use the same protocols just over different communication fields you can share silicon across both interfaces so here's an example of a bank card

where you can see that the wires for the contactless interface are going into the same chip that is used for the actual contact interface and effectively smart cards are varyingly clever asics you have you know an application-specific controller on these cards that depending on on how clever the manufacturer decided they wanted the card to be can do a variety of different things many of these smart cards will run Java card which is a heavily stripped-down a java virtual machine it doesn't have things like strings and said you have to use byte arrays for most things and you know which is reasonable when you consider how small and how limited these chips are and this is the type of you'll

you'll have java cards in your bank cards and gpg cards and in various other you know cryptographic hearts because these cards are able to easily perform a variety of cryptographic operations so here's an example of a visa debit card that as mentioned is running java card in this case it's running java card version 2.2 and on it is running the visa card manager however other smart cards are more purpose-built so for example things like a dorky don't full Java Virtual Machine and in fact you may want to spend that processing power on other more useful things you might want to get more source capacity out of it for example okay so without mine how do we actually speak with a smart

card how do we get it to do something it's previous Lee mentioned you don't just read a smart card you have to talk with it so you know what's the process for doing that when you first insert a smart card into a reader you send it a reset command which asks the smart card to power on and to initialize it it's basic memory state after this the card responds with a answer to reset and basically this defines things like the rate at which the smart card should reply to commands the protocol version transmission speed any error correction settings you know basic communication parameters here's an example of what that might look like and specifically here's an analysis of what

all those different hex characters mean so you know this defines as I mentioned the protocol and a transmission rate that are used the other kind of fun thing about answer to resets is that they because they have all these different parameters and can vary slightly between different cards and devices is that you can also use these to identify what kind of a card you're talking with so in this case this is the answer to reset for a united kingdom biometric residence permit but here are other examples of other common answer to resets for you know a handful of other cards that you might run into in the wild so after you receive an answer to reset you'll want

to select an application on the card further this is where the answer to reset might be helpful and that it allows you to determine what applications might be available on the card just before you've been trying to select one the card then says okay cool that applications loaded you're ready to go and this sounds great this sounds really easy pretty simple pretty standard you know except not really because you know although you have this this wonderful flow some cards are kind of rude and don't answer to your resets so some cards will do this as a form of obfuscation things like laundry cards electricity cards and that if they don't answer to your reset then you won't know how to speak with

them so it's secure and so when you you know try to do it you don't get a reply and you know you don't know how to proceed but you know fine whatever let's assume that you did get an answer to reset or that you somehow otherwise know the transmission writing the protocol and all that so then how you proceed after selecting the application is completely up to the application applications usually implement a handful of sand or commands here are a couple examples of them and these commands are defined by a specification called global platform and the idea behind global platform is so that smart cards are able to interoperate with each other and to enable smart cards to host multiple

applications so you could you know in theory have a card that acts both as a sim card and as a bank card because of these interop standards however it's totally cool to ignore these which means that speaking with a random card is an absolute headache because you need to know what what subset of these commands and supports will custom commands at sports and how it would like these commands to be set to it but you know further on let's assume that you do know what commands the card supports you know let's say that it's it's a standard that you're aware of or that you sniffed the communication going on you know while the card is being legitimately

used and as a simple example of you know well-known a smart card specification let's look at gsm authentication now gsm is a particularly good example of where a smart card can be useful because your cell phone provider wants to be able to securely authenticate you but doesn't necessarily trust your handset however it does trust the sim that it issued to you so when you first connect to a gsm network the cell tower sends a random string a nonce to your cell phone and at the same time the cell tower is aware of a ki which is an encryption key associated with your SIM card now to make this a bit more interesting let's assume that your SIM card also has

a pin on it so your SIM card is also aware of this ki and it also has a counter in it of how many times you're allowed to try a pin entry so you tell the SIM card you know my pin is 1234 the SIM card says no that's actually not the correct pin it decreases this counter then you know try a different pen and it says yes that's fine great at which point you know the SIM card has now authenticated use in an ok state to proceed and to act on your behalf so then the phone will ask the SIM card to sign this random string and using this ki it will perform on board crypto

and return a the signed nonce which the phone can then send back to the cell tower and demonstrate that you do indeed possess the SIM card and in this example the SIM card is demonstrating to access control methods it protects both the pin and the ki because the sim card performs cryptographic operations on board the ki isn't exposed at all so it's not like when you enter your PIN the phone is now able to read the ki and so this keeps it secure unless you're able to brute-force DKI so one attack that you could perform would be to ask the SIM card to sign multiple of these announcers and eventually because of a weakness in the

algorithm that was previously used in older SIM cards you could then use this to determine what the ki was this isn't a problem in new SIM cards but it used to be more of an issue in more developing nations I would use these older SIM cards for cost reasons now we also have smart cards in our bank cards which is defined by a different protocol called EMV and the idea behind this protocol is to provide a secure environment in a assumed hostile environment a same thing as with a cell phone you don't necessarily trust the handset just like with a payment environment you don't necessarily trust the payments terminal additionally the other fun thing is that

you can have multiple applications you know on one payments card this is more commonly used in the United States and in continental Europe to do things like debit cards that support multiple payment networks however you can also use smart cards for more generic data storage so you can use them for door cards student cards so on and so forth where you're not really asking the card to perform any cryptographic operations on your behalf and instead you're just asking it to prove that that you possess that part now quite a few of these cards are belong to a series called mifare ultralight these aren't they my fare series of cards generally aren't Java cards and instead they're custom asics purely for

this sort of data storage use case and my favorite altra like cards are mostly publicly readable and have very basic access control settings these cards are pretty popular with disposable or single-use tickets so above is a Dutch single-use real ticket and below is a Glasgow subway single-use ticket and both of these are cardboard cards that do actually have a contactless smart cards in them and here is an example of the data held on them to the left is the trail card to the right is the Glasgow subway card and as you can see there's not a whole lot of storage space on here there's also no you know immediately humanly readable data on here you have to use you know

binary data in order to keep things you know down to a reasonable size however more permanent cards are mifare classic cards and so you'll you'll see these in actual plastic cards things like student cards or transit cards and with these you just read sectors off the card you there's also some you know cryptographic operations that go on in order to ensure that you are actually allowed to read the different sectors on the card or whether you're allowed to modify them the way that most door cards that use mifare classic work is they simply read the sector zero which contains a serial number which is written into the card at the factory and is Hardware locked and can't be modified so in

theory you can't just go and buy a blank my favorite classic card and change the UID on it however you can buy these changeable UID my fare cards from shady websites you know in China now the cool thing is some people store data on these cards but you know as mentioned this this is in theory safe because you need the encryption keys to read and write data from these cards and in theory the card has the ability to say no I'm not going to let you read that you don't have the right encryption key for it however these cards have been demonstrated to have pretty broken crypto and these exploits have been known for a while

and this is to the point where mxp the manufacturer of these cards have said that these cards are unsafe to use anymore and any usage of them should be discontinued because you can go and just dump any card that uses mifare classic so here's an example of my santo domingo subway card and i have the reed keys as well as the right keys so if i wanted to i could totally just change my card balance the fun thing is that although these are known to be very vulnerable they're still pretty commonly deployed the first oyster cards were mifare classic the scottish national entitlement cards are in a mifare classic and it's pretty common to use these in

student cards as well just because they're fairly low cost and they're pretty easy to deploy and that they're very simple cards but you know of course not everybody uses mifare classic some people actually listen when the manufacturer says hey stop giving us money for these cards they're unsafe so instead nxp says that you should use mifare desfire instead and this is what modern oyster cards use this is what most modern transit cards will use as well and des fire uses an entirely new protocol it uses stronger cryptographic algorithms additionally it cleanly supports multiple applications and has a much stronger access control system instead of just interacting with raw sectors on the card as you do with my classic you

allow the des fire card to manage the data sectors for you and handle them on a per application basis the other fun thing with this is that because of the access control system the card issuer can say that it wants certain aspects of the card to be publicly readable so here's an example of an Android application that takes it edge of this to read a handful of publicly available transit cards in this case it's reading a San Francisco clipper card and is showing a few of the most recent trips taken using the card unfortunately Transport for London doesn't allow you to inspect an oyster card but you know that this is something that that's fully up to the card issuer to

decide on unfortunately there's a way to break into these the older versions of these cards through a side channel attack you can measure the electric magnetic interference that's created by the card while it's carrying out cryptographic operations and you can use that to determine its secret keys this isn't exploitable and newer versions of des fire cards and so hopefully this should be an issue but you know as is the case with my fair classics and with older SIM cards you know there are still operators that choose to issue these cards knowing that they're vulnerable simply because they're cheaper additionally in the United Kingdom we have a fun transit card system called it so if you have a concessionary travel

pass or if you live in a city that is not London and have a smart card that you use to travel on it will probably have this logo somewhere on it now the specification supports using my favorite classic although you're not supposed to use that for newer deployments anymore and instead you're supposed to use my faire des fire and it so is kind of a double whammy for smart parts inside every ticket barrier ticket vending machine and ticket inspection device you have one of these cards and the this card is a secure application module which contains a private key defined by it so which can be used to cryptographically verify the contents of any given card so this is used by ticket

barriers and ticket inspection devices to make sure that your tickets balance you know so on and so forth are valid and essentially the the way that this works is your reader speaks with your card reads you know the products that you have on the card from it and these are signed using this the Sam card and you're able to securely verify that additionally there's another popular transit card protocol called Calypso that is used in Belgium Germany France and Portugal which is more interesting a smart part of use case in that instead of the smart card simply storing your ticket data and the ticket barrier is responsible for validating whether you're allowed through the smart card is

instead trusted and is in charge of determining whether you're allowed to conduct a journey or not and so in this regard the smart card is slightly smarter than just in it so card however of course there are other applications that smart cards are used for like passports and passports are fun because you have sensitive data on them that has to be protected with some countries passports you have fingerprint information on all countries passports you have biometric information you have the information on the cover page and so be kind of terrible if you just had a passport in your bag and someone was able to read it in order to protect against this there's a oughtn't occation scheme called basic

access control we're when you read information from a passport you have to supply the holders birthday the passport number and the passports expiration date and this is why you when a passport is scanned at the airport you still have to scan these two lines at the bottom because that's where this information is contained so after extracting that information you can send it to the passport who then generate session keys for you and you can use these session keys to securely read the holders photo you know the information on the card so on and so forth additionally for more sensitive information such as fingerprints you have extended access control which requires that a actual certificate be

presented to the passport before it's able to give up data and in this sense merely possessing the identity document isn't enough to get that information you also have to be trusted by the issuer of the document now the information that's used for basic access control is all numeric data you know your birthday document number expiration date which we can brute force and there is a pretty interesting paper on this which used a webcam to see the cover of the exterior cover of the passport to determine which country issued it and by with this information you can determine certain patterns about passports so for example newer American passports tend to start their passport numbers at 50,000 so you

know you can already eliminate a bunch of iterations with that information additionally you could inspect things like the wear and tear on the passport to figure out you know to kind of guess how soon it's going to expire now some countries are a bit clever about this American passports include a Faraday cage on their cover so unless you have the passport open you're unable to speak with the NFC coil at the NFC chip inside of the passport however you know this is still a problem with with other countries which don't have shield in their passport covers right so basically it's pretty impractical to attack the smart card itself because of the physical security elements involved

because of risk of damage and because you know even if you do manage to directly read the data off the EEPROM on the smart card you still have to figure out how to interpret that data because you no longer have the operating system on your side to help you out there instead most attacks on smart cards rely on broken cryptographic operations or they rely on side channel leaks smart cards run very very small and heavily optimized applications this is you know they kind of interestingly enough you know these cards were invented in the 70s and you know since then they haven't changed a whole lot so you only have a couple k of you know persistent storage you only

have a handful of megahertz of processing speed and additionally you know the they're very low powered devices as well especially when you consider contactless cards which are powered you know just from the induction field because of this you know the very limited scope of the operating systems on these cards you're kind of unlikely to find things like buffer overflow attacks just because you don't really have the space to have that much code on these cards but because they've been around for so long there's a lot of software that allows you to interact with no smart cards so card peak is one of my favorite applications for doing this runs on Windows Linux Mac OS and it

allows you to read both contact list and contact cards should you have you know the appropriate readers for your computer an XP tag info is an Android application that allows you to read NFC cards on a android phone that supports them it's also quite cool that it will attempt to interpret the contents of the card if it is able to and there's also the e subs a smart ticket checker which allows you to read the contents of an it so card which is also an Android app occasion so if you have one of these UK transit cards you can see what information is held on them but the fun doesn't stop there because you can also build your own

smart cards there's a very interesting talk at defcon 21 about these two guys who built a custom gsm network at tor camp and they allowed people to write their own applications to live on sim cards that they issued at the cap so they have on this github page a bunch of documentation on the Java card SDK how you go about loading applications onto smart cards how to test it you know all that fun stuff a thing to hopefully get out of this is that we have tiny computers in all of our pockets you know we have them in our appliances they're just absolutely everywhere and if you say hello to them props will say hi back

thank you [Applause] yes okay so any questions anybody

this question is there any online tutorials so there are quite a few online resources regarding the how to read information on smart cards the programs that i mentioned do for example card peak is fully open source and so then you can go through the source code of that see which commands it's sending and get a better understanding of how it's speaking with the cards there are also a handful of other websites that go into that with more detail that'll put on that URL it's not up right now because ssh is blocked on this network i forgot so hopefully later this evening i'll put that up for you nes yeah you actually so codes don't actually still bouncing uh they can

so for example the Glasgow subway cards do store a balance on them and you when you go through a ticket barrier it goes through and it validates you know that your top-ups were legitimately signed and then it you know deduct the balance but in theory because of that signature you can't modify your balance yourself whether that's actually the case or not I leave open to interpretation and considering the hiepro Hospital easy and breathe how is it the the what article sorry and he from uh I'm not aware of what happened at Heathrow so two employees basically they clone that physical access gosh no easy to do so depending on the card type it can be reasonably easy to do if it was a

mifare classic card as I mentioned you can bye completely reprogrammable my fare cards and so you can just use off-the-shelf hardware you know just a boring My Fair writer too or sorry an NFC a like dongle to read the data off the original card break the encryption keys and then write it onto the new card because mifare classic is just data there's no application or anything like that that you need to clone you just need to copy the data over but it could it's more difficult for other cards like des fire and such yes no Mikey drunkenly told me that he had a question for me last night so cilla remember speakers but what is your

opinion of them apples gavel to my new smart phone wall so the idea that is Apple for their iCloud encryption use smart cards in order to store the encryption keys that are used you know to secure user data and effectively if you think about it smart cards are just very cheap hardware security modules you can use them to store private key data you can use them to perform cryptographic operations on your behalf and they will not expose the private key data unless they're programmed to do so additionally one thing that's sort of interesting that Apple does is once they finish using a card they throw it into a shredder which is you know potentially overkill

because the idea with the smart card is that if you you don't have too many invalid pin entries or something like that it will block itself and refuse to do anything but you know I suppose there's no harm in shredding it anything else okay well let's you