Gast Geplaatst: 29 mei 2002 Geplaatst: 29 mei 2002 Er is blijkbaar een nieuwe manier om de informatie op bepaalde smartcards uit te lezen ontdekt. Deze biedt wellicht perpectieven voor onze hobby. Niet voor iedere huis tuin en keuken kraker, maar toch blijkbaar simpel genoeg om als serieus probleem te worden gezien. Heeft iemand anders hier nog wat over gehoord en is dit toepasbaar op de nieuwe kaarten die nu her en der in Europa in gebruik worden genomen? Hierbij het artikel uit de New York Times: SAN FRANCISCO, May 12 — Two University of Cambridge computer security researchers plan to describe on Monday an ingenious and inexpensive attack that employs a $30 camera flashgun and a microscope to extract secret information contained in widely used smart cards. The newly discovered vulnerability is reason for alarm, the researchers said, because it could make it cost-effective for a criminal to steal information from the cards. Smart cards are used for dozens of different applications, including electronic identity protection, credit and debit cards and cellular phone payment and identity systems. The Cambridge researchers said they had discussed their discovery with a number of card manufacturers, and several had acknowledged the vulnerability. One company reported that its security testing teams had already considered types of attacks similar to the one mounted by the Cambridge team and that they believed their products were not vulnerable. The researchers said they had also proposed a potential design change to the companies that would protect against the attack. "This vulnerability may pose a big problem for the industry," they wrote in their paper, "Optical Fault Induction Attacks." The researchers argued the industry would need to add countermeasures to the cards to increase their security. The Cambridge group's discovery is one of two new smart card attacks that will be introduced Monday evening in Oakland, Calif., at an Institute of Electrical and Electronics Engineers symposium on security and privacy. A team of researchers from I.B.M.'s Thomas J. Watson Laboratory in Yorktown Heights, N.Y., said they would present a report at the conference based on their discovery of a different vulnerability in subscriber identification module, or S.I.M., cards. These are used in the type of digital cellphone known as G.S.M., widely used in Europe and to a lesser extent here. The vulnerability would make it possible for a criminal to find the secret information stored in the card, steal the user's cellphone identity and make free phone calls. Smart cards are credit-card-like devices containing a microprocessor chip and a small amount of computer memory for storing bits of electronic data that represent money or other information that can be used to ensure identity, like a code or a digitized retina scan or fingerprint. More widely used in Europe than in the United States, the cards have long been promoted as the key to a cashless society as well as for identity and authorization applications. Some countries have begun using them for national identity cards, and they have recently been discussed as a way of confirming travelers' identities to speed airport security. The Pentagon has armed soldiers with smart cards for online identity and physical access, and the cards are in use in the United States in commercial services like the American Express Blue credit card and the Providian Smart Visa Card. Both cards are offered by their providers as a convenient and safe way to make Internet purchases, although their actual use for those purposes so far has been limited. Some of the information stored in the card is in the form of a number composed of ones and zeros that cryptographers refer to as a "private key." That key is part of a two-key system that is used to encode and decode information. The security of such systems is compromised if the private key is revealed. Typically, after the card holder authenticates the card by supplying a pin number, the private key will then be used to encrypt any sort of transaction using the card. For example, the card might be used to authorize a purchase or a transfer of funds, make an e-mail message private, log on to a computer network or enter a building. The researchers from Britain, Sergei Skorobogatov and Ross Anderson, who are based at the University of Cambridge Computer Laboratory, discovered the flaw after Mr. Skorobogatov found that he could interrupt the operation of the smart card's microprocessor simply by exposing it to an electronic camera flashbulb. They were able to expose the circuit to the light by scraping most of the protective coating from the surface of the microprocessor circuit that is embedded in each smart card. With more study, the researchers were able to focus the flash on individual transistors within the chip by beaming the flash through a standard laboratory microscope. "We used duct tape to fix the photoflash lamp on the video port of a Wentworth Labs MP-901 manual probing station," they wrote in their paper. By sequentially changing the values of the transistors used to store information, they were able to "reverse engineer" the memory address map, allowing them to extract the secret information contained in the smart card. Mr. Skorobogatov is a Russian emigrant who was once employed in the former Soviet Union's nuclear weapons program, where his job was to maintain bombs. Mr. Anderson is a well-known computer security researcher whose work in both computer security and cryptography is widely recognized. The researchers said they had discussed their findings with a number of companies that had acknowledged the vulnerability. However, at least one manufacturer who had read the paper said it believed its products were not vulnerable to the attack. "This is a paper for an academic conference," said Alex Giakoumis, director of product lines for the Atmel Corporation, a San Jose, Calif.-based maker of smart cards. "We've already looked at this area." He said his company had built defensive measures into its products that would make them invulnerable to such an attack. However, he said he was unwilling to be specific about the nature of the security system, because such information would be valuable to someone who was attempting to break the security of the Atmel smart cards. The I.B.M. paper, which is titled "Partitioning Attacks: Or How to Rapidly Clone Some G.S.M. Cards," was prepared by Josyula R. Rao, Pankaj Rohatgi, Helmut Scherzer and Stefan Tinguely. The researchers reported that they had dramatically shortened the time needed to steal secret information from today's G.S.M. cellphones. Their new approach can seize the information within minutes, they said, making it a much more useful method than either breaking the cryptographic algorithms used by the card or by intrusive attacks such as the Cambridge approach. The I.B.M. researchers' report also offers advice to the smart card industry on how to protect against vulnerabilities.
Gast Geplaatst: 29 mei 2002 Geplaatst: 29 mei 2002 Oud nieuws inmiddels: kijk ook eens hier: http://www.sat4all.com/nl_ubb/ultimatebb.php?ubb=get_topic;f=1;t=001652 en hier ook maar even: http://www.sat4all.com/nl_ubb/ultimatebb.php?ubb=get_topic;f=1;t=001654
Aanbevolen berichten