diff options
author | U-Thinking\Karsten <Karsten@Thinking.(none)> | 2010-08-17 14:15:09 +0200 |
---|---|---|
committer | U-Thinking\Karsten <Karsten@Thinking.(none)> | 2010-08-17 14:15:09 +0200 |
commit | e71463e716bc2e527a5960966bcfcdc9f9fccfa8 (patch) | |
tree | 633357d1cd63fef061149fac07b9a54f6bcd44a2 /paper | |
parent | f75fb90134eb1b45c8a91d82b75e4f78681062d5 (diff) | |
parent | d72bcdb8f9630ece273978d4979ea25a63e15997 (diff) |
Merge branch 'master' of git.gnumonks.org:easyhack
Conflicts:
paper/easycard.tex
Diffstat (limited to 'paper')
-rw-r--r-- | paper/easycard.tex | 73 |
1 files changed, 38 insertions, 35 deletions
diff --git a/paper/easycard.tex b/paper/easycard.tex index 248b2ec..ebaaf83 100644 --- a/paper/easycard.tex +++ b/paper/easycard.tex @@ -4,7 +4,7 @@ \usepackage{subfigure}
\pagestyle{plain}
-%\usepackage{url}
+\usepackage{url}
\setlength{\oddsidemargin}{0in}
\setlength{\evensidemargin}{0in}
@@ -20,7 +20,7 @@ \title{Security analysis of the EasyCard payment card in Taiwan}
\author{Harald Welte $<$laforge@gnumonks.org$>$}
-\date{UNRELEASED (September XX, 2010}
+\date{UNRELEASED (September XX, 2010)}
\maketitle
%%%%%%%%%%%%%%%%%%%
@@ -115,12 +115,12 @@ they key of at least one different sectors. \subsection{Recovering the MIFARE CRYPTO1 keys}
Since none of the sector keys was known, the publicly available MFCUK (MiFare
-Classic Universal toolKit) implementation of the "Dark Side" attack (Nicolas T.
+Classic Universal toolKit) implementation of the ``Dark Side'' attack (Nicolas T.
Courtois) was used as a card-only attack.
All that was required was the MFCUK Free Software, as well as a RFID
reader as supported by libnfc. Compatible readers are widely available,
-among them one for EUR 30 from http://www.touchatag.com/e-store.
+among them one for EUR 30 from \url{http://www.touchatag.com/e-store}.
Using the MFCUK key recovery tool, the A and B keys for all sectors have
been recovered within FIXME. This attack can definitely be optimized
@@ -140,6 +140,7 @@ with the nfc-mfclassic program (part of libnfc). A full dump of the newly-purchased, unused EasyCard revealed the following
content:
+\begin{verbatim}
0000000 a193 c031 88c3 0004 ba46 1214 1051 1004
0000010 140e 0100 0207 0308 0409 1008 0000 0000
0000020 0000 0000 0000 0000 0000 0000 0000 0000
@@ -204,6 +205,7 @@ content: 00003d0 0000 0000 0000 0000 0000 0000 0000 0000
00003e0 0000 0000 0000 0000 0000 0000 0000 0000
00003f0 ea02 0bda b62a 7708 008f 0000 0000 0000
+\end{verbatim}
\subsection{Re-engineering the on-card data format}
@@ -234,7 +236,7 @@ any of the tested transactions. The result of this analysis can be found in the next section:
-%%%%%%%%%%%%%%%%%%%
+
\section{Re-engineered EasyCard Data Format}
\subsubsection{Sector 0 and 1: The header}
@@ -254,7 +256,7 @@ transportation as well as stores use key A for this sector, as key A is sufficient to read and decrement the VALUE block.
Re-charging the card must happen using authentication with key B, as only
-Key B has permissions to increment and/or write to this sector.
+key B has permissions to increment and/or write to this sector.
\subsubsection{Sector 3 through 5: The transaction log}
@@ -308,7 +310,7 @@ FIXME: Transaction log pointer \subsubsection{Sector 7: The last MRT entry/exit record}
-Block 2 (Offset 0x1e0) contains a record dscribing the last MRT station
+Block 2 (Offset 0x1e0) contains a record describing the last MRT station
that was entered using this EasyCard.
\begin{itemize}
\item Bytes 0...3 are unknown
@@ -328,7 +330,7 @@ applicable discount in case a connection is made from MRT into a bus. \subsubsection{Sector 15: Maximum daily spending}
-Sector 2 (Offset 0x3e0) contains a record used for keeping track of
+Block 2 (Offset 0x3e0) contains a record used for keeping track of
the amount of money spent on a single day. This is needed in order
to impose a daily spending limit of (currently) NTD 3,000.
@@ -345,7 +347,7 @@ sum is incremented with every purchase. If an EasyCard terminal in the store detects that the current day-of-the-month is different from that stored on the
card, the sum is re-set and starts new for that day.
-%%%%%%%%%%%%%%%%%%%
+
\section{Manipulating the EasyCard}
\subsection{Decreasing the Value of the card}
@@ -367,16 +369,16 @@ balance. Re-reading the card after the purchase indicates the full success of the
operation. The purchase has left exactly the same changes in the card like
it would have with a card that has a genuine lower value. None of the
-erroneosly increased (or decreased) numbers had been updated.
+erroneously increased (or decreased) numbers had been updated.
This specifically confirms that the vending terminal did not have an online
connection to a centralized database. In that case, the erroneous values
on the card would have been corrected and the original value restored.
-\subsection{Increaing the value of the card}
+\subsection{Increasing the value of the card}
The approach works similar to the previous one. First, a purchase in a store
-is being made, preferably with relatively high value. Later, the transaction
+is being made, preferrably with relatively high value. Later, the transaction
log record, card balance and amount spent per day fields are modified to make
this purchase appear cheaper than it actually was. So after purchasing an item
with 1000 NTD, the card will look like only 100 NTD were spent for the purchase,
@@ -395,7 +397,7 @@ with the transaction log. So it would be wise for an attacker to also modify all purchases in the transaction log to appear as if they were made on a
previous day.
-%%%%%%%%%%%%%%%%%%%
+
\section{Mistakes of the EasyCard Corporation}
Based on this research as well as publicly known information on the
@@ -411,8 +413,8 @@ system. The underlying Mifare Classic product was launched in 1994, and thus already
relatively old and outdated technology at that time.
-It was publicly documented by NXP that the security of the system is baesd on a
-{\em prorprietary, symmetric, 48bit cipher}. Symmetric 48-bit encryption
+It was publicly documented by NXP that the security of the system is based on a
+{\em proprietary, symmetric, 48bit cipher}. Symmetric 48-bit encryption
was definitely no longer state-of-the-art in the year 2000. At that time,
the popular web-browser Netscape Navigator (used e.g. for web-based online
banking) had already introduced support for symmetric 128bit ciphers.
@@ -424,11 +426,11 @@ design} and {\em Security by obscurity}. In the former systems, security is achieved by using well-designed systems
that have undergone public peer review and have been subject to cryptanalysis.
-As a result, the system is secure because it has undergond the review and
+As a result, the system is secure because it has undergone the review and
scrutiny of the international community of cryptographers and security experts.
So, despite making all details of the system, particularly the cryptographic
-algorithms open, an attacker is not able to circumvent the systems security.
+algorithms open, an attacker is not able to circumvent the system's security.
A system relying on {\em Security by obscurity} is only secure because
nobody knows the details of how it works. As soon as this information
@@ -480,18 +482,18 @@ technically, cards can be re-charged without making actual payment for it. As far as cards are only used for public transportation, the incentive
for fraudulent use is relatively small and contained. Also, the amount
-of money for each transaction is realtively small.
+of money for each transaction is relatively small.
Thus, while the author would still disagree, it might be the case that
the business risk analysis inside EasyCard Corporation would have deemed the
risk of fraud in the public transport sector as acceptable.
When such a card is used as an electronic payment system in stores where
-goods of much higher value can be purcased, the threat model is quite
+goods of much higher value can be purchased, the threat model is quite
different, though.
The 2010 introduction of the EasyCard as means of payment in retail
-stores - while still relying on known-broken, 16 year old technology -
+stores -- while still relying on known-broken, 16 year old technology --
can thus only be seen as ignorant and incompetent.
It does not help that EasyCard corporation has to provide a full refund
@@ -504,7 +506,7 @@ only reflect themselves in increased transaction fees for retail stores, in the end it will be the consumer who pays them indirectly due to higher prices
including such fees.
-%%%%%%%%%%%%%%%%%%%
+
\section{Proposed Changes / Improvements}
The author of this paper argues that use of the current EasyCard system
@@ -536,31 +538,32 @@ EasyCard corporation should be liable for the complete system upgrade/transition cost, as the fault of the system can only be blamed
on them.
-%%%%%%%%%%%%%%%%%%%
+
\section{Credits}
The author of this paper expresses his gratitude to the many people
involved in trying to uncover the weaknesses of proprietary and ultimately
insecure RFID systems worldwide.
-Milosch and Brita Meriac
+\begin{description}
+\item[Milosch and Brita Meriac]
for their great work on OpenPCD and OpenPICC
-Henryk Ploetz, Karsten Nohl, starbug
+\item[Henryk Ploetz, Karsten Nohl, starbug]
for their work on MIFARE, Crypto1 and tiresome research into all kinds of proprietary snake-oil
-Jonathan Westhues
+\item[Jonathan Westhues]
for designing and openly publishing the Proxmark
-Mate Soos and Karsten Nohl
+\item[Mate Soos and Karsten Nohl]
for their results on exploiting CRYPTO1's statistical wekanesses using SAT solvers
-Nethemba
+\item[Nethemba]
for the Open Source implementation of the nested key attack in MFOC
-Roel Verdult
- for his research on RFID security at Radbound University and libnfc
-Nicolas T. Courtois
+\item[Roel Verdult]
+ for his research on RFID security at Radboud University and libnfc
+\item[Nicolas T. Courtois]
for his {\em darkside} paper
-Andrei Costin
- for his Open Sourc implementation of the darkside paper (MFCUK)
- http://andreicostin.com/
-
+\item[Andrei Costin]
+ for his Open Source implementation of the darkside paper (MFCUK)
+ \url{http://andreicostin.com/}
+\end{description}
%%%%%%%%%%%%%%%%%%%
\bibliographystyle{unsrt}
%\bibliographystyle{splncs}
@@ -585,4 +588,4 @@ Andrei Costin %13. [ROSSSASG] - "SASG35_Peter_v_Rossum_Mifare.pdf"
%14. [DARK2009] - "THE DARK SIDE OF SECURITY BY OBSCURITY and Cloning MiFare Classic Rail and Building Passes, Anywhere, Anytime"
-\end{document}
+\end{document}
\ No newline at end of file |