Tamper resistant =/= Tamper proof
Ross Anderson's team at Cambridge University has demonstrated physical security vulnerabilities in two of the devices commonly used to validate chip-and-PIN cards in the UK. The vulnerabilities would enable an attacker with sufficient physical access to the devices, and some manual dexterity with a needle or bent paper clip, to hack them and expose PIN codes. With PIN codes plus data from the magnetic stripes, card hackers could create fake cloned cards that work in non-chip-and-PIN validators (which are becoming uncommon in the UK now, but less so abroad), or in chip-and-PIN validators that fall back to the magstripe when the card's chip doesn't work.
This ably demonstrates the difference between "tamper resistance" and "tamper proofing". The chip-and-PIN security mechanism, like many others, was designed to resist certain attacks, not to prevent them outright. Compromises inevitably had to be made during the chip-and-PIN design and specification process for the sake of cost, usability etc., including the decision to retain magstripes on chipped cards (as the team puts it, "Essentially, the vulnerabilities we exploit are not just a matter of hardware design, but also of the options many banks chose as they implemented EMV"). Hackers, as a breed, feed on such security compromises. There is no shortage of fodder. We've already seen miniature CCTV cameras plus magstripe readers used in the wild on ATM skimmers to capture PINs and card data, and chip-and-PIN device tampering in frauds at Shell service stations in the UK in 2006.
The team draws out some general lessons in the paper, aspects such as:
- the complexity of the EMV specifications (leading to local interpretations and the introduction of further unintended flaws)
- obvious conflicts of interest that result from equipment vendors selecting and paying the security labs that assess their products against the Common Criteria (something economists call "moral hazard", apparently), plus the commercial pressure on labs to issue pass slips like confetti (the same applies to ISO/IEC 27001 certifications!)
- further issues that arise when product assessments and certifications are shrouded in secrecy, thanks to the whole banking industry closing ranks and lax controls by the UK's Common Criteria certification body (apparently anyone can claim to have had their product Common Criteria Evaluated, whereas a product must actually have passed the tests before it can be called Common Criteria Certified ...)
- the potential applicability of this kind of hack to other tamper-resistant mechanisms such as electronic voting terminals. The same class of attack would probably succeed against devices that use biometrics (fingerprints, iris scans, whatever) for user authentication: if the data sent by a biometric reader can be captured in the clear en route to the encryption/validation guts, it can probably be replayed or used for other attacks. Blog-reading designers of biometric authorization mechanisms for dual-interlock missile launch systems, please take note. Tamper resistance has its limits.
The paper is well written and thought provoking for hackers and security professionals alike, even those with only fleeting interest in chip-n-PIN while paying for stuff.
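The architectural point behind the PIN-pad attack and the biometric-reader generalisation above is the same: whatever crosses the internal bus between the input device and the crypto core in the clear can be read off by a tap and replayed later. The following is an added example, written for this post and not code from the Cambridge paper or from any terminal vendor, that models that bus in Python. A passive `BusTap` records every frame; `PlainReader`/`PlainCore` send the credential as-is, while `SealedReader`/`SealedCore` have the core issue a one-shot nonce and the reader return the credential encrypted and MACed under a key shared inside the protected envelope. All class names, the 4-digit PIN and the 16-byte nonce are constructed for the example, and the HMAC-SHA256 keystream-plus-tag construction is a stdlib-only stand-in for a proper AEAD such as AES-GCM, assumed here so the block runs without third-party libraries.

```python
"""Constructed model of an input device (PIN pad, biometric reader) talking to a
terminal's secure core over an internal bus that an attacker can tap.
Example code, not from the paper or any real terminal."""
import hashlib
import hmac
import secrets


class BusTap:
    """Passive tap (a needle on the bus): records every frame, alters nothing."""
    def __init__(self):
        self.frames = []

    def observe(self, frame: bytes) -> bytes:
        self.frames.append(frame)
        return frame


# --- Design 1: the credential crosses the bus in the clear ------------------
class PlainReader:
    def send(self, credential: bytes, bus: BusTap) -> bytes:
        return bus.observe(credential)           # PIN digits / template bytes as-is


class PlainCore:
    def __init__(self, reference: bytes):
        self.reference = reference

    def accept(self, frame: bytes) -> bool:
        return hmac.compare_digest(frame, self.reference)


# --- Design 2: core issues a fresh nonce; reader answers with a sealed frame --
def _prf(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 used as a PRF; stand-in for a real AEAD (assumption)."""
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()


class SealedReader:
    def __init__(self, key: bytes):
        self.key = key                           # shared with the core, inside the envelope

    def send(self, credential: bytes, nonce: bytes, bus: BusTap) -> bytes:
        assert len(credential) <= 32, "keystream covers at most 32 bytes"
        pad = _prf(self.key, b"enc", nonce)      # one-time keystream bound to this nonce
        ct = bytes(a ^ b for a, b in zip(credential, pad))
        tag = _prf(self.key, b"mac", nonce, ct)  # integrity over nonce + ciphertext
        return bus.observe(nonce + ct + tag)


class SealedCore:
    def __init__(self, key: bytes, reference: bytes):
        self.key = key
        self.reference = reference
        self.outstanding = set()                 # nonces issued but not yet consumed

    def challenge(self) -> bytes:
        n = secrets.token_bytes(16)
        self.outstanding.add(n)
        return n

    def accept(self, frame: bytes) -> bool:
        nonce, ct, tag = frame[:16], frame[16:-32], frame[-32:]
        if nonce not in self.outstanding:        # replay or unsolicited frame
            return False
        self.outstanding.discard(nonce)          # one attempt per challenge, pass or fail
        if not hmac.compare_digest(tag, _prf(self.key, b"mac", nonce, ct)):
            return False                         # tampered on the bus
        pad = _prf(self.key, b"enc", nonce)
        credential = bytes(a ^ b for a, b in zip(ct, pad))
        return hmac.compare_digest(credential, self.reference)


def run_plain(pin: bytes = b"4921") -> tuple:
    """Clear-text bus: the tap reads the PIN and a replay of the capture is accepted."""
    tap = BusTap()
    core = PlainCore(pin)
    first = core.accept(PlainReader().send(pin, tap))
    leaked = tap.frames[0]
    replay = core.accept(leaked)
    return first, leaked, replay                 # (True, b"4921", True)


def run_sealed(pin: bytes = b"4921") -> dict:
    """Sealed bus: the tap sees no PIN, and replayed or altered frames are rejected."""
    key = secrets.token_bytes(32)                # assumed provisioned inside the envelope
    tap = BusTap()
    core = SealedCore(key, pin)
    reader = SealedReader(key)
    first = core.accept(reader.send(pin, core.challenge(), tap))
    captured = tap.frames[0]
    leaked = pin in captured                     # does the PIN appear on the bus?
    replay = core.accept(captured)               # nonce already consumed
    core.challenge()                             # a new transaction starts ...
    replay_later = core.accept(captured)         # ... and the old capture is still worthless
    fresh = reader.send(pin, core.challenge(), tap)
    bad = bytearray(fresh)
    bad[16] ^= 0x01                              # attacker flips a ciphertext bit on the bus
    tampered = core.accept(bytes(bad))           # MAC check fails
    return {"first": first, "leaked": leaked, "replay": replay,
            "replay_later": replay_later, "tampered": tampered}


if __name__ == "__main__":
    print("plain :", run_plain())
    print("sealed:", run_sealed())
```

The sealed design only moves the problem, it does not remove it: the key and the plaintext still exist inside the reader, so the keypad matrix or sensor output before encryption is the new tap point, and the reader has to be inside the same tamper-resistant envelope as the core for the scheme to mean anything. That is precisely the system-level lesson the paper draws, and it is why the example labels the key as "assumed provisioned inside the envelope" rather than treating encryption as a fix on its own.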