Prepared by: Onur DUMAN – dumanonur@gmail.com
Quick Announcements:
1. Assignment 2 is due April 7 th at 8pm and email it to TA, no paper copies accepted.
2. Project is due April 22 – give hard copy or email but hard copy preferred, only email if you are out of town and can not give hard copy.
3. Final is finalized and it is on May 1 st
About Assignment 2: For an example pitfall, for Apple's GoToFail, static analysis detects it but static analysis also detects so many things that are not bugs. Background information is about what it does, what exactly does it exploit that type of thing for vulnerabilities. About attacks, it is more important what attacker is allowed to do. Also, what attacks does it enable needs to be mentioned.
Three Classes left, this lecture about hardware, after that human based procedures like social engineering, usability, procedures in airport security, formal ways to analyze usability. Usability is very important. A lot of vulnerabilities happen because users are not great at security based tasks, not because of attacks. Last two lectures about those topics
Hardware Security
You use hardware whether you realize it or not.
There is hardware:
– In your computer, there is processor, firmware, memory, etc...
– You can have carry around hardware which includes: different kinds of cards, phone has SIM card, RFID, Smart
Card, Bank Card(like Chip&PIN),
Note: Chip&PIN is also smart card but a very specific example of smart card.
Notes about RFID: No chip in them, they are thick since there is antenna in it. Some smart cards have RFID as well. Bank card has a chip, specifically Chip&PIN card.
Example smart card: It has metal contact on it, so when you put it into reader, metal contact interacts with the chip.
Example of a modern bank card: It has a chip, so it is a smart card, specifically it is a Chip&PIN card. New ones also have pay-wave in them where you can just tap it and there is contact list information.
Older technology was like barcodes. Barcodes have passive fixed information. If you have barcode reader, you can read it.
So there is no protection in barcodes. Band stripes used to be secure before because it was hard to get a reader but now you can buy it from amazon for a cheap price.
Check:

http://www.amazon.com/gp/product/B00D3D3L8Y/ref=pd_lpo_sbs_dp_ss_3/183-7079204-4596350?
pf_rd_m=ATVPDKIKX0DER&pf_rd_s=lpo-top-stripe-
1&pf_rd_r=0ZFS4J2PQSV23TCB3CJD&pf_rd_t=201&pf_rd_p=1944687742&pf_rd_i=B006RE896K
So, we are not considering barcodes and band stripes since there is no protection. If you have a reader, you can read it. In terms of band stripes, there is no security at all.
In the future, one thing people are really excited but it does not exist yet:
PUF(Physically unclonable functions)s: A lot of materials can be fingerprinted when you manufacture them. As an example, if you have a piece of paper, exact paper fibres on your paper uniquely identify that piece of paper. So, every other piece of paper have slightly different fibers and layout. So, you can authenticate using a single piece of paper. So, you can scan a piece of paper with high resolution. There is a scientific paper in which they used commodity scanners: http://citpsite.s3-website-us-east-1.amazonaws.com/oldsite-htdocs/pub/paper09oak.pdf
Basically the idea is, if we know how a paper looks like, we can't produce another piece of paper that exactly looks the same. We can't physically manufacture it to match. So, they have a fingerprint that can not be replicated. The way to use them is to use them as challenge response. Message is sent to physical object( as an example, you may hit it with light and light may reflect back). If you change the object itself, they both react differently. If you send information to one, you get back a unique response. If you send message to a different object, you get back a different response. These objects are impossible to clone. In order to answer the challenge, you have to physically have the device or function. Like circuits,when you send them signal, they reflect back unique signals. There are different ways of doing this. So, this is futuristic, like bank might give you one of these. When you go to ATM, it uses physical properties of the object to make sure you are the only person who has that object. Only one object in the world of that kind and you have it.
Attacks:
First a brief overview of attacks is going to be given than specific cases are going to be mentioned.
– Physical attacks: Main thing that differentiates hardware from software is that you are doing physical attacks. You can do protocol based attacks or software based attacks, as example you can attack the processor at software level.
But for hardware security, we are concerned about actual physical attacks. So, we are doing something physically with the object.
– This raises the bar (the fact that you can attack physically) for attacks as opposed to software : You need some special equipment and you need knowledge as well to attack hardware. To attack Software, it is easier since there are automated tools for it. However, to attack hardware, it is a lot harder since you have to physically do things with it. Hardware differs from software in the sense that you can't just download some code and run it and find vulnerabilities in a piece of hardware. If you have a program, you can implement it in software or you can put it on a chip. If you put it on a chip, it is less likely to be exploited than if you run it in software.
– Secret is hidden by hardware: The property hardware does is trying to protect some secret. In a bank card, your pin is encoded. If you are able to put some probes in the chip and read the PIN, it would be useless. There are also cryptographic keys that are used to authenticate card that is being issued to you by the bank. If you rip those keys out, that also would work. In metro card, there is a balance. Same for buss pass, subway pass. Balance is encoded in card. You can put probe and overwrite that information. If you are able to do any of those kinds of those attacks, it would be useless. There can be a secret hidden by the hardware, or it can be a property that is unwritable. Like in bus pass, balance in the card is not a secret and available to terminals but at the same time users shouldn't be able to overwrite it.
– Confidentiality and Integrity: We think about confidentiality if something is hidden. Confidentiality matches with
“Information Disclosure” in STRIDE.
– Integrity: We think about Integrity if something is unwritable. Integrity matches with “tampering” in STRIDE.

* In the exam if you are asked: What STRIDE category is overwriting the balance on your subway pass?
The answer is: Tampering
* In the exam if you are asked: What STRIDE category is if the attacker gets your PIN on your bank card by putting your bank card on terminal?
The answer is: Information Disclosure attack. Not tampering since you are just learning secret information. You just read it because you have the right probes to read it but you didn't tamper with it. Tampering is modification. However, if you overwrite the PIN, in that case it is tampering.
* If you fake the terminal, it is considered as Spoofing. However, we consider two main attacks in hardware which are tampering and information disclosure.
Attack Vectors:
1) Someone has to fabricate the hardware: If you have hardware, someone has to make it. There is a factory somewhere that made your card. This factory:
– Programs it with secrets
– In terms of making things unreadable, there is a common technique which is: have memory with read access in one component, and write access in other component. Program it and destroy the component for writing into chip: Usually on the card, there will be a piece of circuitry for programming a memory location with whatever you want. There will be a separate piece of circuitry for reading from that location. In bank case, factory ships cards out and give them to bank, bank writes the data to it and they physically destroy the component that allows them to write. As an example, this can happen with a laser (writing on the chip with a laser) and they physically destroy it. In subway pass, this is not applicable since you need to keep writing data to it. Terminal should have write access to location where balance is stored but the user shouldn't have write access to that location. Usually, this is handled at protocol level. Unless you have instructions signed by certain certificates, the card will ignore write commands.
* Reprogrammable or programmable cards: You are able to program the card as many times as needed.
* Un-programmable cards: you set the card once and it is set forever. In bank card case, there is a way to overwrite the secret.
* In order to fabricate things, there is another question that should be asked: “Does the circuit do what it is supposed to do?”
As example: Circuits do encryption on board, there is AES command, you send it to processor and it will do AES encryption. How do you know that AES is implemented right, how do you know there is no backdoor in it which can be if you ask it to decrypt using a certain password, it may reveal the secret key. There are so many different ways to program a backdoor. Essentially:
2) You have to trust labs that are fabricating those chips: Labs get certified. There is a process where people go in, they audit it, they look at employees, etc... There is a whole procedure for it, than they claim that “This lab is a trusted lab”. If you want to manufacture secure chips, you can use one of those labs that has certification from independent third party for making those chips. However, there is less factories that have those certifications than there is demand for factories to produce chips.
Another thing that can be done is to Attack the Supply Chain:
Supply Chain Security:
1) Spy agencies have intercepted large shipments and tampered with devices: Someone has to ship those devices, you can intercept them as they are being shipped. It is not possible to change every device manufactured by the factory but in this case, you can change hundreds or thousands of devices.
* Large leak of intelligence data from Edward Snowden: In one of the documents leaked by Edward Snowden, it is explained that NSA plants backdoor in CISCO products. NSA intercept shipment of CISCO devices without CISCO's

knowledge. They take those devices into a facility, they open packages very carefully and equip those devices with hidden surveillance tools. Than they repack those devices in a way that users are not able to notice those devices have been tampered by NSA. After that, they resend them back to where they were going. You can't tell that product was physically tampered by just looking at the product. Product can no longer be trusted since it does not perform what it is supposed to perform anymore. This allows NSA to eavesdrop on many communications. More on this story is found on the URL: http://www.infoworld.com/article/2608141/internet-privacy/snowden--the-nsa-planted-backdoors-in-cisco-products.html
This story was also explained in a book by Glenn Greenwald called: “No Place to Hide”: http://www.amazon.com/No-Place-Hide-Snowden-Surveillance/dp/162779073X/ref=sr_1_1?
s=books&ie=UTF8&qid=1427915782&sr=1-1&keywords=no+place+to+hide
2) Point of sale terminals: NEXTEP is one of big point-of-sale terminal producers. They are investigating a possible data breach because law enforcement notified them about a pattern of fraudulent use of credit cards that have been used in locations where NEXTEP provides point-of-sale terminal. Security breach on their terminals affected more than one location. Before, there was an attack called “ de rigeur”, which was breaching PoS systems by exploiting companies' remote administration tools and uploading malware like Backoff that exflitrated magnetic stripe data residing on PoS devices. So, most probably PoS terminals were compromised by an employee in the warehouse before they were shipped. More on this story on: http://www.darkreading.com/attacks-breaches/point-of-sale-device-manufacturer-investigating-card-breach-at-soupfranchise/d/d-id/1319408
* So, it is not possible to tell if a product is tampered by just looking at the product.
3) Accidents:
- There are memory based hardware devices which include things like USB keys, digital picture frames: It is possible that you buy one of those devices and there is malware on it. So, since it contains malware, you plug it into your computer and your computer gets infected assuming that your computer is still vulnerable to that malware that's on the device. As example, your Windows was not updated and it gets affected by malware by some digital USB based device.
* It is still questionable if this can be called as an accident but the most logical explanation is that “When Quality
Assurance department of the factory which produced those devices plugged those devices on a computer to test them and to make sure they work, the computer which they plugged the device in contained malware and malware got leaked on the devices”. No-one was intentionally was sending malware, it can be a sabotage. It is not like a crime where you intercept large packets, this is most likely an accident.
* This affected big companies like Dell, IBM, Samsung, HP, Apple, Toshiba – All those companies have at least one example of shipping a product that came with malware.
One such incident can be found on: http://blog.trendmicro.com/trendlabs-security-intelligence/yet-another-digital-picture-frame-malware-incident/
So, all of those ( intercepting shipments, compromised point-of-sale terminals, accidents) are main reasons why you might get a bad piece of hardware. In this case, hardware is attacking you. That's one aspect to look at hardware security, the other aspect is you have a piece of hardware and you want to attack it, not a defective hardware affecting you(not it is attacking you).
Attacking Circuits a) A circuit can be: RFID ( Radio-frequency identification) , smart card, micro-controller, ASIC (A pplication-Specific
Integrated Circuit ), FPGA ( F ield-programmable gate array)
- RFID is passive, you just send it a signal and it responds, you can't program it. It doesn't do any computation based on what you sent it (a smart card does)

- A chip, or an Ardino chip is a micro-controller.
- An ASIC is a fabricated circuit. Circuit that was custom made for a specific implementation. All processors are
ASICs.They are expensive since they are custom-made. You have to buy thousands or tens of thousands of them. So, you have to do lots of testing with FPGAs before you commit your design to an ASIC to make sure the circuit works as expected.
- FPGA is a programmable chip. When you get it, the chip is blank. You can use software to program it to do whatever you want. They are not as fast as ASICs since they are general purpose hardware that can be reprogrammed to implement circuits. It is bunch of gates and you wire those gates in a particular way to implement your function. FPGAs are faster than software but slower than ASICs.
* An attack called “Rawhammer Attack” was mentioned in class. It is an attack where the attacker gets super user status by exploiting DRAM weakness. This is a memory attack but this is also a fault based attack at high level. This attack exploits physical weakness in certain types of DDR memory chips to elevate system rights of untrusted users of Intel compatible
PCs running on Linux. More on this attack: http://arstechnica.com/security/2015/03/cutting-edge-hack-gives-super-user-status-by-exploiting-dram-weakness/ b) Why do we attack circuits? Reason is typically to recover a secret/ program chip: Usually we are trying to recover some secret that is embedded in the hardware or we are trying to program the secret to certain value we want by attacking the hardware. These types of attacks are based more on trying to recover secret. c) The secret can also be the actual algorithm itself. In some cases people manufacture hardware and they don't tell you what the algorithm is used for encryption. If you can just reverse engineer what the algorithm is, you may find flaws in the algorithm. In Cryptography, there should be no secret algorithms. According to Kerckhoffs's principle, security should only depend on key. However, people make their own algorithms and they keep it secret thinking that keeping the algorithm secret adds more to security. Others reverse engineer the device and get the algorithm and in most cases it was found that the secret algorithm used was not a standard algorithm and it was not secure. Designing a secure algorithm is really hard to do. If you don't know how a standard algorithm works, it is really hard to design a secure algorithm. Most of such algorithms which were kept secret, often got broken.
Attacks that can be performed on circuits:
1) Blackbox testing:
It is basically se nding inputs and getting outputs.
* In class a question was asked which was: “Let's say you have one OPUS card, if you have 50-100 and you learn the algorithm how it is working in each one, can you attack them based on algorithm?”
The answer was: Certain algorithms could be vulnerable too if you have bunch of different cards issued. As an example, in bank PINs, sometimes they are encoded funny. Attacker does not know what the PIN is but the attacker sees a bunch of data. Attacker sets the PIN, changes PIN 100 times and there is one piece of memory that gets changed which is 4 bytes.
Attacker concludes that PIN is stored in those four bytes. This is a differential analysis. Hard part is getting that secret out, you can't just dump contents of your OPUS card. It won't let you dump contents of it.
In Blackbox testing: You just send inputs to the device and see how it behaves. Based on input-output behaviour, you figure out what type of algorithm it is running. Example of this is:
* SpeedGas: It was an early RFID. You get a Gas Card and tap it, rather than charging your bank card, it charges your gas card. It was proprietary, they did not disclose the crypto. They were using stream cipher. In stream ciphers, it is a big challenge to figure out the algorithm just by looking at plaintext and ciphertext. Researchers went to a bunch of documentation and they found one powerpoint presentation given by someone who worked in the company that implemented these cards. The algorithm in the presentation was not exactly what was used in SpeedGas but it was close enough.They made some minor modifications to the algorithm they found in the presentation, using this they were able to find out what algorithm was used in SpeedGas. So, they broke it and they could do things like charging their card and not paying for it.

* This method is classified as non-invasive: In non-invasive, you don't ruin the card/chip while performing the attack. In invasive attack, you learn the secret but you can't use the card after. As an example, by performing invasive attack to a bank card, you can learn the PIN but since you have destroyed the card, you can't go to an ATM and use the bank card. In some cases, it can be fine to destroy the chip/card to learn the secret but not in bank card case.
* Fuzzing: This is another thing you can do which is classified as blackboxing. We send lots of random and weird inputs to the device and we might get weird responses and we can find things like undocumented features. A lot of times device has special factory modes for testing. User is not supposed to be able to access testing mode. You need to find right commands to send the device so the device goes into testing mode. As a result, you are able to program things that you are not supposed to program or read things you are not supposed to read.
* In order to perform blackbox testing to a smart card, you have to put it into a reader. Your software-based fuzzer is communicating with the reader. The reader sends to software and software sends to reader. So, there has to be an interface to read from the card.
2) Physical Probing: A probe looks like:
This is an example probing hardware which is called “Florida Probing”, more information can be found at: http://en.wikipedia.org/wiki/Florida_Probe
* Used to measure data, typically off a bus: You stick a probe into the chip and you are going to read data( at electrical level, data is voltage so you are measuring waveform) from the chip. There are wires that connect components to each other called bus. That's usually where you are trying to read from. You can also read from memory locations if it is transistor based memory.
* Probes can have sub-micron precision: Probes have to be very precise down to sub-micron level, which is very very small.
In that case, we are talking about doing things that are at microscopic level.
* This is an invasive method: You have to physically bind probes in order to read from the device. It basically destroys the circuit. It destroys the chip, you can't use it when you are done with probing. You can use it in cases where learning the secret is enough. As an example you may have two cards and learning the secret from the first card helps you with the second card.
*Slow down the clock: A lot of circuits are driven by clock. These circuits are called synchronous. In this case, you can slow down the clock. Consider clock like a heartbeat. Clock is a component telling the circuit how fast to go. You can replace with your own clock, which is very slow. That gives you a lot of time to read the voltage. You can also rewind sometimes.
3) Reverse Engineering:
* MiFare: For subway cards, MiFare is a big one. It is a smart card. It was used by lots of subways early on.

* Attack on MiFare: MiFare is a smart card. It was running a proprietary algorithm( no-one knew its crypto algorithm). In order to recover the algorithm, they put it in acid and expose the circuit. Once they were able to recover, it was a weak algorithm. Before you attack the crypto, you have to figure out what the actual algorithm is doing. They took the card and they wanted to physically expose the circuit. Firstly, circuit is covered by plastic. Also, when you manufacture a circuit, there are different layers on top it. In this scenario, the attackers wanted to remove all the layers until the physical circuit can be seen. They wanted to be able to see the gates. They used different combinations of acids to remove metals and plastics and they were able to expose the circuit. Once they had the circuit, they took high resolution photographs of it and they took photographs and put them inside computer. Than they used machine learning(they created layouts of different gates like NAND gates) to figure out the circuit used. Machine learning translated photos into circuit layout. Once they knew the circuit, they knew the algorithm. So, they broke the algorithm. It was a crypto algorithm and it was weak. Details of the attack can be found on: http://proxmark.nl/files/Documents/13.56%20MHz%20-%20MIFARE%20Classic/The_MIFARE_Hack.pdf
* MiFare is RFID and smart card. It is a combination.
4) Fault Generation: It is more protocol kind of attack.
* Some technologies fail:
Some devices work according to following states: open -> get response -> get privilege
*TV providers: In that case, provider sends a message like “Are you permitted to have access to this channel? Did You pay to access this channel? ”. It is up to your device( your set-top box, your satellite box) to respond with NO. If your device does not give any response, TV provider just gives you access to this channel. This is obviously terrible security.
*In this case, you turn your device off when your device is about to respond. Or, you can act as MITM and drop the messages. Or, you can cut the power at the right time. These are more protocol level attacks that involve hardware. In this case there is no encryption, even if there was you could still drop the messages.
* In another attack, people add scotch tape. They tape part of their set-box device, they would flip the channel, reveal the tape off and watch it.
* Cutting the power at the right time and then re-power it, that is deliberately creating a fault. You can cut the power at the right time that is non-invasive
* You may modify memory contents, you can flip bits in memory. This is also non-invasive.
• Glitch(rapidly change) the clock or power: Circuits are driven by clock, you can change the clock in a glitchy fashion. That can cause bad circuit execution, certain gates do not execute. You can introduce faults this way. Also, you can drop voltage very quickly to create glitchy things. This is also non-invasive
* You can heat up components. Circuits behave differently in different temperature. As an example, a laser can be used for this purpose. You shoot laser to components, it heats them up and as a result that component fails or behaves differently.

These are semi-invasive. There is risk you may cause permanent damage. You should make sure you do not heat up too much in order to prevent permanent damage
* You can modify chip: This can be done bu cutting wires. At circuit level you are destroying electrical bus by shooting a laser. This is invasive. Chip is permanently damaged. This may allow to bypass things, it may allow error states not communicated to right places, etc... You may run the chip and cut wires at the same time, there are different techniques of generating faults.
5) Side-Channel Analysis:
* This is non-invasive: Since it is side-channel, you are not damaging any components.
– Power
– Long time ago used in ATMS. When you press a button, voltage changes. Every button has different voltage, there are slight differences between buttons. They measured the voltage at a very sensitive level, they read PINs as people type their PINs, just by looking at voltage.
– NSA used power analysis to read key in TPMs. TPMs are used by Windows to encrypt hard drive and they store a key to encrypt hard drive.
– Timing
– Used a lot with crypto. As an example, in RSA you take a message and to encrypt you raise it to public key and to decrypt, raise power of secret key. There are math operations, mostly exponentiation. For a key with lots of zeros, it is very fast to compute the exponentiation. Key with lots of ones, it is very slow to perform exponentiation. By looking at timing in decryption, you can guess the key.
– Timing attacks are also used in software. A timing attack was used in SSL servers: You send a packet, server signs the packet and sends back, based on distance you are able to infer what their private key was.
– Electromagnetic Emissions
– In Netherlands, they used DREs( like ATMs but for voting), buttons for each candidate, button for one candidate emits different frequency from another candidate. So, an adversary is able to stand outside polling place with a radio and based on frequency, adversary can guess which candidate was selected.
– Acoustic Sounds
– In old computers, there was so much noise during computation. Acoustic sound was used to attack RSA. One of the inventors of RSA, Adi Shamir, had a very sensitive microphone, he listened to his computer as it was doing RSA encryptions, he made recordings. Gave those to machine learning algorithm and he learnt RSA key stored on computer based on those acoustic sounds. This attack is detailed in: http://www.tau.ac.il/~tromer/papers/acoustic-20131218.pdf
*In Side Channel Analysis: You take hardware and run the circuit normally but you take sensitive measurements of different things. These are side channel, they are outside of threat model. They are all information but because we normally think about channels as actual data. These are not main channels. As an example, when you design crypto, you do not take how much power it takes into account. In OpenSSL, it does not matter whether bit of key is 0 or 1, it follows exact same steps. It will do exact same operations in exact same order, whatever the key is. It is slower but it is constant time.
Counter-measures:
* Obfuscate Data: Regarding probing, you can obfuscate data( scramble, encrypt) on buses. Data moves across buses. If you encrypt it, you have to add circuitry to encrypt it. Same for decryption. It is going to be on circuit. Usually, they try to make it complicated to adversary by bouncing data around different buses or XORing data with randomness. Technically, this is a stream cipher. They do things to make it more complicated for the adversary.
* Obfuscate the ASIC layout: When you do ASIC design. Everything is organized hierarchically. There are logical places to put components. Components are put close to each other to run faster. Actual VLSI design, you are able to read the circuit out relatively easy. However, you are able to make components, that are at totally different ends of circuit, talk to each other. Also, you can have many jump gates that do nothing. Lots of things to do to try to make the ASIC layout obfuscated.
Another thing that can be done:

– 3D Stacking: Expensive technology, so not used frequently. Circuit consists of three layers:
When you do this, your bottom layer is hidden. To be able to reach bottom layer which contains chips, you need to destroy top two layers. This is very difficult to achieve. In this case, it is difficult to reverse engineer. Also circuits may be face down, so when you look from top, you are not able to see anything. This is a countermeasure that makes it more expensive to attack these types of circuits.
* Put metal mesh on top of the circuit: If you probe the circuit, it will cause a short circuit. This mesh is connected to different spots in circuit. If it is touched, it shorts out. When it shorts out, different things can be done like it may cause a memory reset. You have to remove that mesh before you probe the circuit. This just makes attacking the circuit more expensive, it is not a bulletproof method.
* Side Channel Analysis: You can put physical shields. Instead of mesh, it can be an actual layer of metal. Any electromagnetic radiation may get caught by that layer. If you are worried about acoustics, soundproofing can be done.
- Asynchronous circuits: You can use asynchronous circuits. This helps with timing attacks. In synchronous circuits, there is heartbeat in the circuit. However, asynchronous circuits go as fast as the electricity goes through the circuit. There are certain parts of circuit that wait other parts to complete before any operation.
- Decrease the signal to noise ratio: Information you are trying to read is a signal. In communications, there is a signal to noise ratio. You have to take so many readings because there is a lot of random variation which is noise. So, in order to prevent signals from being read, signal to noise ratio can be decreased. So, by weakening the signal or strengthening the noise, you make it harder for side channel analysis. You can add artificial noise. Noise does not mean acoustic noise, it can be power noise, or it can be emitting randomly electromagnetic interference. Also, you can try to decrease signal. As example, if you have a low power circuit, power analysis becomes really hard because the voltage fluctuations become so small. Even if you add artificial power noise, it becomes even more impossible to pull the data from the circuit.
Methodologies:
- No good methodology: There is no static analysis or dynamic analysis for hardware. There is not something you can do that finds hardware flaws in your hardware. This is an open question. So, there is lots of research to be done in this area.
*Example: If you are given a chip and asked: Can you probe it or not, there is no recipe to say Yes or No.
-Domain Specific Knowledge: You know a lot about how circuit fabrication works, you use that knowledge to determine if a circuit is secure or not and there are no general methodologies.
-Follow Requirements Engineering Process: This way, you get a good idea about what security requirements are needed.
You get a good idea about what are hacks you need to prevent and what attacks can be performed and what attacks are too unrealistic. If the attack affects only one card, it is not a big deal.
*Example: Someone finds a way to get into subway for free but they need to spend $1M to break the chip, this is not a feasible attack.
-Common Criteria / NIST have protection profile: They have protection profiles for hardware. A requirement does not tell you how to do things it just tells what should be done. They are descriptive, not prescriptive. They just tell properties, not how to achieve them.
*Example: Requirement states that someone can't probe your chip. It does not say: “This is how you mitigate it”.
*Hardware hasn't given same attention as software. Hardware attacks are at a scale lower than software attacks, people start attacking software before hardware. Software is free to attack. Hardware, you need special equipment, it is not free to attack. As an example, if you are given a software and asked to perform static analysis, it is not guaranteed that you can do a great job, but it is feasible to perform static analysis on software. However, if you are asked to increase balance an OPUS

card with hardware attacks, you need terminal and probes and all sorts of special equipment. In that case, it may be better to put secrets in hardware instead of software. However, in terms of securing your technology, there is a lot less science in hardware than in software.
Example Attack:
-Chip&PIN: EMV( Named after EuroPay, MasterCard, VISA) is a frequently used protocol for smart card payments. It is known as Chip&PIN by customers. EMV secures credit and debit card transactions by authenticating both the card and the customer presenting it through a combination of cryptographic authentication codes, digital signatures, and the entry of a
PIN. Attackers found a flaw which allowed them to pay using a genuine card without entering PIN and remain undetected .
The fraudster performs a man-in-the-middle attack to trick the terminal into believing the PIN verified correctly, while telling the card that no PIN was entered at all. In the receipt, it states verified by PIN, so most banks ignored disputes. This attack is a big flaw in Chip&PIN found by researchers in Cambridge University. This attack worked in UK so there is no guarantee it will work in Canada since Chip&PIN implementation may be slightly different.
-Protocol Attack: This is a protocol attack and the attack is implemented using custom hardware. Basically, this attack exploits a flaw in Chip&PIN system. In order to implement the attack, you have to use custom hardware. A flaw in
Chip&PIN allows terminal to think that correct PIN was entered. It allows card to think that a signature authorized the transaction, no PIN was entered. At the end, receipt says verified by PIN. The bank thinks the PIN was entered correctly, but the attacker did not know the PIN( From the attacker's perspective, any PIN can be entered, since card is tricked that no
PIN was required).
- Basic attack: The attack is basically using a bank card without knowing the PIN. This is worst kind of attack you can perform against a bank card. A worse attack than this would be being able to withdraw money when you don't have the card and you don't know the PIN and you manufacture a fake copy of the card.
*In this attack, you steal someone's card and you can go and start buying things even though you don't know the PIN.
* If you withdraw money from ATM, it uses a different protocol than a PoS terminal. The attack mentioned here works on
PoS terminals, but it does not work for ATMs. In this attack, you can purchase things using debit card, but you can't withdraw money from ATM.
EMV protocol is split into three phases which are:
– Card authentication: Assures the terminal which bank issued the card, and that the card data have not been altered.
– Cardholder verification: Assures the terminal that the PIN entered by the customer matches the one for this card
– Transaction authorization: Assures the terminal that the bank which issued the card authorizes the transaction
Notes: Bank plays a minor role in this protocol. Bank is more than one bank, there is bank who supplies the PoS and there is also bank who issues the credit card. As an example, the grocery store might be using TD terminal but customer's bank card may be CIBC credit card. There is bank which is issuer of the credit card, also there are other banks, for simplicity, all of them are collapsed into one bank in the description of Chip&PIN protocol and the attack.
1. When you stick the terminal, protocol is negotiated between PoS device and the credit card. There are so many different protocols and 50 different crypto algorithms, so they always negotiate the protocol first. Negotiating protocol has nothing to do with attack.
2. Than the card sends account information( like bank card number, expiry date, etc...), this information is signed by the card. Card's key is signed by a root certificate. Terminal has the root certificate in it. This is like SSL. The bank itself gave you your card, they signed something that signed something so there is a key embedded in your card. As an example, terminal knows CIBS's key so when you put the card, terminal knows it is CIBC's key. So, they conclude that this is legitimate card that came from CIBC. Terminal concludes that the card was issued by the bank in question. So, when terminal talks to the bank, it knows who to talk to. Since, there is a key embedded in the card and signed by the bank, you won't be able to invent your own card and start spending with it.
3. Terminal asks user for the PIN.
4. User enters PIN
5. Terminal sends PIN to the card. Card knows the PIN. That's the other secret embedded in the card other than bank's key. Card is going to say if the PIN is valid or not.

* Each card has a unique key signed by the bank. This is similar to many websites signed by the same CA. Root certificate is bank's secret. In addition to this, every card has its own secret. Terminal has hardcoded just the root key.
6. Card asks if PIN is correct. Answer is either YES or NO.
7. If the PIN is correct, card just sends “VALID” message. If the PIN is incorrect, card increments number of attempts, and sends “INVALID” message with number of attempts remaining to try.
* Bank does not know your PIN. Terminal asks the card “Is this the PIN that is stored in you?”. PINs are not stored in the bank, PIN is on the card. User can change their PIN and bank does not know. In this protocol, just terminal asks the card if the user entered correct key and card responds with YES or NO. However, in online PIN protocol, bank knows your PIN. This is the reason the attack mentioned does not work with ATMs. Copy of the PIN exists on the card and there are terminals which work offline without communicating with the bank.
* Your card is keeping track of number of wrong PINs you enter.
* Problem #1 with the protocol: The response from the card which states if PIN is valid or not is not signed or authenticated. A man-in-the-middle can change the response and make it “PIN is valid”. This is basis for the attack.
8. Terminal sends details of the transaction to the card. These details include amount on transaction, currency used, time of transaction. It will also include a status which basically states “Everything is OK”.
* If there was a problem( things aren't OK, there is a bunch of code you can encode). As example, keypad on terminal was broken, terminal would send a code that says “I wasn't able to ask for the PIN since keypad was broken”. However, in terms of this attack, nothing goes wrong. Always “Everything is OK” message is assumed.
9. Card signs details sent to it and card also includes its own details. If the user has entered a PIN and if the PIN was correct, this fact is also encoded in card details. Card basically states: “I agree about all the details sent by the terminal, in addition to this, I was asked about the PIN and I said that the PIN was correct”. And signs the message r=[Details by Terminal, Card Details including “Entered by PIN”] by MAC. Terminal checks Details given by the card to check if they match details sent by the terminal. About card Information, this is the part terminal can't understand, it is signed in a way that only bank can understand.
10. Terminal forwards the response: r=[Details, Card Details (including “PIN Entered”)]
MAC to the bank. Bank checks funds, runs bunch of algorithms to see if this is a fraud or not. At the end, the bank either authorizes it or not.
11. Bank sends “Authorized” or “Not Authorized” message to the terminal. If it is authorized terminal will display the message stating transaction went through. After that there are some more steps where terminal asks more information to the card and at the end terminal sends transaction certificate to the bank.
Here is the sequence of events in UML Sequence Diagram:

So, if we don't know what is the PIN or just by entering “0000” for the PIN, how can this bank card be used?
Two things that are wrong with this protocol:
1. The message stating PIN is valid or not is not signed.
2. Terminal does not know card details, card details can not be read by the terminal. So, if card says something that has not happened in reality, terminal is not able to say: “Wait a second, that did not happen”
* These two properties are going to be used to exploit this protocol. Attacker is going to be a Man-in-the-middle. Attacker is going to be man-in-the-middle in steps 5,6,7. Man in the middle behaves like a card while communicating to the terminal. It behaves like a terminal while communicating with the card. Man-in-the-middle is going to relay messages and he is going to change some messages.
From terminal's perspective nothing changes, it asks for PIN from the card. Since “Valid PIN” message is intercepted and not signed, man-in-the-middle sends terminal the message “Valid PIN”. Since “Valid PIN” message is not signed, terminal

doesn't know that it came from the card. If the terminal immediately sends transaction details ( message number 8 in the flow), card is going to block the transaction since card will say: “You did not even ask me for my PIN”. In order to trick the card, there is a small trick. Banking systems have to be compatible and things happen like keypad on terminal breaks, internet connection goes down, etc... There are all these fallbacks. So, man-in-the-middle sends the credit card : “No PIN required, we got physical signature” message. In some cases, terminal does not ask PIN, just prints out a receipt, user signs the receipt and this is considered as authorization of transaction.
* Card gets message “No PIN required, we got client's signature”. So, if the terminal sends details message, card is no longer surprised by it. Card was not expecting a PIN, so it was ready to receive transaction details message.
* In Message #8, there is status code, terminal sends status code “Everything is OK, user sent the correct PIN”. In that case, card should say “Wait a second, I was never asked a PIN”, in that case the fraud would be detected. There are problems with status code:
Here is the sequence of events where there is man-in-the-middle:
Issues:
1) PIN Valid or Not Valid is not signed as explained
2) Details are not detailed enough: If the transaction required a signature and user signed it, terminal sends exactly same message as in the situation where the user has entered correct PIN. In this case, status code states “We required a signature everything is OK”. Status message doesn't change so terminal thinks different set of events happen, card thinks different set of events happen. They are supposed to agree on what happened but these events are similar enough so that there is no difference in the status code. So, they can't tell the difference between two events. So, not enough details to detect this attack.
* In card details, it card says: “I did not validate the PIN because I was not asked, terminal mentioned it is signature instead”. So, details “Status OK” message says nothing if there was a PIN or not, but the message “Card
Details” has that information.

3) After that step, terminal could say: “Wait a minute, I asked you about the PIN and you said the PIN was valid but in card details, you say 'No PIN required, physical signature protocol was used instead'. ”. However, card details can be read by the bank but terminal can not read that information. So, the problem is terminal can not read card details, terminal can not parse card details, only bank can. Terminal says everything worked fine. It passes details to bank. Last chance of detecting the attack lies with the bank. Bank receives this message and it knows that “No
PIN required”, however bank does not know that terminal asked for the PIN. To the bank, it looks like a normal message since it gets : “It is OK, customer signed for it”. Bank won't flag it either. Bank thinks customer signed for it, card thinks customer signed for it, terminal thinks it was given a valid PIN. So, everyone is happy but in reality, this transaction was not authorized.
This attack was implemented in real life:
More details about this attack:
The article: http://www.cl.cam.ac.uk/~sjm217/papers/oakland10chipbroken.pdf
Video: https://www.youtube.com/watch?v=JPAX32lgkrw
* Real life implementation: In the picture above, real life implementation is demonstrated. There is a real card, computer communicates with the real card using an Ardino chip, there is a FPGA which gets information from real card and sends to fake card at the other end. They wanted to use it in real life but there are too many equipments.
So, they put all devices inside a big knapsack (contains laptop and FPGA) as seen in the video link given above.
Wire that was running to circuit from fake card was going under the attacker's sleeve, so it was hard to detect.
There was a wire that was attached to fake card.
* In Chip&PIN, you are the only person who is allowed to touch your card. People working in stores are not allowed to touch your card.
* When this attack was discovered, banks could not say: “Ok, everyone is getting new card tomorrow”. So, it is really hard to update and replace the system when you deploy a new technology. Most probably, this attack won't work in cards issued in Canada.