11 comments

[ 3.1 ms ] story [ 29.8 ms ] thread
> The required time and effort are quite low: “For our measurements, we needed a DESFire MF3ICD40 card, an RFID reader, the probe and an oscilloscope to measure the power consumption”, says Oswald. This equipment only costs a few thousand euros. Having obtained knowledge on the characteristic properties of the smartcard, the attack takes three to seven hours.

So you need a few thousand Euros of equipment, some knowledge, and undetected access to a card for three to seven hours... --considering the requirements to be "quite low" is just the typical security world scare-mongering journalism.

To a cryptographer, that is "quite low". It's not that uncommon to use algorithms where the best known attack takes something like 10 times the lifetime of the universe, assuming every single quark and every tiny bit of energy is used for computation.

(A bit of perspective: this is not really a new result, the same group has cracked similar systems before. Smart cards are quite hard to protect from side-channel attacks.)

Yup. It's not about being able to get on Melbourne trains for free, it's about being able to get access to your competitor's research lab, or to their mergers & acquisitions plans, or whatever. In that context, a few hours and a few thousand euros is absolute peanuts.

I used to work for a DRM company, and the physical protections designed into those things (not near-field, just standard smartcards) was ludicrous. self-destruction on exposure to light. Measured to ensure that you can't detect good or bad keys by: thermal emissions, electric resistance, electrical consumption, time to respond, and rf emissions.

All of that on top of the standard cryptographic requirements makes smartcard design an incredibly challenging proposition, and one that is ultimately futile in my opinion. For example, the last I heard from friends in the biz was that the crackers are still just using agregate measurements, but what happens when they start using high-res thermal imaging? You'll have to make sure that there is no special hotspot (or coldspot) on the chip when decryption succeeds. The same applies to RF emissions. Not easy.

Yeah. And that's just passive attacks. It gets even scarier when people start creating faults with precisely-timed laser pulses (this equipment is commercially available). Etcetera.

Theoretical cryptographers have recently begun studying this kind of problem (in fact, that's what my PhD is about). That may help. Or not. But throwing the problem "over the wall" to the engineers hasn't worked that well, and I hope that some theory can be helpful here.

Joachim, I totally agree with you on the comparison of requirements for power analysis (side channel) attack vectors versus cryptanalysis attack vectors against well vetted algorithms. The difference can be staggering as you mentioned.

The issues I take with calling the requirements "quite low" are two fold; (1) Most people could never succeed with this attack vector, and (2) Most people would never bother. This certainly isn't "FireSheep" which really does have "quite low" requirements, and getting free bus passes in San Francisco is certainly not worth the time, expense, and effort, so most people would ever bother to do it.

BTW, I've collected some interesting papers and whatnot on side channel attacks. If you want them, email me, but knowing you, you probably already have most of them. ;)

getting free bus passes in San Francisco is certainly not worth the time, expense, and effort, so most people would ever bother to do it

Selling fake bus passes might be worth it though

"This equipment only costs a few thousand euros... the attack takes three to seven hours."

Hiring the equipment would be possible. I bet it would bring the price down to under a hundred euros.

What's the price for a 'drive all you want' public transportation card in SF or Melbourne? What are the requirements to buy one? Can I buy a card ~anonymously~ and just unlock it for a month, maybe even with cash?

What I'm trying to get to is: Is there a (illegal) business model possible, a la

- invest 'a few thousand Euros' for equipment

- buy and unlock such a card for a month/year (maybe with stolen details, if necessary)

- copy this card (3-7 hours are no problem, it's yours) and sell it on the black market

Impossible? Why?

I never said it was impossible, but it is impractical. The reason why it's impractical is side channel attacks are not easy, in spite of the claims of the article. If you have the knowledge and skill required to correctly preform a successful side channel attack (passive or induced), a free bus pass, or even an illicit business of selling fake/dupe bus passes, is certainly not worth your time. You can easily make a small fortune working legitimately with skills like that.
The cost is "quite low" relative to the value of property and information that may be protected by this type of device.

Also, 3-7 hours for a typical attack time is notable because it fits into a typical human sleep cycle. You could pick the target's pocket on the way out of the office, and return the card as "lost and found" the next morning.

Super interesting!

Sadly, the 7MB file linked from that article is not a PDF of a published research paper, but an enormously high-res version of the photo to the right of the article.