Now Available: Smart Card Hacking for the Masses?

Published On August 5, 2011 | By Randy Sabett | Data Security, International

At Black Hat this past week, research was publicly unveiled that some commentators say could lead to smart card hacking effectively reaching the domain of script-kiddies. In a session entitled “Reviving Smart Card Analysis”, Karsten Nohl and Chris Tarnovsky promised to “demonstrate a method of extracting application code from smart cards with simple equipment to open the application code for further analysis.” Mr. Nohl has significant experience with hardware reverse engineering, having been part of the team that broke the encryption used in the chip at the heart of the Mifare card. The research presented at Black Hat involves the development of a set of tools that allow the Degate VLSI reverse-engineering analysis tool to be used for easily accessing and analyzing the protocols used by smart card chips. According to the abstract of their presentation, “[t]he protection capabilities of the chips is increasingly used to also keep secret application code running on the devices.” The abstract ends on a somewhat amusingly ironic note by stating that “[s]uch obscurity is hindering analysis, hence letting logic and implementation flaws go unnoticed in widely deployed systems, including credit card systems.” Time will tell whether these tools will be used only for analysis of logic and implementation flaws or whether they will lead to actual attacks on smart cards and other chip-based systems. It does appear, however, that the bar on protecting such smart cards and systems has certainly been raised.

About The Author

Randy V. Sabett joined ZwillGen as Counsel in 2011. He advises clients on information security, privacy, IT licensing, and intellectual property. Randy has over 20 years of infosec experience, including as an NSA crypto engineer and a CISSP. He works closely with companies in helping them develop strategies to protect and exploit their information and IP based on various evolving business models, including SaaS, mobile applications, cloud, and more traditional client/server architectures. Specific areas on which he focuses include information security, privacy, IT licensing, IP strategy, big data, metrics, active defense, venture capital, legislative matters, government contracting, digital and electronic signatures, federated identity, state and federal information security and privacy laws, identity theft, and data breaches. He also drafts and negotiates a variety of technology transaction agreements.