Chip and PIN Tampering

Posted by Gunter Ollmann on February 29, 2008 at 12:21 AM EST.

There's an old(ish) saying amongst Internet security professionals, "if you can get physical access to it, you can 0wn it." Unfortunately too many organizations just don’t grasp the concept.

Case in point – smartcard readers used for Chip & PIN transactions.

A really interesting paper has just been released by the University of Cambridge titled "Thinking inside the box: system-level failures of tamper proofing" which dives in to the fallibility of this supposedly tamper-proof technology.

It’s an important paper not just because of its description of the weaknesses in the Chip & PIN handheld system, but because it also comes at a time when many banks are rolling out new anti-fraud technologies, yet are increasingly placing the financial burden of security breaches upon their own customers. I don’t know if it’s a genuine belief that they’ve deployed unbreakable systems or whether they’re seriously underestimating the ends that organized criminal gangs will go to, but it’s self evident that that old saying still has legs.  In the meantime, customers are routinely accused of negligence or even complicity in any subsequent fraud.

Parallels between the smartcard "shim-in-the-middle" vector described in the new paper and the latest generation of "man-in-the-browser" malware being observed by X-force can be easily made. Both attacks sit in between layers of encryption technology, but manage to intercept key communications 'in the clear'.

Similarly, the apparent complexity of these kinds of security solutions (to an average non-technical customer) are themselves a vector for successful attack – offering many avenues for attackers to socially engineer or obfuscate the nature of their attack.

Another area of their report that I also find interesting are the comments on certification processes – in this case, the Common Criteria lab evaluations – where they state that "market competition may help reduce evaluation costs, but it promotes a race to the bottom between the labs." This is also a concern for the wider security industry (and its customers). While product evaluation labs compete against each other they must continuously balance how vendors will employ their service. If they make the evaluation criteria too difficult, they end up failing too many products, and the vendors cease to use them – meanwhile, if they make them too easy, every vendor ends up with the same 'award' and consequently has no differentiating value, so the vendors will cease to use them.

That said, at the end of the day, the quality of the evaluation is down to the people who scope the criteria and their understanding (if not ‘imagination’) of how attackers would seek to tamper with the technology. So, let’s terminate this late night blog with another even older saying - "there's always someone smarter than you are."

    Copyright 2001-2008 © Gunter Ollmann