909-744-2891

2015-11-07 Crypto failures

Crypto failures

The common thread in all of these is that the encryption system was developed in secret with no peer review, the hardware was then built and installed in large volumes, the encryption was then reverse engineered and flaws were found, and the resulting fixes were either expensive or not widely deployed.

UK Chip and Pin cash card

In 2010, Steven J. Murdoch, Saar Drimer, Ross Anderson and Mike Bond from University of Cambridge published a paper showing how to break the EMV chip and pin system used to protect cash card transactions in much of Europe. The response of the EMV consortium was to dismiss the attack as improbable.

In 2011, criminals in France had reduced the backpack sized Cambridge proof-of-concept to a single chip that could be soldered/glued to a card, and used that to steal about $600K in 7000 transactions. Learning absolutely nothing from their previous attempt at security-by-obscurity, the EMVCo "has implemented countermeasures that would prevent the exploitation of the vulnerabilities that lead to this attack, but they did not share them with the public so that criminals would have a tougher time bypassing them". If these coutermeasures would actually "prevent" such an attack, there is no reason to keep them secret. Instead, it seems they are waiting for either the Cambridge group or some criminals to demonstrate the flaws in their revised system.

The full paper describing the analysis of the French cards is here. In the "Aftermath & Lessons Learned" section, they give a few examples of countermeasures against this specific attack based on a chip module from a FUN card. All of those countermeasures are trivial to avoid by properly implementing the EMVCo payment card specs.

The criminals were caught because they had no sense of operational security. They carried radio transmitter beacons (aka phones) with them while using the modified cards, and they used the modified cards repeatedly in only a few shops. A very slightly smarter class of criminal would not have made such mistakes.

In 2012, Mike Bond, Omar Choudary, Steven J. Murdoch, Sergei Skorobogatov, and Ross Anderson published another paper showing another weakness in the EMV protocol. Rather than cloning the card, the criminals can clone arbitrary transactions. From the bank's view, it looks like the card has been cloned. The banking community has so far ignored this - since it is in their interest to claim that the card cannot be cloned. That pushes the cost of the fraud onto their customers.

They went public at the 2014 IEEE Symposium on Security and Privacy, with a paper extending the previous attack.

GSM phones

Wikipedia has a brief history of GSM at http://en.wikipedia.org/wiki/GSM. An brief introduction to the GSM crypto system is available at http://www.hackcanada.com/blackcrawl/cell/gsm/gsm-secur/gsm-secur.html.

GSM phones were first introduced in 1991. A rough design of the A5/1 encryption algorithm was reverse engineered in 1994, and the exact details were reverse engineered by Briceno in 1999. By 2000, Alex Biryukov, Adi Shamir and David Wagner published Real Time Cryptanalysis of A5/1 on a PC. The A5/1 system was fully broken in 2010. See https://srlabs.de/blog/wp-content/uploads/2010/07/Attacking.Phone_.Privacy_Karsten.Nohl_1.pdf for details and also https://srlabs.de/blog/wp-content/uploads/2010/07/100729.Breaking.GSM_.Privacy.BlackHat1.pdf.

The supposedly more secure A5/3 encryption was also broken in 2010. See http://cryptome.org/a5-3-attack.pdf.

The GSM security model and encryption algorithms were developed in secrecy and never published for peer review. It is possible that some of the flaws subsequently discovered in those implementations could have been avoided by public peer review.

Hong Kong casinos

I ran across a story years ago, but I cannot find it again. The claim was that the casinos in Hong Kong or Macau had designed a cash card so that gamblers could take their winnings (more likely losses) from one casino to another on the same street easily. It became obvious that the encryption was cracked when the casinos were losing money on the gambling part of their operations. The claim was that the entire system needed to be scrapped, a new system designed, and all the gambling machines rebuilt.

It would be nice to find some evidence of this farce, or else evidence that the story is a hoax.

Boston transit fare cards

NXP builds a line of rfid cards, including the Mifare classic card. The encryption system on their cards was secret, so there was no peer review. They they sold this system to many users, including transit systems and building access control vendors. A simple publication of their system for peer review would have prevented all the disruption that followed, since that weak encryption system would have never been put into production. It is much cheaper to fix such problems before the hardware is built and installed in many thousands of buildings.

Many transit systems use Mifare classic rfid cards, which have been broken. In 2007, Karsten Nohl announced a break in the crypto-1 encryption on the Mifare classic cards. In 2008, Zack Anderson, Russell J. Ryan, Alessandro Chiesa and Samuel G. McVeety from MIT published an attack method. See http://tech.mit.edu/V128/N30/subway/Defcon_Presentation.pdf.

The first response from the vendor NXP was to sue to attempt to stop publication of the vulnerabilities. The first response from the Boston transit system http://en.wikipedia.org/wiki/MBTA_v._Anderson was to sue to attempt to stop publication of the vulnerabilities. Both of those attempts were unsuccessful.

The Mifare classic card is also widely used for building access control. Any building protected with such a system must be considered to be open to attack.

Dumb Crypto in Smart Grids

In 2015, Philipp Jovanovic and Samuel Neves published https://eprint.iacr.org/2015/428.pdf about an encryption system that Bruce Schneier says is so bad as to be laughable.