Encryption Security

IBM Crypto Up For Grabs? 230

An Anonymous Coward writes: "BBC Newsnight have tonight shown an article about a group of hackers who are about to release details of the vulnerability of the IBM Cryptographical processors. ( Details here.) The BBC article can be watched online here. Alan Cox makes a starring role ;)" windowlicker adds some detail: "Mike Bond and Richard Clayton, from Cambridge University, have cracked IBM's 4758 cryptoprocessor running the 'Common Cryptographic Architecture' (CCA). You can do the same with $1000-worth of hardware and the info from here. Many banks use this system for protecting PINs." The video file requires Real software; here's the BBC's article online for those of us without.
  • Hacker divas suck. (Score:2, Insightful)

    by perdida ( 251676 )
    If you're gonna release some shit for purely knowledge reasons, then why are you advertising your intention to release it before releasing it?

    Knowledge is knowledge. If you want to propagate effective computer security, don't badger and pressure corporations to cow to your wishes with publicity stunts like this one.

    Instead, just release the hole, and let the damage be done. The damage itself will be far more instructive to the company. It will also be a better influence on computer security as a whole -- damaging releases will, perhaps, induce large corporations to practice better preventative security.
    • by Anonymous Coward
      You got the wrong end of the stick. They have already released the information. They told IBM about it a year ago.
    • Instead, just release the hole, and let the damage be done. The damage itself will be far more instructive to the company. It will also be a better influence on computer security as a whole -- damaging releases will, perhaps, induce large corporations to practice better preventative security.

      It's also criminally negligent behavior, you idiot. Do you really want them being held responsible for banks and other high security installations being 'hacked'?

      Or maybe you just don't want your money to be secure..

      • No, criminal negligence is know there is a problem, and not fixing it!
        • Ah, but how many of these banks know there is a problem? Should the first thing they know about it be some 'hax0r' posting the results to the internet where anyone [criminals, terrorists, etc] can get access to them?

          Or should it be presented to the banks first, to give them a chance to upgrade?

• See, this is the problem...no upgrade. IBM was notified about the problem a year ago, with no fix. In reality a firmware update should do it (I believe the card is capable of it...) but they've done nothing. They didn't say the banks didn't know; they just didn't say they did. Also you have to have physical access to the machine with the chip in it to do it. That's a lot of banks to notify also!
• Hmm.. If IBM knew about it and didn't say anything that is irresponsible.. however, mindlessly releasing the exploit to the public is just as bad.

              I think the middle ground they selected to follow [ie: informing the media that there was a problem and letting them hype it up] raised just as much public interest as releasing the details would do, while not providing exploitable information for John Q Public.

• Not true IMHO. By releasing it to the public, it forces IBM and the banks to fix the problem, or (hopefully) face public scrutiny and possibly a loss of customers. Hyping it up and not releasing the information will simply entice some hacker to repeat the crack him/herself. No one will know they did it until they bribe some bank manager to help them steal the money...Not releasing the information is far more dangerous than releasing it. By releasing it, you know what is out there and what you have to protect against. Either way, it's a difficult crack to pull off, simply for access reasons...
    • by demaria ( 122790 )
      And screw all the people who are using the systems or products in question.

      I'm all for full disclosure, but blind siding is not ethical.
    • Uh, Mike Bond published this stuff in a paper back in May. BBC were the ones playing up the fact that they were putting it on the internet tonight.
    • Knowledge is knowledge. If you want to propagate effective computer security, don't badger and pressure corporations to cow to your wishes with publicity stunts like this one.

      Actually, the knowledge of hardware DES cracking is already pretty old [eff.org].
  • I wonder how far professional crypto freaks will go? I mean it's cool, it's forcing banks to keep up with security, but I wonder how long it'll be (if ever) before we hit a point where it's just too damned expensive to crack security?
  • The Great Game! (Score:1, Insightful)

    by euroderf ( 47 )
    Cryptography/Countercryptography, it is all a neodarwinian game, an arms race, a cold war, call it what you will the key fact is that the decryptors are never very far behind the encryptors, the nature of technology is that the ability to encrypt blesses one with an equivalent ability to decrypt, the knowledge and techniques that improve encryption also improve decryption.


    The problem is the competitive nature of modern business. Despite what the hackers and libertarians may say, the home user has no real need of encryption - encryption is the technology of big government and big business. The home user does not need it for his emails to Aunt Beth and porn downloading, but Big Government and Megacorp(TM) most certainly do, for their official secrets and industrial espionage.


The development of encryption is rather like the development of weapons - it is at its fastest in a cutthroat society of vicious competition.


If we really want secure communication, we must not treat the symptoms by encrypting, but rather effect a radical cure - we must render all motivations for eavesdropping redundant.


    How?


    Simple. Just attack the basis of competitive society by encouraging greater global cooperation (some sort of 5th International?), smashing big business, nationalise the worst, most competitive industries leaving only the big, lumbering and safe monopolies to do their thing. This way, we reduce the competitive nature of modern society and consequently the technological encryption/decryption competitive paradigm.


    It would be tough, but is eminently possible. We just need the will to power!

    • Cool. It looks like parents are letting their kids watch Fight Club before they know how to read.
    • How's the weather on your planet?
    • Cryptography/Countercryptography, it is all a neodarwinian game, an arms race, a cold war, call it what you will the key fact is that the decryptors are never very far behind the encryptors, the nature of technology is that the ability to encrypt blesses one with an equivalent ability to decrypt, the knowledge and techniques that improve encryption also improve decryption.

      Ok, sure. I can agree with that.

      The problem is the competitive nature of modern business. Despite what the hackers and libertarians may say, the home user has no real need of encryption - encryption is the technology of big government and big business. The home user does not need it for his emails to Aunt Beth and porn downloading, but Big Government and Megacorp(TM) most certainly do, for their official secrets and industrial espionage.


      Hmmmm. Nope.

The development of encryption is rather like the development of weapons - it is at its fastest in a cutthroat society of vicious competition.


      So, the common folk have no right to protect themselves or their communication? Just the bigwigs of CorporateSociety and those in high places of power within the governments of the world? Huh-uh. Government exists to serve us, and neither would the Corporations of the world exist without consumers to fleece.
    • Encryption is used to protect ones privacy.

In order to make it impossible to break one's privacy, you propose to just drop privacy ourselves?

Another possibility to reduce the motivation for eavesdropping would be to encrypt everything. Let the individuals decide which one they like :)

    • Hmm.. I don't know. Sounds to me like you want to remove the very mechanism that drives innovation?

      Competition breeds better products and more goodies for the consumer.
    • Yeah! It worked for the Soviets! And Mao! Let's go!

      Ri-yot! Ri-yot! Ri-yot!

      reduce the competitive nature of modern society and consequently the technological encryption/decryption competitive paradigm

      Not to mention the free society paradigm, the able to feed oneself paradigm, and the use-the-forebrain paradigm. Rubbish!
  • by alewando ( 854 ) on Thursday November 08, 2001 @09:33PM (#2541212)
    1. Hardware encryption will always be more difficult than software-based encryption to patch when vulnerabilities arise. There are advantages that can offset this when deciding whether or not to go with hardware, but contingency plans must be put in place for yanking the hardware back when a vulnerability is discovered.
    2. Homogeneity in network environments is nearly always bad. This particular vulnerability wouldn't be nearly as critical if it weren't for the fact that all banks who use these cryptoprocessors either use the same ones or use ones that are similar enough that vulnerabilities like these can be used on more than one "different" type. It's much harder to crack one and then crack another and another than it is to crack one and have therefore cracked them all.
    At least I have high hopes that this vulnerability will be patched forthwith -- not only does IBM have a better track record than certain other corporations, banks have both the money and the clout to demand and receive.
• 1. Hardware is more expensive to produce and fix and as a result has better testing methods. The fact that you can bug fix software implies bugs can just be patched if they show up after inadequate testing. What software package is tested as thoroughly as a typical hardware design is?

      2. Related to time of testing. If you get one processor that is 99.99% tested or 10 processors that are 80% tested, which would you rather have? Either the bug is very, very hard to find and it gives you access to all doors or there are a number of implementations all of which are easy to crack.
    • At least, not relevant for this particular story.

      1) The hackers themselves say "Until IBM fix the CCA software to prevent our attack...". According to the experts here, the fix is a software patch, not a hardware change-out.

      2) This particular vulnerability only needs access to any single IBM 4758 running IBM's ATM. It does not depend on a whole set of them working together. In fact, given that you only need one, increased heterogeneity would increase the overall chance that a given network/organization has one exploitable system somewhere (although it does indeed decrease the overall chance that ALL your elements are exploitable).
    • by swillden ( 191260 ) <shawn-ds@willden.org> on Friday November 09, 2001 @12:28AM (#2541842) Journal

      Hardware encryption will always be more difficult than software-based encryption to patch when vulnerabilities arise.

      Actually this is incorrect. The 4758 is eminently software-patchable because it's a software device inside a secure hardware module. In fact the most difficult and complex part of the 4758 design is the support for secure upgrades of critical software components in a hostile environment. It uses a combination of carefully designed boot stages coupled with hardware interlocks (they call it a "ratchet") that gradually increase the complexity and decrease the access of the software that can be loaded. Thus they start with a miniature boot PROM whose code can be thoroughly proven (in the mathematical sense) to be correct, but whose only purpose is to be able to load the next stage after validating the signature on it. After that second stage is loaded, the "ratchet" is moved and the region of memory that has been loaded is now unwritable. It's very cool stuff, you can read about it in the design whitepaper [ibm.com].

      Homogeneity in network environments is nearly always bad. This particular vulnerability wouldn't be nearly as critical if it weren't for the fact that all banks who use these cryptoprocessors either use the same ones or use ones that are similar enough that vulnerabilities like these can be used on more than one "different" type.

      I agree in principle, but in practice (1) 4758s are still fairly rare in the banking environment and (2) the reason that the 4758 was an interesting device to attack is because the CCA API is far *more* secure than the APIs provided by comparable devices from other vendors. The authors of the crack paper even mention that they've cracked other devices this way. The 4758 was interesting because it's the best of them.

      Note, BTW, that I work for IBM and I know the guys who created the 4758, so I have some obvious biases. I also know my way around the boards :) The real weakness uncovered was not in the 4758, but in a thoughtless patch to the 20+ year old CCA API. The "patch" was the addition of 3DES. CCA is the only (AFAIK) formally-designed API for symmetric key management, and it's really well done. When it was created, though, 3DES was unnecessary. It's now obvious that a little more thinking needed to be done when it was "extended" to support 3DES.

      This weakness is very easy to close. I don't know what fix they'll choose to implement, but there's a really obvious and simple one: Don't allow a replicate key part (3DES key with identical halves) to be combined with a non-replicate key part to create a non-replicate whole that is an export key.

What I am certain of, though, is that the entire "patched" CCA API is going to be going back to IBM's cryptographers for formal modeling, so that the integrity of the structure can be tweaked until the structure can once again be proven to be mathematically correct. This won't happen again; IBM takes security very seriously and has the people that know how to do it.

      While I'm on the subject, Linux freaks will be interested to know that the next-generation OS for the 4758 is... Linux! Well, a stripped-down, thoroughly validated version of Linux, anyway. Dunno if the source will be published or not, but I think so. Linux is already running on the boards, but getting the validated version will take some time.
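The fix swillden sketches above, as an added example that is not part of the post and not IBM's or the CCA API's code: a small model of a Combine_Key_Parts-style operation in which key parts are XORed into a double-length (3DES) key, with a policy check that refuses to combine a replicate part (identical DES halves) with a non-replicate part into a non-replicate export key. The function names, the `usage` labels, the trailing label-consistency check and the sample key parts are all constructed for this example.

```python
"""Model of the key-part combination check described in the post above.

Added example, not IBM's code and not the CCA API. Key parts are combined
by XOR to form a 16-byte (double-length, 3DES) key. The policy enforced is
the one the post suggests: a replicate part (both DES halves identical)
must not be combined with a non-replicate part to yield a non-replicate
export key. All names, labels and sample values here are constructed.
"""
from dataclasses import dataclass
from typing import Sequence

DES_HALF = 8  # a single-DES key is 8 bytes; a double-length key is two halves


@dataclass(frozen=True)
class KeyPart:
    """One 16-byte key part (two single-DES halves)."""
    value: bytes

    def __post_init__(self) -> None:
        if len(self.value) != 2 * DES_HALF:
            raise ValueError("key part must be a 16-byte double-length key")

    @property
    def is_replicate(self) -> bool:
        # Identical halves: 3DES with K1 == K2 degenerates to single DES.
        return self.value[:DES_HALF] == self.value[DES_HALF:]


class KeyPolicyError(Exception):
    """Raised when combining the parts would violate the key-typing policy."""


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def combine_key_parts(parts: Sequence[KeyPart], usage: str, replicate_whole: bool) -> bytes:
    """XOR the parts into one key, enforcing the replicate/non-replicate policy.

    usage: hypothetical role label for the key; only "EXPORTER" is restricted here.
    replicate_whole: whether the resulting whole is being typed as replicate.
    """
    if not parts:
        raise ValueError("at least one key part is required")
    whole = parts[0].value
    for part in parts[1:]:
        whole = xor_bytes(whole, part.value)

    has_replicate = any(p.is_replicate for p in parts)
    has_non_replicate = any(not p.is_replicate for p in parts)

    # The fix from the post: never mix replicate and non-replicate parts
    # into a non-replicate export key.
    if usage == "EXPORTER" and not replicate_whole and has_replicate and has_non_replicate:
        raise KeyPolicyError("replicate part combined into a non-replicate export key")

    # Added consistency check (an assumption of this example, not from the post):
    # the replicate/non-replicate label must match what the halves actually are.
    if KeyPart(whole).is_replicate != replicate_whole:
        raise KeyPolicyError("combined key's halves do not match its replicate typing")
    return whole


def combination_allowed(parts: Sequence[KeyPart], usage: str, replicate_whole: bool) -> bool:
    """True if combine_key_parts accepts the request, False if policy rejects it."""
    try:
        combine_key_parts(parts, usage, replicate_whole)
    except KeyPolicyError:
        return False
    return True


# Constructed sample parts (not real key material).
REPLICATE_PART = KeyPart(bytes(range(1, 9)) * 2)           # halves identical
NON_REPLICATE_A = KeyPart(bytes(range(16)))                # halves differ
NON_REPLICATE_B = KeyPart(bytes([0x10] * 8 + [0x20] * 8))  # halves differ

if __name__ == "__main__":
    # Rejected: a replicate part folded into a non-replicate export key.
    print(combination_allowed([REPLICATE_PART, NON_REPLICATE_A], "EXPORTER", False))
    # Accepted: two genuinely double-length parts forming a non-replicate export key.
    print(combine_key_parts([NON_REPLICATE_A, NON_REPLICATE_B], "EXPORTER", False).hex())
```

The trailing consistency check is worth keeping even with the policy from the post in place: two non-replicate parts can XOR to a key whose halves happen to be identical, and a non-replicate label on such a key would again describe a single-DES key as 3DES.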

      • by Anonymous Coward on Friday November 09, 2001 @02:12AM (#2542067)
        Mod this parent up, he knows exactly what he's talking about

        This group has some misconceptions about the FIPS 140 process. First, they rightly point out that the level 4 cert on the IBM 4758 does not cover the CCA software, and then they go on to talk about how a bug in this (admittedly, non-evaluated software) shows the weakness of FIPS 140-1.

Hmm... Well, interesting, but wrong. First, as they point out, the CCA software is not covered by the FIPS cert. Once you install the CCA software on the 4758, the 4758 is no longer a FIPS 140-1 module, level 4 or otherwise. The FIPS cert only applies to the module as it was evaluated. As this post's parent points out, the 4758 allows arbitrary code to be uploaded into the module. This means that as soon as you load unevaluated (ie: non-FIPS 140-1 evaluated) code into the module, it loses its FIPS 140-1 level 4 status.

        So, what is evaluated? Examining the NIST FIPS 140 validated modules list [nist.gov] you'll see there are several pertinent certificates that apply to the IBM 4758 card. First, there is the level 4 certification of the 4758 and the boot code (Miniboot layers 0 and 1) (certificates # 35 and 116). Next you see the FIPS 140-1 level 3 certificates involving the 4758 with its onboard OS (CP/Q++) at layer 2 (certificates #122, 122). Note that as soon as you add the OS the certification drops to at most level 3. And that's without any application code at all; no CCA, no other libraries, and no applications.

        You'll also note, that the CCA is not evaluated under any of these certificates. If you think that this is an oversight on IBM's part, I have a lovely patch of land to sell you.

        Now, just to put all this 4758 bashing into perspective: The IBM 4758 is an amazingly secure cryptographic module. It is by far the most well designed and implemented cryptographic module I have ever worked with, and that says a hell of a lot. Sure, there may be more secure modules out there, but not in the civilian market. The 4758 is, to put it plainly, The Shit. The reason this module is such an interesting target is that it defines the state of the art of cryptographic modules. To put it another way, virtually every other cryptographic module (software or hardware) is less secure than the IBM 4758.

When someone demonstrates a possible attack against an IBM 4758, you shouldn't just say to yourself "Oh, this doesn't matter, I don't own/use/deal with one of these". Because the IBM 4758 is the commercial state of the art, the work factor associated with breaking every other cryptographic module out there is less. So, if it only takes a few days to compromise the 4758, it is a fairly good bet that it takes less time than that to compromise any other commercial cryptographic module.

        Ain't it grand?

      • It's very cool stuff, you can read about it in the design whitepaper

        The correct URL for the white paper is here [ibm.com].
    • Banks around here (New Zealand) use 3DES for PIN encryption (which is a bit of a joke because most PINs are only 4 digits). They also use 3DES (with the same master key) for message checksumming.

      Banks make a big hullabaloo about security, more to scare people off than for real security.
• but wouldn't it be funny if IBM contacted them and offered to purchase the info on the vulnerability, thus keeping it a secret? I've oft wondered if anything like this has ever occurred. Software blackmail anyone?

  • RealVideo Coverage (Score:5, Informative)

    by guru_steve ( 205501 ) on Thursday November 08, 2001 @09:34PM (#2541217)
I'm watching the video right now, and it's taken a bit of time to find out where this segment is on the BBC news.

    So, for those of you who don't feel like jumping around the video for this segment, it starts at about 22 minutes in the broadcast.
  • Insiders (Score:5, Interesting)

    by Embedded Geek ( 532893 ) on Thursday November 08, 2001 @09:36PM (#2541230) Homepage
    I'm glad they pointed out that most thefts are perpetrated by insiders (at banks or other companies) due to the other (physical) security measures. I can only hope that other media outlets don't drop the ball on this and start shouting "hackers can steal your cash" on the 6PM news.

    Then again... I guess you'd only need to be an insider at the phone company (or whatever company might be leasing a cable to a phone company) to exploit ATM transfers. You wouldn't need to be a bank employee (who undergo background checks, etc).

    • Re:Insiders (Score:2, Interesting)

      by maladroit ( 71511 )
      It seems like it would be tough for even an insider to exploit this. Supposing the would-be thief has managed to (a) tap into the (leased) line (b) separate out the transaction data being sent from the ATM and (c) decrypt it, then they have a set of card numbers and pins. Now what ? I don't think you can get any money without the physical ATM card.


      Maybe the debit cards or other transactions they mention are more vulnerable ...

      • I don't think you can get any money without the physical ATM card.

        A magnetic stripe recorder can be had for a few hundred dollars, so it's not too hard to create a replica of the "physical ATM card."

        • And then the thief can get his picture taken when using that replica ... even if they manage to stay off camera, the risk is enormous for the few hundred bucks they can get before hitting the daily withdrawal limit.
          As someone else has pointed out, the more likely way to use this would be transfer money into an account they can abscond with, but simulating those transactions is yet another hurdle to overcome. The risk seems relatively low ...
      • Now what ?

        More dangerous than decrypting any individual transaction would be decrypting the keys used to encode the transactions (which is what the article says they've done).

So, you make up your own set of transactions transferring funds from one place to another, perhaps using the credit card and account numbers you collected along the way, encrypt them with the discovered keys, and send them off to be processed.
      • Re:Insiders (Score:3, Interesting)

        by gorilla ( 36491 )
        If you have the card number and the pin, then you can write your own card with that number on it, put it into any machine, and enter the pin.
• This is much easier than you'd think. You probably would only have to be an IT staffer for a company in the same building as a bank. (preferably an old bank where the telephone room was an afterthought). A simple shoulder surf of a DSL guy and I had access to the building phone closet. The bank's leased lines ran there, as well as our own DSL (which I had to rewire, hence the shoulder surfing). I even volunteered to finish off the punch downs (handy punch down tool in hand) and the tech let me.

      I was 19 at the time, in generic t-shirt and jeans sort of attire, not exactly 'professional' looking. As far as thievery goes it's probably easier to generate a check card number (they should be within a certain range, and credit card generation is public knowledge).
    • Re:Insiders (Score:3, Insightful)

      by swillden ( 191260 )

      Then again... I guess you'd only need to be an insider at the phone company (or whatever company might be leasing a cable to a phone company) to exploit ATM transfers.

      Nope, read the article. Performing the attack requires that the insider have permission to use the Combine_Key_Parts function of the board. That means, essentially, that you have to have an "account" on the board with a username and password, and that your account has to have those permissions. Generally, only a very small number of people will have accounts, and only two or three at will have this permission.

  • Crypto is like the law...it's made to be broken!
  • "Until IBM fix the CCA software to prevent our attack, banks are vulnerable to a dishonest branch manager whose teenager has $995 and a few hours to spend in duplicating our work."


    Oh man, I can see it now


    Banker's son: "Hey dad, I need a new computer. I hear Alteras are pretty good...."

  • by number one duck ( 319827 ) on Thursday November 08, 2001 @09:39PM (#2541242) Journal
I'm not too worried about this. An electronic fraud is something that can be reasonably gotten out of; it's the *banks'* fault if their system eats your money. (Admittedly, I haven't read the small print of my own bank, but hey, it's not the article, anyway).

    The big problem I have with my bank, however, is the location and layout of their ATM machines to begin with:

    1) ATM's are built into the wall, rather than in any kind of nook. The line generally forms directly behind the user. (This isn't so much of a problem for e.g. drive through atms, as the bulk of the car is obscuring view of the transaction).

    2) The buttons on the keypad are almost two inches across! I know they have to make them 'easy to use', and big happy buttons are important for that, I imagine... but having to move my entire hand around to enter the code makes it trivial to watch someone's movements...as opposed to normal sized buttons where what is being pushed is generally obscured by your hand itself.

    3) This is a general problem. Cards are *inserted* rather than *swiped*, which makes it almost trivial for people to rig the machines to prevent the card from being returned. A card swipe, where the card never leaves my hand, would be infinitely preferred to leaving my bank card at the mercy of any hoodlum with a bottle of soap and a pair of pliers.

4) Apparently the ATM card I received is more than I asked for... it is also a credit card AND a debit card AND who knows what all else... if they acquire it they can run me down even if I don't have any money left in the account proper.
    • by Anonymous Coward
      Sounds like your bank is pretty bad. Try getting a new one. but in response:

3) It's not that easy to screw around with an ATM without getting caught. Otherwise you would see a lot more criminals stealing cash directly from within the machine.

      4) Don't get a debit card if you don't want one. In the US a debit card is usually also on the Maestro/Mastercard networks, while ATM cards are on only (e.g.) Cirrus and NYCE. See the logos on the back. Also a debit card will have a hologram and usually a network logo on the front.
• In a previous life, I worked as a teller at a bank. Not only are most tellers underpaid, they are continually dumped on by rude customers. Anyways, for giggles, some tellers would go to the cabinet/closet where our ATM was housed, and when someone put a card in, they'd pull it into the reject bin. They'd do this when the bank was closed, so the luser would have to come into the branch the following morning to get the card back. Pretty funny to watch people's faces on the camera when they realize their card isn't going to pop back out...
• Ok granted they have hacked the hardware with a neato device that they built but.... Is it really practical as a hack? I was struck by the length of time it took to accomplish this hack in real time. Looks like three days total of the device attached to the machine. This is a VERY long time to try and hack something that is in a secure position. Also you have to get inside the bank undetected (either as an insider or as some sort of infiltrator) and place the device out of sight (don't forget to hide the connections).

Frankly if you have gone that far why not just rob the vault? The money is right there. Ultimately with this stealth run of encryption you have a bunch of PIN numbers.... Ok great but you don't have any of the cards or even the card info that is needed. Even if you somehow extract the contents of the card's magnetic strip you still have to manufacture a card, then you have my PIN number. Great, now you can withdraw the total sum of my bank account which is ... about $20 right now. That's a lot of work in a high risk way to garner a very small amount of reward.

This is really not all that different than me saying I can crack a PC's BIOS password if I can get access to the physical machine and have a screwdriver. The amount of effort that precedes the hack negates the hack's effectiveness.

I applaud their ingenuity, and I hope IBM buys the idea off of them as a handy tool to recover lost data, but if I was IBM I would not be in any big hurry to change all of this hardware.

• You only need access to the ATM for 20 minutes to download the keys. You then spend a couple days decrypting the keys offline.

      I don't know about the rest of you but I have more than $20 in my bank account.
    • If you steal the right keys (and i assume you do once you made it to this high security device), you don't have go get any more cards or something.

      With these keys you could forge inter-bank or bank-atm traffic at will! Just choose some account and transfer as much money as you need.

      Well, you shouldn't use an account that can be traced back to you... ;)

  • Question... (Score:5, Interesting)

    by srvivn21 ( 410280 ) on Thursday November 08, 2001 @09:42PM (#2541256)
So the article says that this is really only exploitable by "insiders". At first I felt safe. "Well, at least my money is Federally protected". Then I got to thinking about it. How would I prove that I wasn't the one who used my PIN at an ATM (or several) to clear out my account? Anyone have an answer that can put my mind at ease?
    (Not like I'm going to take all my money from the bank, and stuff it in a jar. Just idle thoughts of threat)
• All ATMs have cameras on them to record the physical person who removed the cash. If they show a withdrawal at 1pm and there is no one standing in front of the machine at that time then I would think you have a case. And if they do use a physical card to do it with a physical person pushing the buttons, it won't be you standing there taking the money out...
      • Re:Question... (Score:3, Interesting)

        by srvivn21 ( 410280 )
        Two problems with that.

        1)Not all of the ATM's in my home city have cameras.

        2)I also live in a cold climate. There would be nothing odd with someone being bundled up with a ski mask on making use of an ATM...
        • by psavo ( 162634 )
          2)I also live in a cold climate. There would be nothing odd with someone being bundled up with a ski mask on making use of an ATM...

          I used to live in poor country, there was nothing odd with someone being bundled up with a ski mask on making use of an ATM...
      • All atms have cameras on them to record the physical person who removed the cash. If they show a withdrawl at 1pm and their is no one standing in front of the machine at that time then I would think yuo have a case.

        All the bank then has to do is say "well the cardholder must have lent their card to someone else".
    • Re:Question... (Score:2, Informative)

      by sachmet ( 10423 )
Because most banks that I am aware of have a $300 limit on account withdrawals; also, with enough witnesses willing to provide affidavits, you can prove you were not in the location you said you were in at the time the withdrawal took place. The withdrawal limit is to prevent a person from physically accosting you from ATM to ATM trying to take all your money.
      • > you can prove you were not in the location you said you were in at the time the withdrawal

That doesn't help if the bank's response is "then you must have given your PIN to someone else - our system is perfect so the money must have been withdrawn by someone with your PIN".
        _You_ know they are lying, but how do you prove it?

        Back to this attack, there are details at http://www.cl.cam.ac.uk/~rnc1/descrack/ and http://www.cl.cam.ac.uk/~mkb23/research.html
        • The banks can do the opposite. All ATMs are fittable with a camera, and can be programmed to take a picture of the person making the withdrawal. When this is produced, almost certainly it's someone known to the cardholder, if not the cardholder themselves.
          • > The banks can do the opposite. All ATMs are fittable with a camera,

Only relevant if the cash was actually taken out of an ATM. If the bank are trying to cover up a fraudulent transaction by an insider, which was the context under discussion, there will be no photo. But since not all ATMs actually have cameras taking pictures of every transaction, the bank's failure to produce a photo doesn't help you prove the withdrawal didn't happen.
    • How would I prove that I wasn't the one who used my PIN at an ATM (or several) to clear out my account? Anyone have an answer that can put my mind at ease?

      In a word, no. Here in the UK, there was an unpleasant case some years back when the banks tried to do just that -- covering up security flaws in their ATM machines and prosecuting the man who had suffered from their errors when he protested about unauthorised withdrawals from his account.

      There's a selection of relevant papers on Ross Anderson's website: read up on the subject here [cam.ac.uk]. "Why Cryptosystems Fail" is probably the most immediately rewarding, given your concerns.
      • Here in the UK, there was an unpleasant case some years back when the banks tried to do just that -- covering up security flaws in their ATM machines and prosecuting the man who had suffered from their errors when he protested about unauthorised withdrawals from his account.

        It actually turns out internal fraud by bank employees is a common cause here. This need not involve any hacking. Something as simple as ordering additional cards attached to an account can do it, since statements generally don't indicate which card is used or even how many cards are attached to the account.
    • This is exactly what has happened in the UK with 'phantom withdrawals' - one poor guy was on holiday with his bank card in a drawer at home (no-one else with access to house) when one withdrawal happened, and he was *still* accused of defrauding the bank.

      The most important feature of any bank is the small print in their contract with you - check to see whether they assume that a fraud is nothing to do with you, and must prove that you committed it. For far too long, at least in the UK, banks assumed their customers guilty until proven innocent...
  • Like ssh-agent, this chip seems to be a secure keyholder. It is a little unnerving that a hardware implementation could be so easily broken, but I also suspect that, unlike ssh-agent, this was not ever an open-source implementation. :-)

    The news (I liked Real links) claims that development took 20 years, and that normal banking procedures would prevent this type of attack. But Alan Cox, of course, strongly suggests that publishing the algorithm behind the chip would have helped to avoid this calamity.

  • As is typical, the mechanism was broken not because of the crypto algorithm but because of the implementation.
  • by WasterDave ( 20047 ) <davep@z e d k e p.com> on Thursday November 08, 2001 @09:46PM (#2541269)
    "banks are vulnerable to a dishonest branch manager whose teenager has $995 and a few hours to spend in duplicating our work."

    If you have a teenager who can hack FPGAs sufficiently well to brute force into a cash machine, you're really not going to have any problems making money in years to come. Either that or your problems are just beginning.

    Dave
  • The kid from Terminator 2 did that with a hacked atari computer.
  • by Anonymous Coward
    I type my pin into my cordless phone,
    to check my balance regularly.
    So anyone could tap my phone,
    or just use an AM radio.
    But chances are it will never happen to me...
  • by CmdrTroll ( 412504 ) on Thursday November 08, 2001 @09:57PM (#2541307) Homepage
    My brother used to work as a contractor for Cirrus. He said that the PIN encryption was a private joke amongst all of the engineers there. The suits all believed that cryptographic mumbo-jumbo and really expensive chips sold by "connected" salespeople at IBM would protect the banks' assets. But, he said, the problems with the PIN were nearly impossible to solve. Consider:
    • The PIN is four decimal digits = 10,000 combinations ~= somewhere between 13 and 14 bits of security. It is entirely feasible for a quick P4 to encrypt every single PIN within an hour, with time left over to play Unreal Tournament.
    • There is no trusted path between the user's memory and the bank. Fake ATMs have been installed in shopping malls, collecting PINs and ATM cards from unsuspecting victims. Do you *really trust* every single PIN keypad at every shady gas station, grocery store, and Wal-Mart, not to have logging devices installed? Replay attacks are not rocket science.
    • Embedding DES keys inside a chip will inevitably lead to compromise. One needs to look no farther than the DirecTV access cards (particularly the H and F cards) to see the amount of damage that a few determined hobbyists can do. Imagine if there are billions of dollars at stake rather than just a little free TV.

    Regardless, this is not a widespread problem. It is a weak system and it was always a weak system. But it's not worth thieves' time to steal PINs yet (for the most part anyway) just because PINless credit card fraud is still so easy.

    -CT

    • by WasterDave ( 20047 ) <davep@z e d k e p.com> on Thursday November 08, 2001 @10:08PM (#2541342)
      10,000 combinations ~= somewhere between 13 and 14 bits of security. It is entirely feasible for a quick P4 to encrypt every single PIN within an hour, with time left over to play Unreal Tournament.

      But if you read their page about how PIN works [cam.ac.uk] it becomes apparent that you still need the derivation key, which is the hard bit to get.

      Fake ATMs have been installed in shopping malls, collecting PINs and ATM cards from unsuspecting victims

      LOL! Someone did a whole bunch of these in the UK a couple of years ago. Looked and smelled like an ATM, but took the PIN then complained that the card was borked, or something. Easy EASY kill.

      because PINless credit card fraud is still so easy.

      Exactly. 1e6+1 easier ways of stealing money than opening an ATM with an oxy-acetylene, spending two days cracking it with an FPGA and using all that to hack the bank's comms. Easier to just look over some lamer's shoulder then pick their pocket. Not that I would know. Not at all.

      Dave
      • Exactly. 1e6+1 easier ways of stealing money than opening an ATM with an oxy-acetylene, spending two days cracking it with an FPGA and using all that to hack the banks comms.

        If you are going to crack one open far easier to simply pinch a machine just after it has been filled...
    • Some corrections (Score:4, Insightful)

      by hearingaid ( 216439 ) <redvision@geocities.com> on Thursday November 08, 2001 @10:55PM (#2541510) Homepage

      I live in Canada. Some of this may not apply to your jurisdiction.

      My bank uses a PIN which is a minimum of 4 digits long. I believe the maximum is 12. This solves the length problem. I have a 4-digit PIN, but that's mainly because I'm a grad student, and anybody who steals my bank card and gives me money has my thanks. Unfortunately, no luck yet. :)

      We have Interac cops. Interac is the Canadian banking network; the ATMs you see in malls in Canada are usually run by chartered banks, and when they're not, they're run by somebody on the Interac network. These devices get policed, and they have some pretty serious security measures on them.

      There's still the basic vulnerability of the encryption scheme to consider, of course. But the other concerns you bring up can be dealt with.

    • by Black Acid ( 219707 ) on Thursday November 08, 2001 @11:25PM (#2541604)
      The PIN is four decimal digits = 10,000 combinations ~= somewhere between 13 and 14 bits of security.

      For those interested, you can find how many bits a key with x values is using logarithms:

      bits = log(x) / log(2), or

      bits = d / log(2)

      Where d is the number of decimal digits the key is. Therefore, a 4-digit PIN has 4/log(2) or precisely 13.287712379549449391481277717958 bits of cryptographic strength. Not much compared even to weak encryption such as 64-bit DES, or the 56-bit des-ii cracked by d.net [distributed.net].

      • You're assuming that all 10,000 combinations are valid. Most systems exclude 'first guess' combinations such as 0000, 1234, etc. This reduces the number to 9000 and some.
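Putting numbers on the two comments above (the ~13.3 bits of a 4-digit PIN, and what excluding 'first guess' combinations does to it), as an added example that is not part of this thread; the weak-PIN rule it applies (all digits identical, or a straight ascending/descending run) is an assumed policy, not any bank's actual one.

```python
"""PIN search-space and entropy calculator (added example, not from the thread)."""
from math import log2


def is_weak_pin(pin: str) -> bool:
    """True for PINs a thief tries first: 0000, 7777, 1234, 9876, ...
    Assumed policy: all digits identical, or a run with step +1 or -1."""
    digits = [int(c) for c in pin]
    if len(set(digits)) == 1:                # e.g. 0000
        return True
    steps = {b - a for a, b in zip(digits, digits[1:])}
    return steps == {1} or steps == {-1}     # e.g. 1234, 6789, 9876, 3210


def candidate_pins(length: int, exclude_weak: bool = True) -> list[str]:
    """Every PIN of the given length that an attacker would still have to guess."""
    pins = [str(n).zfill(length) for n in range(10 ** length)]
    if exclude_weak:
        pins = [p for p in pins if not is_weak_pin(p)]
    return pins


def pin_bits(length: int, exclude_weak: bool = True) -> float:
    """Entropy of a PIN chosen uniformly from the candidate set:
    bits = log2(x), which equals log(x)/log(2) in any logarithm base."""
    return log2(len(candidate_pins(length, exclude_weak)))


def expected_guesses(length: int, exclude_weak: bool = True) -> float:
    """Average number of guesses to hit a uniformly chosen PIN from the set."""
    return (len(candidate_pins(length, exclude_weak)) + 1) / 2


if __name__ == "__main__":
    # Only short lengths are enumerated here; 10**12 strings would not fit in memory.
    for n in (4, 6):
        raw, kept = len(candidate_pins(n, False)), len(candidate_pins(n))
        print(f"{n}-digit PIN: {raw} combinations = {pin_bits(n, False):.3f} bits; "
              f"{kept} after excluding weak PINs = {pin_bits(n):.3f} bits; "
              f"{expected_guesses(n):.0f} guesses on average")
```

Excluding the obvious patterns removes only a couple of dozen 4-digit PINs, so the bit count barely moves; the real limit on guessing is the small number of online attempts an ATM allows, not the arithmetic.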
    • Do you *really trust* every single PIN keypad at every shady gas station, grocery store, and Wal-Mart, not to have logging devices installed?

      I work at a Walmart. Don't give me ideas. :)

  • After breaking the encryption on bank accounts.

    Where can I go to book tickets to Bermuda?

    Go to http://www.bermuda-online.org/airlines.htm

    Funny stuff.
  • by Quizme2000 ( 323961 ) on Thursday November 08, 2001 @09:57PM (#2541309) Homepage Journal
    Until IBM fix the CCA software to prevent our attack, banks are vulnerable to a dishonest branch manager whose teenager has $995 and a few hours to spend in duplicating our work.

    I like the tech about hacking the processor, very clever. The rest is better read as bad fiction. Chalk this one up under the anarchist cookbook. Sure you may be able to, but you'll get thrown into jail or blow off a limb.
  • The EFF DES machine [eff.org] was breaking DES quite quickly even without special information about the key--three years ago. 56 hours. Since you can speed it up by adding transistors or cranking speed, I bet an implementation today could reach 10 hours. If you have something that can tell you half the bits in the key, setup time would begin to dominate over solve time.

    So, yeah, it sucks that these people found a weakness that lets them guess key bits, but DES should have been tossed years ago. At least for 3DES, which doubles the effective key size. But isn't the AES standard finalized now?

    Problem is, banks don't want to replace outdated hardware and networks, as long as their customers don't know they should be scared where their money is going.

    • Problem is, banks don't want to replace outdated hardware and networks, as long as their customers don't know they should be scared where their money is going.

      Should their customers really be scared? How likely is it that the technology to do the hardware cracking is easily available? Not too likely, I'd assume.

      For a janitor to even have access to a server room is relatively unlikely, especially in a bank; I can't imagine they would let minimum-wage grunts in the same room as the financial data of their customers. For said janitor to have $1000 of specialized computing hardware is another thing. For him to know how to hook up that hardware to the IBM Encryption Coprocessor is even more difficult. Then he would have to actually go grab the PINs - all he'd have at this point is the DES key which they are encrypted with.

      Sure, one person may exploit it - but seeing as most janitors aren't reading Slashdot, and probably don't even know it, or an IBM cryptocard exists, there is very little to worry about.

      You'd be more likely to win the lotto than to have your money stolen by a janitor who cracked IBM's encryption.
  • Maybe now I can get my hands on one of these using my employee discount ;) Imagine a pair of these hacked into supporting VPN endpoints? Or hardware-assisted GnuPG?

    If having physical access to the card is a prereq to cracking it, I'm not too worried about my mother-in-law coming by while I'm at work. Now, the black van down the street that never seems to move.. that's a different story..
  • by dazed-n-confused ( 140724 ) on Friday November 09, 2001 @02:21AM (#2542096)
    If you want more technical detail, check out the
    paper on API-Level Attacks on Embedded Systems [ross-anderson.com] by Mike Bond and Ross Anderson.

    Ross Anderson is the author of "Security Engineering" -- if you're interested in this story but haven't read the book, consider this a strong recommendation. More details inc. sample chapters at his website. Plus other fascinating stuff.
  • by Martin S. ( 98249 ) on Friday November 09, 2001 @07:20AM (#2542613) Journal

    The most worrying aspect of this is that if this discovery had been made by American academics (rather than British) it would have been squashed by the DMCA.

    A nice real world example, that you should be able to exploit, to beat the politicians, to our collective benefit.
  • by opkool ( 231966 ) on Friday November 09, 2001 @09:21AM (#2542792) Homepage
    I used to work with some of those cards at my former employer [ibm.com].

    There are actually 2 models, well, there were 2 models when I was there. They are called cryptographic 4758 and 4758-II [ibm.com].

    The first (and older model) wasn't that good at being a fast crypto card. Not that good by 2001 standards, that is. Back when they were developed they were pretty darn good.

    The newest model was better and more powerful. It supports more and tougher encryption keys. It offloads any machine of the heavy-cpu-load encryption burden. And it is a pretty good piece of technology.

    Their mission is to take over the CPU when dealing with encryption. That is, encrypt stuff before being sent or decrypt stuff received. It can seem not a big deal. But think of e-commerce and/or bank transactions: literally hundreds of encrypt/decrypt processes.

    The card is (was) a computer-in-a-card. It has a CPU with the power of a 486 (it does not use a 486 cpu). And it costs lotsa money.

    Not so long ago, I heard that IBM was considering dumping the proprietary OS of those cards, and use instead embedded secure Linux. [ibm.com]

    Now, I want to believe that they have cracked the older model. If it is the newer model, well, it is pretty bad. This means banks not being able to trust each other. And I'm serious.

    Nevertheless, to access one of those cards installed in a sensitive system, you must have physical access to the card. And this is not easy. It's like a real-life Mission Impossible [missionimpossible.com] kind-of-thing.

    If there's any problem with it, I'm pretty sure that the crypto team has worked and solved this thing.
  • The last question in the FAQ [cam.ac.uk] will help you out.
