Smart Cards Vulnerable to Photo-Flash Attacks? - Slashdot

Catch up on stories from the past week (and beyond) at the Slashdot story archive

Check out the new SourceForge HTML5 internet speed test! No Flash necessary and runs on all devices. ×

Smart Cards Vulnerable to Photo-Flash Attacks? 217

Posted by CmdrTaco on Monday May 13, 2002 @10:24AM from the now-thats-an-issue dept.

belphegor writes "Researchers at the University of Cambridge have found a way to use a camera flash and microscope to extract data from smart cards. " Notable because its apparently relatively simple to do and really throws a monkey wrench into a variety of businesses that use smart cards to store important data.

This discussion has been archived. No new comments can be posted.

Smart Cards Vulnerable to Photo-Flash Attacks?

Search 217 Comments Log In/Create an Account

Comments Filter:

They should have used the iButton (Score:4, Informative)

by swagr ( 244747 ) writes: on Monday May 13, 2002 @10:26AM (#3509886) Homepage

It immediatly destroys it's internal data when forced open.
Here's the link. [ibutton.com]

Share
twitter facebook linkedin
smartcards have always been lacking (Score:5, Informative)

by Lumpy ( 12016 ) writes: on Monday May 13, 2002 @10:28AM (#3509897) Homepage

there is very little tamper protection on smartcards due to their flimsy construction. you cant make a rapid zeroization system on something that isn't rigid and tough enough to be driven over repeatedly by a car or take the huge amount of abuse the human carrier provides every day.

except... dallas semiconductor long ago created the ibutton [ibutton.com] that is more secure and better than any smartcard..

(I know I sound like a broken record, but ibuttons are way better and cooler than any smartcard, and you as a home hacker can use them!)

Share
twitter facebook linkedin
Easy to do? (Score:4, Informative)

by AlaskanUnderachiever ( 561294 ) writes: on Monday May 13, 2002 @10:37AM (#3509960) Homepage

Ok, maybe everyone else on slashdot has a full clean room. I mean, it could be a possibility. But when I hear phrases like "focusing light on a single transistor" and "Wentworth Labs MP-901 manual probing station" I tend not to think of simple or easy to do. I'm not saying you couldn't hack one, I'm just asking what % of criminals are going to have access to a "manual probing station"?

Share
twitter facebook linkedin
Re:as expected (Score:1, Informative)

by Anonymous Coward writes: on Monday May 13, 2002 @10:53AM (#3510061)

Well and good, but the Constitution has no such language. I salute you for a troll subtle enough that most people wouldn't pick up on it, however.

Troll rating:

First paragraph sounds reasonable and authoritative: 1 point
Factual statement about privacy invasion: 1 point
Reference to the constitution with the word "decannual": 1 point
A spurious "quote" from the Constitution that only a slashdotter could have written: -1 point
Cliche'd ending sentence about our "forefathers": -1 point

While you should be proud that you have a troll rating in positive territory, that's still not enough to send you over the edge and spark a flame war. Try again, next time.

Parent Share
twitter facebook linkedin
Re:They should have used the iButton (Score:4, Informative)

by egomaniac ( 105476 ) writes: on Monday May 13, 2002 @11:21AM (#3510230) Homepage

It's easy enough to open an iButton without destroying it. I seem to recall you just keep it in a pressurized N2 atmosphere while cracking the case, and it won't even realize that it has been opened.

Parent Share
twitter facebook linkedin
Re:smartcards have always been lacking (Score:1, Informative)

by Anonymous Coward writes: on Monday May 13, 2002 @11:23AM (#3510240)

Um, the problem is when you have cryptographic information on the card.

Like a private RSA key and certificate. There are many companies that use that for authentication and encryption. The Navy's CAC card for example. Every people in the Navy will have one. You wouldn't want someone to be able to steal your private key off of your card.

Parent Share
twitter facebook linkedin
Re:Easy to do? (Score:2, Informative)

by saider ( 177166 ) writes: on Monday May 13, 2002 @11:25AM (#3510251)

Much of this can be had at auctions. Many companies upgrade their equipment and shove their older, but still functional equipment out the back door to anyone who will haul it off. I know one guy who does this and makes a fairly good living. I remember he had a cell tower tranciever once. I'm sure some people would know what to do with that, but I don't.

Parent Share
twitter facebook linkedin
Re:It's relatively simple to do... (Score:2, Informative)

by JKR ( 198165 ) writes: on Monday May 13, 2002 @12:55PM (#3510687)

wouldn't it just be easier to yank the data with one of those smart-card reader/portable hard-drive things that ThinkGeek was advertising on here?

No, because the cards that are being talked about are cryptographically "secured", in some way or other. You'd find that, for example, you wouldn't be able to read out a private key required to descramble the program contents because the key wouldn't appear in the same memory space as the readable part of the card (this is how SD-card works).
The clever bit here is the use of high energy density light to tamper with "tamperproof" hardware.

Parent Share
twitter facebook linkedin
Re:smartcards have always been lacking (Score:2, Informative)

by Ilgaz ( 86384 ) writes: on Monday May 13, 2002 @01:03PM (#3510736) Homepage

I live in Istanbul, Turkey... 12M+ city. If what I see is right (on that website), that iButton takes care of near whole transportation system here. In busses, metro, sea. There wasn't a single incident since years.

Its named "Akbil" (Smart Ticket), in demos they showed huge cars&stuff driven over them, nothing happened.

Oh btw, to remind how widely they are used they are, its like 80% iButton vs 20% regular tickets.

Parent Share
twitter facebook linkedin
Re:smartcards have always been lacking (Score:3, Informative)

by pwagland ( 472537 ) writes: on Monday May 13, 2002 @01:37PM (#3510942) Journal

OK, so smart cards are not tamper resistant. I don't see that any attack based around stealing a smart card is anything to worry about, assuming the card itself only stores dumb information like a sum of money or an id number.

And herein lies the problem. Smart cards don't only store "dumb information". In particular, from the article (which I assume you read?):

Some of the information stored in the card is in the form of a number composed of ones and zeros that cryptographers refer to as a "private key." That key is part of a two-key system that is used to encode and decode information. The security of such systems is compromised if the private key is revealed.

In particular, here in the Netherlands (and I believe elsewhere in Europe), you can get online access to your account (with most banks) by using your ATM card. This is accomplished since each ATM card has a smart card on the card. If you can get the secret key out of the card, then you can login to someone elses banking site. No you can't do this with the card alone, since you need to know the cards PIN to access the smart card functionality.

Parent Share
twitter facebook linkedin

There may be more comments in this discussion. Without JavaScript enabled, you might want to turn on Classic Discussion System in your preferences instead.

Related Links Top of the: day, week, month.

704 comments'DNC Hacker' Unmasked: He Really Works for Russia, Researchers Say
607 commentsFury and Fear In Ohio As IT Jobs Go To India
602 commentsBank's Severance Deal Requires IT Workers To Be Available For Two Years
556 commentsTop Democratic Senator Will Seek Legislation To "Pierce" Through Encryption
452 commentsHillary Clinton Urges Silicon Valley To 'Disrupt' ISIS

"Kill the Wabbit, Kill the Wabbit, Kill the Wabbit!" -- Looney Tunes, "What's Opera Doc?" (1957, Chuck Jones)