Smart Cards Used To Hack Smart Cards

Back in the day, true hackers – the kind that would build VCRs out of 555 chips only to end up in the Hackaday comments section in their twilight years – would steal satellite TV feeds with the help of tiny little microcontrollers embedded in a credit card. This was the wild west, when a parallel port was the equivalent of a six-shooter and Jnco jeans were a ten gallon hat.

The backdoors that enabled these satellite pirates have long been closed, but these devices for stealing HBO have now evolved into stealing €600,000 worth of goods using a most unlikely source: chip and pin card terminals. A gang of criminals in Belgium have successfully broken chip and pin, and although the exploit has now been closed, the researchers behind the investigation have published their war story for one of the most interesting hacks in recent memory.

Chip and pin verification for Point of Sale (PoS) transactions are a relatively simple process; during a transaction, the PoS system asks for the user’s PIN and transmits it to the card. The card then simply answers ‘yes’ or ‘no’. In 2010, a vulnerability to this system was discovered, making it a simple matter for anyone to break chip and pin systems. This system used an FPGA with a backpack worth of modified hardware – executing it in a store would raise more than a few eyebrows.

The 2010 exploit hardware
The 2010 exploit hardware

The problem of implementing this system into something that was easily concealable was simply a matter of miniaturization. Thanks to the proliferation of smart cards over the last 20 years, very tiny microcontrollers are available that could manage this man-in-the-middle attack on a chip and pin system. What is a gang of criminals to do? Simply program a smart card with all the smarts required to pull of the hack, of course.

To pull off this exploit, an engineer in the gang of criminals used a FUNcard, a development platform for smart cards loaded up with an Atmel AVR AT90S8515 microcontroller and an EEPROM packaged in a small golden square. By removing the chip from this chipped card and replacing the chip in a stolen credit card, the criminals were able to reproduce the 2010 exploit in the wild, netting them €600,000 in stolen merchandise before they were caught.

How were they caught? The ‘buyer’ of the gang kept shopping at the same place. Rookie mistake, but once security researchers got their hands on this illegal hardware, they were amazed at what they found. Not only did the engineer responsible for this manage to put the code required for the exploit in an off-the-shelf smart card, the gold contact pads from the original credit card were rewired to the new microcontroller in an amazing feat of rework soldering.

Before this exploit was made public, the researchers developed a countermeasure for this attack that was swiftly installed in PoS terminals. They also came up with a few additional countermeasures that can be deployed in the future, just in case. In any event, it’s an amazing bit of reverse engineering, soldering, and craftsmanship that went into this crime spree, and as usual, it only took a massive loss for retailers to do anything about it.

Mac EFI PIN lock brute force attack (unsuccessful)

[Oliver] wiped the hard drive from a Macbook Pro using the ‘dd’ command on another machine. This does a great job of getting everything off the drive, but he was still faced with the EFI PIN lock protection when he tried to put it back into the Mac. You used to be able to clear the NVRAM to get around this issue, but that exploit has now been patched. So [Oliver] set out to use a microcontroller to brute-force the EFI PIN.

You can read his back story at the link above. He had the chance to enter a 4-digit pin before the format process. Now that he’s wiped the drive the code is at least 6 characters long, which is a lot more possibilities (at least it’s numeric characters only!). To automate the process he programmed this Teensy board to try every possible combination. It worked great on a text editor but sometimes the characters, or the enter command wouldn’t register. He guesses this was some type of protection against automated attackers. To get around the issue he added different delays between the key presses, and between entering each code. This fixed the issue, as you can see in the clip after the break. Unfortunately after two 48-hour runs that tried every code he still hasn’t gained access!

Continue reading “Mac EFI PIN lock brute force attack (unsuccessful)”

Investigating the strength of the 4-digit PIN

If we wanted to take a look at the statistics behind 4-digit pin numbers how could we do such a thing? After all, it’s not like people are just going to tell you the code they like to use. It turns out the databases of leaked passwords that have been floating around the Internet are the perfect source for a little study like this one. One such source was filtered for passwords that were exactly four digits long and contained only numbers. The result was a set of 3.4 million PIN numbers which were analysed for statistical patterns.

As the cliché movie joke tells us, 1234 is by far the most commonly used PIN to tune of 10% (*facepalm*). That’s followed relatively closely by 1111. But if plain old frequency were as deep as this look went it would make for boring reading. You’ll want to keep going with this article, which then looks into issues like ease of entry; 2580 is straight down the center of a telephone keypad. Dates are also very common, which greatly limits what the first and last pair of the PIN combination might be.

We’ll leave you with this nugget: Over 25% of all PINs are made of just 20 different number (at least from this data set).

[Thanks Awjlogan]

Car computer requires PIN for ignition

[Ben’s] added some nice goodies to his Volvo in the form of an in-dash computer. The system monitors two pressure sensors for boost and vacuum, as well as reading RPM, O2, and exhaust directly. All of this is tied into the touch interface running on an eeePC 900A. But our favorite feature is that the system requires you to enter a PIN to start the ignition. The forum post linked above is short on details so we asked [Ben] if he could tell us more. Join us after the break for a demonstration video as well as [Ben’s] rundown on the system.

Continue reading “Car computer requires PIN for ignition”

Citibank ATM PIN heist mystery continues

For the last few months, the FBI have been investigating a breach of Citibank’s ATM transaction processing servers. We’ve seen credit card numbers get stolen before, but these compromised servers were used to collect card numbers and PINs as transactions took place. The group responsible hired people to write new cards and use them to make ATM withdrawals. The card makers would keep a percentage and launder the rest. This is just a very small part of story and the extent of the breach isn’t fully realised yet. Threat Level’s [Kevin Poulson] has the whole story on this disturbing situation.

[photo: Bryan Derballa]