Smart Cards Used To Hack Smart Cards

Back in the day, true hackers – the kind that would build VCRs out of 555 chips only to end up in the Hackaday comments section in their twilight years – would steal satellite TV feeds with the help of tiny little microcontrollers embedded in a credit card. This was the wild west, when a parallel port was the equivalent of a six-shooter and Jnco jeans were a ten gallon hat.

The backdoors that enabled these satellite pirates have long been closed, but these devices for stealing HBO have now evolved into stealing €600,000 worth of goods using a most unlikely source: chip and pin card terminals. A gang of criminals in Belgium have successfully broken chip and pin, and although the exploit has now been closed, the researchers behind the investigation have published their war story for one of the most interesting hacks in recent memory.

Chip and pin verification for Point of Sale (PoS) transactions are a relatively simple process; during a transaction, the PoS system asks for the user’s PIN and transmits it to the card. The card then simply answers ‘yes’ or ‘no’. In 2010, a vulnerability to this system was discovered, making it a simple matter for anyone to break chip and pin systems. This system used an FPGA with a backpack worth of modified hardware – executing it in a store would raise more than a few eyebrows.

The 2010 exploit hardware
The 2010 exploit hardware

The problem of implementing this system into something that was easily concealable was simply a matter of miniaturization. Thanks to the proliferation of smart cards over the last 20 years, very tiny microcontrollers are available that could manage this man-in-the-middle attack on a chip and pin system. What is a gang of criminals to do? Simply program a smart card with all the smarts required to pull of the hack, of course.

To pull off this exploit, an engineer in the gang of criminals used a FUNcard, a development platform for smart cards loaded up with an Atmel AVR AT90S8515 microcontroller and an EEPROM packaged in a small golden square. By removing the chip from this chipped card and replacing the chip in a stolen credit card, the criminals were able to reproduce the 2010 exploit in the wild, netting them €600,000 in stolen merchandise before they were caught.

How were they caught? The ‘buyer’ of the gang kept shopping at the same place. Rookie mistake, but once security researchers got their hands on this illegal hardware, they were amazed at what they found. Not only did the engineer responsible for this manage to put the code required for the exploit in an off-the-shelf smart card, the gold contact pads from the original credit card were rewired to the new microcontroller in an amazing feat of rework soldering.

Before this exploit was made public, the researchers developed a countermeasure for this attack that was swiftly installed in PoS terminals. They also came up with a few additional countermeasures that can be deployed in the future, just in case. In any event, it’s an amazing bit of reverse engineering, soldering, and craftsmanship that went into this crime spree, and as usual, it only took a massive loss for retailers to do anything about it.

Developed On Hackaday: Beta Testers And Automated Testing

Mooltipass with Holder

At Hackaday we believe that your encrypted vault containing your credentials shouldn’t be on a device running several (untrusted) applications at the same time. This is why many contributors and beta testers from all over the globe are currently working on an offline password keeper, aka the Mooltipass.

Today we’re more than happy to report that all of our 20 beta testers started actively testing our device as they received the v0.1 hex file from the development team. Some of them had actually already started a few days before, as they didn’t mind compiling our source files located on our github repository and using our graphics generation tools. We are therefore expecting (hopefully not) many bug reports and ways to improve our device. To automatize website compatibility testing, our beta tester [Erik] even developed a java based tool that will automatically report non-working pages found inside a user generated list. You may head here to watch a demonstration video.

Developed on Hackaday: Demonstration Video and Feedback Request

For months our dear Hackaday readers have been following the Mooltipass password keeper’s adventures, today we’re finally publishing a first video of it in action. This is the fruit of many contributors’ labor, a prototype that only came to be because of our motivation for open hardware and our willingness to spend much (all!) of our spare time on an awesome project that might be just good enough to be purchased by others. We’ve come a long way since we started this project back in December.

In the video embedded above, we demonstrate some of our platform’s planned functionalities while others are just waiting to be implemented (our #1 priority: PIN code entering…). A quick look at our official GitHub repository shows what it took to get to where we are now. What’s next?

We need your input so we can figure out the best way to get the Mooltipass in the hands of our readers, as our goal is not to make money. The beta testers batch has just been launched into production and I’ll be traveling to Shenzhen in two weeks to meet our assembler. When materials and fabrication are taken into account we expect each device to cost approximately $80, so please take 3 seconds of your time to answer the poll embedded below :

Developed on Hackaday: Current Status and Selected Beta Testers

Mooltipass final prototype

The Hackaday community is currently working on an offline password keeper, aka Mooltipass. The concept behind this product is to minimize the number of ways your passwords can be compromised, while generating and storing long and complex random passwords for the different websites you use daily. The Mooltipass is a standalone device connected through USB and is compatible with all major operating systems on PCs, Macs and Smartphones. More details on the encryption and technical details can be found on our github repository readme or by having look at all the articles we previously published on Hackaday.

As you can see from our commit activity these last weeks have been extremely busy for us. We finally have a firmware that uses all the different libraries that our contributors made but also a chrome plugin and extension that can communicate with our Mooltipass. We’re very happy to say that our system is completely driverless. A video will be published on Hackaday next week showing our current prototype in action as some of the contributors are already using it to store their credentials.

We selected 20 beta testers that will be in charge of providing us with valuable feedback during the final stages of firmware / plugin development. Selection was made based on how many passwords they currently have, which OS they were using but also if they were willing to contribute to the prototype production cost. We expect them to receive their prototypes in less than 2 months as the production funds were wired today.

We think we’ve come a long way since the project was announced last december on Hackaday, thanks to you dear readers. You provided us with valuable feedback and in some cases important github push requests. You’ve been there to make sure that we were designing something that could please most of the (non) tech-savy people out there and we thank you for it. So stay tuned as in a week we will be publishing a video of our first prototype in action!

Want to chat with us? You can join the official Mooltipass Google Group or follow us on Hackaday Projects.

Developed on Hackaday: We Have Final Prototypes!

The last few weeks have been quite tense for the Mooltipass team as we were impatiently waiting for our smart cards, cases and front panels to come back from production. Today we received a package from China, so we knew it was the hour of truth. Follow us after the break if you have a good internet connection and want to see more pictures of the final product

Mooltipass final prototype

Continue reading “Developed on Hackaday: We Have Final Prototypes!”

Developed on Hackaday: Vote for your Favorite Card Art

A few weeks ago we asked our dear readers if they were interested in coming up with some card art for the Mooltipass project. We received more than a dozen of them and a few days ago the HaD project Mooltipass followers/Mooltipas Google group recipients voted for their favorite ones.

Today we’ll present you the three popular ones and ask you to pick your favorite, so please follow us after the break…

Continue reading “Developed on Hackaday: Vote for your Favorite Card Art”

Developed on Hackaday: 2 Days Left to Submit your Design!

We’re sure that many of Hackaday readers already know that one of the two main components of the Mooltipass project is a smart card, containing (among others) the AES-256 encryption key. Two weeks ago we asked if you’d be interested coming up with a design that will be printed on the final card. As usual, many people were eager to contribute and recently sent us a few suggestions. If you missed the call and would like to join in, it’s not too late! You may still send your CMYK vector image at mathieu[at]hackaday[dot]com by sunday. More detailed specifications may be found here.

In a few days we’ll also publish on Hackaday a project update, as we recently received the top and bottom PCBs for Olivier’s design. The low level libraries will soon be finished and hopefully a few days later we’ll be able to ship a few devices to developers and beta testers. We’re also still looking for contributors that may be interested in helping us to develop browser plugins.

The Mooltipass team would also like to thank our dear readers that gave us a skull on Hackaday projects!