Wired recently posted an article and video detailing our friend [Chris Tarnovsky]’s process for hacking smart cards. In the video, [Chris] shows how he strips away physical components of the chips inside the smartcards using various gadgets and chemicals.
The first step is to remove the chip from its plastic frame. Soaking it in acid for about 10 minutes dissolves the epoxy and exposes the chip. After that, the outer layer is loosened by soaking the chip in two baths of acetone, the second being the “clean” one. Then the chip is placed on a hotplate and a drop of fuming nitric acid is applied with a dropper; finally, the chip is washed in an ultrasonic cleaner to remove any remaining residue.
[Chris] then returns the chip to the card and applies nail polish to act as a masking material. He scratches a hole through the polish with a needle held by a micropositioner over the area of interest. The hole is treated with hydrofluoric acid and then etched in short intervals until the desired layer of silicon is exposed. At this point, the card is fully prepped.
Now, by powering the chip with the needle resting on the bus, [Chris] can read the code on the chip by sending it various commands and watching how it reacts. To see more of [Chris]’s reverse engineering work, check out Flylogic Engineering’s Analytical Blog. It’s an enjoyable read even if you’re new to silicon hacking.
sweet
Does anyone else think that ICs evolved too fast? I mean, not too long ago we were using PCBs with tons and tons of can transistors, and not too long before that we were using tubes.
So you can read the information on the smart card?
Could you use this to create false credentials to log into a computer as a local administrator?
This sounds pretty dangerous, if misused. You can disable starting from Optical Drives and USB in order to defeat intrusion by way of live distributions, but it seems that for computers that require Smart Card logon you’re pretty much left wide open here.
Hydrofluoric acid... wow, that’s nasty stuff alright!
Very nice technique though! Although I think it’s a bit extreme for a home job.
I love reading the stuff on Flylogic, but he hasn’t posted much in the last 2 months.
Hi everyone!
Always nice to see positive comments. I will try to do more blogging. I’ve been overwhelmed with the stresses of work (which is a good thing).
FYI: I need to eventually get around to blogging on a few things: the Intel 4004 (nice hi-res images of a piece of history), some C64 devices, a declassified NSA cryptographic link controller, and a few other things that have come in.
Thanks to those who have contributed. I will find the time!
-Chris
“O.k., now that we’re ‘in’, what do we do now?” A hex dump is pretty useless unless you know what is what. I doubt the manufacturer is going to give you the memory map, registers, or anything else for that matter. And, when you tied into the clock/data line, were those not already bonded out?
“You can do anything you want”. (skeptical).
Mike, what would you like to do? Using a second needle, I could take over the CPU’s decoding area and make it single-step its code, rendering every address onto the tip of the other needle. Do this 8 times and I have the full dump.
What else... Hrmmm... Study the code and understand how the UART works, in case I don’t know ISO7618 but knew where VCC, RST, CLK, IO, and GND were but didn’t understand their protocol... It’s clear in the code where a transmit and receive routine is from the software side of things.
As well, let’s say I write a small script and, using a single needle, I wait until clock period n in time and change the instruction. Using this method (my preferred one), I can introduce a series of glitches into the software contained inside to maybe overwrite the stack, abuse a readout loop, force a bad signature good, and so on... Anything imaginable is possible. Complete control with a single needle.
Make sure you come to Blackhat/Defcon for more of a hands-on!
It’s awesome stuff like this that makes me laugh at the proposal of Nagra3.
There’s nothing you can do that we can’t undo.
All I want to know is how to read/write the laundry card I have. Once I fill it up with like $10, I want to be able to do a memory dump and rewrite it every time I want to do laundry. Why would I have to mess around with acids and stuff?
@Mike: Unlikely it uses a properly encrypted card. Have a look at some of the other security-tagged hacks on here for a safer way than melting your bones with hydrofluoric.
“melting your bones with hydrofluoric”
Girl :D GJ on the rosin information
Anybody have any updates on this? Need to know more.