Teardown: BlackBerry Smart Card Reader

Years before Steve Jobs showed off the first iPhone, the BlackBerry was already the must-have accessory for mobile professionals. Back then, nobody was worried about watching movies or playing the latest games on their mobile devices, they just wanted a secure and fast way to send and receive email on the go. For that, the BlackBerry was king.

Fast forward to today, and the company is just a shell of what it once was. They don’t even bother making their own hardware anymore. Over the last several years they’ve opted to partner with a series of increasingly obscure manufacturers to produce a handful of lackluster Android phones so they still have something to sell to their dwindling userbase. Anyone excited about the new 5G BlackBerry being built by Texas start-up OnwardMobility? Did you even know it was in the works before now?

A DoD Common Access Card

But this article isn’t about BlackBerry phones. It’s about something that’s even more irrelevant to consumers: the BlackBerry Smart Card Reader. Technically, this little device isn’t dependent on the phones of the same name, but it makes sense that Research In Motion (which eventually just renamed itself to BlackBerry Limited) would market the gadget under the brand of their most popular product. Though as you might expect, software was available to allow it to work with the BlackBerry phone that you almost certainly owned if you needed a dedicated smart card reader.

For those who might not be aware, a smart card in this context is a two-factor authentication token contained in an ID card. These are used extensively by organizations such as the Department of Defense, where they’re known as Common Access Cards, that require you to insert your ID card into a reader before you can log into a secure computer system. This sleek device was marketed as a portable reader that could connect to computers over USB or Bluetooth. Worn around your neck with the included lanyard, the battery-powered reader allowed the card itself to remain on the user’s body while still being readable by nearby devices.

Civilians will recognize the basic technology from modern “Chip and PIN” debit and credit cards, but we’ve never had to stick one of those into our laptop just to log in. To be sure, the BlackBerry Smart Card Reader was never intended for the average home computer user, it was sold to companies and organizations that had tight security requirements; which just so happened to be the same places that would likely already be using BlackBerry mobile devices.

Of course, times and technology change. These devices once cost $200 apiece and were purchased in vast quantities for distribution to trusted personnel, but are now all but worthless. Even in new and unopened condition, they can be had for as little as $10 USD on eBay. For that price, it’s certainly worth taking a peek inside. Perhaps the hacker community can even find new applications for these once cutting-edge devices.

Continue reading “Teardown: BlackBerry Smart Card Reader”

Hackaday Podcast 070: Memory Bump, Strontium Rain, Sentient Solder Smoke, And Botting Browsers

Hackaday editors Elliot Williams and Mike Szczys bubble sort a sample set of amazing hacks from the past week. Who has even used the smart chip from an old credit card as a functional component in their own circuit? This guy. There’s something scientifically devious about the way solder smoke heat-seeks to your nostrils. There’s more than one way to strip 16-bit audio down to five. And those nuclear tests from the 40s, 50s, and 60s? Those are still affecting how science takes measurements of all sorts of things in the world.

Direct download (~65 MB)

Places to follow Hackaday podcasts:

Continue reading “Hackaday Podcast 070: Memory Bump, Strontium Rain, Sentient Solder Smoke, And Botting Browsers”

Emulating And Cloning Smart Cards

A few years ago, we saw a project from a few researchers in Germany who built a device to clone contactless smart cards. These contactless smart cards can be found in everything from subway cards to passports, and a tool to investigate and emulate these cards has exceptionally interesting implications. [David] and [Tino], the researchers behind the first iteration of this hardware have been working on an improved version for a few years, and they’re finally ready to release it. They’re behind a Kickstarter campaign for the ChameleonMini, a device for NFC security analysis that can also clone and emulate contactless cards.

While the original Chameleon smart card emulator could handle many of the contactless smart cards you could throw at it, there at a lot of different contactless protocols. The new card can emulate just about every contactless card that operates on 13.56 MHz.

The board itself is mostly a PCB antenna, with the electronics based on an ATXMega128A4U microcontroller. This micro has AES and DES encryption engines, meaning if your contactless card has encryption and you have the cryptographic key, you can emulate that card with this device. They’re also making a more expensive version that also has a built-in reader that makes the ChameleonMini a one-stop card cloning tool.

Reading Smart Cards From A PLC (with A Little Arduino Help)

If you’ve spent any time on a factory or plant floor, it is a good bet you’ve run into PLCs (Programmable Logic Controllers). These are rugged computers that do simple control and monitoring functions, usually using ladder logic to set their programs. [plc4u] wanted to connect a smart card reader to an Allen Bradley PLC, so he turned to an Arduino to act as a go-between.

The Arduino talks to a USB card reader using a USB host shield. Then it communicates with the PLC using an RS232 link and the DF1 protocol that most Allen Bradley PLCs understand. You may not need a smart card, but once you know how to communicate between an Arduino and the PLC, you could do many different projects that leverage other I/O devices and code available on the Arduino and connects to existing PLC installations. Just remember that you’ll probably need to ruggedize the Arduino a bit to survive and be safe to the same level as a PLC (which might include a NEMA enclosure or even an explosion-proof box).

Continue reading “Reading Smart Cards From A PLC (with A Little Arduino Help)”

Smart Cards Used To Hack Smart Cards

Back in the day, true hackers – the kind that would build VCRs out of 555 chips only to end up in the Hackaday comments section in their twilight years – would steal satellite TV feeds with the help of tiny little microcontrollers embedded in a credit card. This was the wild west, when a parallel port was the equivalent of a six-shooter and Jnco jeans were a ten gallon hat.

The backdoors that enabled these satellite pirates have long been closed, but these devices for stealing HBO have now evolved into stealing €600,000 worth of goods using a most unlikely source: chip and pin card terminals. A gang of criminals in Belgium have successfully broken chip and pin, and although the exploit has now been closed, the researchers behind the investigation have published their war story for one of the most interesting hacks in recent memory.

Chip and pin verification for Point of Sale (PoS) transactions are a relatively simple process; during a transaction, the PoS system asks for the user’s PIN and transmits it to the card. The card then simply answers ‘yes’ or ‘no’. In 2010, a vulnerability to this system was discovered, making it a simple matter for anyone to break chip and pin systems. This system used an FPGA with a backpack worth of modified hardware – executing it in a store would raise more than a few eyebrows.

The 2010 exploit hardware
The 2010 exploit hardware

The problem of implementing this system into something that was easily concealable was simply a matter of miniaturization. Thanks to the proliferation of smart cards over the last 20 years, very tiny microcontrollers are available that could manage this man-in-the-middle attack on a chip and pin system. What is a gang of criminals to do? Simply program a smart card with all the smarts required to pull of the hack, of course.

To pull off this exploit, an engineer in the gang of criminals used a FUNcard, a development platform for smart cards loaded up with an Atmel AVR AT90S8515 microcontroller and an EEPROM packaged in a small golden square. By removing the chip from this chipped card and replacing the chip in a stolen credit card, the criminals were able to reproduce the 2010 exploit in the wild, netting them €600,000 in stolen merchandise before they were caught.

How were they caught? The ‘buyer’ of the gang kept shopping at the same place. Rookie mistake, but once security researchers got their hands on this illegal hardware, they were amazed at what they found. Not only did the engineer responsible for this manage to put the code required for the exploit in an off-the-shelf smart card, the gold contact pads from the original credit card were rewired to the new microcontroller in an amazing feat of rework soldering.

Before this exploit was made public, the researchers developed a countermeasure for this attack that was swiftly installed in PoS terminals. They also came up with a few additional countermeasures that can be deployed in the future, just in case. In any event, it’s an amazing bit of reverse engineering, soldering, and craftsmanship that went into this crime spree, and as usual, it only took a massive loss for retailers to do anything about it.

Developed On Hackaday: Beta Testers And Automated Testing

Mooltipass with Holder

At Hackaday we believe that your encrypted vault containing your credentials shouldn’t be on a device running several (untrusted) applications at the same time. This is why many contributors and beta testers from all over the globe are currently working on an offline password keeper, aka the Mooltipass.

Today we’re more than happy to report that all of our 20 beta testers started actively testing our device as they received the v0.1 hex file from the development team. Some of them had actually already started a few days before, as they didn’t mind compiling our source files located on our github repository and using our graphics generation tools. We are therefore expecting (hopefully not) many bug reports and ways to improve our device. To automatize website compatibility testing, our beta tester [Erik] even developed a java based tool that will automatically report non-working pages found inside a user generated list. You may head here to watch a demonstration video.

Developed On Hackaday: Demonstration Video And Feedback Request

For months our dear Hackaday readers have been following the Mooltipass password keeper’s adventures, today we’re finally publishing a first video of it in action. This is the fruit of many contributors’ labor, a prototype that only came to be because of our motivation for open hardware and our willingness to spend much (all!) of our spare time on an awesome project that might be just good enough to be purchased by others. We’ve come a long way since we started this project back in December.

In the video embedded above, we demonstrate some of our platform’s planned functionalities while others are just waiting to be implemented (our #1 priority: PIN code entering…). A quick look at our official GitHub repository shows what it took to get to where we are now. What’s next?

We need your input so we can figure out the best way to get the Mooltipass in the hands of our readers, as our goal is not to make money. The beta testers batch has just been launched into production and I’ll be traveling to Shenzhen in two weeks to meet our assembler. When materials and fabrication are taken into account we expect each device to cost approximately $80, so please take 3 seconds of your time to answer the poll embedded below: (poll has ended)