when organized crime applies academic results powerpoint
Post on 24-Jan-2017
45 Views
Preview:
TRANSCRIPT
When Organized Crime Applies Academic ResultsA Forensic Analysis of an In-Card Listening Device
Assia Triaassia.tria@cea.fr
David Naccache, Houda Ferradi, Rémi Géraud
Toulouse : 27 janvier 2016Assia Tria , Toulouse : 27 janvier 2016
15867 techniciens, ingénieurs,
chercheurs et collaborateurs
10 centres de recherche
4,3 Mds € de budget
1608 brevets prioritaires délivrés
et en vigueur en portefeuille
>650 dépôts de brevets prioritaires
150 start-up depuis 1984 dans
le secteur des technologies innovantes
45 Unités mixtes de recherche (UMR)
25 Laboratoires de recherche correspondants
Le Commissariat à l’Energie Atomique et aux Energies Alternatives
TechnologiesClés Génériques
Direction
de la Recherche
Technologique
Direction Générale du CEA
Tech
no
log
ie
Sci
en
ce
Défense Sécurité
Direction
des Applications
Militaires
Energie Nucléaire
Direction
de l’Energie
Nucléaire
Mission DAM : indépendance stratégique de la France
Mission DEN : indépendance énergétique de la France
Mission DRT : ré-industrialisation de la France par l’innovation
Recherche fondamentale
Direction des Sciences de la Matière
Direction des Sciences du Vivant
Assia Tria , Toulouse : 27 janvier 2016
3 Instituts
thématiques
1 Institut
de diffusionen régions
(2003)Saclay
(1967)Grenoble
(2005)Grenoble / Chambéry
280 M€ - 2100 pers. (1800 CEA)
80 M€ - 1000 pers. ( 800 CEA)
180 M€ - 1200 pers. (1000 CEA)
CEA TechRégions
(2012)
CEA-Tech acteur français majeur en recherche technologique
Assia Tria , Toulouse : 27 janvier 2016
Teams
• ITSEF (CESTI)
– Evaluations (15p)
• LSOC laboratory
– 20p, Security for applications
• CMP – Gardanne: ENMSE – LETI
– Components Security (30p incl 6 CEA)
• Resources from other LETI’s dpts (1500 p)
– Design, Technology,
Characterization
Assia Tria , Toulouse : 27 janvier 2016
Security in LETI and CEA-TECH PACA
Characterization of the Threats
• Implementing attacks on device
Evaluation of the security
• Common criteria, EMVCoevaluations
Improvement of the security
• Technology, architectures and software protections
Physical devices with physical access
from the attacker:
Crypto boards, HSM
Biometrics
Phones, smartphones
TPM, Trusted computing
Smarcards, e-passports,E-Id, RIFD
Assia Tria , Toulouse : 27 janvier 2016
Goal of This Presentation
• Illustrate to what length white collar criminals cango to hack embedded electronic devices.
• To date, the following is the most sophisticatedsmart card fraud encountered in the field.
• Goal: raise awareness to the level of resistancethat IoT devices must have to resist real attacks inthe field.
Assia Tria , Toulouse : 27 janvier 2016
Context
• A forensic assignments.
Assia Tria , Toulouse : 27 janvier 2016
The Judicial Seizure
Assia Tria , Toulouse : 27 janvier 2016
The Judicial Seizure
• What appears as an ISO/IEC 7816 smart card.
• The plastic body indicates that this is a VISA cardissued by Caisse d’Épargne (a French bank).
• Embossed details are:
– PAN5= 4978***********89;
– expiry date in 2013;
– and a cardholder name, hereafter abridged as P.S.
– The forgery’s backside shows a normally looking CVV.
• PAN corresponds to a Caisse d’Épargne VISA card.
PAN=Permanent Account Number (partially anonymized here).CVV=Card Verification Value.
Assia Tria , Toulouse : 27 janvier 2016
The backside is deformed around the chip area.
Such a deformation is typically caused by heating. Heating (around 80°C) allows melting the potting glueto detach the card module.
Visual Inspection
Assia Tria , Toulouse : 27 janvier 2016
Visual Inspection
The module looks unusual in two ways: • it is engraved with the inscription “FUN”;• glue traces (in red) clearly show that a foreign module was
implanted to replace the **89 card’s original chip
Assia Tria , Toulouse : 27 janvier 2016
FUNCards
Assia Tria , Toulouse : 27 janvier 2016
FUNCard’s Inner Schematics
Assia Tria , Toulouse : 27 janvier 2016
Side-views show that forgery is somewhat thicker thana standard card (0.83mm).Extra thickness varies from 0.4 to 0.7mm suggesting theexistence of more components under the card module,besides the FUNcard.
Assia Tria , Toulouse : 27 janvier 2016
FUNCard Under X-Ray
External memory (AT24C64) µ-controller (AT90S85515A)Connection wires Connection grid
Assia Tria , Toulouse : 27 janvier 2016
FunCard vs. Forgery X-Ray
Assia Tria , Toulouse : 27 janvier 2016
Forgery vs. FunCard
Stolen card module Connection wires added by fraudster Welding points added by the fraudster
Assia Tria , Toulouse : 27 janvier 2016
Pseudo-Color Analysis
Materials may have the same color in the visible regionof the EM spectrum and thus be indistinguishable tothe Human eye. However, these materials may havedifferent properties in other EM spectrum parts. Thereflectance or transmittance spectra of these materialsmay be similar in the visible region, but differ in otherregions.
Pseudo-coloring uses information included in the near-infrared region (NIR) i.e. 800-1000nm to discriminatematerials beyond the visible region.
Assia Tria , Toulouse : 27 janvier 2016
Pseudo-Color Analysis
Assia Tria , Toulouse : 27 janvier 2016
Pseudo-Color Analysis
Stolen chip now clearly appears in green.Assia Tria , Toulouse : 27 janvier 2016
Forgery Structure Suggested so Far
Assia Tria , Toulouse : 27 janvier 2016
Forgery Structure Suggested so Far
Stolen card speaks to reader but instead of the reader the communicationIs intercepted by the fun card
Assia Tria , Toulouse : 27 janvier 2016
Forgery Structure Suggested so Far
What the stolen card says goes into theFUNcard
Assia Tria , Toulouse : 27 janvier 2016
Forgery Structure Suggested so Far
FUNCard talks to the reader
Assia Tria , Toulouse : 27 janvier 2016
Electronic Analysis Attempt
It is possible to read-back FunCard code.
If the card is not locked
Attempted read-back failed. Device locked.
Anti-forensic protection by fraudster.
Assia Tria , Toulouse : 27 janvier 2016
Magnetic Stripe Analysis
The magnetic stripe was read and decoded.
ISO1 and ISO2 tracks perfectly agree with embossed data.
ISO3 is empty, as is usual for European cards.
Assia Tria , Toulouse : 27 janvier 2016
Electronic Information Query
Data exchanges between the forgery and the PoS weremonitored.
– The forgery responded with the following information:
– PAN = 4561**********79;
– expiry date in 2011;
– cardholder name henceforth referred to as H.D.
All this information is in blatant contradiction with dataembossed on the card.
The forgery is hence a combination of two genuine cards
Assia Tria , Toulouse : 27 janvier 2016
Flashback 2010
Assia Tria , Toulouse : 27 janvier 2016
Flashback 2010
Assia Tria , Toulouse : 27 janvier 2016
The problem is here!
Assia Tria , Toulouse : 27 janvier 2016
Flashback 2010
Assia Tria , Toulouse : 27 janvier 2016
Flashback 2010
Assia Tria , Toulouse : 27 janvier 2016
Flashback 2010
Assia Tria , Toulouse : 27 janvier 2016
Modus Operandi Hypothesis
Assia Tria , Toulouse : 27 janvier 2016
Problem with Hypothesis!
no visible signal activity here!
Assia Tria , Toulouse : 27 janvier 2016
Back to X-Ray: Solution to Riddle!
no visible signal activity here!
Assia Tria , Toulouse : 27 janvier 2016
Anti-Forensic Protection by Fraudster
Assia Tria , Toulouse : 27 janvier 2016
Using Power Consumption Analysis
Assia Tria , Toulouse : 27 janvier 2016
PoS sends the ISO command 00 A4 04 00 07 Command echoed to the stolen card by the FunCard Stolen card sends the procedure byte A4 to the FunCard FunCard retransmits the procedure byte to the PoS PoS sends data to FunCard FunCard echoes data to stolen card Stolen card sends SW to FunCard FunCard transmits SW to PoS
Color Code:PoS FunCardFunCard Stolen CardStolen CardFunCardFunCard PoS
Assia Tria , Toulouse : 27 janvier 2016
Power Consuption During GetData
Confirms the modus operandi
Assia Tria , Toulouse : 27 janvier 2016
Power trace of the forgery during VerifyPIN command.
Note the absence of retransmission on the power trace beforethe sending of the SW
VerifyPIN Power Trace Analysis
Assia Tria , Toulouse : 27 janvier 2016
Having Finished All Experiments
We can ask the judge’s authorization to perform invasive analysis.
Authorization granted.
Assia Tria , Toulouse : 27 janvier 2016
Connection grid Stolen card module (outlined in blue)Stolen card’s chip FunCard module Welding of connection wires
Invasive Analysis
Assia Tria , Toulouse : 27 janvier 2016
FunCard module Genuine stolen card Welded wire
Invasive Analysis
Assia Tria , Toulouse : 27 janvier 2016
Original EMV Chip Clipped by Fraudster
Cut-out pattern over laid
Assia Tria , Toulouse : 27 janvier 2016
Wiring Diagram of the Forgery
Assia Tria , Toulouse : 27 janvier 2016
In Conclusion
Attackers of modern embedded IoT devices
• Use advanced tools
• Are very skilled engineers
• Are well aware of academic publications
• Use s/w and h/w anti-forensic countermeasures
If you do not design your IoT device with that in mind and if stakes are high enough, the device will be broken.
Assia Tria , Toulouse : 27 janvier 2016
Economical Damage
Cost of device replacement in the field
Cost of fraud (stolen money)
Damage to reputation
plus:
Forensic analysis cost. Here: 3 months of full time work.
Assia Tria , Toulouse : 27 janvier 2016
Thank for your
attention
Assia Tria , Toulouse : 27 janvier 2016
top related