Entries Tagged "cloning"

Page 2 of 3

The Ill Effects of Banning Security Research

The Indian police are having trouble with SIM card cloning:

Police had no idea that one SIM card could be used simultaneously from two handsets before the detention of Nazir Ahmed for interrogation. Nazir was picked up from Morigaon after an SMS from his mobile number in the name of ISF-IM claimed responsibility for Thursday’s blasts in Assam.

Nazir had a Reliance connection and an Eve handset. Each handset of this particular model has a unique International Mobile Equipment Identity (IMEI) number. Cops found that two IMEI numbers were using the same SIM. Accordingly there were two record sheets of calls and SMSes from Nazir’s mobile number. The record of the SMS to the media was found in only one sheet, which forced police to believe that Nazir’s SIM might have been cloned and someone else was using the duplicate card, with or without the owner’s knowledge.

“We stumbled upon this technological surprise that Nazir Ahmed’s SIM card was used in two handsets,” Assam IG (Law and Order) Bhaskarjyoti Mahanta said.

So far, not that interesting. There are lots of vulnerabilities in technological systems, and it’s generally a race between the good guys and the bad guys to see who finds them first. It’s the last sentence of this article that’s significant:

The experts said no one has actually done any research on SIM card cloning because the activity is illegal in the country.

If the good guys can’t even participate, the bad guys will always win.

Posted on November 6, 2008 at 6:26 AMView Comments

How to Clone and Modify E-Passports

The Hackers Choice has released a tool allowing people to clone and modify electronic passports.

The problem is self-signed certificates.

A CA is not a great solution:

Using a Certification Authority (CA) could solve the attack but at the same time introduces a new set of attack vectors:

  1. The CA becomes a single point of failure. It becomes the juicy/high-value target for the attacker. Single point of failures are not good. Attractive targets are not good.

    Any person with access to the CA key can undetectably fake passports. Direct attacks, virus, misplacing the key by accident (the UK government is good at this!) or bribery are just a few ways of getting the CA key.

  2. The single CA would need to be trusted by all governments. This is not practical as this means that passports would no longer be a national matter.
  3. Multiple CA’s would not work either. Any country could use its own CA to create a valid passport of any other country. Read this sentence again: Country A can create a passport data set of Country B and sign it with Country A’s CA key. The terminal will validate and display the information as data from Country B.This option also multiplies the number of ‘juicy’ targets. It makes it also more likely for a CA key to leak.

    Revocation lists for certificates only work when a leak/loss is detected. In most cases it will not be detected.

So what’s the solution? We know that humans are good at Border Control. In the end they protected us well for the last 120 years. We also know that humans are good at pattern matching and image recognition. Humans also do an excellent job ‘assessing’ the person and not just the passport. Take the human part away and passport security falls apart.

EDITED TO ADD (10/13): More information.

Posted on September 30, 2008 at 12:24 PMView Comments

UK Electronic Passport Cloned

The headline says it all: “‘Fakeproof’ e-passport is cloned in minutes.”

Does this surprise anyone? This is what I wrote about electronic passports two years ago in The Washington Post:

The other security mechanisms are also vulnerable, and several security researchers have already discovered flaws. One found that he could identify individual chips via unique characteristics of the radio transmissions. Another successfully cloned a chip. The State Department called this a “meaningless stunt,” pointing out that the researcher could not read or change the data. But the researcher spent only two weeks trying; the security of your passport has to be strong enough to last 10 years.

This is perhaps the greatest risk. The security mechanisms on your passport chip have to last the lifetime of your passport. It is as ridiculous to think that passport security will remain secure for that long as it would be to think that you won’t see another security update for Microsoft Windows in that time. Improvements in antenna technology will certainly increase the distance at which they can be read and might even allow unauthorized readers to penetrate the shielding.

Posted on August 8, 2008 at 4:59 AMView Comments

Hacking Mifare Transport Cards

London’s Oyster card has been cracked, and the final details will become public in October. NXP Semiconductors, the Philips spin-off that makes the system, lost a court battle to prevent the researchers from publishing. People might be able to use this information to ride for free, but the sky won’t be falling. And the publication of this serious vulnerability actually makes us all safer in the long run.

Here’s the story. Every Oyster card has a radio-frequency identification chip that communicates with readers mounted on the ticket barrier. That chip, the “Mifare Classic” chip, is used in hundreds of other transport systems as well — Boston, Los Angeles, Brisbane, Amsterdam, Taipei, Shanghai, Rio de Janeiro — and as an access pass in thousands of companies, schools, hospitals, and government buildings around Britain and the rest of the world.

The security of Mifare Classic is terrible. This is not an exaggeration; it’s kindergarten cryptography. Anyone with any security experience would be embarrassed to put his name to the design. NXP attempted to deal with this embarrassment by keeping the design secret.

The group that broke Mifare Classic is from Radboud University Nijmegen in the Netherlands. They demonstrated the attack by riding the Underground for free, and by breaking into a building. Their two papers (one is already online) will be published at two conferences this autumn.

The second paper is the one that NXP sued over. They called disclosure of the attack “irresponsible,” warned that it will cause “immense damages,” and claimed that it “will jeopardize the security of assets protected with systems incorporating the Mifare IC.” The Dutch court would have none of it: “Damage to NXP is not the result of the publication of the article but of the production and sale of a chip that appears to have shortcomings.”

Exactly right. More generally, the notion that secrecy supports security is inherently flawed. Whenever you see an organization claiming that design secrecy is necessary for security — in ID cards, in voting machines, in airport security — it invariably means that its security is lousy and it has no choice but to hide it. Any competent cryptographer would have designed Mifare’s security with an open and public design.

Secrecy is fragile. Mifare’s security was based on the belief that no one would discover how it worked; that’s why NXP had to muzzle the Dutch researchers. But that’s just wrong. Reverse-engineering isn’t hard. Other researchers had already exposed Mifare’s lousy security. A Chinese company even sells a compatible chip. Is there any doubt that the bad guys already know about this, or will soon enough?

Publication of this attack might be expensive for NXP and its customers, but it’s good for security overall. Companies will only design security as good as their customers know to ask for. NXP’s security was so bad because customers didn’t know how to evaluate security: either they don’t know what questions to ask, or didn’t know enough to distrust the marketing answers they were given. This court ruling encourages companies to build security properly rather than relying on shoddy design and secrecy, and discourages them from promising security based on their ability to threaten researchers.

It’s unclear how this break will affect Transport for London. Cloning takes only a few seconds, and the thief only has to brush up against someone carrying a legitimate Oyster card. But it requires an RFID reader and a small piece of software which, while feasible for a techie, are too complicated for the average fare dodger. The police are likely to quickly arrest anyone who tries to sell cloned cards on any scale. TfL promises to turn off any cloned cards within 24 hours, but that will hurt the innocent victim who had his card cloned more than the thief.

The vulnerability is far more serious to the companies that use Mifare Classic as an access pass. It would be very interesting to know how NXP presented the system’s security to them.

And while these attacks only pertain to the Mifare Classic chip, it makes me suspicious of the entire product line. NXP sells a more secure chip and has another on the way, but given the number of basic cryptography mistakes NXP made with Mifare Classic, one has to wonder whether the “more secure” versions will be sufficiently so.

This essay originally appeared in the Guardian.

Posted on August 7, 2008 at 6:07 AMView Comments

Washington DC Metro Farecard Hack

Clever:

Thieves took a legitimate paper Farecard with $40 in value, sliced the card’s magnetic strip into four lengthwise pieces, and then reattached one piece each to four separate defunct paper Farecards. The thieves then took the doctored Farecards to a Farecard machine and added fare, typically a nickel. By doing so, the doctored Farecard would go into the machine and a legitimate Farecard with the new value, $40.05, would come out.

My guess is that the thieves were caught not through some fancy technology, but because they had to monetize their attack. They sold Farecards on the street at half face value.

Posted on July 22, 2008 at 12:29 PMView Comments

Cloned Trucks

Criminals are using cloned trucks to bypass security:

Savvy criminals are using some of the country’s most credible logos, including FedEx, Wal-Mart, DirecTV and the U.S. Border Patrol, to create fake trucks to smuggle drugs, money and illegal aliens across the border, according to a report by the Florida Department of Law Enforcement.

[…]

In August 2006, the Texas Department of Public Safety, on a routine traffic stop, found 3,058 pounds of marijuana and 204 kilograms of cocaine in a “cloned” Wal-Mart semi-trailer, driven by a man wearing a Wal-Mart uniform.

In another case, a truck painted with DirecTV and other markings was pulled over in a routine traffic stop in Mississippi and discovered to be carrying 786 pounds of cocaine.

This is the same problem as fake uniforms, and the more general problem of fake credentials. It’s very hard to solve.

EDITED TO ADD (2/6): Here’s someone who puts on a red shirt and predends to be a Target employee so he can steal stuff:

Police in North Miami Beach are looking for a man they say likes to pose as a Target employee while stealing pricey iPods, and the man allegedly knows so much about the store, he’s even helped customers who thought he was a real employee.

[…]

Investigators say McKenzie simply walks into the stores, wearing a red polo shirt, and pretends he works there. North Miami Beach police officials say he has extensive knowledge of Target procedures and has even assisted customers.

Posted on February 6, 2008 at 12:37 PMView Comments

License Plate Cloning

It’s a growing problem in the UK:

“There are different levels of cloning. There is the simple cloning, just stealing a plate to drive into say the Congestion Charge zone or evade a speed camera.

“It ranges up to a higher level which is the car criminal who wants to sell on a stolen car.”

Tony Bullock’s car was cloned even though his plates were not physically stolen, and he was threatened with prosecution after “his” car was repeatedly caught speeding in Leicester.

He said: “It was horrendous. You are guilty until you can prove you’re not. It’s the first time that I’ve thought that English law is on its head.”

Metropolitan Police Federation chairman Glen Smyth said the problem has grown because of the amount of camera-based enforcement of traffic offences, which relies on computer records on who owns which car.

Posted on June 11, 2007 at 1:52 PMView Comments

Cloning RFID Chips Made by HID

Remember the Cisco fiasco from BlackHat 2005? Next in the stupid box is RFID-card manufacturer HID, who has prevented Chris Paget from presenting research on how to clone those cards.

Won’t these companies ever learn? HID won’t prevent the public from learning about the vulnerability, and they will end up looking like heavy handed goons. And it’s not even secret; Paget demonstrated the attack to me and others at the RSA Conference last month.

There’s a difference between a security flaw and information about a security flaw; HID needs to fix the first and not worry about the second. Full disclosure benefits us all.

EDITED TO ADD (2/28): The ACLU is presenting instead.

Posted on February 28, 2007 at 12:00 PMView Comments

Sidebar photo of Bruce Schneier by Joe MacInnis.