
[dvd-discuss] Vulnerability Is Discovered in Security for Smart Cards




Here's another example of the futility of DRMs and other such mandated schemes...

Vulnerability Is Discovered in Security for Smart Cards
http://www.nytimes.com/2002/05/13/technology/13SMAR.html?todaysheadlines

San Francisco, May 12 --- Two University of Cambridge computer security
researchers plan to describe on Monday an ingenious and inexpensive attack
that employs a $30 camera flashgun and a microscope to extract secret
information contained in widely used smart cards. The newly discovered
vulnerability is reason for alarm, the researchers said, because it could
make it cost-effective for a criminal to steal information from the cards.

Smart cards are used for dozens of different applications, including
electronic identity protection, credit and debit cards and cellular phone
payment and identity systems.

The Cambridge researchers said they had discussed their discovery with a
number of card manufacturers, and several had acknowledged the
vulnerability. One company reported that its security testing teams had
already considered types of attacks similar to the one mounted by the
Cambridge team and that they believed their products were not vulnerable.
The researchers said they had also proposed a potential design change to the
companies that would protect against the attack. "This vulnerability may
pose a big problem for the industry," they wrote in their paper, "Optical
Fault Induction Attacks." The researchers argued the industry would need to
add countermeasures to the cards to increase their security.

The Cambridge group's discovery is one of two new smart card attacks that
will be introduced Monday evening in Oakland, Calif., at an Institute of
Electrical and Electronics Engineers symposium on security and privacy. A
team of researchers from I.B.M.'s Thomas J. Watson Laboratory in Yorktown
Heights, N.Y., said they would present a report at the conference based on
their discovery of a different vulnerability in subscriber identification
module, or S.I.M., cards. These are used in the type of digital cellphone
known as G.S.M., widely used in Europe and to a lesser extent here. The
vulnerability would make it possible for a criminal to find the secret
information stored in the card, steal the user's cellphone identity and make
free phone calls.

Smart cards are credit-card-like devices containing a microprocessor chip
and a small amount of computer memory for storing bits of electronic data
that represent money or other information that can be used to ensure
identity, like a code or a digitized retina scan or fingerprint. More widely
used in Europe than in the United States, the cards have long been promoted
as the key to a cashless society as well as for identity and authorization
applications. Some countries have begun using them for national identity
cards, and they have recently been discussed as a way of confirming
travelers' identities to speed airport security. The Pentagon has armed
soldiers with smart cards for online identity and physical access, and the
cards are in use in the United States in commercial services like the
American Express Blue credit card and the Providian Smart Visa Card.

Some of the information stored in the card is in the form of a number
composed of ones and zeros that cryptographers refer to as a "private key."
The security of such systems is compromised if the private key is revealed.

The researchers from Britain, Sergei Skorobogatov and Ross Anderson, who are
based at the University of Cambridge Computer Laboratory, discovered the
flaw after Mr. Skorobogatov found that he could interrupt the operation of
the smart card's microprocessor simply by exposing it to an electronic
camera flashbulb.

"This is a paper for an academic conference," said Alex Giakoumis, director
of product lines for the Atmel Corporation, a San Jose, Calif.-based maker
of smart cards.

The I.B.M. researchers' report also offers advice to the smart card industry
on how to protect against vulnerabilities.





Summarized by Copernic Summarizer