When Organized Crime Applies Academic Results: A Forensic Analysis of an In-Card Listening Device

SLIDE 1

When Organized Crime Applies Academic Results A Forensic Analysis of an In-Card Listening Device

Houda Ferradi Information Security Group Ecole Normale Supérieure

SLIDE 2

Goal of This Presentation

  • Illustrate to what length white collar criminals can go to hack embedded electronic devices.
  • To date, the following is the most sophisticated smart card fraud encountered in the field.

Goal: raise awareness of the level of resistance that IoT devices must have to resist real attacks in the field.

SLIDE 3

Context

A forensic assignment.

SLIDE 4

Context

In May 2011: The French bankers' Economic Interest Group (GIE Cartes Bancaires) noted that a dozen EMV cards, stolen in France a few months before, were being used in Belgium. The net loss caused by this fraud is estimated to stand below 600,000€, stolen over 7,000 transactions using 40 modified cards.

A forensic investigation was hence ordered by Justice.

SLIDE 5

The Judicial Seizure

SLIDE 6

The Judicial Seizure

  • What appears as an ISO/IEC 7816 smart card.
  • The plastic body indicates that this is a VISA card issued by Caisse d’Épargne (a French bank).
  • Embossed details are:
      • PAN = 4978***********89;
      • expiry date in 2013;
      • and a cardholder name, hereafter abridged as P.S.
  • The forgery’s backside shows a normal-looking CVV.
  • PAN corresponds to a Caisse d’Épargne VISA card.

PAN = Permanent Account Number (partially anonymized here). CVV = Card Verification Value.

SLIDE 7

Visual Inspection

The backside is deformed around the chip area. Such a deformation is typically caused by heating. Heating (around 80°C) allows melting the potting glue to detach the card module.

SLIDE 8

Visual Inspection

The module looks unusual in two ways:

1) it is engraved with the inscription “FUN”;
2) glue traces (in red) clearly show that a foreign module was implanted to replace the **89 card’s original chip.

SLIDE 9

FUNCards

SLIDE 10

FUNCard’s Inner Schematics

SLIDE 11

Side views show that the forgery is somewhat thicker than a standard card (0.83mm). Extra thickness varies from 0.4 to 0.7mm, suggesting the existence of more components under the card module, besides the FUNcard.

SLIDE 12

FUNCard Under X-Ray

  • External memory (AT24C64)
  • µ-controller (AT90S85515A)
  • Connection wires
  • Connection grid

SLIDE 13

FunCard vs. Forgery under X-Ray

SLIDE 14

Forgery vs. FunCard

  • Stolen card module
  • Connection wires added by fraudster
  • Welding points added by the fraudster

SLIDE 15

Pseudo-Color Analysis

Definition: Materials may have the same color in the visible region of the EM spectrum and thus be indistinguishable to the human eye. However, these materials may have different properties in other parts of the EM spectrum. The reflectance or transmittance spectra of these materials may be similar in the visible region, but differ in other regions.

Pseudo-coloring uses information included in the near-infrared region (NIR), i.e. 800-1000nm, to discriminate materials beyond the visible region.

SLIDE 16

Pseudo-Color Analysis

SLIDE 17

Pseudo-Color Analysis

Stolen chip

SLIDE 18

Forgery Structure Suggested so Far

SLIDE 19

Forgery Structure Suggested so Far

The stolen card speaks to the reader, but instead of reaching the reader the communication is intercepted by the FUNcard.

SLIDE 20

Forgery Structure Suggested so Far

What the stolen card says goes into the FUNcard

SLIDE 21

Forgery Structure Suggested so Far

FUNCard talks to the reader

SLIDE 22

Electronic Analysis Attempt

It is possible to read-back FunCard code if the card is not locked. Attempted read-back failed. Device locked. Anti-forensic protection by fraudster.

SLIDE 23

Magnetic Stripe Analysis

The magnetic stripe was read and decoded. ISO1 and ISO2 tracks perfectly agree with embossed data. ISO3 is empty, as is usual for European cards.

SLIDE 24

Electronic Information Query

Data exchanges between the forgery and the PoS were monitored.

  • The forgery responded with the following information:
      • PAN = 4561**********79;
      • expiry date in 2011;
      • cardholder name henceforth referred to as H.D.

All this information is in blatant contradiction with data embossed on the card.

The forgery is hence a combination of two genuine cards.
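
The cross-check behind slides 23 and 24, as an added example (not code from the presentation): it parses a magnetic-stripe Track 2 string and an EMV record read from the chip, then reports which fields disagree. The sample track and record are constructed, and taking the chip-side values from EMV tags 5A and 5F24 is an assumption about which data objects the monitored exchange carried.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class CardIdentity:
    pan: str
    expiry: str  # YYMM

def parse_track2(raw: str) -> CardIdentity:
    """ISO/IEC 7813 Track 2 layout: ;PAN=YYMM<service code><discretionary>?"""
    body = raw.strip().lstrip(";").split("?", 1)[0]
    pan, sep, rest = body.partition("=")
    if not (sep and pan.isdigit() and 8 <= len(pan) <= 19
            and len(rest) >= 4 and rest[:4].isdigit()):
        raise ValueError("malformed Track 2 data")
    return CardIdentity(pan, rest[:4])

def parse_tlv(data: bytes) -> dict:
    """Flatten BER-TLV objects (1- or 2-byte tags) into {tag: value}, descending into templates."""
    out, i = {}, 0
    while i < len(data):
        tlen = 2 if data[i] & 0x1F == 0x1F else 1      # e.g. 5F24 is a two-byte tag
        tag, first, i = int.from_bytes(data[i:i + tlen], "big"), data[i], i + tlen
        length, i = data[i], i + 1
        if length & 0x80:                              # long-form length
            n = length & 0x7F
            length, i = int.from_bytes(data[i:i + n], "big"), i + n
        value = data[i:i + length]
        if len(value) != length:
            raise ValueError("truncated TLV object")
        i += length
        if first & 0x20:                               # constructed template such as 70
            out.update(parse_tlv(value))
        else:
            out[tag] = value
    return out

def chip_identity(record: bytes) -> CardIdentity:
    """Application PAN (tag 5A, BCD padded with F) and expiration date (tag 5F24, YYMMDD)."""
    try:
        tlv = parse_tlv(record)
        return CardIdentity(tlv[0x5A].hex().upper().rstrip("F"), tlv[0x5F24].hex()[:4])
    except (IndexError, KeyError) as exc:
        raise ValueError("record has no readable 5A / 5F24 objects") from exc

def mismatches(stripe, chip) -> list:  # fields on which stripe and chip disagree
    return [f for f in ("pan", "expiry") if getattr(stripe, f) != getattr(chip, f)]

# Constructed sample data (test-style numbers, not values from the seized card).
TRACK2 = ";4111111111111111=13122010000000000?"
CHIP_RECORD = bytes.fromhex("70105A0840128888888818815F2403111231")
```

Calling `mismatches(parse_track2(TRACK2), chip_identity(CHIP_RECORD))` on the constructed samples reports both fields, which is the kind of stripe-versus-chip contradiction the slide describes.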

SLIDE 25

Flashback 2010

SLIDE 26

Flashback 2010

SLIDE 27

The problem is here!

SLIDE 28

Flashback 2010

SLIDE 29

Flashback 2010

SLIDE 30

Flashback 2010

SLIDE 31

Modus Operandi Hypothesis

SLIDE 32

Problem with Hypothesis!

no visible signal activity here!

SLIDE 33

Back to X-Ray: Solution to Riddle!

no visible signal activity here!

SLIDE 34

Anti-Forensic Protection by Fraudster

SLIDE 35

Using Power Consumption Analysis

SLIDE 36

  • PoS sends the ISO command 00 A4 04 00 07
  • Command echoed to the stolen card by the FunCard
  • Stolen card sends the procedure byte A4 to the FunCard
  • FunCard retransmits the procedure byte to the PoS
  • PoS sends data to FunCard
  • FunCard echoes data to stolen card
  • Stolen card sends SW to FunCard
  • FunCard transmits SW to PoS

Color Code: PoS → FunCard, FunCard → Stolen Card, Stolen Card → FunCard, FunCard → PoS

SLIDE 37

Power Consumption During GetData

Confirms the modus operandi

SLIDE 38

VerifyPIN Power Trace Analysis

Power trace of the forgery during the VerifyPIN command. Note the absence of retransmission on the power trace before the sending of the SW.

SLIDE 39

Having Finished All Experiments

We can ask the judge’s authorization to perform invasive analysis. Authorization granted.

SLIDE 40

Invasive Analysis

  • Connection grid
  • Stolen card module (outlined in blue)
  • Stolen card’s chip
  • FunCard module
  • Welding of connection wires

SLIDE 41

Invasive Analysis

  • FunCard module
  • Genuine stolen card
  • Welded wire

SLIDE 42

Original EMV Chip Clipped by Fraudster

Cut-out pattern overlaid

SLIDE 43

Wiring Diagram of the Forgery

SLIDE 44

Economical Damage

  • Cost of device replacement in the field
  • Cost of fraud (stolen money)
  • Damage to reputation

plus: Forensic analysis cost. Here: 3 months of full-time work.

SLIDE 45

In Conclusion

Attackers of modern embedded IoT devices

  • Use advanced tools
  • Are very skilled engineers
  • Are well aware of academic publications
  • Use s/w and h/w anti-forensic countermeasures

If you do not design your IoT device with that in mind and if stakes are high enough, the device will be broken.
