When organized crime applies academic results powerpoint

When Organized Crime Applies Academic ResultsA Forensic Analysis of an In-Card Listening Device

Assia Triaassia.tria@cea.fr

David Naccache, Houda Ferradi, Rémi Géraud

Toulouse : 27 janvier 2016Assia Tria , Toulouse : 27 janvier 2016

15867 techniciens, ingénieurs,

chercheurs et collaborateurs

10 centres de recherche

4,3 Mds € de budget

1608 brevets prioritaires délivrés

et en vigueur en portefeuille

>650 dépôts de brevets prioritaires

150 start-up depuis 1984 dans

le secteur des technologies innovantes

45 Unités mixtes de recherche (UMR)

25 Laboratoires de recherche correspondants

Le Commissariat à l’Energie Atomique et aux Energies Alternatives

TechnologiesClés Génériques

Direction

de la Recherche

Technologique

Direction Générale du CEA

Défense Sécurité

Direction

des Applications

Militaires

Energie Nucléaire

Direction

de l’Energie

Nucléaire

Mission DAM : indépendance stratégique de la France

Mission DEN : indépendance énergétique de la France

Mission DRT : ré-industrialisation de la France par l’innovation

Recherche fondamentale

Direction des Sciences de la Matière

Direction des Sciences du Vivant

Assia Tria , Toulouse : 27 janvier 2016

3 Instituts

thématiques

1 Institut

de diffusionen régions

(2003)Saclay

(1967)Grenoble

(2005)Grenoble / Chambéry

280 M€ - 2100 pers. (1800 CEA)

80 M€ - 1000 pers. ( 800 CEA)

180 M€ - 1200 pers. (1000 CEA)

CEA TechRégions

(2012)

CEA-Tech acteur français majeur en recherche technologique

• ITSEF (CESTI)

– Evaluations (15p)

• LSOC laboratory

– 20p, Security for applications

• CMP – Gardanne: ENMSE – LETI

– Components Security (30p incl 6 CEA)

• Resources from other LETI’s dpts (1500 p)

– Design, Technology,

Characterization

Security in LETI and CEA-TECH PACA

Characterization of the Threats

• Implementing attacks on device

Evaluation of the security

• Common criteria, EMVCoevaluations

Improvement of the security

• Technology, architectures and software protections

Physical devices with physical access

from the attacker:

Crypto boards, HSM

Biometrics

Phones, smartphones

TPM, Trusted computing

Smarcards, e-passports,E-Id, RIFD

Goal of This Presentation

• Illustrate to what length white collar criminals cango to hack embedded electronic devices.

• To date, the following is the most sophisticatedsmart card fraud encountered in the field.

• Goal: raise awareness to the level of resistancethat IoT devices must have to resist real attacks inthe field.

Context

• A forensic assignments.

The Judicial Seizure

• What appears as an ISO/IEC 7816 smart card.

• The plastic body indicates that this is a VISA cardissued by Caisse d’Épargne (a French bank).

• Embossed details are:

– PAN5= 4978***********89;

– expiry date in 2013;

– and a cardholder name, hereafter abridged as P.S.

– The forgery’s backside shows a normally looking CVV.

• PAN corresponds to a Caisse d’Épargne VISA card.

PAN=Permanent Account Number (partially anonymized here).CVV=Card Verification Value.

The backside is deformed around the chip area.

Such a deformation is typically caused by heating. Heating (around 80°C) allows melting the potting glueto detach the card module.

Visual Inspection

The module looks unusual in two ways: • it is engraved with the inscription “FUN”;• glue traces (in red) clearly show that a foreign module was

implanted to replace the **89 card’s original chip

FUNCards

FUNCard’s Inner Schematics

Side-views show that forgery is somewhat thicker thana standard card (0.83mm).Extra thickness varies from 0.4 to 0.7mm suggesting theexistence of more components under the card module,besides the FUNcard.

FUNCard Under X-Ray

External memory (AT24C64) µ-controller (AT90S85515A)Connection wires Connection grid

FunCard vs. Forgery X-Ray

Forgery vs. FunCard

Stolen card module Connection wires added by fraudster Welding points added by the fraudster

Pseudo-Color Analysis

Materials may have the same color in the visible regionof the EM spectrum and thus be indistinguishable tothe Human eye. However, these materials may havedifferent properties in other EM spectrum parts. Thereflectance or transmittance spectra of these materialsmay be similar in the visible region, but differ in otherregions.

Pseudo-coloring uses information included in the near-infrared region (NIR) i.e. 800-1000nm to discriminatematerials beyond the visible region.

Stolen chip now clearly appears in green.Assia Tria , Toulouse : 27 janvier 2016

Forgery Structure Suggested so Far

Stolen card speaks to reader but instead of the reader the communicationIs intercepted by the fun card

What the stolen card says goes into theFUNcard

FUNCard talks to the reader

Electronic Analysis Attempt

It is possible to read-back FunCard code.

If the card is not locked

Attempted read-back failed. Device locked.

Anti-forensic protection by fraudster.

Magnetic Stripe Analysis

The magnetic stripe was read and decoded.

ISO1 and ISO2 tracks perfectly agree with embossed data.

ISO3 is empty, as is usual for European cards.

Electronic Information Query

Data exchanges between the forgery and the PoS weremonitored.

– The forgery responded with the following information:

– PAN = 4561**********79;

– expiry date in 2011;

– cardholder name henceforth referred to as H.D.

All this information is in blatant contradiction with dataembossed on the card.

The forgery is hence a combination of two genuine cards

Flashback 2010

The problem is here!

Flashback 2010

Modus Operandi Hypothesis

Problem with Hypothesis!

no visible signal activity here!

Back to X-Ray: Solution to Riddle!

no visible signal activity here!

Anti-Forensic Protection by Fraudster

Using Power Consumption Analysis

PoS sends the ISO command 00 A4 04 00 07 Command echoed to the stolen card by the FunCard Stolen card sends the procedure byte A4 to the FunCard FunCard retransmits the procedure byte to the PoS PoS sends data to FunCard FunCard echoes data to stolen card Stolen card sends SW to FunCard FunCard transmits SW to PoS

Color Code:PoS FunCardFunCard Stolen CardStolen CardFunCardFunCard PoS

Power Consuption During GetData

Confirms the modus operandi

Power trace of the forgery during VerifyPIN command.

Note the absence of retransmission on the power trace beforethe sending of the SW

VerifyPIN Power Trace Analysis

Having Finished All Experiments

We can ask the judge’s authorization to perform invasive analysis.

Authorization granted.

Connection grid Stolen card module (outlined in blue)Stolen card’s chip FunCard module Welding of connection wires

Invasive Analysis

FunCard module Genuine stolen card Welded wire

Invasive Analysis

Original EMV Chip Clipped by Fraudster

Cut-out pattern over laid

Wiring Diagram of the Forgery

In Conclusion

Attackers of modern embedded IoT devices

• Use advanced tools

• Are very skilled engineers

• Are well aware of academic publications

• Use s/w and h/w anti-forensic countermeasures

If you do not design your IoT device with that in mind and if stakes are high enough, the device will be broken.

Economical Damage

Cost of device replacement in the field

Cost of fraud (stolen money)

Damage to reputation

Forensic analysis cost. Here: 3 months of full time work.

Thank for your

attention

When organized crime applies academic results powerpoint

Devices & Hardware

Transcript of When organized crime applies academic results powerpoint

An Introduction to Academic Writing

Organized By - iktissadevents.com€¦ · International Exhibition for Transport and Logistics (TRANS4), organized by Al Baida Group at the Doha Exhibition Centre, Qatar. This major

Academic Writing

Edition 2.0 2015-03 INTERNATIONAL STANDARD NORME … · 2021. 1. 26. · This part of IEC 60670 applies to boxes, enclosures and parts of enclosures (hereafter called “boxes”

Pre-Columbian agricultural landscapes, ecosystem engineers ... · Pre-Columbian agricultural landscapes, ecosystem engineers, and self-organized ... Unité Mixte de ... ﬁelds gave

TRADE INDUCED MORTALITY - expertise.hec.caexpertise.hec.ca/actualiteeconomique/wp-content/... · The paper is organized as follows. Section 1 describes the data used in the analysis.

CAMPUS-WIDE ACADEMIC SOLUTION

PARTNERING RELATIONS – JUSTIFICATION AND SUCCESS …lib.tkk.fi/Diss/2006/isbn951228376X/isbn951228376X.pdf · the partnering success, precise goal setting with organized forms of

Qualität ist kein Zufall*fagot.alain.free.fr/formations/ALM-AEP.pdf · 2008-04-16 · Application Lifecycle Management (ALM) is the set of ... organized fashion. Integrated knowledge

แผนบริหารการสอนประจําบทที่ 4library.tru.ac.th/images/academic/book/b64504/06chap4.pdfผ สอนบรรยายโดยใช

Price Discrimination - Department of Economics · Price discrimination arises when a Þrm sells diﬀerent units of the same good at diﬀerent prices. This applies perfectly to cases

New Tetrahymena meiotic chromosome bouquet is organized by … · 2013. 2. 15. · Tetrahymena, meiotic prophase nuclei elongate immensely, and, within the elongated nucleus, chromosomes

NETANYA ACADEMIC COLLEGE

NUMÉRO 14 PRINTEMPS 2015 14 - Academic Commons

Pre-Columbian agricultural landscapes, ecosystem engineers ... · Pre-Columbian agricultural landscapes, ecosystem engineers, and self-organized patchiness in Amazonia Doyle McKeya,1,

Ibm academic initiative for cloud

夏日 優惠 - exholiday.comCruisetours, Celebrity Explorations, Repositioning, Transatlantic, and Transpacific cruises. Savings Offer applies to select sailings departing April 1,

جامعة حائل€¦ · 1—4.4 . Kingdom of Saudi Arabia National Commission for Academic Accreditation & Assessment . Kingdom of Saudi Arabia National Commission for Academic

Faculty of Bioscience Engineering Academic year 2010 ...lib.ugent.be/fulltxt/RUG01/001/789/877/RUG01-001789877_2012_000… · Faculty of Bioscience Engineering Academic year 2010

POST SHOW REPORT’19siemamaroc.com/doc/post_show_report.pdfPOST SHOW REPORT’19 Organized by Co located with Supporters Morocco SIEMA & Food Expo, organized by Elan Expo, is a unique

夏日優惠 - exholiday.comCruisetours, Celebrity Explorations, Repositioning, Transatlantic, and Transpacific cruises. Savings Offer applies to select sailings departing April 1,