Digipass Instrumentation for Fun and Profit - DefCamp 2012
Transcript of Digipass Instrumentation for Fun and Profit - DefCamp 2012
![Page 2: Digipass Instrumentation for Fun and Profit - DefCamp 2012](https://reader034.fdocuments.net/reader034/viewer/2022042515/54bd12234a795959428b471d/html5/thumbnails/2.jpg)
About me
PhD in information security, CEH
Penetration tester at KPMG Romania
Web apps
Infrastructure
Mobile apps
Source code reviews
+ some other annoying stuff
Always like to prove my point…
2
![Page 3: Digipass Instrumentation for Fun and Profit - DefCamp 2012](https://reader034.fdocuments.net/reader034/viewer/2022042515/54bd12234a795959428b471d/html5/thumbnails/3.jpg)
What is this all about? (The FUN part)
![Page 4: Digipass Instrumentation for Fun and Profit - DefCamp 2012](https://reader034.fdocuments.net/reader034/viewer/2022042515/54bd12234a795959428b471d/html5/thumbnails/4.jpg)
What is this all about?
4
![Page 5: Digipass Instrumentation for Fun and Profit - DefCamp 2012](https://reader034.fdocuments.net/reader034/viewer/2022042515/54bd12234a795959428b471d/html5/thumbnails/5.jpg)
Our subject(s)
5
![Page 6: Digipass Instrumentation for Fun and Profit - DefCamp 2012](https://reader034.fdocuments.net/reader034/viewer/2022042515/54bd12234a795959428b471d/html5/thumbnails/6.jpg)
Our subject(s)
Digipass = security token
Disconnected, display, keypad
Used for:
User authentication (2nd factor) - OTP
Transaction signing (e.g. Internet Banking)
Vendors: Vasco, CryptoCard, RSA, etc
6
![Page 7: Digipass Instrumentation for Fun and Profit - DefCamp 2012](https://reader034.fdocuments.net/reader034/viewer/2022042515/54bd12234a795959428b471d/html5/thumbnails/7.jpg)
What is this all about? (still the fun part)
7
A machine that simulates human behavior when using a digipass
Brains
• Command the machine
• Keep track of the logic state
• Select the desired muscles and send the necessary signals
• Read an image from the eyes
• Interpret the image and make the next move
Neurons
• Transport the signal from the brain to muscles
• Give the muscles the necessary power/energy to action
Muscles
• Push when powered on
• Release when powered off
Eyes
• Provide images for the brain
• Tell the brain what is happening outside
![Page 8: Digipass Instrumentation for Fun and Profit - DefCamp 2012](https://reader034.fdocuments.net/reader034/viewer/2022042515/54bd12234a795959428b471d/html5/thumbnails/8.jpg)
OK… But why?
Motivation
8
![Page 9: Digipass Instrumentation for Fun and Profit - DefCamp 2012](https://reader034.fdocuments.net/reader034/viewer/2022042515/54bd12234a795959428b471d/html5/thumbnails/9.jpg)
The profit part
Remember the old rounding attacks against Internet Banking apps?
When working with two decimals, most banks round to the closest value:
8.3478 EUR ~= 8.35 EUR
8.3436 EUR ~= 8.34 EUR
max profit = 0.005 EUR
About rounding attacks:
"Asymmetric Currency Rounding" by M'Raïhi, Naccache and Tunstall of Gemalto, 2001: http://tinyurl.com/d5akdkk
"Is Your Online Bank Vulnerable To Currency Rounding Attacks?", Mitja Kolsek of ACROS Security, 2012: http://tinyurl.com/6wpg7ew
9
![Page 10: Digipass Instrumentation for Fun and Profit - DefCamp 2012](https://reader034.fdocuments.net/reader034/viewer/2022042515/54bd12234a795959428b471d/html5/thumbnails/10.jpg)
Rounding in currency exchange (1)
Use the Internet Banking application to transfer money between your own accounts (e.g. RON -> EUR)

| RON | EUR | EUR (rounded) | Exchange rate (RON / EUR, rounded) | Note |
|---|---|---|---|---|
| 4.40 | 1 | 1.00 | 4.40 | Official |
| 2 | 0.4545 | 0.45 | 4.44 | |
| 1 | 0.2272 | 0.23 | 4.34 | |
| 0.5 | 0.1136 | 0.11 | 4.54 | |
| 0.05 | 0.0113 | 0.01 | 5 | |
| 0.03 | 0.0068 | 0.01 | 3 | |
| 0.023 | 0.0052 | 0.01 | 2.3 | The best |
| 0.02 | 0.0045 | 0.00 | n/a | not good |

100 * (0.023 RON -> 0.01 EUR) => 2.3 RON = 1 EUR
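As an added illustration of the table above (example code written for this transcript, not code from the talk), the following Python rebuilds the rounded conversions and the effective RON/EUR rate with the `decimal` module, and computes the floor amount below which a bank would have to refuse an exchange. The rounding mode (round half to even) and the 0.001 RON step are assumptions; they reproduce every figure on the slide.

```python
from decimal import Decimal, ROUND_HALF_EVEN, ROUND_DOWN

CENT = Decimal("0.01")
OFFICIAL_RATE = Decimal("4.40")  # RON per EUR, the rate used on the slide


def to_eur(ron: Decimal, rate: Decimal = OFFICIAL_RATE) -> Decimal:
    """Convert RON to EUR and round to two decimals, as the bank does.
    Assumption: round-half-to-even; it reproduces every figure on the slide."""
    return (ron / rate).quantize(CENT, rounding=ROUND_HALF_EVEN)


def effective_rate(ron: Decimal, rate: Decimal = OFFICIAL_RATE):
    """RON actually paid per EUR received; None when the customer receives nothing."""
    eur = to_eur(ron, rate)
    return None if eur == 0 else ron / eur


def rounding_table(amounts, rate: Decimal = OFFICIAL_RATE):
    """Rebuild the slide's table as (RON, exact EUR, rounded EUR, effective RON/EUR)."""
    rows = []
    for a in amounts:
        a = Decimal(a)
        exact = (a / rate).quantize(Decimal("0.0001"), rounding=ROUND_DOWN)
        eff = effective_rate(a, rate)
        rows.append((a, exact, to_eur(a, rate),
                     None if eff is None else eff.quantize(CENT, rounding=ROUND_DOWN)))
    return rows


def smallest_amount_yielding_one_cent(rate: Decimal = OFFICIAL_RATE,
                                      step: Decimal = Decimal("0.001")) -> Decimal:
    """Smallest amount (in `step` increments) that still rounds up to 0.01 EUR.
    A bank can use this value as the floor below which exchanges are refused."""
    amount = step
    while to_eur(amount, rate) == 0:
        amount += step
    return amount


if __name__ == "__main__":
    # Amounts from the slide; the flag marks rows where rounding favours the customer.
    for ron, exact, eur, eff in rounding_table(["2", "1", "0.5", "0.05", "0.03", "0.023", "0.02"]):
        flag = "" if eff is None else ("  <- below official" if eff < OFFICIAL_RATE else "")
        print(f"{ron:>6} RON -> {exact} EUR -> {eur} EUR  effective {eff}{flag}")
    print("floor amount:", smallest_amount_yielding_one_cent())
```

Every row except 2 RON lands below the official rate, which is the whole point of the table: the rounding step, not the exchange rate, decides what the customer pays.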
![Page 11: Digipass Instrumentation for Fun and Profit - DefCamp 2012](https://reader034.fdocuments.net/reader034/viewer/2022042515/54bd12234a795959428b471d/html5/thumbnails/11.jpg)
Rounding in currency exchange (2)
11
![Page 12: Digipass Instrumentation for Fun and Profit - DefCamp 2012](https://reader034.fdocuments.net/reader034/viewer/2022042515/54bd12234a795959428b471d/html5/thumbnails/12.jpg)
The Bank said…
Known issue, but we have the digipass to protect us:
1. User initiates currency exchange in IB application
2. Application sends challenge code to user
3. User inputs code into digipass
4. User reads digipass response
5. User sends the response to IB application
6. Application finalizes the transaction
12
![Page 13: Digipass Instrumentation for Fun and Profit - DefCamp 2012](https://reader034.fdocuments.net/reader034/viewer/2022042515/54bd12234a795959428b471d/html5/thumbnails/13.jpg)
Now automated!
We can make lots of transactions automatically
![Page 14: Digipass Instrumentation for Fun and Profit - DefCamp 2012](https://reader034.fdocuments.net/reader034/viewer/2022042515/54bd12234a795959428b471d/html5/thumbnails/14.jpg)
How much?
C1 = minimum amount of currency 1 (e.g. 0.023 RON)
C2 = minimum amount of currency 2 (e.g. 0.01 EUR)
Ex_b = exchange rate for buying C2 with microtransactions (e.g. 2.3). Ex_b = C1 / C2
Ex_s = exchange rate for selling C2 (e.g. 4.4): the real exchange rate, fixed by the Bank

x RON --(Ex_b)--> y EUR --(Ex_s)--> z RON

z = y * Ex_s = (x / Ex_b) * Ex_s = x * (Ex_s / Ex_b)
multiplication rate = Ex_s / Ex_b
transactions required = x / C1

| Currency 1 | Multiplication rate | Initial amount (x) | Final amount (y) | Gain | Transactions required |
|---|---|---|---|---|---|
| RON | 4.4 / 2.3 = 1.9 | 100 RON | 190 RON | 90 RON ~ 20 EUR | 100 / 0.023 = 4347 |
![Page 15: Digipass Instrumentation for Fun and Profit - DefCamp 2012](https://reader034.fdocuments.net/reader034/viewer/2022042515/54bd12234a795959428b471d/html5/thumbnails/15.jpg)
How the Banks should protect themselves
Limit the number of transactions that can be performed in a given time
Limit the minimum currency amount that can be exchanged in a transaction
Monitor for suspicious transactions (very small amounts)
State in the contract that such transactions are illegal
Introduce a small fee for currency exchange operations (e.g. 0.01 EUR)
15
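The "How much?" formulas and the protections listed above, as an added worked example (written for this transcript, not the speaker's code). It applies the slide's multiplication rate and transaction count to the 100 RON case, then shows what a per-transaction fee and a minimum amount do to the same round trip, and screens a constructed transaction log with the frequency and minimum-amount limits. The half-even rounding, the 0.01 EUR fee, the 1 RON floor, the 5-per-minute limit and the log contents are all assumptions made for the example.

```python
from collections import defaultdict
from decimal import Decimal, ROUND_HALF_EVEN
from math import floor

CENT = Decimal("0.01")


def to_eur(ron, rate, fee_eur=Decimal("0")):
    """Two-decimal EUR for `ron` at `rate` RON/EUR, minus a per-transaction fee.
    Assumed rounding: half to even (matches the slide's figures)."""
    return (Decimal(ron) / Decimal(rate)).quantize(CENT, rounding=ROUND_HALF_EVEN) - Decimal(fee_eur)


def multiplication_rate(ex_s, ex_b):
    """Slide formula: Ex_s / Ex_b."""
    return Decimal(ex_s) / Decimal(ex_b)


def transactions_required(x, c1):
    """Slide formula: x / C1, counting whole transactions only."""
    return floor(Decimal(x) / Decimal(c1))


def simulate_round_trip(x, c1, ex_s, fee_eur=Decimal("0")):
    """Buy EUR in chunks of c1 RON, then sell it all back at the official rate ex_s.
    Returns (transactions, eur_bought, final_ron)."""
    n = transactions_required(x, c1)
    eur = n * to_eur(c1, ex_s, fee_eur)
    final_ron = (eur * Decimal(ex_s)).quantize(CENT, rounding=ROUND_HALF_EVEN)
    return n, eur, final_ron


# Constructed sample log of (account, minute_of_day, ron_amount); not data from the talk.
SAMPLE_LOG = [("acc-1", m, "0.023") for m in range(3) for _ in range(10)] + \
             [("acc-2", 5, "500"), ("acc-2", 40, "250")]


def screen_exchanges(log, min_amount=Decimal("1"), max_per_minute=5):
    """Two of the slide's controls: refuse exchanges below `min_amount`
    and flag accounts doing more than `max_per_minute` exchanges in one minute."""
    refused, per_minute = [], defaultdict(int)
    for account, minute, ron in log:
        if Decimal(ron) < min_amount:
            refused.append((account, minute, ron))
        per_minute[(account, minute)] += 1
    flagged = sorted({acc for (acc, _), n in per_minute.items() if n > max_per_minute})
    return refused, flagged


if __name__ == "__main__":
    print("multiplication rate:", multiplication_rate("4.4", "2.3"))
    print("no controls:      ", simulate_round_trip("100", "0.023", "4.4"))
    print("0.01 EUR fee:     ", simulate_round_trip("100", "0.023", "4.4", "0.01"))
    print("1 RON floor:      ", simulate_round_trip("100", "1", "4.4"))
    print("floor + fee:      ", simulate_round_trip("100", "1", "4.4", "0.01"))
    refused, flagged = screen_exchanges(SAMPLE_LOG)
    print(f"refused {len(refused)} micro-exchanges, flagged accounts: {flagged}")
```

The discrete simulation lands slightly above the slide's 190 RON because the slide rounds the multiplication rate to 1.9. The interesting rows are the mitigations: a 1 RON floor on its own still leaves a small gain (0.23 EUR per 1 RON, i.e. 4.34 instead of 4.40), while a 0.01 EUR fee alone already wipes out the 0.023 RON trick, and the two together turn the round trip into a loss.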
![Page 16: Digipass Instrumentation for Fun and Profit - DefCamp 2012](https://reader034.fdocuments.net/reader034/viewer/2022042515/54bd12234a795959428b471d/html5/thumbnails/16.jpg)
Behind the curtains… (Back to the FUN part)
![Page 17: Digipass Instrumentation for Fun and Profit - DefCamp 2012](https://reader034.fdocuments.net/reader034/viewer/2022042515/54bd12234a795959428b471d/html5/thumbnails/17.jpg)
External vs Internal instrumentation
Internal instrumentation (direct electrical connections):
Pros:
more reliable and faster
almost error free
Cons:
might not always be possible: some digipasses deactivate if opened
must know the pinout of the LCD screen (lots of pins!)
sensitive soldering required
mistakes can lead to deactivation
External instrumentation:
Pros:
No interference with the digipass's internals
Can be applied to any digipass model
Cons:
Pretty slow (but good for the "low and slow" approach)
Some mechanical errors occur when pressing buttons (resolvable by a more professional construction)
The OCR process needs special (lighting) conditions to produce correct results
17
![Page 18: Digipass Instrumentation for Fun and Profit - DefCamp 2012](https://reader034.fdocuments.net/reader034/viewer/2022042515/54bd12234a795959428b471d/html5/thumbnails/18.jpg)
Electric diagram

| D3 D2 D1 D0 | Sx | Digipass key |
|---|---|---|
| 0001 | S1 | 0 |
| 0010 | S2 | 1 |
| 0011 | S3 | 2 |
| 0100 | S4 | 3 |
| 0101 | S5 | 4 |
| 0110 | S6 | 5 |
| 0111 | S7 | 6 |
| 1000 | S8 | 7 |
| 1001 | S9 | 8 |
| 1010 | S10 | 9 |
| 1011 | S11 | = |
| 1100 | S12 | S |
| 1101 | S13 | ON/OFF |
![Page 19: Digipass Instrumentation for Fun and Profit - DefCamp 2012](https://reader034.fdocuments.net/reader034/viewer/2022042515/54bd12234a795959428b471d/html5/thumbnails/19.jpg)
Optical Character Recognition
Processing stages: Original -> Cleared background -> Blurred -> Threshold applied -> OCR-ized (gocr / ocrad)
Sample OCR output:
7169309
-_16g309
1757450
1_5_G50
043i __ i_ì
OG3i _i_i
9a__641 4
9__6G1G
![Page 20: Digipass Instrumentation for Fun and Profit - DefCamp 2012](https://reader034.fdocuments.net/reader034/viewer/2022042515/54bd12234a795959428b471d/html5/thumbnails/20.jpg)
Current performance
10 transactions / minute (6 seconds / transaction): enter PIN, type challenge code, read response image, do OCR
max 21600 transactions / day
Our previous example:
100 RON -> 190 RON (gain ~20 EUR)
=> 4347 transactions * 6 sec/trans = 26082 sec = 7h 14m 42s
Maximum amount to multiply per day:
21600 * 0.023 RON = 496.8 RON => final: 943.9 RON
gain 447 RON ~= 101 EUR/day
Money making machine?
20
![Page 21: Digipass Instrumentation for Fun and Profit - DefCamp 2012](https://reader034.fdocuments.net/reader034/viewer/2022042515/54bd12234a795959428b471d/html5/thumbnails/21.jpg)
Photo gallery
21
![Page 22: Digipass Instrumentation for Fun and Profit - DefCamp 2012](https://reader034.fdocuments.net/reader034/viewer/2022042515/54bd12234a795959428b471d/html5/thumbnails/22.jpg)
The first POC
22
![Page 23: Digipass Instrumentation for Fun and Profit - DefCamp 2012](https://reader034.fdocuments.net/reader034/viewer/2022042515/54bd12234a795959428b471d/html5/thumbnails/23.jpg)
Development stages (1)
23
![Page 24: Digipass Instrumentation for Fun and Profit - DefCamp 2012](https://reader034.fdocuments.net/reader034/viewer/2022042515/54bd12234a795959428b471d/html5/thumbnails/24.jpg)
Development stages (2)
24
![Page 25: Digipass Instrumentation for Fun and Profit - DefCamp 2012](https://reader034.fdocuments.net/reader034/viewer/2022042515/54bd12234a795959428b471d/html5/thumbnails/25.jpg)
Development stages (3)
25
![Page 26: Digipass Instrumentation for Fun and Profit - DefCamp 2012](https://reader034.fdocuments.net/reader034/viewer/2022042515/54bd12234a795959428b471d/html5/thumbnails/26.jpg)
Development stages (4)
26
![Page 27: Digipass Instrumentation for Fun and Profit - DefCamp 2012](https://reader034.fdocuments.net/reader034/viewer/2022042515/54bd12234a795959428b471d/html5/thumbnails/27.jpg)
Final version - back
27
![Page 28: Digipass Instrumentation for Fun and Profit - DefCamp 2012](https://reader034.fdocuments.net/reader034/viewer/2022042515/54bd12234a795959428b471d/html5/thumbnails/28.jpg)
Final version - front
28
![Page 29: Digipass Instrumentation for Fun and Profit - DefCamp 2012](https://reader034.fdocuments.net/reader034/viewer/2022042515/54bd12234a795959428b471d/html5/thumbnails/29.jpg)
Demo
29
![Page 30: Digipass Instrumentation for Fun and Profit - DefCamp 2012](https://reader034.fdocuments.net/reader034/viewer/2022042515/54bd12234a795959428b471d/html5/thumbnails/30.jpg)
Thank you!
QUESTIONS ?
30
Adrian Furtunǎ, PhD, CEH
http://pentest-tools.com