Inside .NET Smart Card Operating System 44Con, September 2012

Behrang Fouladi, SensePost

behrang@sensepost.com

What is a smart card?

VS

What is a smart card?

Single Application Smart Cards

Multi-Application Smart Card

Access Control

Identification

Card Parking

Cashless Payments

Computer Access

Did you know?

• How many of you have Orange SIM cards?

• What applications are running on your SIM card?

• Any other apps working silently?

Example: SIM Tracker Applet

• Operators goal: sending the MMS/APN settings to the new handset • Can also be used for investigation purposes

In The News…

– Oyster card: Crypto-1 encryption algorithm attack, 2004

– Cambridge university: EMV relay attack, 2010

– Sykipot malware Targeting US DoD smart cards, 2011-2012

In The News…

Why?

Why?

• 8 billion smart cards by 2014

• The “Internet of Things”

• Chip-enabled mobile payments

• Hardware backdoors

• Malware is everywhere!

Smart Card Firewall

Multi-application Smart Card Platforms

MULTOS

.NET card

JavaCard

.NET Smart Card

• First .NET virtual machine on the chip

• Native support in Windows 7 and server 2008

• Used in:

– Smart card based corporate badges (Microsoft employees badge)

– Remote Access Control (USA DoD and UK MOD)

.NET smart card overview

.NET smart card security model

App Domain A

App Domain B

App Domain C

RSA Sig(A) RSA Sig(C)

RSA Sig(B)

Public Key Token

Code Access Security

Data Access Security

Card application development

?? Deployment & Debugging ??

Communication (APDU) ??

Card application development

.NET assembly

Converter Plug-in

Comm. Proxy

(1) Compiles program

(2) Conversion to card binary

(3) Signed card binary

(4) .NET remoting comm.

(5) APDU comm.

Vendor’s SDK

How secure is .NET card?

• Has EAL5+ certified Infenion chip

• EAL certification is widely used by smart card industry (EAL3 to EAL7)

• .NET card OS is designed to achieve EAL4+

• EAL4+ audit: – takes 6 to 9 months, costs high 10sk to low 100sk £

– includes independent penetration testing and source code review in some case

• No published vulnerabilities so far

Rev. Engineering For Vuln. Discovery

Smart Card Vuln. research

• No Chip OS binary is available

• Traditional tools (debuggers, disassemblers) are useless

• No publicly available testing tools

• Secure chips have sensors, shields, encryption

• ON-card bytecode/IL code verifier

“HiveMod” Tool

HiveMod

• Vulnerability research tool, for:

– .NET card binary (Hive format) visualization

– Card Binary manipulation

– Card binary Re-signing

.NET Card Binary

Compiler Header

Digital signature Header

Object counters Header

Namespaces reference table

Types reference table

Methods reference table

Fields reference table

Blob definitions

Type definitions

Method definitions

Program code (IL code)

RSA signature

HIVE manipulation/fuzzing

Manipulating Digital Signature Header

offset Field name size

32 SHA1 hash of the full assembly 20

52 Public key token 8

60 RSA modulus length 4 (len)

64 RSA public exponent 4

68 RSA modulus len

Compiler Header

Digital signature Header

Object counters Header

Namespaces reference table

Types reference table

Methods reference table

Fields reference table

Blob definitions

Type definitions

Method definitions

Program code (IL code)

RSA signature

Manipulating Digital Signature Header

PBKT=Reverse(Right(SHA1(RSA_modulus),8))

(Bypassing .NET card app Firewall) Old school attack: Public Key Token Spoofing

Attack Demo

Let’s use the HiveMod tool to test this vulnerability!

Manual testing vs. HiveMod

• Rev. engineering the SDK: ~2 months

• Hex editor for binary patching : Frustrating

• Modified card binary needs to be signed

• Destroying at least 10 cards: ~200 Euros

Real World Attack?

Employee corporate cafeteria

POS terminal

Attacker’s system

(1) Attacker plants malware in e-purse

Access control app

E-Purse app

GSM (data)

GSM (data)

(2) Payment

(3) Access control data exfiltration

(4) save

to card

(n

o G

SM access)

Fiction or Real?

Document available on the internet

Vendor’s Response

• “An attacker needs administration key to be able to upload his malicious application on the card, This Key is normally securely stored in a HSM or a smart card based controller”.

Vendor’s Response

• “Knowledge of the Public Key Token of the targeted application is required”.

Vendor’s Response

• “The targeted application must use private file-system storage for its data to be exposed. Therefore, internal (Application Domain) storage is immune to such attack”.

byte[] key={0xaf,0x09,0x45,0x12,....};

More Vulnerabilities...

• Unauthorized memory read in InitializeArray():

public static void InitializeArray(Array array,RuntimeFieldHandle fldHandle);

• Results: Partial memory dump

• Destroys the card (no reliable exploitation yet)

More Vulnerabilities...

Conclusions

• don’t worry!

• check the apps PKTs for tampering.

• Use a secure card management system

• Smart card apps can be patched/updated , but not the card’s OS!

• Smart cards OS and apps and card management software need pen tests too!

Closing words

• HiveMod Tool would be available to Smart Card vendors and security researchers (contact research@sensepost.com)

• I’d like to thank Dr. Kostas Markantonakis for supervising my research

Questions?