Smart card reader security
Peter Lebbing
peter at digitalbrains.com
Thu Nov 28 10:10:01 CET 2013
On 27/11/13 21:15, NdK wrote:
> Found:
>
> http://www.lightbluetouchpaper.org/2006/12/24/chip-pin-terminal-playing-tetris/
Meh. They just replaced all hardware inside and only re-used the shell of the
device.
While it illustrates the point they're making in the article, it's not nearly as
cool as modding the firmware of the actual hardware through a rogue firmware update.
And even then I'm missing some nice details: how did they take care of the
special sticker that is supposed to crack when you try to open the device? (It's
usually holographic to prevent reproduction). And did the case crack or snap
when disassembling, leaving obvious marks where it did? I'm not saying these are
sufficient methods to prevent access to the inside[1], I'm asking if they could
take care of these things. For all I know, the underside of the device in the
video is a mess of broken plastic with some strips of holographic sticker
keeping it all together.
They compare it to the hack on the voting machine. I absolutely disagree: that
hack is what I'm talking about, a rogue firmware update, throw in a little
electromagnetic emission analysis for extra goodness.
I could do the PIN pad hack. I certainly can't do the voting machine hack.
Again, it illustrates the point they're trying to make, but it's not spectacular.
[1] For instance, you could take two or more devices, and saw them through at
different places. Once you have them somewhat open, you can probably carefully
pry pieces apart until you have an undamaged specimen of each part of the case.
By the way, you could prevent access to the insides fairly well by filling it up
with polyurethane once assembled, obviously making sure you have sealed all gaps
like card insertion slot and keyboard :).
--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
More information about the Gnupg-users
mailing list