Rss

    Archives for : attack

    No need to bypass security with a boot disk – 17 year old Windows exploit found

    The problem has been discovered in the Virtual DOS Machine (VDM) introduced in 1993 to support 16-bit applications (real mode applications for 8086). VDM is based on the Virtual 8086 Mode (VM86) in 80386 processors and, among other things, intercepts hardware routines such as BIOS calls. Google security team member Tavis Ormandy has found several vulnerabilities in this implementation that allow an unprivileged 16-bit program to manipulate the kernel stack of each process via a number of tricks. This potentially enables attackers to execute code at system privilege level.

    In addition to the unpatched hole in Internet Explorer, a now published hole in Windows allows users with restricted access to escalate their privileges to system level – and this is believed to be possible on all 32-bit versions of Windows from Windows NT 3.1 up to, and including Windows 7. While the vulnerability is likely to affect home users in only a minor way, the administrators of corporate networks will probably have their hands full this week.

    The problem is caused by flaws in the Virtual DOS Machine (VDM) introduced in 1993 to support 16-bit applications (real mode applications for 8086). VDM is based on the Virtual 8086 Mode (VM86) in 80386 processors and, among other things, intercepts hardware routines such as BIOS calls. Google security team member Tavis Ormandy has found several vulnerabilities in this implementation that allow an unprivileged 16-bit program to manipulate the kernel stack of each process via a number of tricks. This potentially enables attackers to execute code at system privilege level.

    Ormandy has also published a suitable exploit which functions under Windows XP, Windows Server 2003 and 2008, Windows Vista and Windows 7. When tested by the The H’s associates at heise Security, the exploit opened a command prompt in the system context, which has the highest privilege level, under Windows XP and Windows 7. No patch has become available, although Ormandy reports that Microsoft was already informed of the hole in mid 2009. The developer decided to publish the information regardless because, in his opinion, there is a simple workaround: to disable the MS-DOS subsystem.

    The workaround requires users to start the group policy editor and enable the “Prevent access to 16-bit applications” option in the Computer ConfigurationAdministrative TemplatesWindows ComponentsApplication Compatibility section. When tested with these settings by the heise Security team, the exploit no longer functioned. The settings reportedly don’t cause any major compatibility problems for most users while no 16-bit applications are being used.

    Update – The above option is only available through the group policy editor on Windows 2003 systems. Some versions of Windows do not include a group policy editor. As an alternative, users can also create a registry key under HKEY_LOCAL_MACHINESOFTWAREPoliciesMicrosoftWindowsAppCompat with a D-Word value of VDMDissallowed = 1. Under Windows XP, to prevent the system from being vulnerable to the exploit, users can place the following text:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINESOFTWAREPoliciesMicrosoftWindowsAppCompat]

    “VDMDisallowed”=dword:00000001

    into a file called vdmdisallow.reg and double click the file. Windows will then automatically import the key (admin rights are required to perform this action).

    Update 2 - Microsoft has now confirmed the privilege escalation hole in Windows. The company says that it wants to complete its investigation of the vulnerability and will then decide whether, how and when to close it.

    See Also:

    REDMOND — When it rains, it pours. Especially in the Seattle area. Tavis Ormandy has published full details on a privilege escalation hack of all versions of Windows including Windows 7.

    The exploit takes advantage of a bug in the Windows implementation of the ‘virtual DOS machine’ used to run legacy 16-bit programs. The exploit can be avoided by turning the VDM ‘feature’ off but the danger of course is that enough Windows lusers won’t know about the bug and/or bother turning the ‘feature’ off.

    16-bit applications need BIOS support; the Windows kernel supports virtual BIOS interrupts in its ‘Virtual-8086’ mode monitor code. The code is implemented in two stages. The #GP trap handler transitions to the second stage when CS:EIP faults with specific ‘magic’ values.

    The transition requires (subsequent to authentication) restoring the context and the call stack from the faulting trap frame. But the authentication process is flawed, relying as it does on three incorrect assumptions.

    • Setting up a VDM context requires SeTcbPrivilege.The barrier to getting a VDM context can be subverted by requesting the NT VDM subsystem and then using CreateRemoteThread() to run code in the context of the VDM subsystem. The VDM subsystem already has the necessary flag set.
    • Ring 3 (unprivileged) code cannot install arbitrary code segment selectors.Using the two least significant bits of CS/SS to calculate the privilege of a task doesn’t work when it comes to Virtual-8086 mode. The 20-bit addressing (by adding CS << 4 to the 16-bit IP) is also used to map onto the protected linear Virtual-8086 address space. If CS can be set to an arbitrary value, then the privilege calculation can be circumvented.
    • Ring 3 (unprivileged) code cannot forge a trap frame.Returns to user mode are through IRET. An invalid context can cause IRET to fail pre-commit, which in turn forges a trap frame. And even with address randomisation it’s trivial to use NtQuerySystemInformation() to obtain the address of the second stage BIOS handler.

    Affected Systems

    This bug dates back 17 years and affects all systems released since 27 July 1993 – Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7. See the links below for further details.

    See Also
    MITRE: CVE-2010-0232
    Windows plagued by 17-year-old privilege escalation bug
    NEOPHASIS: Trap Handler Allows Users to Switch Kernel Stack

    WPA cracking is getting quicker

    I was reading some posts on the Full-disclosure mailing list and came across the some posts relating to WPA hacking (WPA attack improved to 1min). After spending hundreds of hours using the AIR tools to crack WEP encryption and looking into networks as part of my previous job, I was very interested to see how things are progressing.

    The thread mentioned the paper “A Practical Message Falsification Attack on WPA” posted on http://bit.ly/8qwQt.

    It was a coincidence as I was only taking to one of the executives at work about how easy WEP is to crack and what you can do/discover once you are in.

    I hope you enjoy the paper.

    —– Update —–

    Once this was posted I received many message s and a few more links for the post.

    So here thet are:

    http://www.youtube.com/watch?v=ZeCVkWMUSzE

    http://www.crn.com.au/News/154177,researchers-crack-wpa-encryption-in-60-seconds.aspx

    http://www.renderlab.net/projects/WPA-tables/
    http://205.127.87.136:6969/torrents
    /wpa_psk-h1kari_renderman.torrent?95896A255A82D1FE8B6A2BFFC098B735058B30D7
    http://www.churchofwifi.org/Project_Display.asp?PID=90
    http://jwis2009.nsysu.edu.tw/location/paper/A%20Practical%20Message%20Falsification%20Attack%20on%20WPA.pdf – Though will only help with TKIP

    Thanks to

    Oliver from ethicalhack.org

    Michael from SA Government

    Tim from CQR Consulting

    —– End Update ——


    SQL Injection Cheat Sheets

    From Pentestmonkey.net, this is a great list of SQL Injection cheat sheets.

    Some more Links:

    SQL Injection Attacks by Example

    Pangolin – Automatic SQL Injection Tool

    SQL Injection Attacks Exploiting Unverified User Data Input

    SQL Injection Cheat Sheet

    EFT Syetms and Device Considerations

    EFT devices and systems differ depending on hardware vendor, country and bank / payment aggregator.
    Below is a list of things you may like to consider. This list is off the top of my head so it is probably not complete.

    Looking at the products and relationships us usually a good start.

    Things to consider:

    • Card skimming methods
    • Some EFT POS devices restrict the connection of a skimmer
    • Review levels of associated fraud
    • Review devices and EFT methods
    • Review terminal identification (merchant and customer)
    • Manual processing. (internal and external)
    • eCommerce products
    • PC based software
    • Dedicated server services (Nobil, etc.)
    • Web based engine (Custom objects, Web pop-ups, etc)
    • Authorisation / identification methods (Merchant and customer)
    • TCPIP session hijacking / session spoofing
    • Direct Debit as well as Credit Cards.
    • Swift (methods and controls)
    • Telegraphic transfer (methods and controls)
    • Payment aggregator relationships (eg. Payment Tech, manual processing, cheque scanning, etc.)
    • Internet banking facilities (attack / penetration,  Certificate registration / management, ISP SLA’s, etc.)
    • Implementation of Smart Card and / or alternative customer recognition devices.
    • Outsourcing and associated risks / service level agreements
    • Payment processing
    • Payment clearance
    • Payment switching
    • Reporting (segregation of merchant / customers / aggregators / partners / local / international)
    • Fraud detection and reporting
    • 3rd party acquiring risks
    • Single merchant ID many businesses
    • Allows moneys to be laundered if the payment aggregator does not place appropriate controls on the merchant.
    • Encryption used
    • Internet / trusted partner / inter-bank / extranet
    • Private and / or public certificates
    • Single use certificates
    • Client side certificates
    • Remittance advice processes and controls.
    • EFT disaster recovery and manual fall back procedures (associated security and reconciliation risks)
    • Trusted partner relationships, SLA’s, liabilities and risks.
    • EFT regulatory / legal requirements (inter-bank and government)
    • Refund processing / authorisation. (policies, procedures, controls, etc.)
    • CVV, CVV-2 / CVC-2 processing and management. (http://www.atlanticpayment.com/CVV.htm)
    • Fraud detection mechanism (neural networks, inter-bank / department customer checks, etc)
    • Supported card schemes (AMEX/Visa/Mastercard/Discover/etc )
    • Review EFT floor limits (corporate and SME merchants)
    • Review the ability to withhold merchant settlement until the presence of fraud has been determined.
    • Review customer identification details. Such as (This varies around the world depending on local regulations / privacy laws)
    • Review real-time and batched processing methods and controls (sequence numbers, access to raw data, etc.)
    • Review processing with and without expiry dates. (exception controls and policies)
    • Review exception / fraud reports.
    • Review payment store and forward policies and procedures.
    • Review Pre-Auth and Completion controls.
    • Token based payment (eCash, etc)
    • Merchant reconciliation, reporting methods and controls (paper, Internet, email, PDF, Fax, etc.) and associated security.
    • Real time gross settlement policies, procedures and controls. (IT and amounts)
    • Card issuing policies and procedures. (customer ID checks, etc)
    • Banking infrastructure (ingress / egress) controls and security. (Web, partner, payment switches, outsourced infrastructure, monitoring / reporting.)
    • Use of Internet technologies for inter-bank transfers and remote equipment.
    • Physical security and controls of devices, ATM,s, line encryptors, etc.

    DNS Hack Needs Patching – Serious Problem

    This has been kept under wraps by the Operating System and Hardware vendors for the last few weeks and now patches have finally been released for many Operating Systems, DNS software applications and Hardware devices.
    If you provide or rely on DNZ services (external and Internal) you should consider quickly patching your servers/devices.

    Although Internal DNS servers may not be exposed to an Internet attack, we see many more internal attacks within larger organisations which involve rogue server or services being established within the firewalled trusted network. As a result, this lifts the threat level of internal systems/services and therefore the need for effective timely patching.

    Also consider asking the question of your hosting facility, upstream ISP or DNS provider to see if they have patched their DNS servers and forwarders.

    http://www.doxpara.com/?p=1162 This link also has a DNS checker.
    http://afp.google.com/article/ALeqM5hwFqcnWAuDWlcqfvfyHu5PGG9RMQ
    http://www.kb.cert.org/vuls/id/800113

    This is a full list of vendor patch links
    http://www.betanews.com/article/Major_fix_to_DNS_vulnerability_impacts_Windows_Debian/1215551008

    Good Luck

    Breaking VISA PIN

    Below is an article I found recently. This one of the most comprehensive descriptions of PIN Verification Value (PVV) hacking.

    I thought I would replicate it here for my local reference.

    As comments have been made regarding the grammar used in the original text, I have corrected some of the obvious errors whilst maintaining the context of the original material.

    http://69.46.26.132/~biggold1/fastget2you/tutorial.php

    ——– Original Text ———-

    Foreword
    Have you ever wonder what would happen if you lose your credit or debit card and someone finds it. Would this person be able to withdraw cash from an ATM guessing, somehow, your PIN? Moreover, if you were who finds someone’s card would you try to guess the PIN and take the chance to get some easy money? Of course the answer to both questions should be “no”. This work does not deal with the second question, it is a matter of personal ethics. Herewith I try to answer the first question.

    All the information used for this work is public and can be freely found in Internet. The rest is a matter of mathematics and programming, thus we can learn something and have some fun. I reveal no secrets. Furthermore, the aim (and final conclusion) of this work is to demonstrate that PIN algorithms are still strong enough to provide sufficient security. We all know technology is not the weak point.

    This work analyses one of the most common PIN algorithms, VISA PVV, used by many ATM cards (credit and debit cards) and tries to find out how resistant is to PIN guessing attacks. By “guessing” I do not mean choosing a random PIN and trying it in an ATM. It is well known that generally we are given three consecutive trials to enter the right PIN, if we fail ATM keeps the card. As VISA PIN is four digit long it’s easy to deduce that the chance for a random PIN guessing is 3/10000 = 0.0003, it seems low enough to be safe; it means you need to lose your card more than three thousand times (or losing more than three thousand cards at the same time 🙂 until there is a reasonable chance of losing money.

    What I really meant by “guessing” was breaking the PIN algorithm so that given any card you can immediately know the associated PIN. Therefore this document studies that possibility, analyzing the algorithm and proposing a method for the attack. Finally we give a tool which implements the attack and present results about the estimated chance to break the system. Note that as long as other banking security related algorithms (other PIN formats such as IBM PIN or card validation signatures such as CVV or CVC) are similar to VISA PIN, the same analysis can be done yielding nearly the same results and conclusions.


    VISA PVV algorithm


    One of the most common PIN algorithms is the VISA PIN Verification Value (PVV). The customer is given a PIN and a magnetic stripe card. Encoded in the magnetic stripe is a four digit number, called PVV. This number is a cryptographic signature of the PIN and other data related to the card. When a user enters his/her PIN the ATM reads the magnetic stripe, encrypts and sends all this information to a central computer. There a trial PVV is computed using the customer entered PIN and the card information with a cryptographic algorithm. The trial PVV is compared with the PVV stored in the card, if they match the central computer returns to the ATM authorization for the transaction. See in more detail.

    The description of the PVV algorithm can be found in two documents linked in the previous page. In summary it consists in the encryption of a 8 byte (64 bit) string of data, called Transformed Security Parameter (TSP), with DES algorithm (DEA) in Electronic Code Book mode (ECB) using a secret 64 bit key. The PVV is derived from the output of the encryption process, which is a 8 byte string. The four digits of the PVV (from left to right) correspond to the first four decimal digits (from left to right) of the output from DES when considered as a 16 hexadecimal character (16 x 4 bit = 64 bit) string. If there are no four decimal digits among the 16 hexadecimal characters then the PVV is completed taken (from left to right) non decimal characters and decimalizing them by using the conversion A->0, B->1, C->2, D->3, E->4, F->5. Here is an example:

    Output from DES: 0FAB9CDEFFE7DCBA

    PVV: 0975

    The strategy of avoiding decimalization by skipping characters until four decimal digits are found (which happens to be nearly all the times as we will see below) is very clever because it avoids an important bias in the distribution of digits which has been proven to be fatal for other systems, although the impact on this system would be much lower. See also a related problem not applying to VISA PVV.

    The TSP, seen as a 16 hexadecimal character (64 bit) string, is formed (from left to right) with the 11 rightmost digits of the PAN (card number) excluding the last digit (check digit), one digit from 1 to 6 which selects the secret encrypting key and finally the four digits of the PIN. Here is an example:

    PAN: 1234 5678 9012 3445
    Key selector: 1
    PIN: 2468

    TSP: 5678901234412468

    Obviously the problem of breaking VISA PIN consists in finding the secret encrypting key for DES. The method for that is to do a brute force search of the key space. Note that this is not the only method, one could try to find a weakness in DEA, many tried, but this old standard is still in wide use (now been replaced by AES and RSA, though). This demonstrates it is robust enough so that brute force is the only viable method (there are some better attacks but not practical in our case, for a summary see LASEC memo and for the dirty details see Biham & Shamir 1990, Biham & Shamir 1991, Matsui 1993, Biham & Biryukov 1994 and Heys 2001).

    The key selector digit was very likely introduced to cover the possibility of a key compromise. In that case they just have to issue new cards using another key selector. Older cards can be substituted with new ones or simply the ATM can transparently write a new PVV (corresponding to the new key and keeping the same PIN) next time the customer uses his/her card. For the shake of security all users should be asked to change their PINs, however it would be embarrassing for the bank to explain the reason, so very likely they would not make such request.

    Preparing the attack


    A brute force attack consists in encrypting a TSP with known PVV using all possible encrypting keys and compare each obtained PVV with the known PVV. When a match is found we have a candidate key. But how many keys we have to try? As we said above the key is 64 bit long, this would mean we have to try 2^64 keys. However this is not true. Actually only 56 bits are effective in DES keys because one bit (the least significant) out of each octet was historically reserved as a checksum for the others; in practice those 8 bits (one for each of the 8 octets) are ignored.

    Therefore the DES key space consists of 2^56 keys. If we try all these keys will we find one and only one match, corresponding to the bank secret key? Certainly not. We will obtain many matching keys. This is because the PVV is only a small part (one fourth) of the DES output. Furthermore the PVV is degenerated because some of the digits (those between 0 and 5 after the last, seen from left to right, digit between 6 and 9) may come from a decimal digit or from a decimalized hexadecimal digit of the DES output. Thus many keys will produce a DES output which yields to the same matching PVV.

    Then what can we do to find the real key among those other false positive keys? Simply we have to encrypt a second different TSP, also with known PVV, but using only the candidate keys which gave a positive matching with the first TSP-PVV pair. However there is no guarantee we won’t get again many false positives along with the true key. If so, we will need a third TSP-PVV pair, repeat the process and so on.

    Before we start our attack we have to know how many TSP-PVV pairs we will need. For that we have to calculate the probability for a random DES output to yield a matching PVV just by chance. There are several ways to calculate this number and here I will use a simple approach easy to understand but which requires some background in mathematics of probability.

    A probability can always be seen as the ratio of favorable cases to possible cases. In our problem the number of possible cases is given by the permutation of 16 elements (the 0 to F hexadecimal digits) in a group of 16 of them (the 16 hexadecimal digits of the DES output). This is given by 16^16 ~ 1.8 * 10^19 which of course coincides with 2^64 (different numbers of 64 bits). This set of numbers can be separated into five categories:

    Those with at least four decimal digits (0 to 9) among the 16 hexadecimal digits (0 to F) of the DES output.

    Those with exactly only three decimal digits.

    Those with exactly only two decimal digits.

    Those with exactly only one decimal digit.

    Those with no decimal digits (all between A and F).

    Let’s calculate how many numbers fall in each category. If we label the 16 hexadecimal digits of the DES output as X1 to X16 then we can label the first four decimal digits of any given number of the first category as Xi, Xj, Xk and Xl. The number of different combinations with this profile is given by the product 6 i-1 * 10 * 6j-i-1 * 10 * 6k-j-1 * 10 * 6 l-k-1 * 10 * 1616-l where the 6’s come from the number of possibilities for an A to F digit, the 10’s come from the possibilities for a 0 to 9 digit, and the 16 comes from the possibilities for a 0 to F digit. Now the total numbers in the first category is simply given by the summation of this product over i, j, k, l from 1 to 16 but with i < j < k < l. If you do some math work you will see this equals to the product of 104/6 with the summation over i from 4 to 16 of (i-1) * (i-2) * (i-3) * 6i-4 * 16 16-i ~ 1.8 * 1019.

    Analogously the number of cases in the second category is given by the summation over i, j, k from 1 to 16 with i < j < k of the product 6i-1 * 10 * 6j-i-1 * 10 * 6k-j-1 * 10 * 616-k which you can work it out to be 16!/(3! * (16-13)!) * 103 * 6 13 = 16 * 15 * 14/(3 * 2) * 103 * 613 = 56 * 104 * 613 ~ 7.3 * 1015. Similarly for the third category we have the summation over i, j from 1 to 16 with i < j of 6 i-1 * 10 * 6j-i-1 * 10 * 616-j which equals to 16!/(2! * (16-14)!) * 102 * 614 = 2 * 103 * 615 ~ 9.4 * 1014. Again, for the fourth category we have the summation over i from 1 to 16 of 6i-1 * 10 * 616-i = 160 * 615 ~ 7.5 * 1013. And finally the amount of cases in the fifth category is given by the permutation of six elements (A to F digits) in a group of 16, that is, 616 ~ 2.8 * 1012.

    I hope you followed the calculations up to this point, the hard part is done. Now as a proof that everything is right you can sum the number of cases in the 5 categories and see it equals the total number of possible cases we calculated before. Do the operations using 64 bit numbers or rounding (for floats) or overflow (for integers) errors won’t let you get the exact result.

    Up to now we have calculated the number of possible cases in each of the five categories, but we are interested in obtaining the number of favorable cases instead. It is very easy to derive the latter from the former as this is just fixing the combination of the four decimal digits (or the required hexadecimal digits if there are no four decimal digits) of the PVV instead of letting them free. In practice this means turning the 10’s in the formula above into 1’s and the required amount of 6’s into 1’s if there are no four decimal digits. That is, we have to divide the first result by 104, the second one by 103 * 6, the third one by 102 * 62 , the fourth one by 10 * 63 and the fifth one by 64 . Then the number of favorable cases in the five categories are approximately 1.8 * 1015, 1.2 * 1012, 2.6 * 1011 , 3.5 * 1010, 2.2 * 109 respectively.

    Now we are able to obtain what is the probability for a DES output to match a PVV by chance. We just have to add the five numbers of favorable cases and divide it by the total number of possible cases. Doing this we obtain that the probability is very approximately 0.0001 or one out of ten thousand. Is it strange this well rounded result? Not at all, just have a look at the numbers we calculated above. The first category dominates by several orders of magnitude the number of favorable and possible cases. This is rather intuitive as it seems clear that it is very unlikely not having four decimal digits (10 chances out of 16 per digit) among 16 hexadecimal digits. We saw previously that the relationship between the number of possible and favorable cases in the first category was a division by 10^4, that’s where our result p = 0.0001 comes from.

    Our aim for all these calculations was to find out how many TSP-PVV pairs we need to carry a successful brute force attack. Now we are able to calculate the expected number of false positives in a first search: it will be the number of trials times the probability for a single random false positive, i.e. t * p where t = 2^56, the size of the key space. This amounts to approximately 7.2 * 10^12, a rather big number. The expected number of false positives in the second search (restricted to the positive keys found in the first search) will be (t * p) * p, for a third search will be ((t * p) * p) * p and so on. Thus for n searches the expected number of false positives will be t * p^n.

    We can obtain the number of searches required to expect just one false positive by expressing the equation t * p^n = 1 and solving for n. So n equals to the logarithm in base p of 1/t, which by properties of logarithms it yields n = log(1/t)/log(p) ~ 4.2. Since we cannot do a fractional search it is convenient to round up this number. Therefore what is the expected number of false positives if we perform five searches? It is t * p^5 ~ 0.0007 or approximately 1 out of 1400. Thus using five TSP-PVV pairs is safe to obtain the true secret key with no false positives.

    The attack


    Once we know we need five TSP-PVV pairs, how do we get them? Of course we need at least one card with known PIN, and due to the nature of the PVV algorithm, that’s the only thing we need. With other PIN systems, such as IBM, we would need five cards, however this is not necessary with VISA PVV algorithm. We just have to read the magnetic stripe and then change the PIN four times but reading the card after each change.

    It is necessary to read the magnetic stripe of the card to get the PVV and the encrypting key selector. You can buy a commercial magnetic stripe reader or make one yourself following the instructions you can find in the previous page and links therein. Once you have a reader see this description of standard magnetic tracks to find out how to get the PVV from the data read. In that document the PVV field in tracks 1 and 2 is said to be five character long, but actually the true PVV consists of the last four digits. The first of the five digits is the key selector. I have only seen cards with a value of 1 in this digit, which is consistent with the standard and with the secret key never being compromised (and therefore they did not need to move to another key changing the selector).

    I did a simple C program, getpvvkey.c, to perform the attack. It consists of a loop to try all possible keys to encrypt the first TSP, if the derived PVV matches the true PVV a new TSP is tried, and so on until there is a mismatch, in which case the key is discarded and a new one is tried, or the five derived PVVs match the corresponding true PVVs, in which case we can assume we got the bank secret key, however the loop goes on until it exhausts the key space. This is done to assure we find the true key because there is a chance (although very low) the first key found is a false positive.

    It is expected the program would take a very long time to finish and to minimize the risks of a power cut, computer hang out, etc. it does checkpoints into the file getpvvkey.dat from time to time (the exact time depends on the speed of the computer, it’s around one hour for the fastest computers now in use). For the same reason if a positive key is found it is written on the file getpvvkey.key. The program only displays one message at the beginning, the starting position taken from the checkpoint file if any, after that nothing more is displayed.

    The DES algorithm is a key point in the program, it is therefore very important to optimize its speed. I tested several implementations: libdes, SSLeay, openssl, cryptlib, nss, libgcrypt, catacomb, libtomcrypt, cryptopp, ufc-crypt. The DES functions of the first four are based on the same code by Eric Young and is the one which performed best (includes optimized C and x86 assembler code). Thus I chose libdes which was the original implementation and condensed all relevant code in the files encrypt.c (C version) and x86encrypt.s (x86 assembler version). The code is slightly modified to achieve some enhancements in a brute force attack: the initial permutation is a fixed common steep in each TSP encryption and therefore can be made just one time at the beginning. Another improvement is that I wrote a completely new setkey function (I called it nextkey) which is optimum for a brute force loop.

    To get the program working you just have to type in the corresponding place five TSPs and their PVVs and then compile it. I have tested it only in UNIX platforms, using the makefile Makegetpvvkey to compile (use the command “make -f Makegetpvvkey”). It may compile on other systems but you may need to fix some things. Be sure that the definition of the type long64 corresponds to a 64 bit integer. In principle there is no dependence on the endianness of the processor. I have successfully compiled and run it on Pentium-Linux, Alpha-Tru64, Mips-Irix and Sparc-Solaris. If you do not have and do not want to install Linux (you don’t know what you are missing 😉 you still have the choice to run Linux on CD and use my program, see my page running Linux without installing it.

    Once you have found the secret bank key if you want to find the PIN of an arbitrary card you just have to write a similar program (sorry I have not written it, I’m too lazy 🙂 that would try all 10^4 PINs by generating the corresponding TSP, encrypting it with the (no longer) secret key, deriving the PVV and comparing it with the PVV in the magnetic stripe of the card. You will get one match for the true PIN. Only one match? Remember what we saw above, we have a chance of 0.0001 that a random encryption matches the PVV. We are trying 10000 PINs (and therefore TSPs) thus we expect 10000 * 0.0001 = 1 false positive on average.

    This is a very interesting result, it means that, on average, each card has two valid PINs: the customer PIN and the expected false positive. I call it “false” but note that as long as it generates the true PVV it is a PIN as valid as the customer’s one. Furthermore, there is no way to know which is which, even for the ATM; only customer knows. Even if the false positive were not valid as PIN, you still have three trials at the ATM anyway, enough on average. Therefore the probability we calculated at the beginning of this document about random guessing of the PIN has to be corrected. Actually it is twice that value, i.e., it is 0.0006 or one out of more than 1600, still safely low.

    Results


    It is important to optimize the compilation of the program and to run it in the fastest possible processor due to the long expected run time. I found that the compiler optimization flag -O gets the better performance, thought some improvement is achieved adding the -fomit-frame-pointer flag on Pentium-Linux, the -spike flag on Alpha-Tru64, the -IPA flag on Mips-Irix and the -fast flag on Sparc-Solaris. Special flags (-DDES_PTR -DDES_RISC1 -DDES_RISC2 -DDES_UNROLL -DASM) for the DES code have generally benefits as well. All these flags have already been tested and I chose the best combination for each processor (see makefile) but you can try to fine tune other flags.

    According to my tests the best performance is achieved with the AMD Athlon 1600 MHz processor, exceeding 3.4 million keys per second. Interestingly it gets better results than Intel Pentium IV 1800 MHz and 2000 MHz (see figures below, click on them to enlarge). I believe this is due to some I/O saturation, surely cache or memory access, that the AMD processor (which has half the cache of the Pentium) or the motherboard in which it is running, manages to avoid. In the first figure below you can see that the DES breaking speed of all processors has more or less a linear relationship with the processor speed, except for the two Intel Pentium I mentioned before. This is logical, it means that for a double processor speed you’ll get double breaking speed, but watch out for saturation effects, in this case it is better the AMD Athlon 1600 MHz, which will be even cheaper than the Intel Pentium 1800 MHz or 2000 MHz.

    In the second figure we can see in more detail what we would call intrinsic DES break power of the processor. I get this value simply dividing the break speed by the processor speed, that is, we get the number of DES keys tried per second and per MHz. This is a measure of the performance of the processor type independently of its speed. The results show that the best processor for this task is the AMD Athlon, then comes the Alpha and very close after it is the Intel Pentium (except for the higher speed ones which perform very poor due to the saturation effect). Next is the Mips processor and in the last place is the Sparc. Some Alpha and Mips processors are located at bottom of scale because they are early releases not including enhancements of late versions. Note that I included the performance of x86 processors for C and assembler code as there is a big difference. It seems that gcc is not a good generator of optimized machine code, but of course we don’t know whether a manual optimization of assembler code for the other processors (Alpha, Mips, Sparc) would boost their results compared to the native C compilers (I did not use gcc for these other platforms) as it happens with the x86 processor.

    Update

    Here is an article where these techniques may have been used.

    http://redtape.msnbc.com/2008/08/could-a-hacker.html

    How to Build a Low-Cost, Extended-Range RFID Skimmer Filed under: RFID

    http://www.eng.tau.ac.il/~yash/kw-usenix06/index.html </a>

    Check it Out…

    here is a local copy.

    How to Build a Low-Cost, Extended-Range RFID Skimmer

    Also some of the supporting documents.

    A Practical Relay Attack on ISO 14443 Proximity Cards

    S4100 Multi-Function Reader Module Data Sheet

    Security Analysis of a Cryptographically-Enabled RFID’s

    Antenna Circuit Design for RFID Applications

    ISO 14443

    FAQ Interoperability

    Bluetooth – Security

    Redirected from Bluetooth

     

    Source

    1 Bluetooth
    2 Wireless- History
    3 Wireless- Technologies
    4 Bluetooth- Technical Introduction
    5 Bluetooth- Advantages
    6 Bluetooth- Applications
    7 Bluetooth- Security Issues
    7.1 The SNARF attack
    7.2 The BACKDOOR attack
    7.3 The BLUEBUG attack
    7.4 Bluejacking
    7.5 Warnibbling
    8 Future of Bluetooth
    9 See also:
    10 Reference List

    Bluetooth

    Bluetooth is a new technology that utilises radio frequency waves as a way to communicate wirelessly between digital devices. It sets up personal area networks that incorporate all of a persons digital devices into one system for both convergence and convenience.

    Wireless- History

    Many people put the invention of [wireless] radio down to Guglielmo Marconi, who in 1895 sent the first radio telegraph transmission across the English Channel. Only twelve years later radio began being used in the public sphere. [Mathias, p.2] Up until then however, many wireless pioneers conducted trials across lakes where the antenna used to transmit the signal was longer than the distance across the lake. [Brodsky, p. 3] After its introduction the main use of wireless radio was for military communications where its first use was for the Boer War. [Flichy, p. 103] The invention of broadcast radio ensured the feasibility of wireless technologies. [Morrow, p. 2] By the 1920s, radio had become a well-recognised mass medium. [Flichy, p. 111] From the 1980s until now, wireless communications have been through several stages, from 1G (analogue signal), 2G (digital signal) and 3G (always on, faster data rate). [Lightman and Rojas, p. 3] The history of Bluetooth is a much more recent one, with the first Bluetooth-enabled products coming into existence in 2000. Named after Harald Blatand the first, king of Denmark around twelve hundred years ago, who joined the Danish and Norwegian kingdoms, Bluetooth technology is founded on this same unifying principle of being able to unite the computer and telecommunication industr[ies]. [Ganguli, p. 5] In 1994 the Ericsson Company began looking into the idea of replacing cables connecting accessories to mobile phones and computers with wireless links, and this became the main inspiration behind Bluetooth. [Morrow, p. 10]

    Wireless- Technologies

    Bluetooth is not the only wireless technology currently being developed and utilised. Other wireless technologies, including 802.11b, otherwise known as Wi-Fi, Infrared Data Association (IrDA), Ultra- Wideband Radio (UWB), and Home RF are being applied to similar technologies that Bluetooth use with mixed results. 802.11 is the most well known technology, excluding Bluetooth, and uses the same radio frequency, meaning that they are not compatible as they cause interference with each other. 802.11 is being implemented into universities in the US, Japan and China, as well as food and beverage shops where they are being used to identify students and customers. Even airports have taken up the 802.11 technology, with airports all over America, and three of Americas most prominent airlines promoting the use of it. [Lightman and Rojas, p. 202-3] Infrared Data Association is extremely inferior to that of Bluetooth. Its limitations include only being able to communicate point-to-point, needing a line of sight, and it has a speed of fifty- six kilobytes per second, whereas Bluetooth is one megabyte per second. [Ganguli, p. 17] The Ultra- Wideband Radio is superior to that of Bluetooth in that it can transmit at greater lengths (up to 70 metres), with only half of the power that Bluetooth uses. [Ganguli, p.17] HomeRF is a technology that is not very well known. It is used for data and voice communication and targeted for the residential market segment and does not serve enterprise- class WLANs, public access systems or fixed wireless Internet access. [Ganguli, p.17-18]

    Bluetooth- Technical Introduction

    Bluetooth is a short- range radio device that replaces cables with low power radio waves to connect electronic devices, whether they are portable or fixed. The Bluetooth device also uses frequency hopping to ensure a secure, quality link, and it uses ad hoc networks, meaning that it connects peer-to-peer. It can be operated worldwide and without a network because it uses the unlicensed Industrial- Scientific Medical (ISM) band for transmission that varies with a change in location. [Ganguli, p. 25-6] The Bluetooth user has the choice of point-to-point or point-to-multipoint links whereby communication can be held between two devices, or up to eight. [Ganguli, p. 96] When devices are communicating with each other they are known as piconets, and each device is designated as a master unit or slave unit, usually depending on who initiates the connection. However, both devices have the potential to be either a master or a slave. [Swaminatha and Elden, p. 49]

    Bluetooth- Advantages

    There are many advantages to using Bluetooth wireless technologies including the use of a radio frequency, the inexpensive cost of the device, replacing tedious cable connections, the low power use and implemented security measures. The use of an unlicensed radio frequency ensures that users do not need to gain a license in order to use it. Unlike Infrared which needs to have a line of sight in order to work, Bluetooth radio waves are omnidirectional and do not need a clear path. The device itself is relatively cheap and easy to use, one can be bought for around ten American dollars, and this price is currently decreasing. Compare this to the expensive cost of implementing hundreds of cables and wires into an office and there is no competition. Of course, this is the main reason for the take -up in Bluetooth -enabled devices; it does away with cables. Another of Bluetooths advantages is its low power use, ensuring that battery operated devices such as mobile phones and personal digital assistants wont have their battery life drained with the use of it. This low power consumption also guarantees minimal interruption from other radio operated and wireless devices that operate at a higher power. Bluetooth has several enabled security measures that ensures a level of privacy and security, including frequency hopping, whereby the device changes radio frequency sixteen hundred times per second. Also within the security tools are encryption and authentification mechanisms that guarantee little interference by unauthorised hackers. [Ganguli, p. 330] One of the best advantages of Bluetooth devices, especially the hands free device that connects to a mobile phone, is that it removes radiation from the brain region. [Tsang, p.1]

    Bluetooth- Applications

    The applications that are in development or current use for the Bluetooth technology include such areas as automotive, medical, industrial equipment, output equipment, digital -still cameras, computers, and communications systems. [Lightman and Rojas, p. 201] Bluetooth is an ad hoc network user, and therefore it may be used for social networking, i.e. people can meet and share files or link their Bluetooth devices together to play games or other such activities. [Smyth, p. 70] Using Bluetooth, a mobile phone can become a three- way phone, where at home it connects to a landline for cheaper calls, on the move it acts as a mobile phone and when it comes in contact with another Bluetooth-enabled phone it acts as a walkie- talkie. This walkie- talkie option allows for free interaction and communication, as Bluetooth is not connected to any telecommunications network. [Gupta, p.1] Bluetooth also allows automatic synchronization of your desktop, mobile computer, notebook and your mobile phone for the user to have all of their data managed as one. [Gupta, p.1]

    Bluetooth- Security Issues

    Bluetooth has several threats which range in level of risk and how widespread the action is. These threats have the ability to provide criminals with sensitive information on both corporate and personal levels. The only way to avoid such threats is for manufacturers, distributors, and consumers to be provided with more information on how they are committed, current attack activity and how to combat them. This information can be used on a technical level for manufacturers, it can be used by distributors at retail levels to teach consumers the risks and it can be used directly by consumers to be aware of the threats. The outcome of such research will allow end users of Bluetooth products to have an upper hand in this wireless warfare. Bluetooth security is in early stages with regards to both the attackers, their techniques and consumers understanding of these attacks. Some research has been conducted into what the attackers are doing and how they do it. Adam Laurie of A.L Digital Ltd http://www.thebunker.net/release-bluestumbler.htm is leading the research race in Bluetooth security and is often linked to academic resources. Laurie’s research has uncovered the following capabilities of Bluetooth attacks:

    • Confidential data such as the entire phone book, calender and the phone’s IMEI.
    • Complete memory contents of some mobile phones can be accessed by a previously trusted (“paired”) device that has since been removed from the trusted list.
    • Access can be gained to the AT command set of the device, giving full access to the higher level commands and channels, such as data, voice and messaging.

    Attacks on Bluetooth devices at this stage are relatively new to consumers, and therefore are not widely seen as a real threat. Attacks such as the Bluejack attack are probably more recognised by consumers due to its perceived humorous and novelty nature as well as the ease to Bluejack someone. Users who allow their phone to be Bluejacked open the door to more serious attacks, such as the Backdoor attack which have a low level of awareness amongst consumers as attackers can attach to the device with out the users knowledge. Corporations are starting to understand the risks Bluetooth devices pose, Michael Ciarochi (in Brewin 2004) stated that ‘Bluetooth radios were included in laptop PCs that were being configured by an IT Engineer. It raises the possibility of opening a wireless back door into data stored on the PCs. Such a security weakness would be extremely attractive to hackers. Although Bluetooth invites hackers to such attacks; Bluetooth Venders are playing down the risks, Brewin (2004) said that ‘Bluetooth advocates last week dismissed growing security fears about the short-range wireless technology, saying any flaws are limited to a few mobile-phone models. They also detailed steps that users can take to secure Bluetooth devices’. There are many methods of Bluetooth attacks, the Snarf, the Backdoor, Bluebug, Bluejack and Warnibbling attack are the only recognised attacks at this early stage. Below are explanations of such attacks.

    The SNARF attack

    It is possible for attackers to connect to the device without alerting the user, once in the system sensitive data can be retrieved, such as the phone book, business cards, images, messages and voice messages.

    http://www.salzburgresearch.at/research/gfx/bluesnarf_cebit2004.pdf

    Local Copy: BlueSnarf_CeBIT2004.pdf

    The BACKDOOR attack

    The backdoor attack is a higher concern for Bluetooth users; it allows attackers to establishing a trust relationship through the “pairing” mechanism, but ensuring that the user can not see the target’s register of paired devices. In doing this attackers have access to all the data on the device, as well as access to use the modem or internet; WAP and GPRS gateways may be accessed without the owner’s knowledge or consent.

    The BLUEBUG attack

    This attack gives access to the AT command set, in other words it allows the attacker to make premium priced phone calls, allows the use of SMS, or connection the internet. Attackers can not only use the device for such fraudulent exercises it also allows identity theft to impersonate the user.

    Bluejacking

    Dibble (2004) explained that ‘Just as SMS was spawned, there’s a new craze that’s spreading across parts of Europe. Reportedly, it’s more prominent in the UK, but popular elsewhere too’. Bluejacking allows attackers to send messages to strangers in public via Bluetooth. When the phones ‘pair’ the attacked can write a message to the user. Although it may seem harmless at first, there is a downside. Once connected the attacker may then have access to any data on the users Bluetooth device, which has obvious concerns. Powell (2004: 22) explained that ‘Users can refuse any incoming message or data, so Bluejackers change their username to a short barb or compliment to beat you to the punch. For example, you might receive something along the lines of “Incoming message from: Dude, you’ve been Bluejacked.” Or, “Incoming message from: ROI is overrated.” Bluejacking is regarded as a smaller threat to Bluetooth as users being attacked are aware they have been Bluejacked. This does not mean however that they are aware that sensitive information is being accessed and used in a malicious manner.

    http://www.bluejackq.com/

    Warnibbling

    Warnibbling is a hacking technique using Redfang, or similar software that allows hackers to reveal corporate or personal sensitive information. Redfang allows hackers to find Bluetooth devices in the area, once found, the software takes you through the process of accessing any data that is stored on that device. Redfang also allows non-discoverable devices to be found. Whitehouse explains when testing Redfang ‘One of the first obstacles we had to overcome was the discovery of non-discoverable devices (it was surprising to see the number of devices that dont by default implement this security measure)’. http://www.atstake.com/research/reports/acrobat/atstake_war_nibbling.pdf

    Future of Bluetooth

    Further information, and somewhat speculation is required for consumers and Bluetooth stakeholders on the future of Bluetooth. Such information will provide a clearer understanding of why security of Bluetooth must be improved. Luo and Lee (2004) provide a short term prediction of where Bluetooth is heading, Europe and Asian countries already offer electronic newspapers, subway tickets, and car parking fees via wireless devices. Collins (2003) says that Bluetooth devices ‘appear to be more secure than 802.11 wireless LANs. However, this situation may not last, as the Bluetooth technology becomes more widespread and attracts greater interest from the hacking community’.

    http://www.arraydev.com/commerce/jibc/0402-10.htm

    See also:

    Reference List

    • Brodsky, I. (1995) Wireless: The Revolution in Personal Telecommunications, Massachussetts, USA: Artech House Inc, ISBN 0890067171 (Erin Watson)
    • Collins, G. (2003) Bluetooth Security. Byte.com [Online], Available: Academic Search Elite, ISSN:0360-5280 [Accessed 6/9/04]. (Ben Henzell)
    • Dibble, T (2003) ‘Bluejack city: a new wireless craze is spreading through Europe’ [Online]. Available: http://www.sys-con.com/Wireless/article.cfm?id=710 [Accessed 4/8/04. (Ben Henzell)
    • Finn, E. (2004) Be carefull when you cut the cord. Popular Science [Online], vol. 264, issue. 5, p30. Available: Ebsco Host: Academic Search Elite, ISSN:0161-7370 [Accessed 6/9/04]. (Ben Henzell)
    • Flichy, P. (1995) Dynamics of Modern Communication, London: Sage Publications, ISBN 0803978502 (Erin Watson)
    • Ganguli, M. (2002) Getting Started with Bluetooth, Ohio: Premier Press, ISBN 1931841837 (Erin Watson)
    • Gupta, P. 1999. Bluetooth Technology: What are the Applications?. http://www.mobileinfo.com/Bluetooth/applic.htm (accessed August 23, 2004). (Erin Watson)
    • Laurie, B & L (2003) Serious flaws in Bluetooth security lead to disclosure of personal data [Online]. Available: http://www.thebunker.net/release-bluestumbler.htm [Accessed 4th Aug 2004]. (Ben Henzell)
    • Lightman, A. and Rojas, W. (2002) Brave New Unwired World, New York, USA: John Wiley and Sons, Inc., ISBN 0471441104 (Erin Watson)
    • Luo, X. Lee, C. (2004). Micropayments in Wireless M-Commerce: Issues, Security, and Trend[Online]. Available: http://www.arraydev.com/commerce/jibc/0402-10.htm [Accessed 4/8/2004] (Ben Henzell)
    • Morrow, R. (2002) Bluetooth Operation and Use, New York, USA: The McGraw- Hill Companies, ISBN 007138779X (Erin Watson)
    • Powell, W. (2004) The Wild Wild Web T+D [Online], Vol. 58, issue. 1, p22. Available: Academic Search Elite, ISSN:1535-7740 [Accessed 6/9/04]. (Ben Henzell)
    • Smyth, P. (ed.)(2004) Mobile and Wireless Communications: Key Technologies and Future Applications, London, UK: The Institute of Electrical Engineers, ISBN 0863413684 (Erin Watson)
    • Swaminatha, T. and Elden, C. (2003) Wireless Security and Privacy: Best Practices and Design Techniques, Massachussetts, USA: Pearson Education, Inc., ISBN 0201760347 (Erin Watson)
    • Tsang, W. et al. Date unknown. Bluetooth Applications. http://ntrg.cs.tcd.ie/undergrad/4ba2.01/group3/applications.html (accessed August 23, 2004). (Erin Watson)
    • Whitehouse, O. (2003).’War Nibbling: Bluetooth Insecurity’ [Online]. Available: http://www.atstake.com/research/reports/acrobat/atstake_war_nibbling.pdf [Accessed 9/8/04] (Ben Henzell)

    Erin Watson 08:47, 8 Sep 2004 (EST) –nhenzell 12:30, 8 Sep 2004 (EST)