Thinking Inside the Box: System-Level Failures of Tamper Proofing

Saar Drimer; Steven J. Murdoch; Ross Anderson

doi:10.1109/SP.2008.16

Thinking Inside the Box: System-Level Failures of Tamper Proofing

Saar Drimer, Steven J. Murdoch, Ross Anderson

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

PIN entry devices (PEDs) are critical security components in EMV smartcard payment systems as they receive a customer's card and PIN. Their approval is subject to an extensive suite of evaluation and certification procedures. In this paper, we demonstrate that the tamper proofing of PEDs is unsatisfactory, as is the certification process. We have implemented practical low-cost attacks on two certified, widely-deployed PEDs - the Ingenico 13300 and the Dione Xtreme. By tapping inadequately protected smartcard communications, an attacker with basic technical skills can expose card details and PINs, leaving cardholders open to fraud. We analyze the anti-tampering mechanisms of the two PEDs and show that, while the specific protection measures mostly work as intended, critical vulnerabilities arise because of the poor integration of cryptographic, physical and procedural protection. As these vulnerabilities illustrate a systematic failure in the design process, we propose a methodology for doing it better in the future. These failures also demonstrate a serious problem with the Common Criteria. So we discuss the incentive structures of the certification process, and show how they can lead to problems of the kind we identified. Finally we recommend changes to the Common Criteria framework in light of the lessons learned.

Original language	English
Title of host publication	2008 IEEE Symposium on Security and Privacy Proceedings
Publisher	Institute of Electrical and Electronics Engineers
Pages	281-295
Number of pages	15
ISBN (Print)	978-0-7695-3168-7
DOIs	https://doi.org/10.1109/SP.2008.16
Publication status	Published - 28 May 2008
Event	2008 IEEE Symposium on Security and Privacy - Berkeley, United States Duration: 18 May 2008 → 21 May 2008 https://www.ieee-security.org/TC/SP2008/oakland08.html

Publication series

Name	IEEE Symposium on Security and Privacy
Publisher	IEEE
ISSN (Print)	1081-6011
ISSN (Electronic)	2375-1207

Symposium

Symposium	2008 IEEE Symposium on Security and Privacy
Abbreviated title	SP 2008
Country/Territory	United States
City	Berkeley
Period	18/05/08 → 21/05/08
Internet address	https://www.ieee-security.org/TC/SP2008/oakland08.html

Access to Document

10.1109/SP.2008.16Licence: All Rights Reserved

https://ieeexplore.ieee.org/abstract/document/4531159Licence: All Rights Reserved

Cite this

@inproceedings{bf50b85949d84704b467cfd226a2adc0,

title = "Thinking Inside the Box: System-Level Failures of Tamper Proofing",

abstract = "PIN entry devices (PEDs) are critical security components in EMV smartcard payment systems as they receive a customer's card and PIN. Their approval is subject to an extensive suite of evaluation and certification procedures. In this paper, we demonstrate that the tamper proofing of PEDs is unsatisfactory, as is the certification process. We have implemented practical low-cost attacks on two certified, widely-deployed PEDs - the Ingenico 13300 and the Dione Xtreme. By tapping inadequately protected smartcard communications, an attacker with basic technical skills can expose card details and PINs, leaving cardholders open to fraud. We analyze the anti-tampering mechanisms of the two PEDs and show that, while the specific protection measures mostly work as intended, critical vulnerabilities arise because of the poor integration of cryptographic, physical and procedural protection. As these vulnerabilities illustrate a systematic failure in the design process, we propose a methodology for doing it better in the future. These failures also demonstrate a serious problem with the Common Criteria. So we discuss the incentive structures of the certification process, and show how they can lead to problems of the kind we identified. Finally we recommend changes to the Common Criteria framework in light of the lessons learned.",

author = "Saar Drimer and Murdoch, {Steven J.} and Ross Anderson",

year = "2008",

month = may,

day = "28",

doi = "10.1109/SP.2008.16",

language = "English",

isbn = "978-0-7695-3168-7",

series = "IEEE Symposium on Security and Privacy",

publisher = "Institute of Electrical and Electronics Engineers",

pages = "281--295",

booktitle = "2008 IEEE Symposium on Security and Privacy Proceedings",

address = "United States",

note = "2008 IEEE Symposium on Security and Privacy<br/>, SP 2008 ; Conference date: 18-05-2008 Through 21-05-2008",

url = "https://www.ieee-security.org/TC/SP2008/oakland08.html",

}

Drimer, S, Murdoch, SJ & Anderson, R 2008, Thinking Inside the Box: System-Level Failures of Tamper Proofing. in 2008 IEEE Symposium on Security and Privacy Proceedings. IEEE Symposium on Security and Privacy, Institute of Electrical and Electronics Engineers, pp. 281-295, 2008 IEEE Symposium on Security and Privacy
, Berkeley, California, United States, 18/05/08. https://doi.org/10.1109/SP.2008.16

Thinking Inside the Box: System-Level Failures of Tamper Proofing. / Drimer, Saar; Murdoch, Steven J.; Anderson, Ross.
2008 IEEE Symposium on Security and Privacy Proceedings. Institute of Electrical and Electronics Engineers, 2008. p. 281-295 (IEEE Symposium on Security and Privacy).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

TY - GEN

T1 - Thinking Inside the Box: System-Level Failures of Tamper Proofing

AU - Drimer, Saar

AU - Murdoch, Steven J.

AU - Anderson, Ross

PY - 2008/5/28

Y1 - 2008/5/28

N2 - PIN entry devices (PEDs) are critical security components in EMV smartcard payment systems as they receive a customer's card and PIN. Their approval is subject to an extensive suite of evaluation and certification procedures. In this paper, we demonstrate that the tamper proofing of PEDs is unsatisfactory, as is the certification process. We have implemented practical low-cost attacks on two certified, widely-deployed PEDs - the Ingenico 13300 and the Dione Xtreme. By tapping inadequately protected smartcard communications, an attacker with basic technical skills can expose card details and PINs, leaving cardholders open to fraud. We analyze the anti-tampering mechanisms of the two PEDs and show that, while the specific protection measures mostly work as intended, critical vulnerabilities arise because of the poor integration of cryptographic, physical and procedural protection. As these vulnerabilities illustrate a systematic failure in the design process, we propose a methodology for doing it better in the future. These failures also demonstrate a serious problem with the Common Criteria. So we discuss the incentive structures of the certification process, and show how they can lead to problems of the kind we identified. Finally we recommend changes to the Common Criteria framework in light of the lessons learned.

AB - PIN entry devices (PEDs) are critical security components in EMV smartcard payment systems as they receive a customer's card and PIN. Their approval is subject to an extensive suite of evaluation and certification procedures. In this paper, we demonstrate that the tamper proofing of PEDs is unsatisfactory, as is the certification process. We have implemented practical low-cost attacks on two certified, widely-deployed PEDs - the Ingenico 13300 and the Dione Xtreme. By tapping inadequately protected smartcard communications, an attacker with basic technical skills can expose card details and PINs, leaving cardholders open to fraud. We analyze the anti-tampering mechanisms of the two PEDs and show that, while the specific protection measures mostly work as intended, critical vulnerabilities arise because of the poor integration of cryptographic, physical and procedural protection. As these vulnerabilities illustrate a systematic failure in the design process, we propose a methodology for doing it better in the future. These failures also demonstrate a serious problem with the Common Criteria. So we discuss the incentive structures of the certification process, and show how they can lead to problems of the kind we identified. Finally we recommend changes to the Common Criteria framework in light of the lessons learned.

U2 - 10.1109/SP.2008.16

DO - 10.1109/SP.2008.16

M3 - Conference contribution

SN - 978-0-7695-3168-7

T3 - IEEE Symposium on Security and Privacy

SP - 281

EP - 295

BT - 2008 IEEE Symposium on Security and Privacy Proceedings

PB - Institute of Electrical and Electronics Engineers

T2 - 2008 IEEE Symposium on Security and Privacy<br/>

Y2 - 18 May 2008 through 21 May 2008

ER -

Thinking Inside the Box: System-Level Failures of Tamper Proofing

Abstract

Publication series

Symposium

Access to Document

Fingerprint

Cite this