Time Machines, Computer Memory, and Brute Force Attacks Against Smartcards

Unknown Lamer posted more than 2 years ago | from the one-too-many-questions dept.

Security 49

An anonymous reader writes "IEEE Spectrum reports on a method that exploits the decaying contents of unpowered computer memory to create an hourglass-like 'time machine' that rate limits brute force attacks against contactless smartcards and RFIDs. The paper takes an odd twist on the 'cold boot' attack reported four years ago at USENIX Security. Not quite as cool as a hot tub time machine though." Full paper (PDF).

49 comments

What? (4, Insightful)

jhoegl (638955) | more than 2 years ago | (#40901457)

Why do I have to decrypt the summary?

Re:What? (0)

osu-neko (2604) | more than 2 years ago | (#40901495)

> Why do I have to decrypt the summary?

You could try reading the article, perhaps?

Re:What? (5, Informative)

Baloroth (2370816) | more than 2 years ago | (#40901733)

SRAM looses coherency in a statistically predictable pattern for a few seconds/minutes after it looses power. That means an otherwise powerless and clockless RFID chip can detect when it was powered on recently, and deny access attempts until at least a few seconds after the last access, rendering brute-force attempts vastly less practical (those normally use thousands of access attempts a second). Also, potentially annoying the hell out of anyone for whom the card doesn't work the first time, but security has always been a tradeoff with practicality (and if it is just a matter of seconds, not a huge deal).

Re:What? (0)

Anonymous Coward | more than 2 years ago | (#40902071)

> Also, potentially annoying the hell out of anyone for whom the card doesn't work the first time, but security has always been a tradeoff with practicality (and if it is just a matter of seconds, not a huge deal).

If you RTFA, you'll see it already addresses that:
"Unlike cruder present-day RFID defense measures—such as France’s e-passports that punish every successive failed RFID read with an increasingly longer lag, causing frustrating wait times for travelers and customs officials—TARDIS would theoretically permit standard occasional communications but severely constrain the tsunami of failed attempts that are the hallmark of a hostile attack."

Re:What? (0)

Anonymous Coward | more than 2 years ago | (#40902197)

It only cost $0.00 for the company that owns the patent. An on-chip/external capacitor or even a crudely made DRAM cell on chip might be cheaper than paying the licensing fee for everyone else.

Re:What? (1)

biodata (1981610) | more than 2 years ago | (#40903625)

I don't get this. So the American public paid for this research, and now they have to pay again if they ever want to use the knowledge? The original paper says this: "This research is supported by NSF grants CNS- 0831244, CNS-0845874, CNS-0923313, CNS-0964641, SRC task 1836.074, Gigascale Systems Research Center, and a Sloan Research Fellowship.", so how does a private corporation get to own a patent on this idea?

Re:What? (0)

Anonymous Coward | more than 2 years ago | (#40903813)

that happens with a lot of stuff, too.

Re:What? (1)

Threni (635302) | more than 2 years ago | (#40903839)

> So the American public paid for this research, and now they have to pay again if they
> ever want to use the knowledge?

Not ever, no, because it's a patent. Once it's expired you'll be free to use it.

Re:What? (0)

Anonymous Coward | more than 2 years ago | (#40903335)

I think you mistyped "SPAM"...

Re:What? (0)

mcgrew (92797) | more than 2 years ago | (#40904829)

> SRAM looses coherency

How can coherency possibly be set free? You make no sense at all.

> for a few seconds/minutes after it looses power

Oh, a non-reader. Sorry, I now see that you meant "lose". "Loose" means to set free. If it loosed power, that would be an electrical short. Your mistake completely changed the meaning of what you were trying to say. I suggest you read less internet and more edited and proofread books so you don't look so uneducated. To paraphrase Twain, an aliterate has no advantage over an illiterate.

First Officer, report! (3, Funny)

MobileTatsu-NJG (946591) | more than 2 years ago | (#40901937)

Just like putting too much air into a balloon.

Re:What? (1)

VortexCortex (1117377) | more than 2 years ago | (#40901941)

> Why do I have to decrypt the summary?

You don't. That compulsion can be completely ignored. For proof, see: Nearly all the other comments.

Please consider Mitt Romney (-1)

Anonymous Coward | more than 2 years ago | (#40901559)

Please consider Mitt Romney when you vote for president in November. The current administration (Barack Hussein Obama) has instituted failed policies that have driven the unemployment rate to 8.2% and has left millions of your fellow Americans without jobs. On top of that, he has increased the food stamp handouts and welfare rolls with the intent to make people dependent on an enormous federal government. He has attempted to destroy our nation's economy and is actively hostile to corporations or any people of means, as they do not fit into his 'socialistic vision' for America. Mitt will return our economy to its former vim and vigor, and we can all hope to attain what he has already done. We cannot afford four more years of economic destruction and becoming reliant on Big Brother Government policies. It would be our undoing. Thank you for your consideration.

Mitt Romney staple = IT guys with rip off sales g (-1)

Anonymous Coward | more than 2 years ago | (#40901583)

Mitt Romney staples = IT guys with rip off sales goals that they need to hit our there hours get cut and they lose there health care

Re:Mitt Romney staple = IT guys with rip off sales (0)

CheshireDragon (1183095) | more than 2 years ago | (#40904157)

excellent use of the word THERE...

Re:Please consider Mitt Romney (0, Redundant)

retchdog (1319261) | more than 2 years ago | (#40901701)

well, i'm sold. thanks!

Re:Please consider Mitt Romney (-1)

Anonymous Coward | more than 2 years ago | (#40901787)

The real unemployment is more like 16-20%. See, after a year of being unemployed, they figure you gave up actively looking for a job and therefore shouldn't be included. And the number of disability claims is going up since it's easier to qualify for disability than it is to find a job. Plus all the people that chose to retire instead of looking for work and a lot of employees still have jobs but their hours were cut back.

Me? I'm employed full time but I spend half my time posting to slashdot. Not sure how that factors in, but if my boss catches me, I'll be unemployed for a year!

Re:Please consider Mitt Romney (-1, Offtopic)

xQx (5744) | more than 2 years ago | (#40902445)

Sorry to burst your little bubble there, but America has spiralling debt, high unemployment and a stagnating economy because it is no longer productive on a global stage.

For many years we got fat and rich with merchant bankers who added pseudo value by moving money about in the global economy, and by being the central world bank thanks to the convenience of the rest of the world using US dollars as an intermediary currency.

But we fucked that up. We didn't know, or didn't care while the rest of the world pissed their money up against the wall lending it to us so we could buy McMansions. Now, without an ever increasing credit market, there is no money coming in. We've lost the last couple of real export industries we had.

America just isn't any better than anyone else in the world at doing anything of value. We used to be innovators, now China, India and Ireland innovate. We used to be a finance hub, now London, Hong Kong and Singapore are too. We used to make stuff. Now you can't even make an iPad without China's help.

The only reason why we aren't as fucked up as Europe is because we can print money and inflate ourselves out of debt.

Our leaders are pointing the finger at Europe to distract the masses from the fact that we are in almost as bad a position as them. And good on them, we need all the positive sentiment we can get in your markets at the moment. Even if it is just ignorant optimism.

You can blame Obama, but, as you saw when you elected him - changing our leader won't solve the structural problems that exists. Only by waking the fuck up and either lowering our standard of living to match the lower national income - or swallowing our pride, learning to become good at something, and WORKING for a living will we increase our employment figures.

You want to know the really dirty little secret about Indian outsourcing? If I could hire an Indian for exactly the same price as an American, I'd hire the Indian. They are more passionate, more driven and have a better work ethic than the fat lazy, self-entitled locals.

Just look at Australia. Anyone on a half decent income in Australia pays about 38% tax. That's after a 30% company tax, a 10% sales tax and payroll taxes.
They have huge healthcare costs, huge social policies, but they're richer than us - why? Because they're still exporting something.

The cost base isn't our issue, and our 'socialist' policies are nothing compared with the rest of the western world.

The problem is, if America were a potential employee, we'd be that fat lazy bum who used to be great at college football, but is now, basically, unemployable.

The rest of the world loves Obama, he's the best leader we've had in years - he knows America needs to be aware of its place on the world stage. You guys hate him, because he oversold himself - but if you've learnt anything (and oh how obvious it is that you haven't) learn this - Our leader ain't your problem mate - you are.

Re:Please consider Mitt Romney (1)

CheshireDragon (1183095) | more than 2 years ago | (#40904243)

I wonder when our nation's checks are going to bounce. We keep writing them, but they aren't worth a dime. I want a check book like that.

Neat trick... (3, Interesting)

fuzzyfuzzyfungus (1223518) | more than 2 years ago | (#40901575)

Taking advantage of the (statistically) predictable decay rate of data stored in the RFID's SRAM is a cute trick for rough timekeeping, I have to admit.

It makes me wonder, though, and some perfunctory googling isn't giving me the immediate gratification that I demand, is there anything reasonably practical that could modify the decay rate for SRAM, ideally in a way that would be practical for an attack? Does a strong magnetic field affect contemporary transistors in any useful way? Would a hit of radiation before each attack attempt sufficiently scramble the RAM contents before it also scrambled the nonvolatile memory storing the secret being attacked?

Re:Neat trick... (1)

BradleyUffner (103496) | more than 2 years ago | (#40901593)

> Taking advantage of the (statistically) predictable decay rate of data stored in the RFID's SRAM is a cute trick for rough timekeeping, I have to admit.

> It makes me wonder, though, and some perfunctory googling isn't giving me the immediate gratification that I demand, is there anything reasonably practical that could modify the decay rate for SRAM, ideally in a way that would be practical for an attack?

I think temperature has some effect.

Re:Neat trick... (1)

chriso11 (254041) | more than 2 years ago | (#40901601)

Running the devices hotter should increase the decay rate...

Re:Neat trick... (0)

Anonymous Coward | more than 2 years ago | (#40901657)

But how much of an effect will it have before you start damaging the chip?

Re:Neat trick... (2)

fredprado (2569351) | more than 2 years ago | (#40901723)

If you keep it hot but within working parameters that should do the trick. Working temperature ideally shouldn't get higher than 70 C.

Re:Neat trick... (1)

Anonymous Coward | more than 2 years ago | (#40901703)

>Running the devices hotter should increase the decay rate...

Integrate a thermal fuse and that door is closed.

Re:Neat trick... (1)

leuk_he (194174) | more than 2 years ago | (#40902945)

Thermal fuse means adding components. That costs money. The trick is that this is done without adding components (well... 50 lines of code need to be stored somewhere...)

Raising the temperature or putting it in a microwave will increase the decay rate. But it will still hinder a brute force attack.

Re:Neat trick... (1)

allanw (842185) | more than 2 years ago | (#40901927)

Probably has some kind of exponential dependence on temperature as well, so I imagine there has to be a table storing the decay rate across temperature and voltage which also has to be specific for each manufactured chip.

Thermite (0)

Anonymous Coward | more than 2 years ago | (#40901645)

Thermite will work.

Re:Neat trick... (0)

Anonymous Coward | more than 2 years ago | (#40901691)

Okay, I've downloaded the "payload". What's next?

1. download PDF
2. open document
3. ??
4. profit !!

my passcode is "grenade"

Re:Neat trick... (3, Informative)

Baloroth (2370816) | more than 2 years ago | (#40901853)

If the attacker has lengthy, exclusive access to the chip and sufficiently advanced resources, basically nothing will stop them cracking it. This technique is simply a software added trick that can be used with cheap existing RFID technology to prevent drive-by attacks, not dedicated cracking. The key is "cheap": nearly free, in fact, rather than a more complicated method (my first thought was to use a simple RCI circuit to detect if the card has had power in the last few seconds to achieve the same effect as this, but that of course would add complexity and cost and most importantly couldn't be used with existing chips. Also potentially crackable, but it would help).

Re:Neat trick... (1)

dkf (304284) | more than 2 years ago | (#40903491)

> If the attacker has lengthy, exclusive access to the chip and sufficiently advanced resources, basically nothing will stop them cracking it.

That's actually untrue. The trick is whether the memory can be read without powering up the chip; if not, then you can put in detection code (e.g., a rate limiter) that flushes the memory with crap if an attack is detected (which it is easy to make the circuitry for). After that, the attacker might as well give up. Preventing reading the memory in unpowered state is the trick though, and the best techniques there tend to involve burying the secure memory elements under other parts of the chip so that you can't just grind them off and peek with an electron microscope. Of course, at that point the attacker has also invested many thousands in a decent microelectronics lab, and will need to break into a lot of chips just in order to recover their costs...

Or in other words, simple measures are actually quite sufficient.

Re:Neat trick... (1)

plover (150551) | more than 2 years ago | (#40907473)

> Or in other words, simple measures are actually quite sufficient.

Like anything dealing with security, that depends entirely on the value of the secret being protected.

If this is a MiFARE card, learning the secret could get you and some friends a few free rides on the metro. If this is an access card, it might get you into a building. If this is a passport, it might get you into the country. If this is a banking card, you might get access to the customer's account. Pick the right customer, and it's suddenly very profitable. If this is a satellite card, it could be worth millions on the black market.

The other thing to keep in mind, is that all of these activities will get you in a roughly equal amount of trouble: fraudulent devices and theft add up to about the same punishment regardless of how much money is stolen. A bad guy has incentive to hit the richest target, not the poorest, since the risk to him is the same.

Re:Neat trick... (1)

gweihir (88907) | more than 2 years ago | (#40902101)

Cooling will massively slow down this rate. Well known.

Re:Neat trick... (0)

Anonymous Coward | more than 2 years ago | (#40903359)

From telephone cards in the 90s I remember just doing 30 seconds of microwaving nicely reset things.

If only there were a biometric... (-1)

Anonymous Coward | more than 2 years ago | (#40901639)

If only there were a biometric capability....one from say the right hand...or the forehead...something to truly regulate commercial activity...you know "buying and selling"...you can see it coming...666

Has nothing to do with space time manipulation. (1)

VortexCortex (1117377) | more than 2 years ago | (#40901935)

Got nothing more to do with a time machine than your average lump of matter...

Re:Has nothing to do with space time manipulation. (0)

Anonymous Coward | more than 2 years ago | (#40902339)

I think "clock" would be a better name for it. Wording is obviously to sensationalize the article.

555 timer, not hot tub Eloi and hot tub Morlocks (1)

tepples (727027) | more than 2 years ago | (#40903739)

> Got nothing more to do with a time machine than your average lump of matter

Yeah, it has a lot more to do with the 555 timer, which was called "The IC Time Machine" when first sold [electronics.dit.ie] , than it does with hot tub Eloi and hot tub Morlocks.

block dropping mini-game

Mr. Rogers [wikipedia.org] is coming to get you [slashdot.org] .

software must live on hardware (0)

Anonymous Coward | more than 2 years ago | (#40901961)

it's simply physics, finally

Sounds like BS to me (1)

gweihir (88907) | more than 2 years ago | (#40902095)

Far too easy to manipulate from the outside. E.g. cooling will massively slow this "clock".

Re:Sounds like BS to me (1)

Anonymous Coward | more than 2 years ago | (#40902181)

> Far too easy to manipulate from the outside. E.g. cooling will massively slow this "clock".

I thought this too, but actually the rate limiting appears to be susceptible only to pulsed cooling/heating attacks in certain cases. Cooling the chip actually makes the adversary's job even harder because it slows down the hourglass---making the rate limiting even more punishing.

Re:Sounds like BS to me (1)

Sabriel (134364) | more than 2 years ago | (#40902217)

The objective appears to be hindering remote brute-force attacks against contactless cards that are still in the physical possession of the owner, not to create some non-existent "perfect defence".

Re:Sounds like BS to me (1)

pipedwho (1174327) | more than 2 years ago | (#40902399)

If the existing algorithms and implementations are so bad as to make a brute force attack take less than some time period measured in ages of the universe, then they're doing it wrong.

Re:Sounds like BS to me (3, Insightful)

Anonymous Coward | more than 2 years ago | (#40902461)

Unlike your top of line PC, there are a lot of constraints on an embedded chip, especially one that costs pennies, can run on energy from the RF near field and amount of computation. Unlike white board software, this is real world Engineering where there is a trade-off between constraints/requirement/economic/physical that are opposite to each other. So might want to not mouth off without knowing the subject.

The chip is also highly observable and a lot of information can be deduced from the amount of time for the processing and power profile during execution.

Re:Sounds like BS to me (2)

gman003 (1693318) | more than 2 years ago | (#40905593)

Which makes it harder, actually.

The "trick" is basically the card using the slow decay of unpowered memory to detect if the card has been powered on recently, and if so, force a small delay. The goal is basically to limit the rate of attacks with minimal impact on proper use (if the card reads properly every time, this has near-zero impact on proper use - it might annoy a bit if your card doesn't read right, having to wait a second or two to swipe again, but that's neither a terribly common case nor a significant impact on real users).

Chilling it actually makes it worse for you, as the card will detect itself as "having been powered up recently" for longer than it would normally, so you limit your attack rate even more.
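
The rate limiter discussed in the comments above, as an added simulation; it is not code from the paper or from any poster. The lognormal retention times with a 2 s median, the 50% decay threshold, the 4-digit PIN and the "retention doubles per 10 C of cooling" factor are all assumptions chosen to illustrate the behaviour, not measured values.

```python
import math
import random

CELLS = 2048       # SRAM bits set aside for the hourglass (assumed size)
THRESHOLD = 0.5    # fraction of decayed bits that means "enough time has passed"


def temp_factor(temp_c):
    # Assumption for this toy model: retention doubles for every 10 C of
    # cooling relative to 25 C. Real parts need per-chip calibration.
    return 2.0 ** ((25.0 - temp_c) / 10.0)


class HourglassTag:
    """Batteryless tag that estimates its power-off time from SRAM decay."""

    def __init__(self, pin, seed=1):
        rng = random.Random(seed)
        # Constructed data: per-cell retention times at 25 C, in seconds,
        # lognormal around a 2 s median.
        self.retention = [rng.lognormvariate(math.log(2.0), 0.5)
                          for _ in range(CELLS)]
        self.sram = [0] * CELLS      # never initialised: hourglass is empty
        self.pin = pin

    def power_off(self, seconds, temp_c=25.0):
        # A cell still holding 1 loses it if the outage outlasts its
        # retention time; surviving cells are recharged at the next power-up.
        k = temp_factor(temp_c)
        self.sram = [bit if r * k > seconds else 0
                     for bit, r in zip(self.sram, self.retention)]

    def query(self, guess):
        """Return None when rate limited, else whether the guess was right."""
        decayed = 1.0 - sum(self.sram) / CELLS
        if decayed < THRESHOLD:
            return None              # powered too recently: stay silent
        self.sram = [1] * CELLS      # refill the hourglass, then answer
        return guess == self.pin

    def min_gap_s(self, temp_c=25.0):
        # Shortest outage after which THRESHOLD of the cells have decayed.
        ranked = sorted(self.retention)
        return ranked[math.ceil(THRESHOLD * CELLS) - 1] * temp_factor(temp_c)


def answered(gap_s, temp_c, tries, seed=1):
    """Count how many of `tries` back-to-back guesses the tag answers."""
    tag = HourglassTag(pin=4711, seed=seed)
    count = 0
    for guess in range(tries):
        if tag.query(guess) is not None:
            count += 1
        tag.power_off(gap_s, temp_c)
    return count


if __name__ == "__main__":
    for gap, temp in [(0.001, 25), (1.0, 25), (3.0, 25), (3.0, 5), (1.0, 45)]:
        print(f"gap={gap:>5}s temp={temp:>2}C "
              f"answered={answered(gap, temp, 20)}/20")
    tag = HourglassTag(pin=4711)
    hours = 10_000 * tag.min_gap_s() / 3600
    print(f"exhausting a 4-digit PIN space needs at least {hours:.1f} h at 25 C")
```

In this model, polling faster than the hourglass empties keeps the surviving cells charged, so a fast reader is answered once and then never again; cooling lengthens the lockout, and heating shortens it without removing it.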
