Robotic arm provides infosec automation for dodgy card readers
MWR debuts automated security evaluation to tidy PoS authentication vulnerabilities
Video Blighty-based infosec firm MWR InfoSecurity has created an automated fuzz tester to shore up vulnerabilities which may be affecting any device people are slotting their "Chip and Pin" cards into.
Most infosec researchers who have dug into the terminal-smartcard authentication procedure have found that vulnerabilities are often introduced during development. Talking to The Register, MWR's Piotr Osuch suggested there was a large number of undiscovered vulnerabilities affecting these devices.
The Europay, MasterCard and Visa (EMV) standard, also known as "Chip and Pin", is the banking industry's de-facto standard for authenticating smartcard transactions. MWR had previously demonstrated an attack against the standard at a session during the Black Hat Security Conference in 2012, using smartcards purchased for just £40.
New hardware and software from the company is now able to evaluate the security integrity of a device.
It includes a robotic arm which automates the extraordinarily tedious bother of inserting and retracting an emulated smart card, as well as a Python interface to allow on-the-fly monitoring and emulation of an EMV stream with the device.
There are also various predefined security tests to formalise the security evaluation procedure, which Osuch explained to The Register has previously required the reprogramming of the testing cards at every iteration of the test.
"Although the standard-defining EMV is in principle secure, our previous research proved that vulnerabilities can be introduced into the terminal-smartcard authentication procedure. So there is an urgent need to develop a structured and formal security evaluation approach to eliminate these potential vulnerabilities," explained the mysterious Nils, MWR's security researcher, who undertook the original research.
He continued that "In order to ensure the security integrity of an EMV-enabled terminal, we need to test it against a multitude of response vectors which have not been accounted for in the design stages. My colleague, Piotr, put a lot of effort into addressing the shortcomings from our 2012 research to help create this exceptionally complex, yet automated EMV fuzzing solution."
It can test target terminals, without knowing the source code of the EMV kernel, for potential vulnerabilities in a fast, controlled and reproducible manner – ensuring the security of a device before it is released. I am excited by the potential impact this research will have on the security of EMV protocol implementations, which are key to the security of card payment systems all over the world.
MWR claimed that as EMV is "based on the ISO 7816 standard, which secures inter-operation between smartcards and associated terminals, this fuzzing research can also be applied to other implementations where smartcards are used – such as subscriber identity modules (SIMs) and DTV decoders."
"There are doubts about the EMV standard, as it's quite broad and the implementation is very flexible," said Osuch. "Responsibility for the implementation lies with the developers," explained the researcher, and there do not exist secure development cycles which ensure an effective approach in finding vulnerabilities.
For instance, there are vulnerabilities in the level-two EMV kernels, but developers often don't have access to this – instead they are performing security tests on code, on simulated kernels, and without access to the hardware they are often working on a simulation which misses vulnerabilities by assuming that there has already been a fail-proof development process.
MWR's tool would aim to contribute towards a "structured and formal security evaluation to eliminate unexploited threats that exist in current devices used world-wide."
Asked if the tool would be of use to miscreants, Osuch confessed "it could be used to attack too, and make it easier to bypass the hardware issues, but it's designed to research what vulnerabilities may be present. Actually exploiting those vulnerabilities is non-trivial to automate." ®
Sponsored: From CDO to CEO