Time Machines, Computer Memory, and Brute Force Attacks Against Smartcards
An anonymous reader writes "IEEE Spectrum reports on a method that exploits the decaying contents of unpowered computer memory to create an hourglass-like 'time machine' that rate limits brute force attacks against contactless smartcards and RFIDs. The paper takes an odd twist on the 'cold boot' attack reported four years ago at USENIX Security. Not quite as cool as a hot tub time machine though."
Full paper (PDF).
Re: (Score:1)
> So the American public paid for this research, and now they have to pay again if they
> ever want to use the knowledge?
Not ever, no, because it's a patent. Once it's expired you'll be free to use it.
Re: (Score:1)
> SRAM looses coherency
How can coherency possibly be set free? You make no sense at all.
> for a few seconds/minutes after it looses power
Oh, a non-reader. Sorry, I now see that you meant "lose". "Loose" means to set free. If it loosed power, that would be an electrical short. Your mistake completely changed the meaning of what you were trying to say. I suggest you read less internet and more edited and proofread books so you don't look so uneducated. To paraphrase Twain, an aliterate has no advantage over an il
First Officer, report! (Score:4, Funny)
Just like putting too much air into a balloon.
Re: (Score:2)
Why do I have to decrypt the summary?
You don't. That compulsion can be completely ignored. For proof, see: Nearly all the other comments.
Re: (Score:1, Redundant)
well, i'm sold. thanks!
Neat trick... (Score:4, Interesting)
Taking advantage of the (statistically) predictable decay rate of data stored in the RFID's SRAM is a cute trick for rough timekeeping, I have to admit.
It makes me wonder, though, and some perfunctory googling isn't giving me the immediate gratification that I demand, is there anything reasonably practical that could modify the decay rate for SRAM, ideally in a way that would be practical for an attack? Does a strong magnetic field affect contemporary transistors in any useful way? Would a hit of radiation before each attack attempt sufficiently scramble the RAM contents before it also scrambled the nonvolatile memory storing the secret being attacked?
Re: (Score:1)
> Taking advantage of the (statistically) predictable decay rate of data stored in the RFID's SRAM is a cute trick for rough timekeeping, I have to admit.
> It makes me wonder, though, and some perfunctory googling isn't giving me the immediate gratification that I demand, is there anything reasonably practical that could modify the decay rate for SRAM, ideally in a way that would be practical for an attack?
I think temperature has some effect.
Re: (Score:2)
Running the devices hotter should increase the decay rate...
Re: (Score:1)
>Running the devices hotter should increase the decay rate...
Integrate a thermal fuse and that door is closed.
Re: (Score:2)
Thermal fuse means adding components. That costs money. The trick is that this is done without adding components (well... 50 lines of code need to be stored somewhere...)
Raising the temperature or putting it in a microwave will increase the decay rate. But it will still hinder a brute force attack.
Re:Neat trick... (Score:4, Informative)
If the attacker has lengthy, exclusive access to the chip and sufficiently advanced resources, basically nothing will stop them cracking it. This technique is simply a software-added trick that can be used with cheap existing RFID technology to prevent drive-by attacks, not dedicated cracking. The key is "cheap": nearly free, in fact, rather than a more complicated method (my first thought was to use a simple RCI circuit to detect if the card has had power in the last few seconds to achieve the same effect as this, but that of course would add complexity and cost and most importantly couldn't be used with existing chips. Also potentially crackable, but it would help).
Re: (Score:2)
> If the attacker has lengthy, exclusive access to the chip and sufficiently advanced resources, basically nothing will stop them cracking it.
That's actually untrue. The trick is whether the memory can be read without powering up the chip; if not, then you can put in detection code (e.g., a rate limiter) that flushes the memory with crap if an attack is detected (which it is easy to make the circuitry for). After that, the attacker might as well give up. Preventing reading the memory in unpowered state is the trick though, and the best techniques there tend to involve burying the secure memory elements under other parts of the chip so that you
Re: (Score:2)
Or in other words, simple measures are actually quite sufficient.
Like anything dealing with security, that depends entirely on the value of the secret being protected.
If this is a MiFARE card, learning the secret could get you and some friends a few free rides on the metro. If this is an access card, it might get you into a building. If this is a passport, it might get you into the country. If this is a banking card, you might get access to the customer's account. Pick the right customer, and it's suddenly very profitable. If this is a satellite card, it could be worth
Re: (Score:2)
Cooling will massively slow down this rate. Well known.
Has nothing to do with space time manipulation. (Score:2)
555 timer, not hot tub Eloi and hot tub Morlocks (Score:2)
Got nothing more to do with a time machine than your average lump of matter
Yeah, it has a lot more to do with the 555 timer, which was called "The IC Time Machine" when first sold [electronics.dit.ie], than it does with hot tub Eloi and hot tub Morlocks.
block dropping mini-game
Mr. Rogers [wikipedia.org] is coming to get you [slashdot.org].
Sounds like BS to me (Score:2)
Far too easy to manipulate from the outside. E.g. cooling will massively slow this "clock".
Re: (Score:1)
> Far too easy to manipulate from the outside. E.g. cooling will massively slow this "clock".
I thought this too, but actually the rate limiting appears to be susceptible only to pulsed cooling/heating attacks in certain cases. Cooling the chip actually makes the adversary's job even harder because it slows down the hourglass---making the rate limiting even more punishing.
Re: (Score:2)
The objective appears to be hindering remote brute-force attacks against contactless cards that are still in the physical possession of the owner, not to create some non-existent "perfect defence".
Re: (Score:2)
If the existing algorithms and implementations are so bad as to make a brute force attack take less than some time period measured in ages of the universe, then they're doing it wrong.
Re: (Score:3, Insightful)
Unlike your top-of-the-line PC, there are a lot of constraints on an embedded chip, especially one that costs pennies and can run on energy from the RF near field, including the amount of computation. Unlike whiteboard software, this is real-world engineering, where there is a trade-off between constraints, requirements, economics, and physics that pull in opposite directions. So you might want to not mouth off without knowing the subject.
The chip is also highly observable and a lot of information can be deduced from the amount of time f
Re: (Score:3)
Which makes it harder, actually.
The "trick" is basically the card using the slow decay of unpowered memory to detect if the card has been powered on recently, and if so, force a small delay. The goal is basically to limit the rate of attacks with minimal impact on proper use (if the card reads properly every time, this has near-zero impact on proper use - it might annoy a bit if your card doesn't read right, having to wait a second or two to swipe again, but that's neither a terribly common case nor a signi
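To make the mechanism described in this comment concrete, here is an added Python simulation (not code from the paper, the summary, or any commenter): every SRAM cell is assumed to decay independently under an exponential law, the card inverts that law at power-up to estimate how long it sat unpowered, and it stalls until an assumed minimum gap has elapsed. The `temp_factor` parameter models the cooling point raised earlier in the thread: slower decay makes the card underestimate the elapsed time, so the stall only grows.

```python
import math
import random

# Constructed model (added example, not from the paper or any commenter). Each
# SRAM cell written to 1 is assumed to fall back to its unpowered ground state
# independently at rate LAMBDA per second, so the fraction still reading 1 after
# t seconds unpowered is exp(-LAMBDA * t).
CELLS = 4096
LAMBDA = 0.5      # 1/s, assumed room-temperature decay rate (mean lifetime 2 s)
MIN_GAP_S = 2.0   # assumed policy: a challenge is served only if >= 2 s unpowered


def fill_hourglass():
    """Card writes all ones to the scratch region: the hourglass is turned over."""
    return [1] * CELLS


def decay(cells, elapsed_s, temp_factor=1.0, rng=None):
    """Simulate the unpowered interval. temp_factor < 1 models a cooled chip
    (slower decay), > 1 a heated one; the card never learns this value."""
    rng = rng or random.Random(0)
    p_survive = math.exp(-LAMBDA * temp_factor * elapsed_s)
    return [bit if rng.random() < p_survive else 0 for bit in cells]


def estimate_elapsed(cells):
    """Card-side inversion of the nominal decay law: t = -ln(surviving) / LAMBDA."""
    surviving = sum(cells) / len(cells)
    if surviving <= 0.0:
        return float("inf")   # nothing left: at least a long time has passed
    return -math.log(surviving) / LAMBDA


def required_wait(cells):
    """Seconds the card must stall before answering, given what it read at power-up."""
    return max(0.0, MIN_GAP_S - estimate_elapsed(cells))


def simulate(interval_s, tries, temp_factor=1.0):
    """Count how many of `tries` power-ups spaced interval_s apart are served
    without a stall. The card refills the hourglass at every power-up."""
    served = 0
    rng = random.Random(1)
    for _ in range(tries):
        cells = decay(fill_hourglass(), interval_s, temp_factor, rng)
        if required_wait(cells) == 0.0:
            served += 1
    return served
```

With these assumed constants a card powered up every half second is never served immediately, while one left unpowered for ten seconds always is; cooling the chip so that it decays twenty times slower turns the ten-second case back into the half-second case.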