12 January 2017
The IT security experts from TÜViT are among the 'good attackers': The staff of the IT hardware laboratory in Essen hack systematically into mini-format chips as found, for example, on credit cards. This they do to check whether these chips are protected from reading and manipulation.
Whatever the device - smartphone, new identity card, credit card or health insurance card – at its heart is a built-in chip with all relevant data, such as the identity of the owner, their fingerprints or the PIN code. It’s quite possible that this security controller or secure elements - the term for this mini-computer in chip format – has previously been scrutinised by the specialists from TÜViT. The IT hardware lab in Essen is the largest of its kind in the world in terms of the number of independent tests.
What happens there isn’t for the squeamish. The chips, many of which measure only a few square millimetres, are subjected to a rigorous stress test using physical attacks. For instance, TÜViT security expert Sebastian Kutzner uses a laser to shoot at several points on the silicone chip. This kind of “attack” makes it possible, for instance, to manipulate the information stored on the chip or the installed software or to generate errors in the program sequence on the chip’s processor in the processing of data. These tests are used to establish whether the information stored on the chip can be changed to enable unauthorised access to the highly securely stored sensitive data, as might take place in the case of the use a stolen bank card without knowledge of the PIN code.
© Udo GeislerDr. Patrick Bödeker, Director of Hardware Evaluation, shows the adapter board on which the chip to be examined is mounted.
Measuring power consumption can also be revealing. This can help determine which data the chip is currently engaged in processing. If it proves possible to use the current profiles recorded to extract the secret cryptographic keys, the data transferred between the card and the issuing bank, which are actually encrypted, might as a result be vulnerable to manipulation.
First independent testing institute for security controllers
Three of the world's largest manufacturers of security controllers - Infineon, NXP, Samsung - are bringing their prototypes, some of which are already in the development phase, to TÜViT. And the customers are no longer coming only from the banking sector or state institutions: car makers are also increasingly using security controllers, for example, to promote the development of safe automated driving. They are also being deployed in industrial facilities in the context of Industry 4.0 to support communication between machines. Another field is the issue of IT security for smartphones and tablet.
"The chips themselves are tamper-proof, and the data - and with it the chips themselves - can’t be copied. The data are transmitted in encrypted form, and communication with the host computer allows the authenticity of the card to be checked immediately"
“A complete hardware test for a security controller can take up to a year. We test in line with the worldwide standard for IT security, the Common Criteria. In the process we keep in very close touch with the manufacturer,” says Patrick Bödeker, Director of Hardware Evaluation at TÜViT. The graduate physicist has been with TÜViT since 1998; he has helped in the development and continuous expansion of the laboratory. Initially, criteria were developed for testing and initial measurement methods. At the time, TÜViT was the world’s first testing laboratory to conduct tests of a security controller with subsequent certification by the Federal Office for Security in Information Technology.
Chips are tamper-resistant
Since the laboratory was established, the industry and the attack methods have changed drastically. Where all relevant data were once stored on magnetic strips, all bank and credit cards in Germany are now equipped with a security controller. “The staff of our hardware laboratory would crack the cards of 1998 in just a few minutes,” Bödeker says with a grin.
Magnetic strips are easy to copy; in many cases, all the criminals had to do was to fit cash machines with a fake scanner. Once a customer had inserted their card into this dummy the data would be read from the magnetic strip; the offender would copy the card, enabling him to withdraw money easily later on. The chip-based technology is intended to minimise the risk of fraud. “The chips themselves are tamper-proof, and the data - and with it the chips themselves - can’t be copied. The data are transmitted in encrypted form, and communication with the host computer allows the authenticity of the card to be checked immediately,” explains Patrick Bödeker.
© Udo GeislerThe chips are subjected to various physical “attacks” in the lab. These include measurement of electronic radiation (above) and laser bombardment through the microscope. A staff member of TÜViT measures the electromagnetic radiation of the chip.
Awareness of IT security is on the increase
The security controllers are now so small that they can only be seen under a microscope. For this purpose, the premises of the laboratory are home to various different microscopes, oscilloscopes, laser devices and measuring probes.
Additional rooms were added two years ago, and the need for specialists is growing. 20 colleagues currently work in the IT hardware laboratory, some of whom have come to TÜViT fresh from courses in IT security at Bochum University. “The awareness of the importance of IT security has increased significantly in recent years; this is something we’ve also observed in the sector. At present, manufacturers from China in particular are surging onto the market, and, in the US too, cards with magnetic strips are gradually being replaced by those with chips. With this transition a huge market is opening up for us,” says Patrick Bödeker confidently.
YOU MAY ALSO LIKE
As the most recent cyber-attack on Deutsche Telekom has shown, a modern, digital world is unthinkable without sufficient IT security. To find out how TÜV NORD is getting involved in the area of cyber security, read the #explore articles “What is a 'good' hacker?” and “Digital Society Institute: research for improved IT security”.