INSIGHTS, NEWS & DISCOVERIES
FROM IOACTIVE RESEARCHERS

Wednesday, December 7, 2011

Automating Social Engineering: Part Three

PHASE 2: Ruses
Once we have enough information about the employees and company in question, we can begin to make some sense of the information and start crafting our ruses. It is worth noting that this stage currently does not have a lot of since it does require a lot of human intuition and information processing. Certainly as we continue developing the tool we will be able to automate more and create some decision making systems capable of creating useful ruses, but for now a key factor of this phase is to look for key ideas and useful information in order to help us generate our attack as realistic and trustworthy as possible.

Tuesday, November 8, 2011

Automating Social Engineering: Part Two

Phase 1: Info Gathering Phase (Reconnaissance)

As with any other type of penetration test, we need to gather information. The only difference here is that instead of looking for operating system types, software versions, and vulnerabilities, we're searching for information about the company, their employees, their social networking presence, et cetera.

Tuesday, November 1, 2011

Automating Social Engineering: Part One

Since the original conceptualization of computer security, and perhaps even before, social engineering has been in existence. One could say that social engineering began when societies began, whether it was realized or not. It is now time to give some of this work to scripts and applications to make it a little more interesting…

Monday, October 3, 2011

Windows Vulnerability Paradox


For those who read just the first few lines, this is not a critical vulnerability. It is low impact but interesting, so keep reading.
This post describes the Windows vulnerability I showed during my Black Hat USA 2011 workshop “Easy and Quick Vulnerability Hunting in Windows”.

Easy and Quick Vulnerability Hunting in Windows


I'm glad to start this new blog for IOA Labs by publishing the video demonstrations and updated slides of my Black Hat USA 2011 workshop. I hope you like it, please send me your feedback, questions, etc. We will continue posting cool materials from our researchers very soon, keep tuned!

Sunday, March 20, 2011

Blackhat TPM Talk Follow-up

Since speaking at BlackHat DC 2009, there have been several inquiries in regards to the security of the SLE66PE series smartcard family.

Here are some issues that should be pointed out:

We have heard, "..it took 6 months to succeed.."

The reality is it took 4 months to tackle obsticles found in any <200nm device such as:

  1. Capitance/load of probe needles when chip is running.

  2. Powering the device inside the chamber of a FIB workstation.

  3. Level-shifting a 1.8v core voltage following what we learned in #1 above.

  4. Cutting out metal layers without creating electrical shorts.

  5. Other more minute issues regarding the physical size of the die.


Upon overcoming the points above,  the actual analysis required no more than approximately 2 months time.  

In addition, these techniques listed above apply to all devices in the <200nm category (SecureAVR, SmartMX, ST21, ST23).

 We have heard, "..you said the Infineon SLE66 was the best device out there in the market.."

The Infineon SLE66PE is a very secure device however, it (as do it's competitors) all have their strengths and weaknesses.

Some examples of weaknesses are:

  1. Layout of all Infineon SLE50/66 'P' or 'PE' are very modular by design.

  2. Lack of penalty if active shield is opened.

  3. Begin runtime from a CLEAR (unencrypted) ROM which is 'invisible' to the user.

  4. CPU core is based on a microcode/PLA type implementation.

  5. Power-on-reset always begins running from the externally supplied clock.

  6. Current design is based on a previous 600nm version designed around 1998.

  7. 3 metal layer design for "areas of interest" (4th layer is the active shield).


Some examples of strengths are:

  1. 'PE' family used bond-pads located up the middle of the device.

  2. ROMKey must be loaded before begin attacked (else you just see their clear ROM content).

  3. MED is quite powerful if used properly for EEPROM content.

  4. Mesh is consistent across the device and divided into sections.

  5. Auto-increment of memory base address.

  6. Mixing of physical vs. virtual address space for MED / memory fetch.


No device is perfect.  All devices have room for improvement.  Some things to consider when choosing a smartcard are:

  • Does CPU ever run on external clock?

  • What is the penalty for an active-shield breach?

  • What is the fabrication process geometry?

  • How many metal layers is the device?

  • List of labs who might have evaluated this device and their capabilities.


Lastly, just because the device has been Common Criteria certified does not mean much to an attacker armed with current tools.  This is a common-oversight.

There is an ST23 smartcard device which has recently been certified EAL-6+ and the device has an active-shield with almost 1 micron wide tracks and a 1-2 micron spacing!!!  This makes a person scratch there head and say, "WTH????"

We have some new content to post soon on the blog.  Be sure and tune in for that.  We will tweet an alert as well.