Category Archives: Physical Security

Study on the lifecycle of cryptographic algorithms 2016


This study is a natural continuation of three previous studies conducted in 2011, 2013 and 2015. The fourth version of the cryptographic algorithms life cycle study, published on June 9, has more than 10 authors and 163 reference sources. The 2016 report is the first in the series to be written in English, because the study is unique on a global scale and the previous versions have been of great international interest.

The foreword of the report has been written by Anto Veldre:

The Dutch DigiNotar case in 2011 demonstrated the hard choices a country faces if a PKI supporting its government’s IT systems is compromised. [..] Therefore, it was decided in 2011 to assemble a scientific task force to analyse the problems and risks that reliance on cryptography is posing on the sustainable functioning of our society.

Among the usual topics in cryptography, there is a quite revealing section, “Cryptographic protocols over radio connection”. There, for example, the authors find that Estonian public transportation cards are vulnerable to various kinds of Denial of Service and cloning attacks:

The transportation cards in Tallinn are built on MIFARE Classic, whereas in Tartu MIFARE Ultralight C cards are used. However, even though both of the cards support cryptographic authentication, this functionality is not used. In both cases, the protocol running between the card and the reader is essentially the same, consisting of transmitting the card’s unique ID and a signature. [..] While this measure prevents unauthorised parties from issuing new cards, it does not stop the card cloning attack. [..] Cloning a card that carries a monthly ticket causes direct financial loss to the transportation service provider and must hence be urgently addressed.

Even though the ID fields of transportation cards are not writeable, other fields may be. This is for example the case with Tartu bus cards that allow e.g. the signature field to be overwritten by a standard app working on a regular NFC-capable smartphone. As a result, the card will become invalid, giving us a potential Denial of Service attack.
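The difference between the static "ID plus signature" check quoted above and the card-side authentication that the report says goes unused can be modelled in a few lines. This is an added example, not code from the report or from any card vendor; HMAC stands in for the issuer's signature, and the keys, the key-derivation label and the card model are assumptions made for illustration.

```python
import hashlib, hmac, secrets

# Constructed keys for the model (assumptions, not real system values).
ISSUER_KEY = b"constructed-issuer-signing-key"
MASTER_KEY = b"constructed-reader-master-key"

def sign_uid(uid: bytes) -> bytes:
    # Issuer's "signature" over the UID; HMAC is a stand-in for a real signature.
    return hmac.new(ISSUER_KEY, uid, hashlib.sha256).digest()

def card_key(uid: bytes) -> bytes:
    # Per-card secret diversified from the master key and the UID.
    return hmac.new(MASTER_KEY, b"card-auth" + uid, hashlib.sha256).digest()

class Card:
    """Readable fields (uid, signature) plus a secret that never leaves the chip."""
    def __init__(self, uid, signature, key=None):
        self.uid, self.signature, self._key = uid, signature, key

    def respond(self, nonce: bytes) -> bytes:
        # A copy made from readable fields has no secret and cannot answer correctly.
        key = self._key or bytes(32)
        return hmac.new(key, nonce, hashlib.sha256).digest()

def issue(uid: bytes) -> Card:
    return Card(uid, sign_uid(uid), card_key(uid))

def clone(card: Card) -> Card:
    # Copies only what any reader can read: the UID and the signature.
    return Card(card.uid, card.signature)

def reader_static(card: Card) -> bool:
    # Scheme described in the report: verify the signature over the UID, nothing else.
    return hmac.compare_digest(card.signature, sign_uid(card.uid))

def reader_challenge(card: Card) -> bool:
    # Static check plus a fresh nonce that only the card's secret key can answer.
    if not reader_static(card):
        return False
    nonce = secrets.token_bytes(16)
    expected = hmac.new(card_key(card.uid), nonce, hashlib.sha256).digest()
    return hmac.compare_digest(card.respond(nonce), expected)

if __name__ == "__main__":
    genuine = issue(bytes.fromhex("04a1b2c3d4e5f6"))  # constructed UID
    for name, card in (("genuine", genuine), ("clone", clone(genuine))):
        print(name, reader_static(card), reader_challenge(card))
```

The static check accepts both cards because everything it verifies is readable data; the challenge-response check accepts only the card that holds the secret key.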

The report analyzes different radio frequency card technologies used for physical access control. There are many problems – transparency issues, use of weak cryptography or no cryptography at all. The authors have also interviewed Hardmeier and G4S to study deployment issues. Some of the deployment issues revealed are quite disturbing:

Interview with a company installing NFC-based access control systems revealed that it is common practice to use same keys also in several installations, making e.g. door keys of one company work at the door of another company, too.

Links:
https://www.ria.ee/public/RIA/Cryptographic_Algorithms_Lifecycle_Report_2016.pdf
https://www.ria.ee/ee/eriik-2018-valmis-2016-aasta-kruptograafiliste-algoritmide-elutsukli-uuring.html
https://blog.ria.ee/ria-aastakonverentsi-i-sessiooni-otseblogi/

New cars stolen using smart key signal relay attack


This Tuesday night the next BMW X5 got stolen from near a home in Laagri, Harju County. Over these past few weeks, three pricey cars have been stolen in Southern Estonia with a total value exceeding €100,000. The police suspect an international organised grouping – probably auto thieves from Latvia or Lithuania.

At the end of October, car thieves from Lithuania were apprehended by the police. While investigating their tools, their eyes fell upon a gadget they nicknamed a «bowl». This is a device that amplifies the signal of an electronic car key so that a vehicle hundreds of metres off in the parking lot opens its doors and starts the engine. As you read this story, a bowl like this is being studied by experts in Tartu, Estonia. The devices are obtained on the black market or over the web, where at one site above €9,000 is asked for the thing.

Another example. An individual goes home and leaves the car keys close to the door, on a shelf or in a coat pocket. «This the crooks know very well. They place the «bowl», i.e. the device seeking the radio signals, behind the individual’s front door and the «bowl» finds out the smartkey signal. The smartkey sends signals to about a metre and a half,» said Toomas Jervson of Northern police prefecture.

Mr Jervson says the solution for dear wheels owners is simple: if you have a smartkey, add an extra immobiliser. It may cost hundreds of euros, though.

What prevents thieves from also relaying the immobiliser’s signal? There are some immobilisers that try to regularly ping the token and cut the engine if the signal is lost. However, for driving safety reasons this feature is illegal under EU law.

Links:
http://news.postimees.ee/3432227/new-car-theft-now-historically-easy

Security system of president’s new residence publicly available on the Internet


Drawings of the security systems of Estonia’s new presidential residence in the Rocca al Mare district of Tallinn were for four days publicly available on the internet, news of the public broadcaster ERR reported.

The state real estate management company Riigi Kinnisvara AS (RKAS), which launched a tender for the renovation of the residence, uploaded the entire project documentation to the register of construction tenders. Among other things, it revealed the positions of movement sensors and surveillance cameras, how many household members would be given panic buttons with a direct connection to the police, and the route of the cable whose breaking would cut off the electricity supply to the residence.

RKAS said in response to ERR news that surveillance cameras are only one part of the complex security system of the residence and that the project documentation did not include the part of the system classified as a state secret.

But spokeswoman for the Internal Security Service (ISS) Agnes Suurmets-Ots said such information definitely ought not to be publicly available. “We have to admit that it poses a security threat once such information has become public in a very regrettable way,” she said. The spokeswoman said she cannot at this point offer a comment on the measures that will be taken, but ISS certainly does not agree with RKAS chief’s opinion that the leak does not represent a security threat.

Access to the documents concerning the security of the residence has been restricted by now.

Links:
http://www.baltic-course.com/eng/real_estate/?doc=113253
http://uudised.err.ee/v/eesti/1e5083f8-df04-4afd-bbcf-b06eb8625208/presidendi-uue-residentsi-turvasusteem-rippus-avalikult-internetis
http://uudised.err.ee/v/eesti/9ba7d639-6d9f-4929-bdaf-915bcd85fecb/aeg-presidendi-uue-residentsi-plaanid-tuleb-nuud-umber-vaadata