The last blog post was a brief introduction to smart cards, and some of the more basic hardware (Gemalto Reader) and software (SCS-3) used to read from and write to cards.
Continuing with EMV as an example, I want to now touch on more specialised hardware.
I introduce… the Smart Card Detective.
The Smart Card Detective (SCD)
The SCD is a card-size device that can communicate with a smart card and a card reader simultaneously. It can be used to emulate a card, to act as a terminal and also to monitor or modify the communication between a smart card and a reader. The software is intended for EMV, but it can be adapted for any smartcard application.
The SCD is not cheap: it costs £480 (GBP) before postage, compared to the Gemalto Reader, which came in at under £20 (GBP). But the SCD has the advantage of being able to perform Man-in-the-Middle attacks on smart cards (you don't get this feature on the Gemalto Readers). This makes researching smart card vulnerabilities a whole lot easier. Instead of guessing/brute-forcing APDUs/AIDs, we can simply sniff a conversation between card and reader, and then attempt to reverse/understand the protocol/applications.
The SCD offers full control over all the communication layers, from the physical layer (clock and bit transmission) up to the terminal application layer. The SCD's features include:
- Create custom EMV transactions.
- Analyse and log any smartcard transaction.
- Create DDA/CDA signatures with existing cards.
- Emulate a terminal or CAP reader.
- Read/control card data from a PC like a smartcard reader (via the USB port).
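
What making sense of a logged card/reader conversation involves, as an added example that is not part of the original post or the SCD software: a decoder for short ISO 7816-4 command and response APDUs. The trace is constructed, its tuple layout is an assumption rather than the SCD's log format, and the function names are hypothetical.

```python
# Added example: decode a constructed trace of short ISO 7816-4 APDUs.
INS_NAMES = {0xA4: "SELECT", 0xB2: "READ RECORD", 0xA8: "GET PROCESSING OPTIONS",
             0x20: "VERIFY", 0xAE: "GENERATE AC", 0xCA: "GET DATA",
             0x84: "GET CHALLENGE", 0x88: "INTERNAL AUTHENTICATE"}
SW_NAMES = {0x9000: "success", 0x6A82: "file not found",
            0x6A83: "record not found", 0x6985: "conditions of use not satisfied"}
SW1_HINTS = {0x61: "%d more bytes available", 0x6C: "wrong Le, retry with Le=%d"}

def parse_command(hexstr):               # reader -> card
    b = bytes.fromhex(hexstr)
    if len(b) < 4:
        raise ValueError("command shorter than the 4-byte header")
    cla, ins, p1, p2 = b[:4]
    data, le = b"", None
    if len(b) == 5:                      # case 2: header + Le
        le = b[4] or 256                 # Le=00 means "up to 256 bytes"
    elif len(b) > 5:                     # case 3/4: header + Lc + data [+ Le]
        lc = b[4]
        data, rest = b[5:5 + lc], b[5 + lc:]
        if len(data) != lc or len(rest) > 1:
            raise ValueError("Lc does not match the data field length")
        le = (rest[0] or 256) if rest else None
    cmd = {"ins": INS_NAMES.get(ins, "INS %02X" % ins), "cla": cla,
           "p1": p1, "p2": p2, "data": data, "le": le}
    if ins == 0xB2 and p2 & 0x07 == 0x04:    # READ RECORD: P1=record, P2=SFI<<3|4
        cmd["record"], cmd["sfi"] = p1, p2 >> 3
    return cmd

def parse_response(hexstr):              # card -> reader: data + SW1 SW2
    b = bytes.fromhex(hexstr)
    if len(b) < 2:
        raise ValueError("response shorter than the 2-byte status word")
    sw1, sw2 = b[-2], b[-1]
    if sw1 in SW1_HINTS:
        status = SW1_HINTS[sw1] % sw2
    else:
        status = SW_NAMES.get(sw1 << 8 | sw2, "SW %02X%02X" % (sw1, sw2))
    return {"data": b[:-2], "status": status}

TRACE = [  # constructed (command, response) pairs, not a capture from a real card
    ("00A404000E" + b"1PAY.SYS.DDF01".hex(), "6A 82"),   # SELECT the payment directory
    ("00 B2 01 0C 00", "6C 1A"),                         # READ RECORD 1, SFI 1
    ("00 84 00 00 00", "1A 2B 3C 4D 5E 6F 70 81 90 00"), # GET CHALLENGE
]

def decode_trace(trace=TRACE):
    return [(parse_command(c), parse_response(r)) for c, r in trace]
```
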
Why Should Government/Commercial Entities be Interested?
- Protect your cards against tampered or untrusted terminals.
- Log information about transactions to keep your own records.
- Use DDA/CDA cards to make electronic signatures and verify card presence.