Computerworld News Wire
(New Zealand)
Monday, May 12, 1997

Anderson: The unmaking of Mondex

Tamper resistance is not to be relied upon, says a man who should know

by Russell Brown

AUCKLAND -- Ross Anderson is one of the world's foremost experts on secure banking systems. He works at the University of Cambridge Computer Laboratory, where consultancy clients include Microsoft and Intel. In 1991, he helped design UEPS, which is often regarded as the first real smartcard banking system, and has subsequently been adopted by Visa as the COPAC pre-paid card.

For the past four years, Anderson has concentrated on studying ``why cryptosystems fail in real life''. In that time he has produced numerous papers, including Why Cryptosystems Fail (1993) and last year's Tamper Resistance - a Cautionary Note, which was voted best paper at the Usenix Electronic Commerce Workshop. The paper concluded that electronic money systems were not viable without reconciliation to a shadow account as second line of defence.

Tamper Resistance was written with Markus Kuhn, the German student who rose to prominence by breaking BSkyB Europe's smartcard and writing Season 7, the Sky card emulator for the PC. BSkyB originally claimed its encryption system was unbreakable, but both PC emulators and pirate cards are available for the tenth generation of its card and it is estimated that between 5% and 10% of viewers in Europe use pirated technology. The Sky 11 card is apparently being prepared and is expected to last six months before it, too, is compromised.

In the course of research for `Tamper Resistance ...', Kuhn used techniques developed by Sky hackers to break the Dallas 502, the security chip used by the Bank of England. Since then, he and Anderson have written a further paper, `Low Cost Attacks on Tamper-Resistant Devices'.

I have been assured by people in the banks here that Mondex produced a rebuttal to `Tamper Resistance - a Cautionary Note', but no one has actually been able to show it to me. Can you comment on this?

If they had a rebuttal, I'm sure I would have seen it, but I haven't. The attacks described in my article should work as well against Mondex as against any other chip; they can't change the laws of physics.

In fact, I first mentioned in November 1995 at a Department of Trade and Industry meeting that we could reverse-engineer smartcards. I was referring to the work of Haroun Ahmed that is cited in my paper. People present asked whether we could break Mondex. I challenged Mondex to provide a dozen merchant cards and a letter saying that we would not be prosecuted under the Computer Misuse Act. They refused.

In fact, when they found out that the reverse engineering was done at our physics lab, they approached Haroun and offered him some money to do a ``friendly attack'' on their chip.

Once he had signed their NDA, they came back to me and offered a bottle of champagne if I could extract master keys from a customer card. However, they were not prepared to supply the cards and offered only a few weeks to do the attack. In addition, there usually aren't any master keys in customer cards but just in merchant cards -- with the exception of a key used for the card-to-card protocol. But no doubt that's called something other than a master key in their documentation.

So their response was a tactical one rather than an honest one. Its main effects were firstly to get me irritated at them and secondly to get me to team up with Markus Kuhn, as he had access to an electron beam tester at Erlangen, which I needed now that Mondex had ``sterilised'' our access to the physics lab's electron beam machine. It also led me to encourage Markus to attack the Dallas DS5002 chip, as we had heard that this chip would be used in the next generation of Mondex merchant terminals.

What's your response to a related rumour that you had to apologise to Mondex?

Bullshit.

Mondex has been reluctant to publicly acknowledge concerns raised about the viability of its security model -- but is it your impression that changes are being made behind the scenes?

Yes -- in a number of articles they have claimed that the production cards will move from DES to public key.

More specifically, will Mondex be eventually limited to small denominations and/or will reconciliation of transactions be introduced?

I understand that MasterCard plans to limit it to amounts of the order of $100. They still claim they won't reconcile but I understand that in a number of countries they will be forced to by the central bank.

I have a copy of an Australian due diligence report which says an evaluation by Cambridge University of the tamper-resistance of the 3109 chip was due to be published in Q1 1997. Do you know anything about this?

I know nothing about it, but it could well be Haroun Ahmed's long awaited report. Just bear in mind that this isn't the renowned Cambridge security group but an elderly physicist who doesn't even have email. Mondex's original motive in signing him up appears to have been to stop me getting access to his equipment.

My reading is that it's an attempt to sow uncertainty and doubt. They will be able to claim, sort of truthfully, that Mondex was evaluated at Cambridge, and many people will -- incorrectly -- perceive that as an endorsement from our group. It isn't. But it's unlikely that an evaluation done without any security experts will be of value. Attacks of the kind that Markus and I and pay-TV hackers have been devising on other chips just won't occur to people with no security background.

Knowing what you do about current avenues of attack on smartcards, what would be your estimate of the likely time and budget required to compromise a Hitachi 3101-based Mondex card to the point where value could be added by the attacker? How would the equation change with the supposedly more robust 3109?

Given the resources available at an organisation such as Intel or Sandia, about two days for either. No possibility of a defence.

Given a commercial reverse engineering firm such as Semiconductor Insights, two to four weeks and maybe $100,000 for either. They were alleged to have reverse engineered the Sky10 ASIC in the course of a piracy trial in the UK recently.

Mondex claims ``purse classes'' and on-card transaction records are an important part of its detection model -- but could these also be altered by an attacker?

Intrusion detection systems are never perfect and rely to a great extent on ``security through obscurity''. For example, if a mobile phone cloner knows that you alarm an account whenever the device doesn't phone home regularly, then he can just call ``home'' once a day for a few seconds and stay off your watch list.

They also rely on the tamper-resistance or at least ``tamper-evidentness'' of the audit trail. An attacker who gets complete access to the Mondex card's contents can clearly get at all of the intrusion detection machinery that's embedded in the card, and write any audit trail he likes into his forged cards; they would probably report a completely innocuous transaction record to the ATM whenever they're used in one.

Also, the claims of intrusion detection via audit trails are not consistent with the claims of privacy through a lack of them. This issue has already been raised in the UK through a complaint to the trading standards office and Mondex lost; they no longer advertise their card here as providing untraceable electronic cash.

Has anything else happened recently that has a bearing on the Mondex security issues?

The spread of nanotechnology means that a rapidly growing number of sites have the equipment on hand to break chips -- such as ion beam workstations. Tamper resistance at the chip level is getting further and further away.

I have also recently been looking at the physical robustness of smart cards. These devices were originally devised for limited life use in French pay telephones -- maximum 50 calls -- and limited life use as French bank cards -- expected use three times a week for two years, or say 300 insertions. The failure rate for bankcards is about 1%.

I recently got hold of some cards used in a building access control system. They had been used several times a day and accumulated 2000 and more cycles. The failure rate was as high as 15%, especially when cards were used in a variety of climates -- hot and sticky outside, cold and dry inside. The gold is completely worn away and the underlying contacts have become pitted and started to come away at the edges.

Now, as Mondex is not accounted, they have a problem when somebody turns up at a bank counter and complains about a dead card. I understand that at the Swindon trial, their procedure is that the first time you complain, they give you whatever you say was in the card; the second time, they tell you to jump in the river.

Anyway, the dangers of using a non-robust payment technology in a high-volume application where there is no robust recovery mechanism should be obvious. In fact, I expect it will be this rather than chip break-ins which will condemn the Mondex system to the scrapheap.

Further information and full texts of papers can be had from Anderson's home page at http://www.cl.cam.ac.uk/users/rja14/


Copyright © 1997 by IDG Communications, Ltd. All Rights Reserved. Reprinted with permission.