Sunday, September 5, 2010

Web Laundry (In)Security

Disclaimer: This article is for informational purposes only. The author shall not be liable for any misuse or misconduct resulting from the use of the information provided within.


My apartment building recently switched from coin-op laundry machines to a stored value system using smartcards. The way it works is they have a central dispensing machine that you can use to purchase a card as well as fill up existing cards using a credit card. Each washer/dryer then has a reader interface that will decrement the stored value after starting the machine.

Being the curious type, I stuck the card into my smartcard reader to see which chip they were using. A quick Google search of the ATR revealed it was a member of the Atmel CryptoMemory family, the AT88SC0404C. After pulling the datasheet from Atmel, I began exploring the security mechanisms they had in place.

Before I go any further I should explain that the remaining portion of this article doesn't explain an attack on the Atmel CryptoMemory parts in any way. If that is what you're after I recommend reading Tarnovsky's blog or an attack on the CryptoMemory algorithm here. With that out of the way let's forge on.

After reading through the datasheet I found that this card has a configuration zone and four user pages, each 128 bytes long. I dumped the config using the following APDU.

After spending some time hand-parsing the response I came up with this config.
By looking at the above we can pick out a few things. First, the 0x27 fill is probably a security measure because we haven't authenticated in any way. Second, bit 4 of the DCR byte tells us that we only have 4 attempts to verify any of the eight passwords before we're locked out. Also, by looking at AR registers 0 through 3 we can see that none of the user pages require a password, but they all require authentication. Here is another interesting tidbit from the datasheet:


Seems simple enough, verify the write 7 password, program the configuration, then blow a one time programmable fuse to prevent anyone from changing the data. So, let's read the fuse byte!


This is where things start to fall apart. According to the datasheet a fuse byte of 0x27 means only the SEC bit is blown, which is done by Atmel during manufacturing to lock the lot code. The personalization fuse was never blown, so with the proper write 7 password we can still change the configuration (HINT: maybe removing the authentication enable bits from the AR bytes?).
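As an added example (my code, not the post's C# tool), here is a decoder for the fields discussed above: the DCR trial count, the AR byte of each user zone, the fuse byte, and the AR rewrite that later turns authentication off. The offsets (DCR at 0x18, ID at 0x19, AR0 at 0x20 with two bytes per zone), the fuse-bit names and the ETA polarity are my reading of the CryptoMemory datasheet and should be checked against it; the configuration dump is constructed to look like the one the post describes.

```python
"""Decode the security-relevant fields of an AT88SC0404C configuration zone dump.

Added example, not from the original post. Offsets and bit layouts below are
assumptions taken from my reading of the Atmel CryptoMemory datasheet.
"""

CONFIG_ZONE_LEN = 128
DCR_OFFSET = 0x18            # Device Configuration Register (assumed offset)
ID_OFFSET, ID_LEN = 0x19, 7  # Identification number, written when the card is dispensed
AR0_OFFSET = 0x20            # AR0 at 0x20, PR0 at 0x21, AR1 at 0x22, ... (assumed layout)
USER_ZONES = 4               # AT88SC0404C: four 128-byte user zones
DCR_ETA = 1 << 4             # "eight trials allowed" bit; the post reads it as set -> four trials

# Fuse byte: a fuse reads 1 while intact and 0 once blown (0x27 = SEC only, 0x20 = all blown).
# Which of bits 0-2 is FAB/CMA/PER is an assumption based on the datasheet's blow order.
FUSES = {"FAB": 1 << 0, "CMA": 1 << 1, "PER": 1 << 2, "SEC": 1 << 3}


def password_trials(dcr: int) -> int:
    """Verify attempts before lockout, with the ETA polarity the post uses."""
    return 4 if dcr & DCR_ETA else 8


def decode_ar(ar: int) -> dict:
    """Access register: PM in bits 7:6, AM in bits 5:4; 0b11 means 'not required'."""
    pm = (ar >> 6) & 0b11
    am = (ar >> 4) & 0b11
    return {"pm": pm, "am": am,
            "password_required": pm != 0b11,
            "auth_required": am != 0b11}


def blown_fuses(fuse: int) -> list:
    """Names of the fuses whose bit reads 0 (blown)."""
    return [name for name, bit in FUSES.items() if not fuse & bit]


def open_zones(config: bytes) -> bytes:
    """Return a copy with PM = AM = 0b11 on every AR: no password, no authentication."""
    buf = bytearray(config)
    for z in range(USER_ZONES):
        buf[AR0_OFFSET + 2 * z] |= 0xF0
    return bytes(buf)


def summarize(config: bytes, fuse: int) -> dict:
    if len(config) != CONFIG_ZONE_LEN:
        raise ValueError("expected a %d-byte configuration zone" % CONFIG_ZONE_LEN)
    blown = blown_fuses(fuse)
    return {
        "trials": password_trials(config[DCR_OFFSET]),
        "id": config[ID_OFFSET:ID_OFFSET + ID_LEN].hex(),
        "zones": [decode_ar(config[AR0_OFFSET + 2 * z]) for z in range(USER_ZONES)],
        "blown": blown,
        # PER still intact means the config zone is still writable with the write 7 password
        "config_writable": "PER" not in blown,
    }


def sample_config() -> bytes:
    """Constructed dump resembling the post: 0x27 fill, ETA set, PM = 11 and AM = 00 on every zone."""
    buf = bytearray([0x27] * CONFIG_ZONE_LEN)
    buf[DCR_OFFSET] = 0x10
    buf[ID_OFFSET:ID_OFFSET + ID_LEN] = bytes.fromhex("01020304050607")  # made-up ID
    for z in range(USER_ZONES):
        buf[AR0_OFFSET + 2 * z] = 0xC0  # no password required, authentication required
    return bytes(buf)


if __name__ == "__main__":
    cfg = sample_config()
    for label, c in (("as dispensed", cfg), ("after AR rewrite", open_zones(cfg))):
        print(label, summarize(c, fuse=0x27))
```

Run it against a real dump by replacing `sample_config()` with the 128 bytes returned by the config read; a fuse byte of 0x20 reports every fuse blown and `config_writable` false, which is what the properly personalized cards in the comments show.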

OK, now we just need to guess the write 7 password. The password is 24 bits, which gives 16,777,216 possible values. At 4 attempts per card that is 4,194,304 cards in the worst case, or 2,097,152 cards on average... There must be an easier way. My next idea was to sniff the traffic between the reader and card to get an idea of what kind of data is being passed back and forth, and then, after wading through the paper above, implement the algorithm to crack the cipher itself. Then I found this little ditty in the datasheet:

Surely you would think the engineers implementing this weren't negligent enough to leave the default password in place... you would be wrong.

Now that we can read and write the config page, all we have to do is set AR bits 4-7 to disable the password and authentication checks, and then we can dump the user pages. I found a few things by dumping them. Page 0 contains some string constants and doesn't look to be related to the stored value in any way. Page 1 looks to have all the goodies. By dumping the card before and after use I can see the bytes that change. There appears to be a sequence of 36 bytes that differ between dumps starting at 0x5c. There is also a 1-byte counter that increments by 1 as the stored value is decremented. I've yet to decode how the stored value is encoded on the card, so I'll leave that as an exercise for the reader.
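The before/after comparison described above, as an added example (mine, not from the post): it finds the contiguous runs of bytes that differ between two dumps of the same page and flags any single byte that steps by a fixed amount across a series of dumps, which is how a use counter shows up. The dumps are constructed to mirror the post's observations (a 36-byte block at 0x5c that changes on every use and a 1-byte counter); the counter offset 0x10 and the block's contents are assumptions, the post does not give them.

```python
"""Locate changing bytes and step counters across user-zone dumps.

Added example, not from the original post. The dumps are constructed here;
replace make_dumps() with real page reads taken before and after each use.
"""

PAGE_LEN = 128
COUNTER_OFFSET = 0x10               # assumed; the post does not give the counter's offset
BLOCK_OFFSET, BLOCK_LEN = 0x5C, 36  # from the post: 36 changing bytes starting at 0x5c


def changed_runs(before: bytes, after: bytes) -> list:
    """Contiguous (offset, length) runs where the two dumps differ."""
    if len(before) != len(after):
        raise ValueError("dumps differ in length")
    runs, start = [], None
    for i, (a, b) in enumerate(zip(before, after)):
        if a != b:
            if start is None:
                start = i
        elif start is not None:
            runs.append((start, i - start))
            start = None
    if start is not None:
        runs.append((start, len(before) - start))
    return runs


def step_counters(dumps: list, step: int = 1) -> list:
    """Offsets whose byte changes by exactly `step` (mod 256) between every consecutive dump."""
    if len(dumps) < 2:
        raise ValueError("need at least two dumps")
    return [off for off in range(len(dumps[0]))
            if all((nxt[off] - prev[off]) % 256 == step for prev, nxt in zip(dumps, dumps[1:]))]


def report(dumps: list) -> dict:
    """Runs that changed between the first and last dump, plus any byte counting by one."""
    return {"runs": changed_runs(dumps[0], dumps[-1]), "counters": step_counters(dumps)}


def make_dumps(uses: int) -> list:
    """Constructed page-1 dumps: a counter at COUNTER_OFFSET and an opaque block that changes every use."""
    dumps = []
    for n in range(uses + 1):
        page = bytearray(PAGE_LEN)
        page[COUNTER_OFFSET] = n & 0xFF
        for i in range(BLOCK_LEN):
            # made-up contents; every byte of the block moves by 13 per use so no byte repeats
            page[BLOCK_OFFSET + i] = (7 * i + 13 * n + 1) & 0xFF
        dumps.append(bytes(page))
    return dumps


if __name__ == "__main__":
    dumps = make_dumps(uses=3)
    for start, length in report(dumps)["runs"]:
        print("changed: 0x%02x .. 0x%02x (%d bytes)" % (start, start + length - 1, length))
    print("counter offsets:", ["0x%02x" % o for o in report(dumps)["counters"]])
```

Two dumps are enough to see what moves; three or more are needed before `step_counters` is meaningful, since any byte that happens to change by one between a single pair of dumps would otherwise be reported.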

At this point an attacker could fill up the card and dump the contents. Then after using the card until there is no value left they could restore the dump rather than paying to refill the card. I don't want to promote fraud (or get sued) so I will not provide dumps of the user pages. Below is a proof of concept video to prove how easily it can be done.

I wrote the application below in C# to assist in working with the Atmel CryptoMemory line. Although I've only tested it on an AT88SC0404C, it should work with any chip in the family. The software provides the ability to dump the config to the terminal, read the fuse byte, and back up and restore the entire card, including the config and user pages. Be warned! Since the fuse byte is completely unlocked, all fields in the config page are writable. Even the ATR! On a few occasions I accidentally overwrote the ATR with all zeros (due to a bug in the application). This caused the cards to respond with all-zero ATRs, which breaks ISO 7816-3 compliance, so they no longer work in my reader. It may be possible to recover them using the synchronous 2-wire serial interface, but I haven't tried yet. The software should work with any compatible PC/SC reader.



Web Laundry claims 40,000 installations on their website. I can only assume that there are millions of cards in service with the same configuration. I'm unsure why they would pay ~$1.05/pc (qty 5k) for a part with moderate security measures and then leave the default password set, when they could buy an SLE4442 for $0.39/pc (qty 10k). Furthermore, the cost of changing the password is effectively nothing, since they are already writing the ID bytes (at +0x19) when they dispense the card from the machine. I can only imagine it was the marketing department that came up with the slogan on the card: "Unmatched Security and Cutting Edge Technology".




THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

AtmelCrypto.zip

This software is provided free of charge under the creative commons license. If you find this software useful please consider making a secure donation using the link to the right to support future research.

71 comments:

  1. That's a nice piece of work :)
    But tell a newbie one thing, how do you manage to find which chip it was using?
    What kind of software do you use to explore the card? ToolSet Pro ???
    Thanks.
    Keep up the good work.

    ReplyDelete
  2. Out of curiosity, how would one run the software that you had posted yesterday?

    ReplyDelete
  3. So does the fuse byte "blow" the fuse when set to something, or is it merely an indicator of whether the fuse has been physically blown?

    ReplyDelete
  4. Don't answer my first post.
    RTFM I know :D
    Is this the right APDU command?
    80 C0 02 A4 0D Chip Inf | GEMPLUS MPCOS-EMV | Get Info
    ? thnx

    @mad engineer: Compile, download visual C# Studio Express 2010 <- NOT 2008, it will give errors

    ReplyDelete
  5. @YaBa - Yeah I used Toolset pro to do the initial analysis and proof of concept. After sticking the card in the reader scard toolset pro will show the ATR, 3b b2 11 00 10 80 00 04. Googled that to get the family (Atmel CryptoMem) then pulled the datasheet.

    @haywire - The fuse byte can both be read or written. When writing it (1->0) it will blow and cannot effectively be reversed. I recommend the tarnovsky blog link above. He was able to reset the fuse (0->1) by decapping and using UV light (on another chipset in this family).

    @mad - YaBa is right, I used C# VS Express 2010.

    ReplyDelete
  6. Can you publish an executable version also?

    ReplyDelete
  7. This might help some people:
    smartcard-atr.appspot.com
    Given the ATR, it will help to identify the card.

    ReplyDelete
  8. @troll - I won't publish the binary for liability reasons. I'm currently trying to figure out if I can safely publish the source which is why I took it down. This is all new to me :) You shouldn't have any trouble compiling in visual studio express 2010 though.

    ReplyDelete
  9. Hans Viksler, can I get the source, please? Thanks.

    ReplyDelete
  10. Added the source back by popular demand :)

    ReplyDelete
  11. @Hans
    You can't just give the candy and then take it back :D lol ;)

    ReplyDelete
  12. /* Look for smartcard reader */
    string[] readers = iCard.ListReaders();

    "Exception was unhandled: SCardEstablishContext error: -2146435043"

    If you are going to release the source make sure it compiles as is first.

    ReplyDelete
  13. @markermanx5 - It does compile; that is a run-time error. Is your reader plugged in and PC/SC compatible? Please read the blurb above about NO expressed or implied warranties. In other words, no support :) However, if you want to provide better error handling I'd be happy to pick up the changes and re-post.

    ReplyDelete
  14. Some people never learn...
    You get this for free, and still complain?! Duh.

    @Hans, are you familiar with Bus Pirate!? It can read those kind of cards too, among other stuff.

    ReplyDelete
  15. @YaBa - Yeah, I own a bus pirate. I've used it to read the synchronous memory cards like the stored value card from fedex/kinkos. I haven't tried reading this card in sync mode though.

    Also, I found an old card that was originally sent from Web Laundry when they installed it and it was properly locked down with the fuse set to 0x20. Seems like it is just the cards stocked in this machine that aren't properly configured.

    ReplyDelete
  16. @Hans - I need your help. I've spent the last 2 hours looking for the technical specs of the Gemplus GemClub Memo card.
    I just know a few APDU commands. I would like to learn more about this type of card.
    Any help would be great.
    (Note: The card is in user mode; I don't know how to auth.)
    I'm considering buying a Season 2 interface to study, but some PDF would really be great.
    Thanks in advance.

    ReplyDelete
  17. I'm getting an odd error.

    I've got a computer with a "Broadcom Corp Contacted SmartCard reader". I can read the config. When I try to backup, I get "SCardTransmit error: -2146435025".

    ReplyDelete
  18. @YaBa - http://jwamicha.files.wordpress.com/2010/09/gemclubmemo.pdf

    Hope this helps! Have you found a nice season 2 interface? I was looking for one some time back but couldn't find what I wanted. Ideally I'd like a board with a passthrough to a card slot with a pic micro attached to the CLK RST DAT lines to sniff traffic as well as drive the lines (if there is no card inserted). From what I've seen it sounds like I'll need to roll my own...

    ReplyDelete
  19. @dividebyzerowned - Step through each APDU sent using visual studio express. By looking at the return code from the card you can get a good idea of what might be failing.

    ReplyDelete
  20. @Hans: Thanks a lot, but I insisted on Google and found a DocStoc version. And then I asked on that blog about the file, and the author posted it today. But hey, I really appreciate your help and work.
    Regarding Season 2, I'm still looking around in sat forums and shops (electronicasuiza.com might help).
    However... my "test" card is now almost dead; I've locked CSC0, CSC1 and CSC2 :| :| :|
    I can read it, but nothing else.
    Can it be unlocked with some mumbo jumbo magic code, or is it trashed forever?
    thnx

    ReplyDelete
  21. @Hans

    The controller for the card reader I'm using is actually integrated into this computer's TPM; apparently it's not fully PC/SC compliant.

    Reading the config is fine, but the data pages are 128-byte strings of null bytes.

    ReplyDelete
  22. My card has all four fuses blown (security byte 0x20). Wondering if you could help me understand the authentication process and how does one compute the challenge and get a good verify crypto command going? If it isn't possible and its just a fancy name for a password please tell me... I've been trying to understand ATMEL's idea of authentication, but cannot seem to get a good grasp on it.

    Thanks in advance!

    ReplyDelete
  23. This comment has been removed by the author.

    ReplyDelete
  24. So I have the problem of always getting SW=6E00 (command class is not supported). I get it with your application as well as my C# ports of SMACADU and my APDU scanner. No matter what value I use for the class I always get the same SW=6E00 response. Has any of you run into this problem, or any ideas on something I may be overlooking?

    ReplyDelete
  25. The fill byte (for bytes not allowed to be accessed) equals the fuse byte. So as soon as you see a $27 as the fill byte, you know your fuse is good to go. ;)

    ReplyDelete
  26. Well, I have a problem. When I use gscriptor the default password is working fine. But when I use your program it gives me "Access Denied" and the fuse shows "20".
    Any help?

    ReplyDelete
  27. If somebody has a working HexDump of Web laundry card could you send it to kolob at ukr.net
    Thanks a lot

    ReplyDelete
  28. My card looks same as yours but ATR revealed it's a Gemplus GemClub Memo.

    I compile your app but it won't select the card; has an error Failed to get ATR: SW=6D00. I read the PDF specs on my card, but it's like Greek to me. I even got the ToolSet pro demo. Am I supposed to do a scan to get the hex values? Kinda hard with a demo version. I'm trying to see if they left the default password and fuse unblown like yours.

    And then would I modify your AtmelCryptoMem.cs file for my card?

    I'm so lost... yet I feel I'm walking down the right path. It would probably help if I had basic knowledge of smart card technology.

    ReplyDelete
    Replies
    1. Hey, just curious. Did you ever find a solution to this? I have the same type of card and am trying to see if I can accomplish this.

      Delete
  29. what is the program you used?

    ReplyDelete
  30. @Hans Viksler

    Hi!
    Why don't you blow only the FAB and CMA fuses so you won't overwrite the ATR and FAB configuration?

    Thanks for this article

    ReplyDelete
  31. I am getting this error..

    SCardConnect error: -2146434970

    ReplyDelete
  32. When I compile and try to install, it keeps throwing errors on Windows. It compiles fine without errors, and installs fine as well, but will not run for the life of me. I've tried on Windows 7 64 and XP 32 with no luck. Using Visual C# 2010. If anyone is willing to share the executable please contact me runfrugal at gmail.com

    ReplyDelete
  33. @Hans, awesome work on this and thanks for the utility.

    Like a few others, I have multiple cards and they all have a fuse state of 0x20 (totally blown).

    I've found a company where I can buy a few SCs with the exact same chipset and I'm wondering what your thoughts are on finding a dump of a card and loading it onto one of these empty cards. Do you see any problems with this working? The idea is to build-a-card that I can start playing around with.

    If so and you're not too busy, would you mind sending me one of your dumps?

    Thanks for your time!

    ReplyDelete
  34. Has anyone been able to get this software to work with a fuse of 20?

    I'm getting an 'Access denied'.

    kevincfunk at gmail

    ReplyDelete
  35. @Kevin, after sending that message a few months back I messed around with it but never got anywhere.

    Lately I've been trying to find / buy someone's older card with the unblown fuse (all the new ones at my complex are blown).

    If you make any headway hit me up-- I think we're in the same boat.

    knksmith57 [at] gmail

    ReplyDelete
  36. It compiles successfully only on WinXP 32-bit with Visual C# Express 2010, and the compiled version works on all platforms.

    The question is : how you have to deal with the non-iso compliant C8 pin ?

    ReplyDelete
  37. Could you re-add the compiled exe?

    ReplyDelete
  38. This comment has been removed by the author.

    ReplyDelete
  39. This comment has been removed by the author.

    ReplyDelete
  40. I think I see the problem that I'm facing. I see that the program uses GEMCARD info. I have been using a normal ISO programmer 3.68; I guess that will not work and I need to get a programmer like the ones in the video?

    ReplyDelete
  42. Hi there
    I just tried, but my write 7 password is not the default. Does anyone know of a way to pick the password up?

    ReplyDelete
  50. Hello, the application keeps giving me an error:
    Connected to Dell Smart Card Reader Keyboard 0
    Failed to get ATR: SW=6D00
    Any help?

    ReplyDelete
  51. Hello

    I have 3 Miele self-service laundries where clients pay for the service using SLE4442 cards.
    Miele sells those cards, but at a very high price.
    I've already tried cards with the same SLE4442 chip, but the payment machine doesn't accept them because the only ones that work are the ones sold by Miele... I read and read and read and found out the ATR code for the cards that work. My question is whether, having the machine's recognition codes, it is possible to "format" blank cards so they can be used on the machine.

    ReplyDelete
  52. Hey,

    Thanks for the great post. Does anyone have a working executable? After I build and compile the source I am always getting an error. atticusasher at gmail

    ReplyDelete
  54. For anyone looking for a compiled binary, here it is: https://file.globalupload.io/vDNL2HXUNk.zip

    I compiled it without installing Visual Studio by following https://stackoverflow.com/questions/18286855/how-can-i-compile-and-run-c-sharp-program-without-using-visual-studio#


    Seems like the write 7 password for my card was changed from the default 605734. Anyone have an idea how to brute force the password?

    ReplyDelete
    Replies
    1. any chance you can get me a link to the compiled version and source? thanks!

      Delete
    ReplyDelete