Penetration Testing mailing list archives
Re: Questions on GSM Penetration test
From: "Tom Buelens" <email () tombuelens com>
Date: Sun, 27 Jan 2002 22:00:25 +0100
What would you mean by "peal off"? Would that be some kind of physical tampering? Most smart cards often have some kind of "Tamper Resistant Sealing". Also if you try to peal of the adhesive coating, you will most probably break the delicate fuse wire which most Smart Card companies run in that adhesive coating, thereby making the whole smart-card completely useless.
"The Netherlands Organisation for Applied Scientific Research" has the tools for 'pealing' of the chip layer by layer (thus not the card). Again I do not know the exact technology they use but it is not just your ordenary knive and skrewdriver. More like elektron microscope and the likes. And I do not think they are the only ones on the planet who can. In this fase the are not interested in the working of the whole device as such. They just take the whole thing apart and 'write every thing down'. Later they reconstruct the device in simulators, like putting it in Orcad, and then the creative thinking process starts, I guess.
Tom, if what you are saying is correct, people can make large amounts of money, just copying smart cards with applications like "Pre Paid Telephone Cards", "Electronic Purses" etc.
So if you know how a device works you know how to abuse it. IMHO that sort of thinking is what the US calls DMCA. And that is just not right ! Remember "Security is a proces." (c) Bruce If the weakest link of your chain is a badly designed smardcard then what you are saying might be right but a simple trustrelationship between costumer and cashier can just as well be your weak point. What I'm trying to say is that knowing about the inner workings of a piece of technology does not implie you can (or will) abuse it to your or anybody else's advantage. But this discussion is starting to become a bit off topic. Happy cheers, Tom CISPP 27411 (I would have loved the number twenty four seven, four eleven :-) ---------------------------------------------------------------------------- This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
Current thread:
- Detecting if SecureIIS from Eeye is installed Sacha Faust (Jan 22)
- Re: Detecting if SecureIIS from Eeye is installed Ryan Permeh (Jan 23)
- Questions on GSM Penetration test ricci_ieong (Jan 24)
- Re: Questions on GSM Penetration test Tom Buelens (Jan 25)
- Re: Questions on GSM Penetration test M Lister (Jan 26)
- Re: Questions on GSM Penetration test Tom Buelens (Jan 27)
- Re: Questions on GSM Penetration test M Lister (Jan 27)
- Re: Questions on GSM Penetration test Tom Buelens (Jan 27)
- RE: Questions on GSM Penetration test Fernando Cardoso (Jan 28)
- Re: Questions on GSM Penetration test Wouter Slegers (Jan 31)
- Questions on GSM Penetration test ricci_ieong (Jan 24)
- Re: Detecting if SecureIIS from Eeye is installed Ryan Permeh (Jan 23)
- Re: Questions on GSM Penetration test Martin Tomasek (Jan 27)
- Re: Questions on GSM Penetration test John Adams (Jan 28)
- Message not available
- Re: Questions on GSM Penetration test Emmanuel Gadaix (Jan 27)