Security is an endless cat and mouse game

20 August 2012

Dr Erik Poll is not really known as a security expert but more as a professional hacker. ‘You can only make something secure once you know where its weak points are.’ Within Sentinels he worked on the security of smart cards and on a system that makes software leak proof.

Dr Erik Poll, project leader of JASON and involved in PINPASJC 

Together with Dr Jaap-Henk Hoepman, Poll was project leader of the Sentinels project JASON. This resulted in a platform that can be used to make an entire software system completely secure, he explains. ‘Not by adding a few lines of code at the last minute as embellishment but by integrally interlacing the right security with the code at the right places.’ Errors are easily made in software, he says. ‘A leak usually arises in a single line of code. Something that was simply missed by a programmer. After completing the code, you can use Jason to indicate on which fronts the system must be made secure and who must be allowed to gain access where. The platform then integrates the required code at the right locations.’

Within the Sentinels project Poll worked closely with industry. ‘Chess IT was closely involved with Jason. This company is specialised in payment terminals such as parking meters. We looked at how you should make something like that secure. How do you ensure that these ticket-dispensing machines cannot be hacked to read the personal details of bank cards?’ In order to realise a good collaboration, researchers from the university spent one day a week working at Chess.

Hack hit the headlines

The second project that Poll was involved in, PINPASJC, focused on the security of chip cards, such as those used in chipknips, smart transit cards and passports. Making such systems secure is a completely different type of work. For example, the Digital Security research group of Radboud University Nijmegen where Poll works, hit the headlines when the Dutch smart transit card (ov-chipkaart) and more recently electronic car keys were hacked. ‘You must first of all do your best to crack something like this as only then do you know how you can make it secure.’

There is still a lot of confusion about the security of this type of contactless smart card, says Poll. ‘People are particularly afraid that these cards can be read remotely.’ Yet this anxiety is unfounded, he says. ‘You can only read these things from a distance of 30 metres using an enormous antenna.’ And so you only really need to be worried if attackers gain physical access to such a chip. ‘In a lab they will then strip it and investigate how everything works.’

There are various ways to do that. ‘Fifteen years ago you could tell from the energy consumption of such a card whether a 0 or a 1 was being written.’ And what can a miscreant do with this knowledge? ‘While the software is running, he changes the voltage at the right moment, from 5 volts to 2.5 V for example. Then the software continues to run but can briefly write no ones. A criminal can then specifically change ones to zeros. If you do that at the right moment the payments system thinks that a pin code has been entered, for example, even though that is not the case.’

Firing a laser

This simple method no longer works that well. Thanks to smarter hardware the energy peaks no longer reveal that much. However, attackers have also progressed. ‘A more modern method is to fire a laser at a chip. The chips now contain several controls and therefore you need to do the same thing two or three times for a chip to perform the desired operation.’ It is also possible to protect against these attacks. ‘For example, a hardware solution is to place an extra light sensor on the chip. As soon as somebody removes the topmost layer or starts to fire lasers at the chip, the chip switches itself off. At a software level cheaper possibilities exist such as allowing a program to check the most important operations. We are mainly working on that.’
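The software-level check mentioned above can be sketched as follows. This is an added illustration, not code from JASON, PINPASJC or the research group: a PIN check that repeats its comparison and stores the result as a constant plus its complement, so that a fault which clears bits does not read as "verified". All names and constants are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>

/* Constructed constants: neither is 0 or all-ones, and each has set bits the
   other lacks, so a fault that only clears bits cannot turn FAIL into OK. */
#define PIN_OK    0x3CA5965Au
#define PIN_FAIL  0x69A5C33Cu
#define PIN_LEN   4
#define MAX_TRIES 3

typedef struct {
    uint32_t state;      /* PIN_OK or PIN_FAIL */
    uint32_t state_inv;  /* bitwise complement of state, kept as a redundant copy */
    uint8_t  tries_left;
} pin_ctx;

static void set_state(pin_ctx *c, uint32_t s) { c->state = s; c->state_inv = ~s; }

void pin_init(pin_ctx *c) { set_state(c, PIN_FAIL); c->tries_left = MAX_TRIES; }

/* Compare all bytes without early exit; 0 means equal. */
static uint32_t pin_diff(const uint8_t *a, const uint8_t *b) {
    uint32_t d = 0;
    for (size_t i = 0; i < PIN_LEN; i++) d |= (uint32_t)(a[i] ^ b[i]);
    return d;
}

uint32_t pin_verify(pin_ctx *c, const uint8_t *entered, const uint8_t *stored) {
    set_state(c, PIN_FAIL);                 /* default to failure */
    if (c->tries_left == 0) return PIN_FAIL;
    c->tries_left--;                        /* count the attempt before comparing */
    volatile uint32_t d1 = pin_diff(entered, stored);
    if (d1 == 0) {
        volatile uint32_t d2 = pin_diff(stored, entered);  /* repeat the check */
        if (d2 == 0) { set_state(c, PIN_OK); c->tries_left = MAX_TRIES; }
    }
    return c->state;
}

/* Gate for sensitive operations: both copies must agree, so a zeroed or
   half-corrupted flag reads as "not verified". */
int pin_is_verified(const pin_ctx *c) {
    return c->state == PIN_OK && c->state_inv == ~PIN_OK;
}

int main(void) {
    const uint8_t stored[PIN_LEN] = {1, 2, 3, 4}, wrong[PIN_LEN] = {1, 2, 3, 5};
    pin_ctx c; pin_init(&c);
    pin_verify(&c, wrong, stored);
    return pin_is_verified(&c);             /* exits 0: wrong PIN is not verified */
}
```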

Security is an endless cat and mouse game, says Poll. ‘The attackers are becoming increasingly smarter. This means that the defence needs to be smarter as well. And that forces the attacker to innovate. Within the Netherlands a mountain of expertise has been acquired to strengthen the defence. Sentinels is one of the catalysts that has accelerated progress in the discipline in recent years, says Poll. ‘Such a programme attracts people, also from abroad. Security is becoming an increasingly bigger problem with increasingly more complex questions. Fortunately there is a strong community in the Netherlands capable of tackling these questions.’


Photo: Sjoerd van der Hucht Fotografie
Text: Sonja Knols, IngenieuSe
Translation: NST