Daniel Crowley - Black-Box Assessment of Smart Cards

Daniel Crowley, Head of Research, X-Force Red, He/Him
Presentation Title: Black-Box Assessment of Smart Cards
Length of presentation: 45 minutes
Demo, Tool

You probably have at least two smart cards in your pockets right now: your credit card, and the SIM card in your cell phone. You might also have a CAC, metro card, or the contactless key to your hotel room. Many of these cards are based on the same basic standards and share a common command format, called APDU.

This talk will discuss and demonstrate how, even in the absence of information about a given card, there are a series of ways to enumerate the contents and capabilities of a card, find exposed information, fuzz for input handling flaws, and exploit poor authentication and access control.
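As an added illustration of the APDU command format the abstract refers to (this is example code written for this page, not code from the talk or from the tools it references): a small Python encoder/parser for short-format ISO 7816-4 command and response APDUs, with decoding of the common status words. Being able to read CLA/INS/P1/P2/Lc/Le and the SW1 SW2 trailer is the first step in reviewing a captured card trace or judging what a card's responses reveal. The application identifier and response bytes used below are constructed placeholders, not values from any real card.

```python
"""ISO 7816-4 short-format APDU encoder/parser (constructed example)."""
from dataclasses import dataclass
from typing import Optional

# Subset of ISO 7816-4 status words that matter when reading a card trace.
_SW_EXACT = {
    0x9000: "Normal processing",
    0x6700: "Wrong length (Lc/Le)",
    0x6982: "Security status not satisfied (authentication required)",
    0x6983: "Authentication method blocked",
    0x6A82: "File or application not found",
    0x6A86: "Incorrect parameters P1-P2",
    0x6D00: "Instruction code not supported",
    0x6E00: "Class not supported",
    0x6F00: "No precise diagnosis",
}


def decode_status(sw: int) -> str:
    """Translate a 16-bit status word (SW1 SW2) into a description."""
    if sw in _SW_EXACT:
        return _SW_EXACT[sw]
    sw1, sw2 = sw >> 8, sw & 0xFF
    if sw1 == 0x61:
        return f"Normal processing, {sw2} response byte(s) still available"
    if sw1 == 0x6C:
        return f"Wrong Le, exact response length is {sw2}"
    if sw1 == 0x63 and sw2 & 0xF0 == 0xC0:
        return f"Verification failed, {sw2 & 0x0F} retry(ies) remaining"
    return f"Unrecognised status word {sw:04X}"


@dataclass
class CommandAPDU:
    cla: int
    ins: int
    p1: int
    p2: int
    data: bytes = b""          # command data field (Lc bytes), empty if absent
    le: Optional[int] = None   # expected response length, 1..256; None = no Le

    @property
    def case(self) -> int:
        """ISO 7816-4 case: 1 = header only, 2 = Le, 3 = Lc+data, 4 = both."""
        if not self.data:
            return 1 if self.le is None else 2
        return 3 if self.le is None else 4

    def to_bytes(self) -> bytes:
        for name, val in (("CLA", self.cla), ("INS", self.ins), ("P1", self.p1), ("P2", self.p2)):
            if not 0 <= val <= 0xFF:
                raise ValueError(f"{name} must be a single byte")
        if len(self.data) > 255:
            raise ValueError("short APDU carries at most 255 data bytes")
        if self.le is not None and not 1 <= self.le <= 256:
            raise ValueError("short Le must be 1..256")
        out = bytes([self.cla, self.ins, self.p1, self.p2])
        if self.data:
            out += bytes([len(self.data)]) + self.data
        if self.le is not None:
            out += bytes([self.le & 0xFF])  # Le = 256 is encoded as 0x00
        return out


def parse_command(raw: bytes) -> CommandAPDU:
    """Split a short-format command APDU into its fields, validating lengths."""
    if len(raw) < 4:
        raise ValueError("command APDU needs at least CLA INS P1 P2")
    cla, ins, p1, p2 = raw[:4]
    body = raw[4:]
    if not body:
        return CommandAPDU(cla, ins, p1, p2)                        # case 1
    if len(body) == 1:
        return CommandAPDU(cla, ins, p1, p2, le=body[0] or 256)     # case 2
    lc = body[0]
    if lc == 0:
        raise ValueError("Lc of zero is not valid in a short APDU")
    data = body[1:1 + lc]
    if len(data) != lc:
        raise ValueError("Lc claims more data bytes than are present")
    rest = body[1 + lc:]
    if not rest:
        return CommandAPDU(cla, ins, p1, p2, data)                  # case 3
    if len(rest) == 1:
        return CommandAPDU(cla, ins, p1, p2, data, le=rest[0] or 256)  # case 4
    raise ValueError("unexpected trailing bytes after Le")


@dataclass
class ResponseAPDU:
    data: bytes
    sw: int

    def describe(self) -> str:
        return f"{len(self.data)} data byte(s), SW={self.sw:04X}: {decode_status(self.sw)}"


def parse_response(raw: bytes) -> ResponseAPDU:
    """A response is zero or more data bytes followed by the two-byte SW1 SW2 trailer."""
    if len(raw) < 2:
        raise ValueError("response APDU needs at least SW1 SW2")
    return ResponseAPDU(data=raw[:-2], sw=(raw[-2] << 8) | raw[-1])


if __name__ == "__main__":
    # Constructed SELECT-by-AID exchange; the AID A0 00 00 00 99 01 01 is a placeholder.
    select = CommandAPDU(0x00, 0xA4, 0x04, 0x00, bytes.fromhex("A0000000990101"), le=256)
    print("command :", select.to_bytes().hex().upper(), "case", select.case)
    print("response:", parse_response(bytes.fromhex("6F058403A000009000")).describe())
    print("verify  :", parse_response(bytes.fromhex("63C2")).describe())
```

The parser rejects malformed Lc/Le combinations rather than guessing, which is what one wants when the bytes come from a trace of unknown provenance; the status-word table is the subset of ISO 7816-4 values that distinguish "not found", "authentication required", and "blocked", the three outcomes that tell the most about a card's access-control behaviour.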


SPEAKER BIO:

Daniel Crowley is the head of research and a penetration tester for X-Force Red. Daniel denies all allegations regarding unicorn smuggling and questions your character for even suggesting it. Daniel is the primary author of both the Magical Code Injection Rainbow, a configurable vulnerability testbed, and FeatherDuster, an automated cryptanalysis tool. Daniel enjoys climbing large rocks and is TIME magazine's 2006 person of the year. Daniel has been working in the information security industry since 2004 and is a frequent speaker at conferences including Black Hat, DEF CON, Shmoocon, and SOURCE. Daniel does his own charcuterie and brews his own beer. Daniel's work has been included in books and college courses. Daniel also holds the noble title of Baron in the micronation of Sealand.

Twitter @dan_crowley


REFERENCES:

Adam Laurie - ChAP.py: https://github.com/AdamLaurie/RFIDIOt
Ivan Buetler - Smart Card APDU Analysis: https://www.blackhat.com/presentatio...sis_V1_0_2.pdf
L1L1 - Cardpeek: http://pannetrat.com/Cardpeek
petrs - pyAPDUFuzzer: https://github.com/petrs/pyAPDUFuzzer
ISO 7816-4 standard: https://www.iso.org/standard/77180.html
