Daniel Crowley - Black-Box Assessment of Smart Cards

    Daniel Crowley, Head of Research, X-Force Red, He/Him
    Presentation Title: Black-Box Assessment of Smart Cards
    Length of presentation: 45 minutes
    Demo, Tool

    You probably have at least two smart cards in your pockets right now: your credit card and the SIM card in your cell phone. You might also have a CAC, metro card, or the contactless key to your hotel room. Many of these cards are based on the same basic standards and share a common command format, called APDU.

    This talk will discuss and demonstrate how, even in the absence of information about a given card, there is a series of ways to enumerate the contents and capabilities of a card, find exposed information, fuzz for input handling flaws, and exploit poor authentication and access control.


    Daniel Crowley is the head of research and a penetration tester for X-Force Red. Daniel denies all allegations regarding unicorn smuggling and questions your character for even suggesting it. Daniel is the primary author of both the Magical Code Injection Rainbow, a configurable vulnerability testbed, and FeatherDuster, an automated cryptanalysis tool. Daniel enjoys climbing large rocks and is TIME magazine's 2006 person of the year. Daniel has been working in the information security industry since 2004 and is a frequent speaker at conferences including Black Hat, DEF CON, Shmoocon, and SOURCE. Daniel does his own charcuterie and brews his own beer. Daniel's work has been included in books and college courses. Daniel also holds the noble title of Baron in the micronation of Sealand.

    Twitter @dan_crowley


    Adam Laurie -
    Ivan Buetler - Smart Card APDU Analysis:
    L1L1 - Cardpeek:
    petrs - pyAPDUFuzzer:
    ISO 7816-4 standard: