The Smart Card Detective: a hand-held EMV interceptor
Several vulnerabilities have been found in the EMV system (also known as Chip andPIN). Saar Drimer and Steven Murdoch have successfully implemented a relay attackagainst EMV using a fake terminal. Recently the same authors have found a method tosuccessfully complete PIN transactions without actually entering the correct PIN. Thepress has published this vulnerability but they reported such scenario as being hard toexecute in practice because it requires specialized and complex hardware.As proposed by Ross Anderson and Mike Bond in 2006, I decided to create a miniatureman-in-the-middle device to defend smartcard users against relay attacks.As a result of my MPhil project work I created a hand-held device, called
(SCD), which intercepts the communication between smartcard and terminal.The device has been built using a low cost ATMEL AT90USB1287 microcontroller andother readily available electronic components. The total cost of the SCD has been around
100, but an industrial version could be produced for less than
20.I implemented several applications using the SCD, including the defense against the relayattack as well as the recently discovered vulnerability to complete a transaction withoutusing the correct PIN.All the applications have been successfully tested on CAP readers and live terminals.Even more, I have performed real tests using the SCD at several shops in town.From the experiments using the SCD, I have noticed some particularities of the CAPprotocol compared to the EMV standard. I have also discovered that the smartcard doesnot follow the physical transport protocol exactly. Such ﬁndings are presented in detail,along with a discussion of the results.