santomet/pv204_project

🔴 Security Vulnerability: PIN is hardcoded in the source code of the PC application

mvondracek opened this issue · 0 comments

  • Severity: HIGH
  • Vulnerability Class: hardcoded credentials
  • Description: SimpleAPDU has hardcoded PIN="0x01 0x02 0x03 0x04". This means that all instances of this PC application used by all users have the same fixed PIN. Once this information leaks, the attacker knows the PIN of every user. A similar issue as in #5.
  • Exploit: Use a hardcoded PIN.
  • Remediation: The PIN must not be hardcoded in the source code of the PC application. The application must obtain the PIN exactly once before the secure session (key agreement) with the applet on the card is established. The PIN must be discarded when the secure session is correctly established to prevent subsequent memory dump attacks.
  • Location: simpleapdu/SimpleAPDU.java:125

Discovered by Team Emerald.
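
The remediation above, sketched as an added example that is not part of the issue or the project's code: the PIN is read once from the console, handed to session establishment, and wiped afterwards. `SessionOpener`, `PinPrompt` and the one-byte-per-digit encoding (typed "1234" becoming 01 02 03 04) are assumptions made for illustration.

```java
import java.io.Console;
import java.util.Arrays;

public final class PinPrompt {
    /** Hypothetical stand-in for the project's key agreement with the applet. */
    interface SessionOpener<S> {
        S open(byte[] pin) throws Exception;
    }

    /** Assumed encoding: one byte per typed digit, e.g. "1234" -> 01 02 03 04. */
    static byte[] digitsToBytes(char[] digits) {
        if (digits.length == 0) {
            throw new IllegalArgumentException("PIN must not be empty");
        }
        byte[] pin = new byte[digits.length];
        for (int i = 0; i < digits.length; i++) {
            if (digits[i] < '0' || digits[i] > '9') {
                Arrays.fill(pin, (byte) 0); // wipe the partial copy before failing
                throw new IllegalArgumentException("PIN must contain digits only");
            }
            pin[i] = (byte) (digits[i] - '0');
        }
        return pin;
    }

    /** Asks for the PIN once, opens the session with it, then wipes both buffers. */
    static <S> S openSessionWithPrompt(SessionOpener<S> opener) throws Exception {
        Console console = System.console();
        if (console == null) {
            throw new IllegalStateException("No interactive console; refusing to read PIN");
        }
        char[] typed = console.readPassword("Card PIN: "); // not echoed
        if (typed == null) throw new IllegalStateException("No PIN entered");
        byte[] pin = null;
        try {
            pin = digitsToBytes(typed);
            return opener.open(pin);
        } finally {
            // Runs on success and on failure, so the PIN does not outlive this call.
            Arrays.fill(typed, '\0');
            if (pin != null) Arrays.fill(pin, (byte) 0);
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed opener for the demo: reports only the PIN length.
        System.out.println(openSessionWithPrompt(pin -> "session opened, PIN length " + pin.length));
    }
}
```

The PIN is kept in `char[]` and `byte[]` rather than a `String`, because a `String` is immutable and cannot be overwritten after use.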