circuit component could be a security threat? - security

I've a question,
If some extra component exists on an electronic circuit, is it a security threat? For example, in a VGA card, if a component other than its standard components exists on it, is it a security threat?
Is there any paper about this? I've searched the web, but up to now, couldn't find a proper paper.
Thanks

There has been some new coverage of examples of something similar being done with routers, such as this article from The Guardian:
The NSA routinely receives – or intercepts – routers, servers and other computer network devices being exported from the US before they are delivered to the international customers. The agency then implants backdoor surveillance tools, repackages the devices with a factory seal and sends them on.
(...)
Eventually, the implanted device connects back to the NSA.
(...)
It is quite possible that Chinese firms are implanting surveillance mechanisms in their network devices. But the US is certainly doing the same.
There's a little more (and also some blurry images purported to be of NSA operatives in action) in this TechRadar article.
These deal with bigger components though - as in whole routers getting tampered with - not just a small circuit or card, so this may not be exactly what you are looking for(?). Still it gives an indication of not just what is possible, but also of some of the motivations that exist; it's a pretty brazen act for the NSA (or anyone else) to intercept and tamper with hardware in this way, yet it does happen.

Related

How is IoT communication different from normal PC communication?

There are many articles on the internet, and research, on the point that there is a need to make IoT communication more secure. What are the differences between IoT communication and conventional communication that give rise to the need for so much extra research, the emergence of new communication protocols, etc.? I may be missing some crucial point here.
IoT devices are cheap, small and have limited processing power. Therefore, their software typically doesn't contain the security features of desktop operating systems (implementing an SSL protocol is just not possible on many devices, because they don't have enough capacity). Despite that, IoT devices such as smartwatches transmit highly sensitive information, such as the whereabouts of its wearer and things like his night-time activities...
Additionally, many cheap IoT devices come with one preinstalled, unchangeable software. Or software that never gets any updates after the product is launched. This makes it easy for hackers to abuse these devices once a security leak is found in the code.

Transferring Bluetooth connection via the Internet

I always wondered what my first question on StackOverflow would be, since everything I'm looking for has already been asked. (I found only one similar question here: Bluetooth data transfer between two countries.)
BACKGROUND STORY:
I have been a fan of the Nokia N-GAGE since it came out. It's a Nokia phone from 2003 with dedicated games. In its heyday, 2003-2007, it had single-player, multi-player via Bluetooth, and a dedicated internet service, N-GAGE ARENA, for competing with people all over the world.
N-GAGE ARENA servers were disabled about 2008 and, as far as I understand, it isn't even worth trying to resurrect such an infrastructure. Mainly because it requires modifying the code of each game and that's illegal.
Multiplayer mode using Bluetooth works fine, but requires the opponent to be 5m away at most.
Nokia sold 1mln copies of this phone, and there are still people all over the world collecting N-GAGE games. I have a dream: I want to reactivate the possibility of playing multiplayer with people from all over the world.
PROBLEM DESCRIPTION:
I want to use the Bluetooth multiplayer mode by extending the usual N-GAGE to N-GAGE Bluetooth connection with an additional 3 elements. Two N-GAGEs, instead of connecting directly to each other as host-join, connect via a PC / smartphone application that communicates with the server, which transmits the full data sent from the game of one user to the game of the opponent.
I admit that I do not have full knowledge of technical limitations. In my opinion, as a software engineer, it is theoretically possible, but I want to consult you, people more familiar with the subject. Maybe someone is working on a similar project and can comment.
WHAT DO I KNOW:
The application would have to transmit all data from the Bluetooth connection so as not to disturb the illusion of a direct connection between N-GAGEs.
The application must enable the selection of an opponent on the basis of the game. The choice itself could be made on the basis of some kind of chat in which users first define what they are playing, who’s the host, and then the connection is made.
WHAT DO I WANT TO KNOW:
Is what I describe even possible?
Is such capturing and forwarding of a Bluetooth connection even possible?
Does the development of technology in these 15 years allow me to transfer a Bluetooth connection in real time through 2 additional devices and an Internet connection?
I WOULD BE GRATEFUL FOR:
Any technical tips, literature that can help me to understand my limitations.
Any constructive criticism. Of course, before I start doing such a project I have to confirm that it isn't a utopia. For me it's a side project, I'm able to spend years on it, but I don't want to get to a dead end after all the effort.
Is what I describe even possible?
Yes, yes it is. Your hardest part will be setting up a transceiver to interpret the I/O. Your failure point would be super-encrypted messages and making transmission difficult...
If it's clear I/O you can signal this through any server and output it back to the transceiver to output. Confusing but possible, just not sure of the design or how Bluetooth sends its data.
Is such capturing and forwarding of a Bluetooth connection even possible?
If a connection is possible then forwarding it is too. Considering this piping the transports.
Does the development of technology in these 15 years allow me to transfer a Bluetooth connection in real time through 2 additional devices and an Internet connection?
Bluetooth real-time no... with added network latency, you're looking at anything from 1-200ms~. You may be able to improve it?
Overall I think if you can:
Connect the device to the PC, and have the PC talk back to the device through Bluetooth
Read the data that goes in and out
Encryption proves little or none at all to be able to signal the data properly, tricky to explain you'll know though if there's a wall.
All should be possible it doesn't overly go against the grains but do more homework this is very valid.

RFID card programming cryptographically secure

I am trying to develop a custom cryptographically secure protocol for authenticating through an RFID smart card; all I can find on the internet is generic info on how to write static tags onto the card.
For my project I need the reader to send a challenge nonce to the card (fixed-length random bytes), then the card should send back the challenge encrypted with the hard-coded key (for example with AES CBC) or a hash HMAC.
The problem is: how can I program the card to behave this way? I can write the code to do so, but how do I "flash" it to the card? Also the code for the reader is not a problem (I want to use an Arduino with a reader module).
And then, does a passive chip have enough power to do this kind of calculation, or is it better to use an active one, considering that the distance would be a few centimeters, such as behind a door?
A passive tag can't do this. Those just hold serial numbers that they spit out back.
You need some smarter card. You have basically two choices:
1) Choose a general-purpose card that fits your needs
The authentication scheme you describe is very widely used, and implemented by virtually all general-purpose smart cards, whether with contact or contactless (RF) interfaces (or both). If you go this way, you don't need to program the card with your own code, you just need to get the specs and initialize the card with the key value you want by sending the appropriate commands. And actually, with these cards, there are often generic tools available to initialize them. Easy.
Mifare (by NXP), for example, is very widely used, easily available, and cards are cheap (drawback: they are certainly not the most secure cards ever made). You could use Mifare Classic - with proprietary NXP security protocol - specs here (be careful, the reader must be compatible) or Mifare UltraLight C, with open 3DES crypto - specs here. There are other variants, as well (e.g. Mifare Plus, which uses AES). Just don't go for the simple Mifare Ultralight, which doesn't provide authentication means. You'll see that for all these types of cards, there is a built-in authentication scheme that can functionally fulfill your needs (it is actually a mutual authentication, so it does more than what you require, but it's fine).
FeliCa (made by Sony), ACOS3 (made by ACS - specs here) are other possibilities, although I'm less familiar with them.
2) Get programmable cards
There are some, but they are not very easy to find for contactless and they are very expensive. You can look up:
BasicCard (ZeitControl), which exists with dual interface. Those cards are programmable in Basic, and there are some kits available (but I'm not familiar with it either).
JavaCard (any manufacturer), which is a standard, but those are hard to find for small volumes. A few online shops seem to have some, though. These cards are programmable in Java (actually a subset of Java). There are tools available for the development phase (from Oracle, or even as Eclipse Plugins, for example). Then, for loading your custom applet in the smart card, you need to get familiar with GlobalPlatform, which is another (publicly available) standard, describing the way applications are managed in a smart card. This would be too broad to describe in detail here, though. You can find resources on the internet, but this road is definitely the most difficult.
Note that NFC just describes the communication method and tells nothing about the intelligence available on the other side.
More intelligence is needed (the command you seem to look for is called EXTERNAL AUTHENTICATE in ISO 7816-4), but does not help for your range problem, since the weaker the field, the less power is available. The idea of having communication through the door will only work for doors which are so weak, that a high-tech electronic protection won't improve overall security. The maximum distance achievable with standard field strength (heart pacemakers and similar devices limit that one) with nothing more than air between suffices typically for something like 10 centimeters. So for me it seems that your reader has to be on the outside and needs to be mechanically hardened against tampering itself.
(What would help, is a "card" with its own power source, so the field is only required for communication. As far as I know, this is mostly provided by a sort of external sleeve.)
What dim fails to mention is the product group of so-called native cards, which are typically only programmable with significant manufacturer support (non-disclosure agreement, probably fee involved), but luckily contain functionality for most use cases already, in your case the commands Get Challenge and External Authenticate.
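The challenge-response exchange discussed in this thread, as an added example that is not part of the original posts: the reader issues a random nonce, the card returns an HMAC over it, and the reader accepts each nonce once only. `SimulatedCard`, `Reader`, the 16-byte nonce and the choice of HMAC-SHA256 are assumptions made for illustration; on a real card the MAC is computed on-chip and the key never leaves it.

```python
import hashlib
import hmac
import secrets

NONCE_LEN = 16  # challenge length in bytes (assumed; the post only says "fixed length")

class SimulatedCard:
    """Stand-in for a smart card: holds the key, only ever outputs MACs."""
    def __init__(self, key: bytes):
        self._key = key

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._key, challenge, hashlib.sha256).digest()

class Reader:
    """Issues one-time challenges and checks the card's response."""
    def __init__(self, key: bytes):
        self._key = key
        self._pending = set()  # challenges issued and not yet used

    def new_challenge(self) -> bytes:
        nonce = secrets.token_bytes(NONCE_LEN)
        self._pending.add(nonce)
        return nonce

    def verify(self, challenge: bytes, response: bytes) -> bool:
        # Each challenge is consumed on first use, pass or fail, so a
        # recorded (challenge, response) pair cannot be replayed.
        if challenge not in self._pending:
            return False
        self._pending.discard(challenge)
        expected = hmac.new(self._key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)  # constant-time compare

def demo() -> dict:
    key = secrets.token_bytes(32)  # constructed sample key
    reader, card = Reader(key), SimulatedCard(key)
    other = SimulatedCard(secrets.token_bytes(32))  # card with a different key
    c1 = reader.new_challenge()
    r1 = card.respond(c1)
    out = {"genuine": reader.verify(c1, r1)}
    out["replayed_pair"] = reader.verify(c1, r1)
    out["old_response"] = reader.verify(reader.new_challenge(), r1)
    c3 = reader.new_challenge()
    out["wrong_key"] = reader.verify(c3, other.respond(c3))
    return out

if __name__ == "__main__":
    print(demo())
```

Only the genuine first response is accepted; the replayed pair, the old response against a fresh challenge, and the card with a different key are all rejected, which is the property a static serial number cannot provide.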

Where can I find the transaction protocol used by Automated Teller Machines?

I'm doing a grad-school software engineering project and I'm looking for the protocol that governs communications between ATMs and bank networks.
I've been googling for quite a while now, and though I'm finding all sorts of interesting information about ATMs, I'm surprised to find that there seems to be no industry standard for high-level communications.
I'm not talking about 3DES or low-level transmission protocols, but something along the lines of an Interface Control Document; something that governs the sequence of events for various transactions: verify credentials, withdrawal, check balance, etc.
Any ideas? Does anything like this even exist?
I can't believe that after all this time the banks and ATM manufacturers are still just making this up as they go.
A shorter question: if I wanted to go into the ATM software manufacturing business, where would I start looking for standards?
Well, there are lots of interbank networks. I would guess that each of them communicates differently. The stickers on the ATM (Cirrus, STAR, Pulse, etc...) identify which network the machine participates in. I do believe, though, that the "structure" of the message is dictated by an ISO standard. Cirrus is a Mastercard owned network and PLUS is a Visa owned network... I'd scour their sites to see if they publish any API details.
Edit, by request:
Have a look at the following ISOs 15022, 20022, 9362 and 4217 -- http://en.wikipedia.org/wiki/Category:Financial_routing_standards
ISO 8583 is dominant.
Also, take a look at EMV.
The ATM to bank link can be proprietary or standard. It is only upstream where inter-organisation wire level interoperability is needed, that standards become always necessary.
ISO 15022 definitely doesn't cover ATM to bank. So far, it covers further upstream. And is now superseded by ISO 20022 - "originally named ISO 15022 2nd edition".
ISO 20022 covers the total scope of financial services, and acts as a super forum for ISO financial services protocols.
There are two basic protocols, ISO8563 and IFX (a financial XML subset), but many banks use protocols supplied by the vendor, because these include device driver protocols that drive the ATM 'States'. There is also a reporting protocol where the ATM reports its cash and usage statii.

How to programmatically use the mobile phone's IrDA to remote control a media player?

Which API or library on which mobile OS is to be used when one needs to write code to use the phone's IrDA to create the necessary impulses to remote control consumer electronics, e.g. an HDD media player?
Is maybe a certain mobile OS better suited for that kind of application than others?
First you need to know that IrDA is not the best choice for remote control. It can be done, but IrDA is by design high speed/low range, you can emulate low speeds but ranges (IMO) are far from practical usage (Nokia e50 is able to control digital camera shutter from 2-3m... with very, very careful aiming). The amount of hacking needed to achieve this is shown here, you basically need to trick IrDA to send correct impulses with correct frequency.
The second thing is that CIR remote control is not as simple as you might think. There are countless standards that differ in used frequency, modulation, wavelength, command codes and so on. You need to know what you want to support. LIRC site can be very helpful in determining that http://lirc.sourceforge.net/remotes/. Approachable explanation of what it all means is available here: http://www.sbprojects.com/knowledge/ir/ir.htm
As for ready made libraries and platforms... I honestly don't know. I've seen it done on PocketPC (nevo among others) and Symbian S60 (irRemote). Haven't seen working J2ME app yet.
Last time I needed the IR remote I hacked it together using IR diode, AVR ATTiny and surprisingly short piece of assembly :)
