Random projects

Many Hardware Security Modules (HSMs) use smart cards to store cryptographic material, export the Storage Master Key (SMK), application keys, and authenticate Security Officers and Crypto Officers.

These smartcards are often stored in Tamper Evident Bags (TEB) to provide a chain of custody and prove that no-one has read or otherwise tampered with the card. Unfortunately this is not secure; it's trivial to read the card through the TEB in a way that is almost undetectable.

If you need to mail a smart card, or store it in a safe, it should be placed in a hard-shell case, which should be sealed with tamper evident seals, and then placed in a TEB. My standard suggestion for this was to use (clear) PCMCIA card holders and foil tamper evident seals, but it is increasingly hard to find the clear PCMCIA card holders - the Pelican 0915 SD Memory Card Case or Pelican 1040 Micro Case both look like they might work (the SD Card case doesn't have a clear front, which is unfortunate).

This is surprisingly easy to do. I had done this in 2010, but since I deleted the writeup, I am redoing it here.

An HSM smart card is just a "standard" smart card and the contact layout is almost exactly the same as an 8-pin DIP (dual in-line package). I took a cheap USB smart card reader ($20 on Amazon), and removed it from its packaging.

I soldered a cheap 8-pin DIP socket onto the reader slide contacts (the "cheap" through-hole DIP sockets work better than the better quality milled ones, as the tips are sharper). Smart card readers have a switch which is activated when the card in inserted (bottom right of the second picture above) - I bridged across this with a small pushbutton, to allow me to activate it on demand.

The "points" of the DIP socket can now be placed outside the bag, just above the contacts. Pressing down and "wiggling" the reader will make the points pierce the bag, and make contact with the smart card, allowing the card to be read through the bag - these holes are tiny, and difficult to see, especially if done carefully and above the bag label.

If you know where to look, this attack is detectable - a better resourced attacker could easily replace the (large) 8 pin DIP with something like 7X Tungsten Cat Whisker Fine Probes. I only have much larger die probes (and only a small number of these), but even with these the plastic seems to self-heal after poking them through. 

In summary, don't just trust a tamper evident bad - they are primarily designed for protecting deposits, or chain-of-custody of evidence, not protecting something like a smart card. Instead, seal the smart card in a hard-shell case, place numbered and signed tamper evident seals on all sides of the case, and then place this entire set in a (numbered and signed) tamper evident bag. 

I've put a video demonstrating reading the card here: https://www.youtube.com/watch?v=oMDpXdDU1G4&feature=youtu.be

Output:

Tue Mar 24 09:57:49 2020
 Reader 0: Gemalto PC Twin Reader 00 00
 Event number: 49
 Card state: Card inserted,
 ATR: 3B 2A 00 80 65 A2 01 02 01 31 72 D6 43

ATR: 3B 2A 00 80 65 A2 01 02 01 31 72 D6 43
+ TS = 3B --> Direct Convention
+ T0 = 2A, Y(1): 0010, K: 10 (historical bytes)
 TB(1) = 00 --> VPP is not electrically connected
+ Historical bytes: 80 65 A2 01 02 01 31 72 D6 43
 Category indicator byte: 80 (compact TLV data object)
 Tag: 6, len: 5 (pre-issuing data)
 Data: A2 01 02 01 31
 Tag: 7, len: 2 (card capabilities)
 Selection methods: D6
 - DF selection by full DF name
 - DF selection by partial DF name
 - DF selection by file identifier
 - Short EF identifier supported
 - Record number supported
 Data coding byte: 43
 - Behaviour of write functions: write OR
 - Value 'FF' for the first byte of BER-TLV tag fields: invalid
 - Data unit in quartets: 8

Possibly identified card (using /usr/share/pcsc/smartcard_list.txt):
3B 2A 00 80 65 A2 01 02 01 31 72 D6 43
3B 2A 00 80 65 A2 01 .. .. .. 72 D6 43
 Gemplus MPCOS EMV 4 Byte sectors
3B 2A 00 80 65 A2 01 02 01 31 72 D6 43
 MPCOS-EMV 64K Functional Sample
 THALES nShield Security World
 THALES NCIPHER product line

Tue Mar 24 09:57:50 2020
 Reader 0: Gemalto PC Twin Reader 00 00
 Event number: 50
 Card state: Card removed,

Tue Mar 24 09:57:51 2020
 Reader 0: Gemalto PC Twin Reader 00 00
 Event number: 51
 Card state: Card inserted,
 ATR: 3B 2A 00 80 65 A2 01 02 01 31 72 D6 43

ATR: 3B 2A 00 80 65 A2 01 02 01 31 72 D6 43
+ TS = 3B --> Direct Convention
+ T0 = 2A, Y(1): 0010, K: 10 (historical bytes)
 TB(1) = 00 --> VPP is not electrically connected
+ Historical bytes: 80 65 A2 01 02 01 31 72 D6 43
 Category indicator byte: 80 (compact TLV data object)
 Tag: 6, len: 5 (pre-issuing data)
 Data: A2 01 02 01 31
 Tag: 7, len: 2 (card capabilities)
 Selection methods: D6
 - DF selection by full DF name
 - DF selection by partial DF name
 - DF selection by file identifier
 - Short EF identifier supported
 - Record number supported
 Data coding byte: 43
 - Behaviour of write functions: write OR
 - Value 'FF' for the first byte of BER-TLV tag fields: invalid
 - Data unit in quartets: 8

Possibly identified card (using /usr/share/pcsc/smartcard_list.txt):
3B 2A 00 80 65 A2 01 02 01 31 72 D6 43
3B 2A 00 80 65 A2 01 .. .. .. 72 D6 43
 Gemplus MPCOS EMV 4 Byte sectors
3B 2A 00 80 65 A2 01 02 01 31 72 D6 43
 MPCOS-EMV 64K Functional Sample
 THALES nShield Security World
 THALES NCIPHER product line

Tue Mar 24 09:57:51 2020
 Reader 0: Gemalto PC Twin Reader 00 00
 Event number: 52
 Card state: Card removed

I have a Westover Scientific P5000 fiber scope. I like the device itself, but the last time ThermoFisher released software for it was 2010, and it required Windows® XP or Vista Operating System (or, with much fighting, possibly Windows 2000). Based on the price of the device this is annoying, but ThermoFisher seems to often abandon their products.

Anyway, I haven't been able to find a nicer fiber-scope, and it was really annoying me that I could no longer use this one - it's basically just a camera and some funny optics, and so I decided to try and fix it (the other alternative was tidying my office,  and that sounded like less fun...) I ended up swapping out the sensor and electronics for a cheap webcam module. Here is my build journey in case anyone else wants to do the same...

It uses Torx screws (for some reason the optics module uses security Torx).

Inside is an optics package, a small sensor board, and a larger video to USB board. Connecting the two boards together is a flat-flex cable. It uses the same cable that the Raspberry Pi camera module uses; I was initially excited, hoping that this might be a standard pinout, and I could just slap a Raspberry Pi in intead, but no such luck. I pulled out the electronics, and then took apart a Logitech webcam, hoping that I could replace the sensor module with the guts from the Logitech - this almost worked, but like the fiber scope the webcam has two boards, and the connector on the sensor board faces "forward", which would get in the way of the optics package. The connector seems to be 0.2mm pitch, and so it wasn't really fesiable to desolder it and run nrew traces or move it to the back of the board.

Instead I found a small USB webcam module - ELP megapixel Super Mini 720p USB Camera Module with 120degree Lens and replaced the sensor and electronics with this. Unfortunatly it did require carving a way a little bit of the casing with a Dremel tool, and I got a  bit impatient and cut all the way through, but it still looks and works well.

Picture of the optics module. It is basically a microscope, and a blue illumination LED, with a 45-degree beamsplitter to allow the LED to illuminate the front surface of the fiber. The LED sits in the front, and seems to be powered by ~3.3V

The webcam module - this was $29USD from Amazon. The webcam module I chose has a 120 degree field of view, but this isn't really important, because I remove all of the optics and am only using the sensor. The module itself on a (I'm guessing?) standard size PCB, but has "slots" to allow the outer part of the board to be removed.

Finding a handy 3.3V source to power the LED. There is a handly looking set of contacts (lower left), unfortunatly they are GND and USB 5V. Probing around I found a handy 3.3V supply

Snipping off the "break away" outer board. I'm assuming that both the outside and inside boards are a standard size

Removing the original sensor mount from the sensor board. The adapter screws into the back of the optics package, and protects to sensor. I used a heat gun to heat up the mounting glue, and popped it off. After removing the lens assembly from the new webcam module, it slides nicely into this mount, and a dab of hotglue holds it nicely in position. The adapter has some slots to allow fine-tuning of the sensor position.

In order to make this particular webcam module fit, I had to trim the case slightly with a Dremel tool - I'm sure I could have found a smaller camera module (I considered using an endoscope, but that seemed like more trouble than I wanted to deal with). I got somewhat impatient / over-enthusiastic, and ground through the edge of the case, but a smaller board or a bit more patience should solve this. I also added some pennies to give the unit a slightly nicer heft. 

As it now contains a standard webcam, this now works perfectly on Linux and Apple macOS X devices without any sort of drivers

We have a Joule sous vide which recently developed an issue - the motor which drives the impeller started sounding like it was struggling, and then one day it just stopped in mid cook. 

We do not have particularly hard water, but I tried the standard "run it in a vinegar / water solution" - this made a tiny improvement, but not enough to make a useful difference. I looked some online, but wasn't able to find any repair instructions - there were a number of posts showing that bits are glued in, and so it cannot be disassembled easily. 

 Anyway, I was not happy throwing it away, so I decided to try fix it - this worked for me, it may or may not work for you as well. Obviously, do this at your own risk, I take no responsibility for, well, anything...

 Firstly, get some thin silicon oil - I use "Super Lube 56104 Silicone Oil 100 CST" - you are looking for something thin, silicone grease won't work for this.

Flip the Joule over, and use some tape to block off the water outlet - I used Kapton tape because it was handy, and knew that the adhesive would survive the oil.

Remove the impeller - it has a small hole in it specifically for using a fork to pop the impeller off.

Squirt a little bit of the oil in (another advantage of Kapton tape is that you can see the liquid level) - I filled it to around 1/2 way up the water exit hole. Now, leave it to sit for a few hours. Every now and then wiggle the shaft - it is remarkably stiff, and so can take a fair bit of force, but don't push too hard or you might bend it. Basically, you want to try get some of the oil to slide down the shaft so it lubricates the seal.

After a few hours I was getting impatient, and so I bent a paperclip into a small hook, chucked it in a drill, and used this to spin the impeller for a while. After I'd done this the shaft was noticeably easier to turn, so I flipped it over and tested it -- and it now runs like new...

I've long been a fan of the Airconsole portable Wifi / Bluetooth to Serial devices. They always work well, they connect to anything, and it is really nice to be able to have a console connection without having to ballanve your laptop on the edge of a rack / router / whatever.

They recently released the Airconsole LE - a portable, long battery life BLE based unit. Unfortunatly it is much larger than it needs to be - and I mainly carry a console server for emergency use. If it takes up too much space in my bag, I won't carry it, and then it is of no use.

Don't get me wrong - Get Console / Airconsole are still awesome, this particular prodict of theirs could just be even better!

The huge majority of this size comes from the comically large RJ45 connector - I get that they built it ruggedly so that it would survive being knocked about / used as a handle for carrying switches around, etc, but this is taking it a bit far!!

I ended up disassembling it and using a dremel tool to cut away the majority of the strain releif on the back of the connector.

I then printed a 3D case out of glow-in-the-dark fillament. Partly this was because this was what was already loaded in my printer, but also so that it might be a little easier to find in the depths of my bag. It is now almost 1/2 as long, and much thiner and narrower as well (the new case slides competely inside the old one :-)