On 30th of May the Council issued its general approach on the Cybersecurity act which is currently examined by the ITRE Committee of the European Parliament.
Eurosmart, the voice of the European Digital Security industry, welcomes the Council proposal to carry out mandatory penetration testing (also known as Ethical Hacking) for assurance level “high” while evaluating the resistance level to potential attack of a product or a service.
Penetration testing or ethical hacking is the only rigorous way to evaluate the robustness of an ICT product and to check that the security functionalities required by the state of the art are correctly implemented.
“Our digital world is more and more interconnected; it processes a huge quantity of sensitive personal data. The Cybersecurity act must consciously tackle these evolving risks,” explained Stefane Mouille, President of Eurosmart. “Products and services are continuously exposed to the threat of highly skilled malicious attackers who can exploit unchecked vulnerabilities. The European Cybersecurity model cannot suffer from a lack of seriousness when evaluating products; with no strategic ethical hacking process, the detection of ICT product vulnerabilities remains impossible. Such vulnerabilities undermine European cybersecurity, which would run the risk of massive cyberattacks.”
The Digital Security Industry has a long track record in performing ethical hacking while evaluating its products. Eurosmart is one of the founding fathers of SOG-IS, which coordinates the development of high-level certificates. Ethical hacking is therefore a proof of excellence of the Digital Security Industry in Europe as well as a unique asset for European players in a global market.
Eurosmart urges the European Parliament and the members of ITRE Committee to take penetration testing and ethical hacking into consideration and to extend it to level “substantial”. This is a fundamental element to make the European Digital single market the safest possible environment both for citizens and for the Industry.
Ethical Hacking (pen-testing, penetration testing) is the act of locating weaknesses and vulnerabilities of devices and information systems by anticipating the intent, actions and skills of malicious hackers. Ethical Hacking is done for a defensive purpose, with the objective of improving the security of devices and information systems and of giving assurance that they will resist attacks with similar intent, actions and skills once released and operated.
Eurosmart has noted the publication by Gildas Avoine (Rennes University, INSA Rennes) and Loïc Ferreira (Orange Labs) on a potential vulnerability in the SCP02 protocol, published yesterday on the TCES website.
This new publication reports a known attack but applied in a new context.
For a long time, Eurosmart has been recommending that additional security measures be added to SCP02, such as pre-encrypting sensitive data, restricting its usage to trusted environments, or other means appropriate to enhance the security of SCP02.
The Q&A below develops in more detail the questions you may have as a Eurosmart technology end-user.
Eurosmart is committed to developing, promoting and maintaining the appropriate security level for its products, solutions and protocols.
What is retrieved is the plaintext in question (not the key), and from only one card.
Pre-encrypted data cannot be retrieved in the clear.
The conditions for performing the attack on SCP02 are as follows:
· The attacker must be able to intercept and modify messages between the server and the card in an open environment;
· The attacker must be able to perform precise timing measurements (distinguishing wrong padding from good padding), with either access to the device or the ability to load spy malware;
· The same plaintext must be sent enciphered several times (around 128 times to disclose a single byte of information), either to different cards with different keys or to the same card with different session keys.
The attack is not applicable to the electrical personalization of banking applets (all sensitive data are over-encrypted).
The attack is not applicable if personalization is done in a secure place (the personalization site is usually certified by schemes or operated as a trusted environment).
The attack is not applicable if personalization is done over the air (OTA) through an SCP80/SCP81 secure channel.
The attack is not applicable to data that are encrypted using the Data Encryption Key (DEK).
For ongoing programs using SCP02, the GlobalPlatform Security Task Force recommends the following simple rules:
· Use ICV encryption recommendation from GPC_FAQ_021;
· Encrypt all sensitive data transmitted in SCP02 using the Data Encryption Key (DEK) or any applet key;
· Disable SCP02 if there is no need to update the card in the field;
· Add SCP03 in the card platform to be able to smoothly switch to AES crypto.
Restricting the use of SCP02 to trusted environments can also be considered a valid alternative.
In March 2018 GlobalPlatform issued a security informative note about the evolution of the threats related to Secure Channel Protocol 02 (a.k.a. SCP02), as specified in the Card Specification document.
GlobalPlatform has marked this protocol as deprecated in the current version of the GlobalPlatform specification (Card Specification v2.3.1).
Refer to the GlobalPlatform recommendations as described in the informative note: https://www.globalplatform.org/documents/Security_Informative_Note1_FINAL.pdf
Eurosmart, ‘The Voice of the Digital Industry’ among the European and National Institutions and the Brussels eco-system, is proud to welcome three new members as part of our association.
The Association, through these three memberships, gains critical technical competence in three different areas: firstly, in the biometry technology sector with Bactech; secondly, in the Common Criteria and IT security certification schemes with Internet of Trust; and finally, in functional conformity testing of ePassport, eDL, eID, NFC and EMV payment means, as well as the Mobile ePassport and Mobile eDL, with KEOLABS.
“Eurosmart has actively supported the SOGIS MRA for over 20 years and offers a unique position to address the challenges of today’s digital market security certification. Internet of Trust is already involved in the definition and operation of several global certification schemes, and this membership is the opportunity to contribute to the convergence between proven practices and the new ENISA mandate in the near future,” Claire Loiseaux, CEO of Internet of Trust, said.
“Being part of Eurosmart is a strategic evolution for KEOLABS: given that we are a 40-employee SME, following the decision makers’ activity has become harder, particularly regarding the dematerialization of physical documents on the mobile phone,” Michael Leplatois, President of KEOLABS, said.
“Apple transformed biometric technologies from a ‘police & justice’ topic into a ‘cool technology’ for end users, making their life simpler. The Eurosmart working group on biometry technologies is a key moment to bring security knowledge from forensic labs towards commercial device makers. Bactech is proud to bring its 20 years of expertise in biometrics and its biometric system performance and security evaluation lab capabilities to this lasting and renowned industry association,” Claude Barral, CEO of Bactech, said.
“As Eurosmart President, I am extremely honored and proud to count three new SME experts in cyber security, digital identities, security certification schemes, biometry technologies and conformity testing of critical infrastructures.
This shows that EU big companies and EU SMEs are extremely complementary: we have to keep in mind that 95% of the cyber security, digital identity and biometry technology providers in Europe are SMEs,” Stefane Mouille, President of Eurosmart, added.
Eurosmart, the Voice of the Digital Security Industry, is an international non-profit association located in Brussels, representing the Digital Security Industry for multisector applications. Founded in 1995, the association is committed to expanding the world’s Digital secure devices market, developing smart security standards and continuously improving the quality of security applications.
Members are manufacturers of secure element, semiconductors, smart cards, secure software, High Security Hardware and terminals, biometric technology providers, system integrators, application developers and issuers.
Eurosmart members are companies (Fingerprint Cards, Gemalto, Giesecke+Devrient, GS TAG, IDEMIA, IN GROUPE, Infineon Technologies, Inside Secure, Internet of Trust, Linxens, Nedcard, NXP Semiconductors, +ID, Real Casa de la Moneda, Samsung, Sanoïa, STMicroelectronics, Toshiba, Trusted Objects, WISekey, Winbond), laboratories (CEA-LETI, KEOLABS), research organisations (Fraunhofer AISEC), associations (SCS Innovation cluster, Smart Payment Association, Mobismart, Danish Biometrics).
Director of operations
Mobile: +32 471 34 59 64
Joint statement by Eurosmart, SPA and SIMalliance pointing out that used smart cards are not to be considered Electrical and Electronic Waste.
In recent months, customers of the smart card industry have raised the question whether smart cards and smart card based products (e.g. SIM cards, payment cards, electronic passports, electronic ID cards, health insurance cards) fall under the scope of the WEEE Directives. The industry is aware of the fact that at least some Member State authorities, i.e. national WEEE registers, have published opinions indicating that smart cards are in scope of the WEEE Directive, although different interpretations still apply in other Member States. This raises severe objections within the industry and among subject matter experts, driven by strong concerns about clearly identifiable security and privacy risks.
In this paper, we discuss this subject from a legal perspective (first chapter), while also considering security and privacy (second chapter) and political aspects (third chapter).
Investigating the legal situation under the first WEEE Directive 2002/96/EC, industry holds that smart cards do not fall within the scope of this directive, in line with a former FAQ of the European Commission. The main arguments are outlined below:
If electrical or electronic parts of smart cards or similar products are mere components of the cards or similar products and not EEE in terms of the WEEE Directive, such cards or products are not within the scope of Category 3 of Annex IA to the WEEE Directive.
· The scope of the WEEE Directive is limited to the categories set out in Annex IA to the WEEE Directive. Whereas Annex IB to the WEEE Directive contains a not exhaustive list of examples, a product is within the scope of the regulation only if it can be assigned to one of the categories according to Annex IA to the WEEE Directive.
· Thus, the scope of the categories cannot be widened by an extensive interpretation of the binding categories according to Annex IA to the WEEE Directive. (cf. German Federal Administrative Court, Ruling of 21 February 2008, Case 7 C 43.07 and Ruling of 23 September 2010, Case 7 C 20.09).
· Against this background smart cards and similar products like electronic passports or health insurance cards are not “IT and telecommunications equipment” as such products are not used for the collection, storage, processing, presentation or communication of information but for other purposes like payment or identification. Moreover, the user of these products has no direct access to the data incorporated and cannot use the card for the purposes mentioned in Annexes IA and IB to the WEEE Directive.
If electrical or electronic parts of smart cards are considered EEE themselves (e.g. chip or RFID tag), the complete smart card product would be exempted from the scope of the WEEE Directive: The card or passport provides additional functionality, which is not dependent on electric currents or electromagnetic fields (e.g. regarding information shown on the card or passport for identification or security purposes like photo, signature, name, address, validity, passport or credit card number). The card or passport therefore is not mere packaging but another product that, in general, does not fall within the scope of the WEEE Directive. EEE being part of such product is exempted from the scope according to Article 2 (1) of the WEEE Directive.
Additionally, the required current demand cannot be assigned to the card, which often acts as a passive device with a respond-only functionality, but exclusively to the reading device (ATM, handset, contactless terminal...). Note that smart cards do not include batteries but receive their energy from an external electromagnetic field. From this angle too, the card is not an electronic device under the definition of EEE.
Industry is convinced that all of the above legally holds at least until the recast of the current directive. This is based on the assumption that the new Directive 2012/19/EU only applies to EEE that was within the scope of the former Directive 2002/96/EC, i.e. not to smart cards. Looking forward, there are, apart from pure legislation, strong arguments why smart cards should not fall under the scope of WEEE. The same reasoning applies to (contactless) chips: following this argument, under the WEEE Directive from 2012, if the chip does not fall under the Directive, then the smart card as such does not fall under the Directive either, see the table below:
Smart cards are in this sense:

| EEE | 2002 WEEE Directive | 2012 WEEE Directive |
|---|---|---|
| Equipment which is part of another type of equipment that is excluded from or does not fall within the scope of this Directive | Excluded: “the equipment concerned is part of another type of equipment that does not fall within the scope of the Directive”. | Excluded: “Equipment which is specifically designed and installed as part of another type of equipment that is excluded from or does not fall within the scope of this Directive, which can fulfil its function only if it is part of that equipment”. |
Industry develops, produces and markets the products involved in accordance with the highest standards to ensure the best possible data protection and security features and to prevent misuse. Industry is concerned about the idea of consumers disposing of highly sensitive products like credit cards or health cards at WEEE collection facilities.
Industry acknowledges that manufacturers and distributors could implement take-back schemes to ensure both the return of used or waste products and adequate recycling. However, take-back schemes on a one-to-one basis would not eliminate the severe risk of unlawful usage of waste cards. This holds especially true considering that, according to the WEEE Directive, distributors will be obliged to take back waste products originally placed on the market by another manufacturer as long as that equipment is of equivalent type and has fulfilled the same functions as the cards supplied by the distributor. Even in this case, the risk of unlawful usage of waste cards cannot be excluded, as sensitive waste products will be accessible to an uncontrollable number of persons.
Do we really want staff canteens (in their role as “distributor” of food payment cards) to take back credit cards (seen as “equipment of equivalent type”)? Do we really want to see piles of health cards at public waste collection points? Data privacy is rightfully deemed a high value, and not only since recent events. The smart card industry is striving to protect these data in the best possible manner. These efforts should not be made obsolete by opening new security and privacy gaps.
It is also worth mentioning that the inclusion of smart cards would not further the initial environmental goals of WEEE. Smart cards account for only a negligible amount of electronic waste. Yet, in a realistic scenario, even this amount would not nearly be reached: following the privacy considerations mentioned in the previous paragraph, it is presumable that consumers will not return their smart cards even if obliged to, in order to protect their private data. Hence, the realistic benefit of including smart cards in WEEE would hardly be observable. This needs to be weighed against take-back efforts that, due to the high security requirements, would be highly cumbersome (and still error-prone), and whose environmental harm would even offset the benefits. For such cases, the legislator might foresee the definition of a certain threshold below which goods would not need to be registered.
With the advent of multi-application cards, it is worth mentioning that previously clearly separated product classes are now blurring. For example, SIM cards increasingly carry credit card functionalities, transit cards include payment functionalities, etc. Hence, clear and consistent legislation for all smart cards should be targeted. Taking all this into consideration, industry has sought clarification on this topic from the European Commission. The smart card industry is convinced that the task of defining EU-wide prerequisites for the disposal of highly sensitive products like smart cards will be carefully assessed by the European Commission, taking into consideration full data protection and benefit for the environment, although an official and final feedback is still awaited. The smart card industry will continue to avoid security and privacy risks in the interest of the user, within and beyond the WEEE Directive.
Eurosmart, the Voice of the Digital Security Industry, is an international non-profit association located in Brussels, representing the Digital Security Industry for multisector applications. Founded in 1995, the association is committed to expanding the world’s Digital secure devices market, developing smart security standards and continuously improving the quality of security applications.
Members are manufacturers of secure elements, semiconductors, smart cards, secure software, High Security Hardware and terminals, biometric technology providers, system integrators, application developers and issuers.
Eurosmart members are companies (Fingerprint Cards, Gemalto, Giesecke & Devrient, GS TAG, Idema, Imprimerie Nationale, Infineon Technologies, Inside Secure, Internet of Trust, Linxens, Nedcard, NXP Semiconductors, +ID, Real Casa de la Moneda, Samsung, Sanoïa, STMicroelectronics, Toshiba, Trusted Objects, WISekey, Winbond), laboratories (CEA-LETI, Keolabs), research organisations (Fraunhofer AISEC), associations (SCS Innovation cluster, Smart Payment Association, Mobismart, Danish Biometrics).
For more information, please visit http://www.simalliance.org Contact: 29/30 Fitzroy Square, London W1T 6LQ, United Kingdom.
SIMalliance is a non-profit industry association founded in 2000 aiming to simplify secure element (SE) implementation to drive the creation, deployment and management of secure mobile services. SIMalliance promotes the essential role of the SE in delivering secure mobile applications and services across all devices that can access wireless networks. By identifying and addressing SE-related technical issues, and both clarifying and recommending existing technical standards relevant to SE implementation, SIMalliance aims to promote an open SE ecosystem to facilitate and accelerate the delivery of secure mobile applications globally.
SIMalliance members are Eastcompeace, Fundamenture, Gemalto, Giesecke & Devrient, Incard, KONA I, IDEMIA, Valid, Watchdata and Wuhan Tianyu.
For more information, please visit www.smartpaymentassociation.com Contact: Smart Payment Association e.V., PO Box 800729, D-81607 Munich, Germany, email@example.com
The Smart Payment Association (SPA) is the trade body of the smart payment industry. A non-profit organization founded in 2004, the association now counts six members including the three founding members Giesecke & Devrient, Gemalto, IDEMIA, Austria Card, and Incard. The SPA works in partnership with global standards bodies, its own vendor community, and an expanding ecosystem of established and emerging brands offering an ever-growing portfolio of advisory and support services.
The proposal for a Cybersecurity Act is a matter of European industrial policy and economic growth as well as being of importance for European digital sovereignty and societal choices.
The level of resistance of European encryption solutions to potential attacks will be key to the technical transposition of Articles 7 and 8 of the European Union Charter of Fundamental Rights.
The Cybersecurity Act is part of the new social contract for the digital age. Therefore, we will bear the responsibility for drawing up fair provisions which uphold the interests of European citizens, Member States, European industry, the European Institutions and the digital single market. We must make sure that the process of establishing confidence in products through a new ENISA-led certification framework is beneficial, first and foremost, to European citizens.
With this vision in mind, Eurosmart invites both co-legislators to take five critical points into account when considering the initial proposal from the European Commission.
· Firstly, clear legal definitions of essential terms referring to IT and security ecosystems (aka “cybersecurity”).
· Secondly, fair and open European governance during the preparation phase of candidate European certification schemes.
· Thirdly, a well-defined European certification objective that is apt for each level of certification. Above all, the co-legislators should ensure that the ‘substantial’ and ‘high’ levels require mandatory penetration testing (“pentest” or “ethical hacking”) of the product by Conformity Assessment bodies (CABs) whilst a product is being evaluated.
· Fourthly, European standards must be the basis for the preparation of a new candidate European certification scheme.
· And finally, ENISA’s “Intellectual Property Rights” (IPR) policy should be spelled out in the Cybersecurity act.