Dr Markus Kuhn
ISO 7816 smartcard interface monitor
In July 2000, I produced a little printed-circuit-board adapter to help in experiments involving the ISO 7816 contact smartcard interface. At one end, this little PCB has the shape of an ISO 7816 smartcard, including all eight contacts. The other end can be fitted with a smartcard connector. All eight pins of the smartcard end and the card connector end are linked via a row of jumpers and have test pins. This way, the device can be used in pass-through mode, to passively eavesdrop on ISO 7816 smartcard data traffic, or you can open each line and pass it via external electronics, which then can interfere in real-time with the smartcard communication. You can also just use one end at a time, to build either a smartcard interface or a card emulator.
The device also can be fitted with a current-sensing SMD resistor (~10 Ω) in the ground line of the smartcard contact, such that it can be used for power-analysis attacks on smartcards, and an SMD capacitor across the card-interface power supply.
This little adapter card has seen a lot of action in many smartcard-related research projects at the department's Security Group. Most famously, my former PhD students Steven Murdoch and Saar Drimer used it to demonstrate several serious defects in the Chip & PIN (EMV) banking card protocol, and in this context it was seen several times on TV.
Rather than using specialized PCB layout software, I simply drew the layout of this simple board using a normal vector drawing program, the Unix/X11 classic xfig. The drawing can be laser printed onto a transparency. Make two copies and place one onto each side of an A4-sized PCB covered on both sides with copper and photoresist. This will result in four adapter boards.
Make sure you use 0.8 mm thick PCB material, which is about half the thickness of regular PCBs. The ISO 7816 smartcard defines the card to be 0.76 mm thick, and 0.8 mm works just as well, but anything much thicker is unlikely to fit into many smartcard slots.
The design can be produced as a single-sided or double-sided board. As a double-sided board, you get a ground plane on top (good EMC practice) along with labels next to the test pins.
Note: The adapter also has space for adding a few more optional components, namely (a) a buffer amplifier for the current-sense voltage, and an associated DC-DC power-supply converter, and (b) a chip to convert between TTL and RS-232 levels, an old trick to build a very simple smartcard emulator. See README.txt for details on the intended components. We've never actually populated those places. Regarding the amplifier, it is much easier to get excellent power-analysis signals merely by using a very short (~10 cm) coax cable directly into the port of a digital storage oscilloscope. Regarding the trick of using a voltage converter to connect to an RS-232 port, that only works with certain clock frequencies, and while it was practical on some early pay-TV set-top boxes, it was not with many EMV terminals, where we had to implement a UART clocked by the card interface on a separate FPGA board.
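Why the RS-232 trick depends on the clock frequency can be checked numerically. The following is an added example, not part of the original page or its README: on an ISO 7816-3 interface one bit lasts F/D cycles of the clock that the terminal supplies (372 cycles by default after reset), so the bit rate follows the clock. The 16550-style UART model, the 2% tolerance and the sample frequencies are assumptions made for illustration.

```python
# Added example: ISO 7816-3 bit timing versus the rates a PC serial port offers.
# Assumptions (not from the original page): default F=372, D=1 after reset,
# a 16550-style UART (rates = 115200 / integer divisor), 2% rate tolerance.

UART_BASE = 115200   # 16550 UART: 1.8432 MHz crystal divided by 16
TOLERANCE = 0.02     # assumed acceptable relative bit-rate mismatch


def card_bit_rate(clk_hz, F=372, D=1):
    """Bit rate on the I/O line: one bit (etu) lasts F/D clock cycles."""
    return clk_hz * D / F


def best_uart_match(rate):
    """Return (divisor, uart_rate, relative_error) for the closest UART rate."""
    ideal = UART_BASE / rate
    # UART rate falls monotonically with the divisor, so the closest
    # rate is at the integer just below or just above the ideal divisor.
    candidates = {max(1, int(ideal)), max(1, int(ideal) + 1)}
    best = min(candidates, key=lambda d: abs(UART_BASE / d - rate))
    uart_rate = UART_BASE / best
    return best, uart_rate, abs(uart_rate - rate) / rate


def rs232_usable(clk_hz, F=372, D=1):
    """True if a plain UART can follow the card at this clock frequency."""
    _, _, err = best_uart_match(card_bit_rate(clk_hz, F, D))
    return err <= TOLERANCE


if __name__ == "__main__":
    # Constructed sample clock frequencies in Hz, not measurements.
    for clk in (3_571_200, 3_579_545, 4_000_000, 5_000_000):
        rate = card_bit_rate(clk)
        div, uart, err = best_uart_match(rate)
        verdict = "ok" if err <= TOLERANCE else "out of tolerance"
        print(f"{clk / 1e6:.4f} MHz -> {rate:8.1f} bit/s, "
              f"divisor {div} ({uart:.1f} bit/s), error {err:.2%}: {verdict}")
```

A UART clocked by the card interface itself, as on the FPGA board mentioned above, does not have this mismatch because its bit timing is derived from the same clock as the card's.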
- Be careful when printing PDFs from Adobe Reader, which by default rescales every PDF it prints onto the printable area of your printer, which is usually a bit smaller than the full A4 size of 297 × 210 mm! Make sure to switch off any scaling in the Print dialog box of Adobe Reader when printing transparencies for making PCBs. (Or even better, cut out the PDF step and send the provided PostScript files directly to your PostScript printer.)
- If you use the laser-printed transparencies, use the reversed and inverted version of the file, such that you can put the toner side directly onto the photoresist, and such that only the parts where you want to remove copper are exposed.
- On the smartcard contact side, the front centimetre or so is meant to be covered with some insulating film (e.g., sticky tape), to avoid wiping contacts touching any of the conductive parts of the PCB when it is inserted into a smartcard interface.