SensePost is SecureData’s independent elite consulting arm, renowned for its expertise, 19 year track record and innovation on the frontlines of cybersecurity.

With team members that include some of the world’s most preeminent cybersecurity experts, SensePost has helped governments and blue-chip companies both review and protect their information security and stay ahead of evolving threats.

SensePost is also a prolific publisher of leading research articles and tools on cybersecurity which are widely recognised and used throughout the industry and feature regularly at industry conferences including BlackHat and DefCon.

Inside .NET Smart Card OS

44con - Kensington / London

Presentation by Behrang Fouladi at 44Con in 2012.

Inside .NET Smart Card OS

Presentation by Behrang Fouladi at 44Con in 2012.

The .NET smart card is widely used in Microsoft Windows based systems to provide two-factor authentication, secure storage of cryptographic keys and tamper proof execution of sensitive applications. However, it had an undocumented proprietary application binary format which was a major challenge for studying the card's operating system and virtual machine security. As a result, no public security research, which could help the consumers to understand and evaluate the risks of malicious code on .NET smart cards, was available before this work. This research aims to perform a detailed security evaluation of this platform to unveil possible vulnerabilities and provide recommendations to address those issues.

The following video shows exploitation of the "public key token spoofing" vulnerability on the .net smart card using the HiveMod tool which was presented by SensePost during 44Con 2012:

Help us spread the news and encourage others to engage in the world of hacking!

44con_2012_dotnet_smartcard.pdf