[Music]
hi I'm Kevin Poulsen first threat level
Christopher turn knobs key is a hacker
who specializes in hacking smart cards
he was so good at this that he was
actually hired by a company that makes
smart cards for the satellite TV
industry to help them secure their
systems from satellite pirates he's now
working independently as a contractor
and last week he opened up his San Diego
laboratory exclusively to wired.com in
order to show us his latest technique
for circumventing the physical security
that protects smart cards from hackers
in the first place so today what we're
going to do is we're going to take out
this piece of metal we're gonna remove
it we're going to expose it to some
acids the first phase is going to remove
the epoxy and actually expose the chip
so this white stuff is going to come off
so basically the plastics broken down
now after about 10 minutes have gone by
first phase of exposure is going to be
to get to the actual device inside the
substrate we're going to put acetone
into these two beakers one is going to
be the the nitric rinse and then the
second beaker will be considered clean
and that'll be the final rinse in
ultrasonic we're gonna pull these out
and we're gonna stick them on the hot
plate with some fuming nitric acid hno3
I'm very very dangerous it's a very
aggressive acid so I'm gonna wash it I'm
gonna rinse it that piece is now
finished he's opened up enough just
removing the extra so the ultrasonic is
gonna basically give vibrations to this
and and clean off any residue that's
left you can see on the monitor it looks
good it looks beautifully clean we're
going to put the chip back in place if
you look at this chip there's basically
two layers and a top and a third top
layer as a security area so to touch the
metal down on that second layer where
we're going to burn a hole through it
but we're going to burn a very special
hole that that I will make with a mask
we just want to coat the top creating
basically a mask we'll give this some
time to dry and then we're going to use
a sewing type of needle being held by a
micro positioner to kind of scratch a
hole in this area and I really don't
need to open the whole area
but I basically want to touch this
middle area where their data bus is and
the side where there's a control line
that I'm after I'm just making a window
with the needle scratching there's nail
polish covering the this mesh and here's
the hole so we're gonna leave the needle
suck down where it is we're gonna pull
it out and this chip is prepped and
ready this time we're going to again use
this fume hood
we're going to use hydrofluoric acid and
we're going to put a drop of
hydrofluoric acid for 30 seconds the
first time hydrofluoric acid is
resistive to nail polish as well as Mars
magic marker then we're going to rinse
it in water we're going to then look at
it under there under this microscope
just to see how deep did it go did it do
anything yet and then we're going to do
very selected to selectively timed
etches of say 15 seconds the rate of
etch on this it depends on how much
hydrofluoric acid you have and how hot
the the hot plate is so now we'll rinse
it in acetone so I'm going to really
quick using UV light expose the lines of
this chip now we're going to I'm going
to sit on the bus with a needle eight
times I'm going to listen the yellow
line will be what we're touching on the
substrate the blue line represents reset
every time I reset the card we're going
to build a log of where the chip went
when it powered up and you're basically
going to see everything so we're gonna
take 800 hexadecimal samples so this is
just a sequential order of the samples
taken sample 500 hex simplified 20 and
what I saw at the period of time
anything in the chip I can see it right
here as we take more simples it's all
gonna fall into place and you'll see it
I could actually send a management
message for example into the chip and
east drop everything that chip did to
decrypt the message for example so if I
can see I can do anything I want to
right now I can control it or I can
listen I can I can read out the east
where if I wanted to I could read out
the ROM
anything goes at this point in time
versus glitching with a glitch err
you