The smartcard industry says it is relatively unconcerned about the potential impact of a hack attack described in a paper by researchers from Cambridge University last month.
The attack, outlined in a paper by Sergei Skorobogatov and Ross Anderson, focuses light from a flashgun on to an exposed smartcard chip. The light causes glitches in the smartcard circuits, creating anomalous results that reveal important clues about the secure information that is held in the card (EETimes 20/7/02).
"The optical probing attack represents a new and devastating technique for attacking smartcards and other security processors," the Cambridge paper said.
"We anticipate that it could have a significant commercial effect on the industry in that it will force a thorough reappraisal of security claims and the introduction of new defensive technology."
But a spokesman for card chip maker Infineon Technologies says attacks of this type were first described at the EuroSmart conference in Marseilles, France, two years ago.
"At that time, we knew about this kind of attack and have hardened our chipcard controllers so they can in no way be affected by firing a flashgun over the top," the spokesman said.
Richard York, product manager for ARM's range of cryptographic accelerators for smartcard applications, said:
"They're doing a good job of showing that some of those attacks are worryingly easy to do. But most cards on the market are resistant to these kinds of attacks."
York points out that there is always a balance between the cost of hacking a smartcard and the value of the information that can be recovered from it: "The question is would the cards you could attack like that really be worth attacking because there's sensitive-enough information on them?
"The researchers are probably just making sure they're stressing the value of their work."
Randy Vanderhoof, acting CEO of the Smartcard Alliance, a US group of 100 companies in the smartcard market, said: "There are going to be attacks attempted. It is part of the ongoing battle between those designing security systems and those [seeking] vulnerabilities."