The SLE4442 is one of the most widely used smartcard sesigns around. It has 256 bytes of storage and a 3 byte (thats over 16 million possibilities) security code. Get the code wrong 3 times and the card becomes unwritable. Several hacks have been developed, but unless you have an amazing amount of cash, equipement and skill, its no use. Now, a small Chinese company (1 man, if I understand his shaky English) is offering a small piece of hardware that finds the security code in just a few seconds. Just HOW this hardware works (supposing it does) is an interesting question. Since it supports wireless chips, it cannot use timing or power usage statistics. My initial guess is that the lockout takes longer to process than a detect and (if wrong) reset of the chip. This is essentially a brute force attack and would take (one asssumes) more than a couple of seconds. The exact detail of the PSC (the security code) input is obviouslly not discussed in detail by the makers. Maybe the 3 bytes can be attacked in turn? that would mean a maximum of 256x3 attempts. The Kinkos attack actually read the data as it went through the bus so it just read the right numbers first time. Flylogic went the expensive route and found a raft of probable attacks including taking the thing apart and forcing the OK flag to be set (see where the duck is looking). At the end of the day, Setchief seems to offer the best route, but I cannot find any reviews good or bad. Anyone?
