3 DES Fix TechFlash

Sagem EPP Multiple Power Fail Security Lockout Feature This Security Lockout feature may be encountered if the EPP is repeatedly powered on and off during a lengthy installation. SYMPTOMS: EPP Shows Version 000 3 DES Error - EPP Malfunction LED on Back of Sagem EPP will FLASH RED at 6 Hz (about 2 times a second) SOLUTION: Clear Security Lockout by applying Power to EPP and allow to sit 30 to 1 Hour. Observe that the EPP LED is now Green. Do not power off the Control Module. Reset the ATM. The Control Module Software will Restart when it receives a Power fail from the ATM. This will avoid turning the EPP LED Red again from a Power fail of the Control Module. Allowing the EPP to be Powered Up for 30 minutes will prevent the Count from incrementing inside the EPP. Note: Sagem EPPs will not be RMAd without performing this test for Reset. Date: 10/3/2006 From: Dave Allen Head of Technical Services Pi Systems International The Following is Sagems Document on this Security Feature
SW requirements specification for INT1318-4220. Page 83/83 Copyright SAGEM Denmark A/S - 2004 File date: 03-01-05 All rights reserved

Kuhn Attack counter measures

The mechanism in the Dallas Processor 5240 to prevent the Kuhn Attack is currently implemented as a SW solution, as the HW built in mechanism is not provided in the current Dallas processor release. Software actions A reset threshold value is hard coded in the software to 0xf0. Every processor reset will increment a Kuhn counter register by one. If the counter register > 0xb0 it will be decremented by one each 30 min. The counter is only decremented while the external power supply is connected to the module. If the counter reaches the threshold value, a delay of 30 min is activated. In this period no communication is possible with the EPP4. The red LED will give a visual indication by a 6Hz blink. TechFlash 10/05/06
Pi Systems Intl. LP 1555 Avenue S, Ste 108, Grand Prairie, TX 75050

Page 1
1-800-831-5723

3 DES Fix TechFlash

Sagem EPP Multiple Power Fail Security Lockout Feature The effect of this is that it is possible to do 64 power on resets with short time intervals within half an hour, after that the delay will take effect and raise the delay time to 30 min. If an attacker times the attack in an optimal way, it is possible to do 64 resets within the first 30 min and here after 1 reset per 30 min, or 17583 resets per year.

Recognizing this Security Feature in a 3 DES Fix Log

1. Log Error onto USB Thumb Drive with Debug Level Set to 9 on ATM settings 2. Open Thor.log with Word Pad. 3. Ctrl & F to search for Sagem click next until you see Receive Timer Expired or search for Receive Timer Expired

Log Excerpt

========Opened log file======== 17:56:39.548[0400]: *** creating property object Queues allocated. FreeAddr: 794720; FreeSpace: 253856 setting channel a to dce mode open(SYNC) returned devID 3[2] 17:56:40.041[0400]: port(b): 0 dev: 3 name: /dev/z85300 dce: open(SYNC) returned devID 4[99] 17:56:40.081[0400]: port(b): 1 dev: 4 name: /dev/z85305 dce: 17:56:40.089[0400]: port: 2 baud: 9600 parity: none stop: 1 dev: 5 name: /dev/ttyS0 17:56:40.631[0400]: RTS is HIGH *** setting _KeyBuff to >< *** cancelling any keypad command 17:56:40.793[0400]: [2:Keypad]XMT(001) /18 / *** unlocking keypad 17:56:41.120[0400]: [2:Keypad]XMT(004) /02 B8 03 BB / *** keypad resp2: ****************************************** *** pin block set to >< ****************************************** *** setting need EPP config state to: 1 ***** in AutoSync() 17:56:42.002[0400]: *** getting ad1 17:56:42.005[0400]: [0:ATM]XMT(005) /04 32 20 70 05 / 17:56:42.182[0803]: [0:ATM]RCV(001) /04 / *** in SetAd1() 17:56:42.222[0400]: ***** SetAd1(): ad1/ad2 no change *** out SetAd1() 17:56:42.223[0400]: atm: ad1: 32 17:56:42.224[0400]: ad2: 20 17:56:42.430[0400]: AutoSync completed, switching to IP Mode ========Closed log file======== DebugLog: Message [[Keypad:SAGEM] PortBackground: eppState:1, keyState:0, currMode:B9] repeated 10 times 17:56:48.981[0400]: [Keypad:SAGEM] Receive timer expired! Going IDLE state

1 0 data: 8

back to

TechFlash 10/05/06
Pi Systems Intl. LP 1555 Avenue S, Ste 108, Grand Prairie, TX 75050

Page 2
1-800-831-5723