How did the first known smartcard implementation attack (1996) extract a PIN without breaking any cryptographic algorithm?
Attackers monitored the smartcard's power consumption to detect when the retry counter was being written after a wrong PIN, then cut power before the write completed — keeping the counter at its original value for unlimited guesses.
* The 1996 power-off attack: spot the counter-decrement write by its current draw, then cut power before it finishes. *
The attack step by step:
- Smartcards store a 4-digit PIN and a retry counter (typically starts at 3)
- When a wrong PIN is entered, the card decrements the retry counter by writing to memory
- Writing to memory requires more electrical current than reading
- An external circuit monitors the card's power consumption
- When the power spike from the write operation is detected, the attacker immediately cuts power to the card
- The write never completes → the retry counter stays unchanged
- Repeat with the next PIN guess — unlimited attempts
Statistics:
- 4-digit PIN = 10,000 possibilities
- On average, found after n/2 = 5,000 attempts
- With the right equipment, the entire attack took only a few hours
The countermeasure: Decrement the retry counter before checking the PIN. If the PIN is correct, increment it back. This way, a power cut during the process always leaves the counter decremented.
Key lesson: This attack broke zero cryptography — it exploited the order of operations in the implementation. A perfect algorithm means nothing if the implementation leaks information through physical side channels.
Go deeper:
Side-channel attack (Wikipedia) — extracting secrets from physical behaviour, not the maths.