IBM’s ZTIC

IBM Zone Trusted Information Channel (ZTIC) — ‘a banking server’s display on your keychain’.

IBM has introduced the Zone Trusted Information Channel (ZTIC), a hardware device that can counter malware attacks on online banking in an easy-to-use way. The ZTIC is a USB-attached device containing a display and minimal I/O capabilities that runs the full TLS/SSL protocol, thus entirely bypassing the PC’s software for all security functionality.

The ZTIC achieves this by registering itself as a USB Mass Storage Device (thus requiring no driver installation) and starting a “pass-through” proxy configured to connect with pre-configured (banking) Websites. After starting the ZTIC proxy, the user opens a Web browser to establish a connection with the bank’s Website via the ZTIC. From that moment on, all data transmitted between browser and server pass through the ZTIC; the SSL session is protected by keys maintained only on the ZTIC and, hence, is inaccessible to malware on the PC […].

In addition, all critical transaction information, such as target account numbers, is automatically detected in the data stream between browser and ZTIC. This critical information is then displayed on the ZTIC for explicit user confirmation: Only after pressing the “OK” button does the TLS/SSL connection continue. If any malware on the PC has inserted incorrect transaction data into the browser, it can be easily detected by the user at this moment.
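To make the mechanism described above concrete, here is a small Python model of the device's pass-through path. It is an added illustration, not IBM's code and not anything from the original post: the hostname, key bytes, form field names (`to_account`, `amount`) and account values are constructed for the example. The point it shows is that the device pins the bank's key and extracts the critical fields from the bytes it is itself about to forward, so whatever the PC changed is exactly what appears on the device display, while a plain "read" request passes without a prompt.

```python
import hashlib
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlencode

# Constructed sample: the bank's public key as opaque bytes. A real device
# would pin the key it is given at provisioning time.
BANK_HOST = "bank.example"
BANK_PUBKEY = b"constructed-bank-public-key"
BANK_FINGERPRINT = hashlib.sha256(BANK_PUBKEY).hexdigest()


@dataclass
class ZticDevice:
    """Minimal model of the device-side pass-through proxy (hypothetical)."""
    # Pinned key fingerprints, written at provisioning time. The host-facing
    # USB interface exposes no call that writes to this table.
    pinned: dict
    # What the device's own display showed; the PC never sees this.
    display_log: list = field(default_factory=list)

    def server_key_ok(self, hostname, server_pubkey):
        fingerprint = hashlib.sha256(server_pubkey).hexdigest()
        return self.pinned.get(hostname) == fingerprint

    @staticmethod
    def extract_critical(body):
        """Pull the fields the user must confirm out of the outgoing form."""
        form = parse_qs(body, keep_blank_values=True)
        return {k: form[k][0] for k in ("to_account", "amount") if k in form}

    def forward(self, hostname, server_pubkey, body, user_confirms):
        """Return the proxy decision for one outgoing request."""
        # 1. TLS is terminated on the device; a key that does not match the
        #    pin means something between device and bank is impersonating it.
        if not self.server_key_ok(hostname, server_pubkey):
            return "REJECTED: server key does not match pin"
        # 2. Critical fields come from the bytes the device will actually
        #    send, so whatever the PC altered is exactly what gets displayed.
        critical = self.extract_critical(body)
        if critical:
            self.display_log.append(
                f"Transfer {critical['amount']} to {critical['to_account']}? [OK]")
            if not user_confirms(critical):
                return "REJECTED: user declined on device"
        # Requests with no critical fields (reads) pass without a prompt.
        return "FORWARDED"


def run_transfer(intended, tampered_by_pc=False, wrong_server=False):
    """Simulate one transfer and return the device's decision.

    `intended` is what the user typed into the browser. With tampered_by_pc
    the data reaching the device carries a different destination account,
    which is the manipulation the device display is meant to expose.
    """
    device = ZticDevice(pinned={BANK_HOST: BANK_FINGERPRINT})
    sent = dict(intended)
    if tampered_by_pc:
        sent["to_account"] = "ATTACKER-ACCOUNT"  # constructed value
    body = urlencode(sent)
    server_key = b"some-other-key" if wrong_server else BANK_PUBKEY

    # An attentive user presses OK only if the display matches their intent.
    def attentive_user(shown):
        return (shown["to_account"] == intended["to_account"]
                and shown["amount"] == intended["amount"])

    return device.forward(BANK_HOST, server_key, body, attentive_user)


if __name__ == "__main__":
    intent = {"to_account": "USER-INTENDED-ACCOUNT", "amount": "100.00"}
    print(run_transfer(intent))                       # FORWARDED
    print(run_transfer(intent, tampered_by_pc=True))  # REJECTED: user declined on device
    print(run_transfer(intent, wrong_server=True))    # REJECTED: server key does not match pin
```

The `attentive_user` callback is the weak link the later comments discuss: the design only helps if the person actually compares the display with what they meant to do.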

This seems like quite a nice implementation, I think.

However, key management will be problematic. Each server’s public key will need to be stored on the ZTIC and must not be writable or modifiable by the possibly-infected PC; otherwise the “bad guys” could simply insert a cert for a malware proxy server on the PC and perform a man-in-the-middle attack on the TLS session. But for that to be viable, the SSL certs need to change very infrequently, or some new secure procedure to update the certs from a “safe” machine needs to be put in place. Tricky….


6 Comments

  1. vishal
    Posted November 6, 2008 at 13:15 | Permalink

    The “safe machines” for key updates can be located in bank branches, and you could use a combination of your ATM card and your PIN to verify your identity and update the keys on the ZTIC device.

  2. Colm MacCarthaigh
    Posted November 6, 2008 at 13:24 | Permalink

    The device can presume internet connectivity, so there’s no reason it can’t use a plain-old keyserver to fetch the keys (or rather key signatures) from the mothership central.

    They need to keep one root key safe indefinitely back at IBM, which they can use to sign both the key used to access their keyserver (which is more short-lived) and the keys you can fetch from that keyserver (the keys of individual banks).

    That’s not so much a new “safe” mechanism as regular PKI keyserver behaviour :-)
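The key-management concern in the post and the keyserver hierarchy sketched in the comment above can be modelled in a few dozen lines. The following is an added Python example, not code from IBM or from either commenter: it assumes a device whose host-facing interface has no write path to the pin table at all, a root public key fixed at manufacture, and update bundles signed in two steps (root signs the keyserver key, the keyserver signs the pin set). The signature scheme is textbook RSA on small Mersenne-prime moduli, a deliberately toy stand-in used only so the chain-of-trust logic runs offline; the bundle format, field names and fingerprints are constructed. It goes slightly beyond the comment by adding a version counter, since without one an old but genuine bundle could be replayed.

```python
import hashlib
import json

# Toy textbook RSA (no padding, small moduli). It stands in for a real
# signature scheme only so the verification chain runs in plain Python;
# it provides no real security and is not what a production device would use.
E = 65537

def keygen(p, q, e=E):
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))

def _digest(msg):
    # 128-bit truncated hash, always below the smallest modulus used here.
    return int.from_bytes(hashlib.sha256(msg).digest()[:16], "big")

def sign(priv, msg):
    n, d = priv
    return pow(_digest(msg), d, n)

def verify(pub, msg, sig):
    n, e = pub
    return pow(sig, e, n) == _digest(msg)

def encode_pub(pub):
    return f"{pub[0]}:{pub[1]}".encode()

def encode_payload(version, pins):
    return json.dumps({"version": version, "pins": pins}, sort_keys=True).encode()


class ZticKeyStore:
    """Pinned bank keys on the device, updatable only via a signed chain."""

    def __init__(self, root_pub):
        self._root_pub = root_pub   # fixed at manufacture, never rewritten
        self._version = 0           # guards against replay of older bundles
        self.pins = {}              # hostname -> expected key fingerprint

    def host_write(self, hostname, fingerprint):
        # Deliberately no write path on the host-facing (PC) interface.
        raise PermissionError("pin table is not writable from the host PC")

    def apply_update(self, bundle):
        """Accept a bundle only if root -> keyserver -> pin set all verify."""
        ks_pub = tuple(bundle["keyserver_pub"])
        # Step 1: the shorter-lived keyserver key must be certified by root.
        if not verify(self._root_pub, encode_pub(ks_pub), bundle["keyserver_cert"]):
            return "REJECTED: keyserver key not signed by root"
        # Step 2: the pin set (with its version) must be signed by that key.
        payload = encode_payload(bundle["version"], bundle["pins"])
        if not verify(ks_pub, payload, bundle["pins_sig"]):
            return "REJECTED: pin set signature invalid"
        # Step 3: never roll back to an older pin set.
        if bundle["version"] <= self._version:
            return "REJECTED: stale bundle"
        self._version = bundle["version"]
        self.pins.update(bundle["pins"])
        return "APPLIED"


def make_bundle(root_priv, ks_pub, ks_priv, version, pins):
    """What the keyserver side would publish (constructed format)."""
    return {
        "keyserver_pub": ks_pub,
        "keyserver_cert": sign(root_priv, encode_pub(ks_pub)),
        "version": version,
        "pins": pins,
        "pins_sig": sign(ks_priv, encode_payload(version, pins)),
    }


def demo():
    root_pub, root_priv = keygen(2**61 - 1, 2**89 - 1)     # kept offline at the vendor
    ks_pub, ks_priv = keygen(2**107 - 1, 2**127 - 1)       # online keyserver key
    rogue_pub, rogue_priv = keygen(2**521 - 1, 2**607 - 1)  # a key root never certified

    store = ZticKeyStore(root_pub)
    good = make_bundle(root_priv, ks_pub, ks_priv, 1, {"bank.example": "aa11"})
    r1 = store.apply_update(good)
    # A bundle pushed from the PC with the attacker's own "keyserver" key
    # fails at step 1, because root never signed that key.
    forged = make_bundle(rogue_priv, rogue_pub, rogue_priv, 2, {"bank.example": "bad"})
    r2 = store.apply_update(forged)
    # Replaying the earlier genuine bundle fails at step 3.
    r3 = store.apply_update(good)
    return r1, r2, r3, dict(store.pins)


if __name__ == "__main__":
    print(demo())
```

The root key never touches the device update path except as a public verifier, which is what lets the vendor keep it offline while rotating the keyserver key as often as it likes.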

  3. Posted November 6, 2008 at 14:40 | Permalink

    Colm — oh yeah, good idea! duh ;)

  4. Craig Hughes
    Posted November 6, 2008 at 18:44 | Permalink

    Can’t malware on the PC MITM between the browser and the ZTIC? It might be hard to insert bogus transactions (though as we all know, users won’t actually be reading the display on the ZTIC before clicking “OK” after the first dozen or so times), but it can read lots of data, and then allow the baddies account access through other channels based on that information.

    I looked at building something similar for VPN access using a gumstix plugged into a USB port, but it still inevitably requires you to trust that the host PC is uncompromised.

  5. Posted November 6, 2008 at 18:54 | Permalink

    Craig —

    The malware can indeed MITM between the browser and the ZTIC, and yep, it could read the data. But it cannot perform writes (i.e. generate transactions) without causing confirmation requests to appear on the ZTIC display, which definitely reduces the attack surface for a “bad guy”. (Whether or not users would OK the transactions without verifying them — well, there’s the problem really ;)

    Just thinking about my online banking system, “reads” are not valuable. If all “writes” required a ZTIC confirmation, there’s very little there that would remain to be useful to an attacker; no full account numbers, or addresses, are displayed for example.

  6. Stan Kaplan
    Posted December 8, 2010 at 00:56 | Permalink

    Has anyone implemented ZTIC? I have a banking client who is looking to my company to implement.

    Regards,

    Stan Kaplan Director of Business Development – Professional Services Champion Solutions Group 791 Park of Commerce Blvd., Suite 200 Boca Raton, FL 33487

    Office: (561) 997-2900, ext. 146 Office: (800) 771-7000, ext. 146 Cell: (561) 715-0999 Fax: (561) 997-4043

    http://www.championsg.com

    Email: [email protected]