l0pht.00-05-04.etoken

Posted May 9, 2000
Authored by Kingpin | Site l0pht.com

l0pht Security Advisory - eToken Private Information Extraction and Physical Attack. Aladdin Knowledge Systems' (http://www.ealaddin.com) eToken is a portable USB (Universal Serial Bus) authentication device providing complete access control for digital assets. eToken stores private keys, passwords or electronic certificates in a hardware token the size of a house key. The eToken makes use of two-factor authentication. Using the legitimate user's PIN number ("what you know") and the physical USB key ("what you have"), access to the public and private data within the key will be granted.

tags | web
SHA-256 | 5e11a6c4d048dd58ac24b30009579e749a7e507f27f37ea2471b6b99db381e0e


@Stake Inc.
L0pht Research Labs
www.atstake.com www.L0pht.com


Security Advisory


Advisory Name: eToken Private Information Extraction and Physical Attack
Release Date: May 4, 2000
Application: N/A
Platform: Aladdin eToken USB Key 3.3.3.x
Severity: An attacker can access all private information stored on the device without knowing the PIN number of the legitimate user.
Author: Kingpin [kingpin@atstake.com]
Vendor Status: Vendor contacted - response shown below
Web: http://www.L0pht.com/advisories.html


Overview:

Aladdin Knowledge Systems' (http://www.ealaddin.com) eToken is a
portable USB (Universal Serial Bus) authentication device providing
complete access control for digital assets. eToken stores private keys,
passwords or electronic certificates in a hardware token the size of a
house key. The eToken makes use of two-factor authentication. Using the
legitimate user's PIN number ("what you know") and the physical USB key
("what you have"), access to the public and private data within the key
will be granted.

The attack requires physical access to the device circuit board
and will allow all private information to be read from the device without
knowing the PIN number of the legitimate user. By using any number of
low-cost, industry-standard device programmers to modify the unprotected
external memory, the User PIN can be changed back to a default PIN. This
will allow the attacker to successfully login to the eToken and access all
public and private data. A homebrew device programmer could be built for
under $10 and commercial device programmers are available from a number of
companies ranging in cost from $25 to $1000.

Users must be aware that the PIN number can be bypassed and should
not trust the security of the token if it is not always directly in their
possession. If a legitimate user loses their USB key, all data, including
the private information, needs to be considered to have been compromised.

The eToken device is also not tamper-evident. It is possible to open
the device housing without evidence of tampering, allowing the attacker to
gain physical access to the circuit board without the legitimate user's
knowledge. Epoxy encapsulation and other tamper hindering techniques should
be employed in the manufacturing of such hardware devices.


Detailed Description:

The legitimate user's PIN can be reset back to the default PIN by
simply copying a particular 8-byte string from one area of the
unprotected external memory to another. If necessary, the legitimate
user's original PIN can be copied back into the external memory after
the attack and no evidence of tampering will be apparent.

All data on the eToken USB key is stored in an external memory.
The 8KB flavor of the eToken uses an Atmel 25640 SPI Serial EEPROM
(http://www.atmel.com). Serial EEPROMs are extremely common in the
engineering industry and require minimal circuitry to read and write
to. They are also notoriously insecure and often do not provide any
type of security features. Due to the nature of Serial EEPROMs, it is
possible to attach a device programmer to the device, while it is still
attached to the circuit board, and read and write at will. Our
experiments were carried out using the Needham's Electronics EMP-30
(http://www.needhams.com) which cost $995, although a homebrew device
programmer could be built with a handful of components for under
$10. Other device programmers are available from a number of companies,
ranging in cost from $25 to $1000. A schematic of our findings can be
found at: http://www.L0pht.com/advisories/etoken_schematic.pdf

There are two PIN numbers associated with each eToken USB key,
allowing either User or Administrator access. User access has complete
control of the eToken file system, while Administrator is allowed to
initialize the key, but not access private data.

Both PINs, private data, and secret data are encrypted in some
manner before being stored into the EEPROM. The public data is stored
in plaintext and can be easily read by viewing the buffer of the
Serial EEPROM.

The 8-byte strings which determine the User and Administrator
PINs are stored at location $10 and $18, respectively. By copying the
8-byte string stored at $20 into either of those areas, we return the
PIN to its default state. The 8-byte string defining the encrypted
version of the default PIN is unique for each eToken.

Initial memory dump, with User PIN set to 66666666 and
Administrator PIN set to 87654321:

              User PIN            Admin PIN
         /-----------------\ /-----------------\
00000010 7235 BAA8 5778 DE97 B7DD 9F01 121B 27A7  r5..Wx........'.
00000020 BE74 503B 3751 FA74 FFFF FFFF FFFF FFFF  .tP;7Q.t........
         \-----------------/
          Default PIN string

Memory dump, after modification, with the User PIN now
set to the default:

00000010 BE74 503B 3751 FA74 B7DD 9F01 121B 27A7 .tP;7Q.t......'.
00000020 BE74 503B 3751 FA74 FFFF FFFF FFFF FFFF .tP;7Q.t........

Once the modified buffer is programmed back into the Serial
EEPROM, the attacker can login to the eToken using the default PIN
and make use of the legitimate user's credentials. Our proof-of-concept
tool demonstrates quick extraction of all private, public, and
configuration data from the key.
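The two memory dumps above contain everything needed to audit an EEPROM image for the condition this advisory describes: a PIN slot whose 8-byte string equals the per-device default-PIN string at $20. The following Python is an added example, not part of the original advisory or of Aladdin's software. It parses dump lines in the format shown above (address, eight 16-bit words, optional ASCII column) into a byte image and reports whether the User or Administrator slot is in the default state, using only the offsets the advisory gives ($10, $18, $20). The sample dumps are the advisory's own; the assumption that unlisted bytes are 0xFF (erased EEPROM) is the example's.

```python
import re

# Offsets within the external EEPROM image, as given in the advisory.
USER_PIN_OFF = 0x10      # 8-byte string defining the User PIN
ADMIN_PIN_OFF = 0x18     # 8-byte string defining the Administrator PIN
DEFAULT_PIN_OFF = 0x20   # 8-byte string defining the (per-device) default PIN
SLOT_LEN = 8

# One dump line: 8-hex-digit address followed by eight 4-hex-digit words.
# Anything after the eighth word (the ASCII column) is ignored.
DUMP_LINE = re.compile(r"^\s*([0-9A-Fa-f]{8})((?:\s+[0-9A-Fa-f]{4}){8})")


def parse_dump(lines):
    """Rebuild a byte image from hex-dump lines.

    Lines that do not match the dump format (labels, brace art, blanks) are
    skipped. Bytes not covered by any line default to 0xFF, the erased state
    of an EEPROM (an assumption of this example, not stated by the advisory).
    """
    chunks = {}
    for line in lines:
        m = DUMP_LINE.match(line)
        if not m:
            continue
        addr = int(m.group(1), 16)
        chunks[addr] = bytes.fromhex(m.group(2).replace(" ", ""))
    if not chunks:
        return b""
    size = max(addr + len(data) for addr, data in chunks.items())
    image = bytearray(b"\xff" * size)
    for addr, data in chunks.items():
        image[addr:addr + len(data)] = data
    return bytes(image)


def pin_slot_states(image):
    """Report which PIN slots currently hold the default-PIN string.

    A User or Admin slot equal to the string at DEFAULT_PIN_OFF means the
    token will accept the default PIN (8 bytes of 0xFF) for that role.
    """
    default = image[DEFAULT_PIN_OFF:DEFAULT_PIN_OFF + SLOT_LEN]
    return {
        "user_is_default": image[USER_PIN_OFF:USER_PIN_OFF + SLOT_LEN] == default,
        "admin_is_default": image[ADMIN_PIN_OFF:ADMIN_PIN_OFF + SLOT_LEN] == default,
    }


# Dump lines taken from the advisory: before and after the modification.
INITIAL_DUMP = """\
              User PIN            Admin PIN
         /-----------------\\ /-----------------\\
00000010 7235 BAA8 5778 DE97 B7DD 9F01 121B 27A7  r5..Wx........'.
00000020 BE74 503B 3751 FA74 FFFF FFFF FFFF FFFF  .tP;7Q.t........
""".splitlines()

MODIFIED_DUMP = """\
00000010 BE74 503B 3751 FA74 B7DD 9F01 121B 27A7  .tP;7Q.t......'.
00000020 BE74 503B 3751 FA74 FFFF FFFF FFFF FFFF  .tP;7Q.t........
""".splitlines()


if __name__ == "__main__":
    for name, dump in (("initial", INITIAL_DUMP), ("modified", MODIFIED_DUMP)):
        print(name, pin_slot_states(parse_dump(dump)))
```

Run against the two dumps, the initial image reports neither slot in the default state, while the modified image flags the User slot; the Administrator slot is unchanged in both. The same check can be applied to any full dump of the 25640 taken during incident handling of a token that was out of its owner's possession.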

The default PIN is 0xFFFFFFFFFFFFFFFF, which is 8 bytes of
0xFF, a non-printable character. To enter the default PIN on a
Windows platform, hold the "Alt" key while typing "0255". Release
the "Alt" key between characters. Repeat this 8 times. This
sequence will enter a 0xFF character into the dialog box.

The physical housing of the eToken consists of a two-piece
plastic design. A combination of glue and two mechanical features
hold the unit together. The mechanical features aren't externally
visible, so if they are broken during disassembly, it won't be
evident. Access to the circuit board can be obtained by heating the
device with a heat gun or hair dryer, and carefully prying the two
pieces apart using an X-acto knife and small screwdriver blade.
When the attack is complete, crazy glue can be used to close the
device without visible evidence of tampering. Pictures of the
step-by-step operation can be found at:
http://www.L0pht.com/advisories/etoken_images.html


Temporary Solution:

The quick solution, although it does not remedy the core problem,
is to be very aware of the physical security and location of the key
at all times. The owner of the key should never leave the key
unattended or loan it to a colleague. If the key is unattended for
any amount of time, the data could possibly have been compromised due
to the PIN being bypassed with the methods described in this advisory.

A number of features could be added to the manufacturing process
of the eToken to aid in tamper prevention. Because there is no reason
for the circuitry to be accessed after key manufacture, encapsulating
the ICs with epoxy or other material will prevent the easy manipulation
that is currently possible. Enhancing the physical housing design to be
tamper-evident and more difficult to open will also prevent an attacker
from easily accessing the device internals without detection. These
methods should be considered by all hardware vendors, since they help
to raise the bar against common physical attacks.
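The countermeasures the advisory proposes are physical. The root cause it identifies, however, is that the microprocessor trusts whatever it reads from the unprotected external EEPROM, so a byte copy within that memory changes the PIN. A complementary logical control, which the advisory does not propose and which is added here only as an illustration, is for the microprocessor to keep a per-device secret in its own internal storage and verify a keyed tag over the external image before honoring any of it. The Python below is an added example, not Aladdin's design or the authors' code; the key, the 64-byte image size and the version counter are constructed, while the three 8-byte strings and their offsets come from the advisory's memory dump. It shows that the same in-place copy the advisory describes (default string at $20 written over the User slot at $10) no longer verifies, and that including a counter held inside the microprocessor also rejects replay of an older image together with its old tag.

```python
import hashlib
import hmac

# Layout from the advisory's dump of the 8KB eToken's external EEPROM.
USER_PIN_OFF, ADMIN_PIN_OFF, DEFAULT_PIN_OFF, SLOT_LEN = 0x10, 0x18, 0x20, 8


def seal_image(mcu_key: bytes, image: bytes, version: int) -> bytes:
    """Simulated microprocessor side: tag the whole external image together
    with a monotonic version counter that lives in internal (non-external)
    storage. Only the tag would be written to the external EEPROM; the key
    never leaves the microprocessor."""
    msg = version.to_bytes(4, "big") + image
    return hmac.new(mcu_key, msg, hashlib.sha256).digest()


def verify_image(mcu_key: bytes, image: bytes, tag: bytes, version: int) -> bool:
    """Constant-time check performed before any PIN comparison is trusted."""
    return hmac.compare_digest(seal_image(mcu_key, image, version), tag)


def copy_slot(image: bytes, src: int, dst: int, n: int) -> bytes:
    """In-place copy of n bytes within the external image, i.e. the
    modification the advisory describes being made with a device programmer."""
    buf = bytearray(image)
    buf[dst:dst + n] = buf[src:src + n]
    return bytes(buf)


def build_image() -> bytes:
    """Constructed 64-byte image populated with the strings from the advisory."""
    image = bytearray(b"\xff" * 64)
    image[USER_PIN_OFF:USER_PIN_OFF + SLOT_LEN] = bytes.fromhex("7235BAA85778DE97")
    image[ADMIN_PIN_OFF:ADMIN_PIN_OFF + SLOT_LEN] = bytes.fromhex("B7DD9F01121B27A7")
    image[DEFAULT_PIN_OFF:DEFAULT_PIN_OFF + SLOT_LEN] = bytes.fromhex("BE74503B3751FA74")
    return bytes(image)


def demo() -> dict:
    # Constructed per-device secret standing in for a key burned into the MCU.
    mcu_key = hashlib.sha256(b"constructed per-device MCU secret").digest()
    image = build_image()
    tag = seal_image(mcu_key, image, version=1)

    # The advisory's PIN reset: default-PIN string copied over the User slot.
    tampered = copy_slot(image, DEFAULT_PIN_OFF, USER_PIN_OFF, SLOT_LEN)

    return {
        "genuine_verifies": verify_image(mcu_key, image, tag, version=1),
        "tampered_verifies": verify_image(mcu_key, tampered, tag, version=1),
        # Old image and old tag presented after the MCU advanced its counter.
        "rollback_verifies": verify_image(mcu_key, image, tag, version=2),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The tag only helps if the key and counter are genuinely inaccessible to someone holding the board, which is exactly what the epoxy encapsulation recommended above is for; a keyed tag stored beside a key in the same unprotected EEPROM would add nothing. It also does not protect data the attacker can read, so the private information would still need to be encrypted under a key the microprocessor alone holds.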


Vendor Response:

Aladdin promptly acknowledged the security problems associated
with the eToken as mentioned in this advisory. They informed us that
version 3.3.3.x of their eToken is a demo and "proof-of-concept"
product.

We were unable to find any reference to version 3.3.3.x being a
beta or demonstration product in any documentation. Additionally, we
were unable to find this information on their web page or in the
development kit. Conversations with an Aladdin sales associate led us
to believe we were experimenting and developing with a fully-released
and fully-functional product.

Based on the following reasons, we felt it necessary to continue
with the release of the advisory: 1) The product has been available
for 2 years, 2) We were unable to find reference to it being a
"proof-of-concept" tool, 3) It has been shipped in large quantities to
commercial organizations.

Press releases involving the eToken can be found at:
http://www.ealaddin.com/news/1999/etoken/index.asp and
http://www.ealaddin.com/news/2000/etoken/index.asp

We do not know whether the production version (2.3.4.x), known
as eToken R2, will also be considered a demo product or whether it
will address the problems mentioned herein. eToken R2 has not yet
been released.


Proof-of-Concept Code:

The proof-of-concept tool, known as "Heimlich", makes use of the
PC/SC support of the eToken to perform the following functions:

1) Search USB ports for eToken
2) Retrieve and display configuration data for the inserted key
3) Login as User using the default PIN of 0xFFFFFFFFFFFFFFFF
4) Retrieve all public and private data and export the directory
hierarchy to DOS

The tool expects that the eToken User PIN has been reset to the
default state, as described in this advisory. If the User PIN is not
set to default, login to the eToken will be denied.

The secret data areas are write-only and cannot be extracted
using the PC/SC interface. The secret areas are used for private keys
and other information that will never leave the key. Only the
microprocessor on the key is allowed to have access to the secret
information. However, the encrypted secret data is stored in the
external Serial EEPROM and can be located in the memory dump for
further analysis, if desired.

The demonstration tool, in the form of an application, has been
written for the Windows 98 platform. Source code and compiled
executable can be found at:
http://www.L0pht.com/advisories/heimlich.zip

Due to copyright restrictions, Aladdin's libraries and header
files are not included. For further development and experimentation,
obtain the eToken SDK from Aladdin.


<--- cut here --->

Heimlich: Aladdin eToken USB Key Data Extractor

kingpin@atstake.com
@Stake L0pht Research Labs
http://www.atstake.com

eToken found on Slot 5

tokenId = 00 00 00 00 00 00 a6 23
slotid = 5
isConfigured = 1
verMajor = 3
verMinor = 27
color = 0
fsSize = 8088
publicSize = 3796
privateSize = 2576
secretSize = 512
freePublicSize = 2784
freePrivateSize = 2446
freeSecretSize = 496
secretGranularity = 16
fat = 10
maxfat = 100
maxAdmin = 255
maxUser = 255

Attempting eToken User login with Default PIN...Success!

dir = 3f00
file = a000
file = 1234
file = 6666
dir = feed
dir = beef
file = beef
dir = dead
file = beef
dir = face

Heimlich maneuver complete. File system successfully exported.

<--- cut here --->


kingpin@atstake.com

[ For more advisories check out http://www.l0pht.com/advisories.html ]
L-ZERO-P-H-T
