@Stake Inc.
                          L0pht Research Labs
                    www.atstake.com     www.L0pht.com


                           Security Advisory


        Advisory Name: iKey 1000 Administrator Access and Data Compromise
         Release Date: July 20, 2000
          Application: N/A
             Platform: Rainbow Technologies' iKey 1000
             Severity: An attacker can login as administrator and
                       access all private information stored on
                       the device with no detection by the
                       legitimate user.
               Author: Kingpin [kingpin@atstake.com]
         Contributors: Brian Carrier [bcarrier@atstake.com]
                       DilDog [dildog@atstake.com]
        Vendor Status: Vendor contacted - response shown below
                  Web: http://www.L0pht.com/advisories.html


Overview:

  Rainbow Technologies' iKey 1000 (http://ikey.rainbow.com) is a
portable USB (Universal Serial Bus) smartcard-like device providing
authentication and digital storage of passwords, cryptographic keys,
credentials, or other data. Using the legitimate user's PIN number and the
physical USB key, access to the public and private data within the key will
be granted. The iKey also allows administrator access using the MKEY
(Master Key) password. Administrator access to the iKey, normally used for
initialization and configuration, will allow all private information stored
on the key to be accessed.

  This attack requires physical access to the device circuit board,
which can be gained in under 30 seconds with no special tools and leaving
no proof of attack. The tamper-proofing features in the device can be
bypassed, making the device open to attack. The MKEY value is encoded and
stored in memory as described in this advisory. By using any number of
low-cost, industry-standard device programmers, the MKEY value can be
changed to a user-defined value. This will allow the attacker to login to
the iKey with administrator priviledges and access all public and private
data. A homebrew device programmer can be built for under $10. The whole
attack, as described in this advisory, can be completed in less than 2
minutes.

  Users must be aware that administrator access can easily be gained
and should not trust the security of the token if it is not always directly
in their possession. If a legitimate user loses their USB key, all data,
including the private information, needs to be considered to have been
potentially compromised and the credentials stored on the key should be
treated appropriately.


Detailed Description:

  The MKEY is an administrative password that must be known by the
trusted person or program that will initialize and configure the iKey. The
MKEY password is an ASCII string up to 256 characters in length. The
default factory setting is "rainbow". The ASCII string is MD5-hashed
(RFC-1321), encoded, and stored into external memory. All data is stored on
a Microchip 24LC64 Serial EEPROM.

  Only the upper 8-bytes of the MD5 hash, hereby referred to the
'hashed MKEY', are encoded and stored into the external memory with the
scheme described in this advisory. The resultant 8-byte obfuscated value
stored in the memory is hereby referred to as the 'obfuscated MKEY'.


                       MD5                encode
        MKEY password -----> hashed MKEY --------> obfuscated MKEY

Default:  "rainbow"       0xCD13B6A6AF66FB77      0xD2DDB960B0D0F499


  All PC applications that use the iKey will generate the hashed MKEY
locally before sending it to the iKey device to login. The Rainbow API
requires only the 8-byte hashed MKEY, not the MKEY password that created
it, in order to login to the iKey device. Administrator access to the iKey
can be gained in two ways:

        1) Determine the hashed MKEY from the obfuscated MKEY
           which is stored in the external memory.

        2) Encode a new obfuscated MKEY using a new MKEY password
           string and store it in the external memory.

  Rainbow's encoding scheme was determined by setting the hashed MKEY
to a known value and observing the resultant obfuscated MKEY, which is
located at address 0x8. After several iterations, it was evident that the
scheme is a series of XORs and additions.


                                     Byte # 1 2  3 4  5 6  7 8
     a) Hashed MKEY value, md5("rainbow") = CD13 B6A6 AF66 FB77
     b) Obfuscated MKEY value in EEPROM   = D2DD B960 B0D0 F499

         b_1 = a_1 XOR 0x1F
         b_2 = a_2 XOR (a_1 + 0x01)
         b_3 = a_3 XOR 0x0F
         b_4 = a_4 XOR (a_3 + 0x10)
         b_5 = a_5 XOR 0x1F
         b_6 = a_6 XOR (a_5 + 0x07)
         b_7 = a_7 XOR 0x0F
         b_8 = a_8 XOR (a_7 + 0xF3)

Example: 0xD2 = 0xCD XOR 0x1F
         0xDD = 0x13 XOR (0xCD + 0x01)
         0xB9 = 0xB6 XOR 0x0F
         0x60 = 0xA6 XOR (0xB6 + 0x10)
         0xB0 = 0xAF XOR 0x1F
         0xD0 = 0x66 XOR (0xAF + 0x07)
         0xF4 = 0xFB XOR 0x0F
         0x99 = 0x77 XOR (0xFB + 0xF3)


  Setting the hashed MKEY to 0x0000000000000000 gave the necessary
information to determine the encoding scheme. Bytes 1, 3, 5, and 7 are
simply XORs with constant values and bytes 2, 4, 6, and 8 are XORs with
constant values added to bytes of the hashed MKEY as described above.


                                   Byte # 1 2  3 4  5 6  7 8
     a) Hashed MKEY value               = 0000 0000 0000 0000
     b) Obfuscated MKEY value in EEPROM = 1F01 0F10 1F07 0FF3


  In order to read and write to the external Serial EEPROM, physical
access to the component is needed. The iKey 1000 has an epoxy conformal
coating over all of the IC's on the circuit board, including the Serial
EEPROM. Physically removing the coating will be evident, but could be done
by prying and scraping with a knife or using chemicals to dissolve the
glue. The version of the iKey 1000 that we looked at has 8KB of external
memory, but the printed circuit board allows for an expansion to 128KB.
Because of this, there is an unpopulated area for the memory, located on
the back of the circuit board. We make use of this unpopulated area to
access the "protected" Serial EEPROM.

  The Microchip 24LC64 Serial EEPROM uses the I2C bus protocol to
transfer data to the host. The PCB design of the iKey allows one to access
the power, ground, clock, and data lines of the I2C bus by attaching probes
or soldering small leads to the unpopulated memory footprint. Due to the
nature of the I2C bus, which allows multiple devices to use common clock
and data lines, one has access to the critical connections of the external
Serial EEPROM which is covered by the conformal coating. To read the
contents of the "protected" Serial EEPROM, one simply needs to attach the
leads to a device programmer. While attaching probes to the memory is more
difficult when the tamper-proofing features are correctly implemented,
there is a clean avenue of communications available over the I2C bus, which
is free of any preventative measures in this case.

  Serial EEPROMs are extremely common in the engineering industry and
require minimal circuitry to read and write to. They are also notoriously
insecure and as such often do not provide any type of security features.
Thus, it is possible to attach a device programmer to the device, while it
is still attached to the circuit board, and read and write at will. Given
these known weaknesses, it would behoove vendors to take steps in properly
restricting access to them when employed in security-related devices.

  Our experiments were carried out using the Needham's Electronics
EMP-30 which costs $995, although a homebrew device programmer can be built
with a handful of components for under $10. Other device programmers are
available from a number of companies, ranging in cost from $25 to $1000.

  Once the obfuscated MKEY has been changed to a known value or the
hashed MKEY has been determined, the attacker can login as administrator to
the iKey device without knowing the legitimate user's credentials.


Temporary Solution:

  The quick solution, although it does not remedy the core problem,
is to be very aware of the physical security and location of the key at all
times. The owner of the key should not leave the key unattended or loan it
to a potentially untrustworthy colleague. If the key is unattended for any
amount of time, the data could possibly have been compromised with the
methods described in this advisory.

  Developers of such products should consider the following features
for design and manufacture to aid in preventing common attacks:

        1) Non-standard or hard-to-probe package types for
           integrated circuits, such as ball-grid-array (BGA) or
           silicon die wire-bonded to the PCB help deter the casual
           attacker, since the pins of the IC are either hidden or
           hard-to-access.

        2) Unpopulated component areas on the PCB should be covered
           in epoxy or removed to prevent probing.

        3) Use of microprocessors with non-volatile memory storage
           within the device. This will deter the casual attacker
           by requiring advanced techniques, such as delidding and
           microscopic inspection of the IC die, to determine the
           data stored in the memory.


Vendor Response:

  Rainbow Technologies was extremely responsive to our advisory
submission and acknowledged the security vulnerabilities with the iKey
1000. They responded quickly and professionally. More importantly, they
used this as an opportunity to learn and improve upon their product based
partly on the information in this advisory. This is a stance we encourage
other vendors to engage in.

  Their press release, issued in response to this advisory, can be
found at:

  http://www.rainbow.com/invest/pr000720.html


Proof-of-Concept Code:
  
  The proof-of-concept tool, "iSpy", performs the following
functions:

       1) Retrieve and display configuration data for the inserted iKey
       2) Convert obfuscated MKEY back into hashed MKEY
       3) Login as Administrator using hashed MKEY
       4) Retrieve all public and private data and export the directory
          hierarchy to DOS

  The tool expects the 8-byte obfuscated MKEY on the command-line,
which is obtained from reading the external Serial EEPROM as described in
this advisory. An example of the iSpy console output is shown below.

  The demonstration tool source code and compiled executable for
Windows 9x/NT platforms can be found at:

  http://www.L0pht.com/advisories/ispy.zip

  Due to copyright restrictions, Rainbow Technologies' libraries and
header files are not included. For further development and experimentation,
the iKey 1000 PowerTools SDK are available from Rainbow's web page
(http://www.rainbow.com/tech/ikey/index.html).


<--- cut here --->

C:\>ispy D2DDB960B0D0F499

kingpin@atstake.com
@Stake L0pht Research Labs
June 2000

OpenDevice: SUCCESS

Magic = 5242544B
DeviceHandle = 80
ClientHandle = 205408
Flags = 20000000
library_version = 2
driver_version = 256
ver_major = 0
ver_minor = 7
prod_code = 54
config = 0
header_size = 8
modulus_size = 0
mem_size = 8168 (bytes)
capabilities = 11
SerialNumber = 0123466A00000249
CheckSum = FAD1
HwInfo = FFFF
MaxPinRetries = 5
CurPinCounter = 5
CreateAccess = 0
DeleteAccess = 0

Obfuscated MKEY = D2 DD B9 60 B0 D0 F4 99   [...`....]
Actual MKEY     = CD 13 B6 A6 AF 66 FB 77   [.....f.w]

Attempting iKey Administrator login...

VerifyMasterKey: SUCCESS

dir  = 00000000
file = 00000001
dir  = 000000C1
file = 000000C1
file = 0000BEEF
dir  = 0000FEED

iSpy manuever complete. File system successfully exported.

<--- cut here --->


kingpin@atstake.com

  [ For more advisories check out http://www.l0pht.com/advisories.html ]
                                         L-ZERO-P-H-T