@Stake Inc.
L0pht Research Labs
www.atstake.com
www.L0pht.com

Security Advisory

Advisory Name: eToken Private Information Extraction and Physical Attack
Release Date: May 4, 2000
Application: N/A
Platform: Aladdin eToken USB Key 3.3.3.x
Severity: An attacker can access all private information stored on the device without knowing the PIN number of the legitimate user.
Author: Kingpin [kingpin@atstake.com]
Vendor Status: Vendor contacted - response shown below
Web: http://www.L0pht.com/advisories.html

Overview:

Aladdin Knowledge Systems' (http://www.ealaddin.com) eToken is a portable USB (Universal Serial Bus) authentication device providing complete access control for digital assets. eToken stores private keys, passwords or electronic certificates in a hardware token the size of a house key.

The eToken makes use of two-factor authentication. Using the legitimate user's PIN number ("what you know") and the physical USB key ("what you have"), access to the public and private data within the key is granted.

The attack requires physical access to the device circuit board and allows all private information to be read from the device without knowing the PIN number of the legitimate user. By using any number of low-cost, industry-standard device programmers to modify the unprotected external memory, the User PIN can be changed back to a default PIN. This allows the attacker to log in to the eToken successfully and access all public and private data. A homebrew device programmer could be built for under $10, and commercial device programmers are available from a number of companies ranging in cost from $25 to $1000.

Users must be aware that the PIN number can be bypassed and should not trust the security of the token if it is not always directly in their possession. If a legitimate user loses their USB key, all data, including the private information, needs to be considered compromised.

The eToken device is also not tamper-evident. It is possible to open the device housing without evidence of tampering, allowing the attacker to gain physical access to the circuit board without the legitimate user's knowledge. Epoxy encapsulation and other tamper-hindering techniques should be employed in the manufacturing of such hardware devices.

Detailed Description:

The legitimate user's PIN can be reset back to the default PIN by simply copying a particular 8-byte string from one area of the unprotected external memory to another. If necessary, the legitimate user's original PIN can be copied back into the external memory after the attack, and no evidence of tampering will be apparent.

All data on the eToken USB key is stored in an external memory. The 8KB flavor of the eToken uses an Atmel 25640 SPI Serial EEPROM (http://www.atmel.com). Serial EEPROMs are extremely common in the engineering industry and require minimal circuitry to read and write. They are also notoriously insecure and often do not provide any type of security features. Due to the nature of Serial EEPROMs, it is possible to attach a device programmer to the part while it is still attached to the circuit board and read and write at will.

Our experiments were carried out using the Needham's Electronics EMP-30 (http://www.needhams.com), which costs $995, although a homebrew device programmer could be built with a handful of components for under $10. Other device programmers are available from a number of companies, ranging in cost from $25 to $1000.

A schematic of our findings can be found at:
http://www.L0pht.com/advisories/etoken_schematic.pdf

There are two PIN numbers associated with each eToken USB key, allowing either User or Administrator access. User access has complete control of the eToken file system, while Administrator is allowed to initialize the key but not to access private data. Both PINs, private data, and secret data are encrypted in some manner before being stored in the EEPROM.
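As an added example, not part of this advisory or of Aladdin's software: the Python below parses memory-dump lines in the format shown further down in this section and reports whether the User or Administrator PIN record (at $10 and $18) equals the default-PIN string (at $20), which tells an auditor examining a token image whether it sits in the default PIN state. The offsets and the two sample dumps are the advisory's; the parser and its function names are my own.

```python
import re
from typing import Dict

# Offsets of the three 8-byte PIN records named in the advisory.
USER_PIN_OFF = 0x10     # encrypted User PIN
ADMIN_PIN_OFF = 0x18    # encrypted Administrator PIN
DEFAULT_PIN_OFF = 0x20  # encrypted default PIN, unique to each token
PIN_LEN = 8

# One dump line: 8-digit hex offset, eight 16-bit hex words, then an ASCII
# column that is ignored. Banner, brace and blank lines simply do not match.
_LINE = re.compile(r"^\s*([0-9A-Fa-f]{8})((?:\s+[0-9A-Fa-f]{4}){8})")

def parse_dump(text: str) -> Dict[int, int]:
    """Map every byte offset present in the dump to its byte value."""
    mem: Dict[int, int] = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        base = int(m.group(1), 16)
        data = bytes.fromhex("".join(m.group(2).split()))
        for i, b in enumerate(data):
            mem[base + i] = b
    return mem

def record(mem: Dict[int, int], off: int) -> bytes:
    """Return the 8-byte record at off (KeyError if the dump lacks it)."""
    return bytes(mem[off + i] for i in range(PIN_LEN))

def pin_status(dump_text: str) -> Dict[str, bool]:
    """Flag each PIN whose record equals the default-PIN string, i.e. a
    token that is in, or has been reset to, its default PIN state."""
    mem = parse_dump(dump_text)
    default = record(mem, DEFAULT_PIN_OFF)
    return {
        "user_pin_is_default": record(mem, USER_PIN_OFF) == default,
        "admin_pin_is_default": record(mem, ADMIN_PIN_OFF) == default,
    }

# The two dumps quoted in the advisory (User PIN 66666666, Admin 87654321).
ORIGINAL_DUMP = """
00000010  7235 BAA8 5778 DE97 B7DD 9F01 121B 27A7  r5..Wx........'.
00000020  BE74 503B 3751 FA74 FFFF FFFF FFFF FFFF  .tP;7Q.t........
"""
MODIFIED_DUMP = """
00000010  BE74 503B 3751 FA74 B7DD 9F01 121B 27A7  .tP;7Q.t......'.
00000020  BE74 503B 3751 FA74 FFFF FFFF FFFF FFFF  .tP;7Q.t........
"""
```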
The public data is stored in plaintext and can be easily read by viewing the buffer of the Serial EEPROM.

The 8-byte strings which determine the User and Administrator PINs are stored at locations $10 and $18, respectively. By copying the 8-byte string stored at $20 into either of those areas, we return the PIN to its default state. The 8-byte string defining the encrypted version of the default PIN is unique for each eToken.

Initial memory dump, with User PIN set to 66666666 and Administrator PIN set to 87654321:

                User PIN             Admin PIN
          /-----------------\ /-----------------\
00000010  7235 BAA8 5778 DE97 B7DD 9F01 121B 27A7  r5..Wx........'.
00000020  BE74 503B 3751 FA74 FFFF FFFF FFFF FFFF  .tP;7Q.t........
          \-----------------/
          Default PIN string

Memory dump, after modification, with the User PIN now set to the default:

00000010  BE74 503B 3751 FA74 B7DD 9F01 121B 27A7  .tP;7Q.t......'.
00000020  BE74 503B 3751 FA74 FFFF FFFF FFFF FFFF  .tP;7Q.t........

Once the modified buffer is programmed back into the Serial EEPROM, the attacker can log in to the eToken using the default PIN and make use of the legitimate user's credentials. Our proof-of-concept tool demonstrates quick extraction of all private, public, and configuration data from the key.

The default PIN is 0xFFFFFFFFFFFFFFFF, which is 8 bytes of 0xFF, a non-printable character. To enter the default PIN on a Windows platform, hold the "Alt" key while typing "0255". Release the "Alt" key between characters. Repeat this 8 times. This sequence will enter a 0xFF character into the dialog box.

The physical housing of the eToken consists of a two-piece plastic design. A combination of glue and two mechanical features hold the unit together. The mechanical features aren't externally visible, so if they are broken during disassembly, it won't be evident.
Access to the circuit board can be obtained by heating the device with a heat gun or hair dryer and carefully prying the two pieces apart using an X-acto knife and a small screwdriver blade. When the attack is complete, crazy glue can be used to close the device without visible evidence of tampering.

Pictures of the step-by-step operation can be found at:
http://www.L0pht.com/advisories/etoken_images.html

Temporary Solution:

The quick solution, although it does not remedy the core problem, is to be very aware of the physical security and location of the key at all times. The owner of the key should not, for any reason, leave the key unattended or loan it to a colleague. If the key is unattended for any amount of time, the data could have been compromised by bypassing the PIN with the methods described in this advisory.

A number of features could be added to the manufacturing process of the eToken to aid in tamper prevention. Because there is no reason for the circuitry to be accessed after key manufacture, encapsulating the ICs with epoxy or other material will prevent the easy manipulation that is currently possible. Enhancing the physical housing design to be tamper-evident and more difficult to open will also prevent an attacker from easily accessing the device internals without detection. These methods should be considered by all hardware vendors, since they help to raise the bar against common physical attacks.

Vendor Response:

Aladdin promptly acknowledged the security problems associated with the eToken as mentioned in this advisory. They informed us that version 3.3.3.x of their eToken is a demo and "proof-of-concept" product.

We were unable to find any reference to version 3.3.3.x being a beta or demonstration product in any documentation. Additionally, we were unable to find this information on their web page or in the development kit. Conversations with an Aladdin sales associate led us to believe we were experimenting and developing with a fully-released and fully-functional product.

Based on the following reasons, we felt it necessary to continue with the release of the advisory:

1) The product has been available for 2 years,
2) We were unable to find reference to it being a "proof-of-concept" tool,
3) It has been shipped in large quantities to commercial organizations.

Press releases involving the eToken can be found at:
http://www.ealaddin.com/news/1999/etoken/index.asp
and
http://www.ealaddin.com/news/2000/etoken/index.asp

We do not know whether the production version (2.3.4.x), known as eToken R2, will also be considered a demo product or whether it will address the problems mentioned herein. eToken R2 has not yet been released.

Proof-of-Concept Code:

The proof-of-concept tool, known as "Heimlich", makes use of the PC/SC support of the eToken to perform the following functions:

1) Search USB ports for eToken
2) Retrieve and display configuration data for the inserted key
3) Login as User using the default PIN of 0xFFFFFFFFFFFFFFFF
4) Retrieve all public and private data and export the directory hierarchy to DOS

The tool expects that the eToken User PIN has been reset to the default state, as described in this advisory. If the User PIN is not set to default, login to the eToken will be denied.

The secret data areas are write-only and cannot be extracted using the PC/SC interface. The secret areas are used for private keys and other information that will never leave the key. Only the microprocessor on the key is allowed to have access to the secret information. However, the encrypted secret data is stored in the external Serial EEPROM and can be located in the memory dump for further analysis, if desired.

The demonstration tool, in the form of an application, has been written for the Windows 98 platform. Source code and compiled executable can be found at:
http://www.L0pht.com/advisories/heimlich.zip

Due to copyright restrictions, Aladdin's libraries and header files are not included. For further development and experimentation, obtain the eToken SDK from Aladdin.

<--- cut here --->

Heimlich: Aladdin eToken USB Key Data Extractor
kingpin@atstake.com
@Stake L0pht Research Labs
http://www.atstake.com

eToken found on Slot 5

tokenId = 00 00 00 00 00 00 a6 23
slotid = 5
isConfigured = 1
verMajor = 3
verMinor = 27
color = 0
fsSize = 8088
publicSize = 3796
privateSize = 2576
secretSize = 512
freePublicSize = 2784
freePrivateSize = 2446
freeSecretSize = 496
secretGranularity = 16
fat = 10
maxfat = 100
maxAdmin = 255
maxUser = 255

Attempting eToken User login with Default PIN...Success!

dir = 3f00
file = a000
file = 1234
file = 6666
dir = feed
dir = beef
file = beef
dir = dead
file = beef
dir = face

Heimlich maneuver complete. File system successfully exported.

<--- cut here --->

kingpin@atstake.com

[ For more advisories check out http://www.l0pht.com/advisories.html ]

L-ZERO-P-H-T