COMMAND

    iKey

SYSTEMS AFFECTED

    Rainbow Technologies' iKey 1000

PROBLEM

    Following is based on a  L0pht Research Labs Advisory by  Kingpin.
    Rainbow  Technologies'  iKey  1000  is  a  portable USB (Universal
    Serial  Bus)  smartcard-like  device  providing authentication and
    digital storage of passwords, cryptographic keys, credentials,  or
    other  data.   Using  the  legitimate  user's  PIN  number and the
    physical USB  key, access  to the  public and  private data within
    the  key  will  be  granted.   The  iKey also allows administrator
    access using the MKEY (Master Key) password.  Administrator access
    to the iKey, normally  used for initialization and  configuration,
    will  allow  all  private  information  stored  on  the  key to be
    accessed.

    This attack requires physical access to the device circuit  board,
    which can be gained in under 30 seconds with no special tools  and
    leaving no proof of attack.   The tamper-proofing features in  the
    device can  be bypassed,  making the  device open  to attack.  The
    MKEY value is  encoded and stored  in memory as  described in this
    advisory.   By  using  any  number  of low-cost, industry-standard
    device  programmers,  the   MKEY  value  can   be  changed  to   a
    user-defined value.  This will allow the attacker to log in to the
    iKey  with  administrator  privileges  and  access  all public and
    private  data.   A  homebrew  device  programmer  can be built for
    under $10.  The whole  attack, as described in this  advisory, can
    be completed in less than 2 minutes.

    Users must be aware that administrator access can easily be gained
    and should not trust the security of the token if it is not always
    directly in their  possession.  If  a legitimate user  loses their
    USB key, all data, including the private information, needs to  be
    considered  to   have  been   potentially  compromised   and   the
    credentials stored on the key should be treated appropriately.

    The MKEY is an administrative  password that must be known  by the
    trusted person or program  that will initialize and  configure the
    iKey.  The MKEY password is  an ASCII string up to 256  characters
    in length.  The default  factory setting is "rainbow".   The ASCII
    string is MD5-hashed (RFC-1321), encoded, and stored into external
    memory.  All data is stored on a Microchip 24LC64 Serial EEPROM.

    Only the upper 8 bytes of the MD5 hash, hereafter referred to as
    the 'hashed MKEY', are encoded and stored into the external memory
    with the scheme described in this advisory.  The resultant  8-byte
    obfuscated value stored in the memory is hereafter referred to  as
    the 'obfuscated MKEY'.

                               MD5                encode
                MKEY password -----> hashed MKEY --------> obfuscated MKEY
        
        Default:  "rainbow"       0xCD13B6A6AF66FB77      0xD2DDB960B0D0F499

    All PC  applications that  use the  iKey will  generate the hashed
    MKEY locally before sending it to  the iKey device to login.   The
    Rainbow API  requires only  the 8-byte  hashed MKEY,  not the MKEY
    password that created  it, in order  to login to  the iKey device.
    Administrator access to the iKey can be gained in two ways:

      1) Determine the hashed MKEY  from the obfuscated MKEY which  is
         stored in the external memory.
      2) Encode a new obfuscated MKEY using a new MKEY password string
         and store it in the external memory.

    Rainbow's encoding  scheme was  determined by  setting the  hashed
    MKEY to a known value and observing the resultant obfuscated MKEY,
    which is located at address 0x8. After several iterations, it  was
    evident that the scheme is a series of XORs and additions.

                                             Byte # 1 2  3 4  5 6  7 8
             a) Hashed MKEY value, md5("rainbow") = CD13 B6A6 AF66 FB77
             b) Obfuscated MKEY value in EEPROM   = D2DD B960 B0D0 F499
        
                 b_1 = a_1 XOR 0x1F
                 b_2 = a_2 XOR (a_1 + 0x01)
                 b_3 = a_3 XOR 0x0F
                 b_4 = a_4 XOR (a_3 + 0x10)
                 b_5 = a_5 XOR 0x1F
                 b_6 = a_6 XOR (a_5 + 0x07)
                 b_7 = a_7 XOR 0x0F
                 b_8 = a_8 XOR (a_7 + 0xF3)
        
        Example: 0xD2 = 0xCD XOR 0x1F
                 0xDD = 0x13 XOR (0xCD + 0x01)
                 0xB9 = 0xB6 XOR 0x0F
                 0x60 = 0xA6 XOR (0xB6 + 0x10)
                 0xB0 = 0xAF XOR 0x1F
                 0xD0 = 0x66 XOR (0xAF + 0x07)
                 0xF4 = 0xFB XOR 0x0F
                 0x99 = 0x77 XOR (0xFB + 0xF3)

    Setting the hashed MKEY  to 0x0000000000000000 gave the  necessary
    information to determine the encoding scheme.  Bytes 1, 3, 5,  and
    7 are simply XORs  with constant values and  bytes 2, 4, 6,  and 8
    are XORs with  constant values added  to bytes of  the hashed MKEY
    as described above.

                                           Byte # 1 2  3 4  5 6  7 8
             a) Hashed MKEY value               = 0000 0000 0000 0000
             b) Obfuscated MKEY value in EEPROM = 1F01 0F10 1F07 0FF3
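
    The encoding above, written out as an added example (not the iSpy
    source and not Rainbow's code; function and constant names are
    hypothetical).  It shows that the transform uses only fixed public
    constants, so it is invertible without any secret, and it includes
    a check for the factory-default value in a constructed EEPROM dump.

```python
# Added illustration of the advisory's encoding scheme (not the iSpy source).
# Function and constant names are hypothetical.

# One tuple per byte pair, taken from the advisory's equations:
# (XOR constant for the odd byte, value added to the odd hashed byte).
PAIR_CONSTANTS = [(0x1F, 0x01), (0x0F, 0x10), (0x1F, 0x07), (0x0F, 0xF3)]
MKEY_ADDR = 0x08  # EEPROM address of the obfuscated MKEY, per the advisory
DEFAULT_OBFUSCATED = bytes.fromhex("D2DDB960B0D0F499")  # default "rainbow"


def encode(hashed: bytes) -> bytes:
    """hashed MKEY (8 bytes) -> obfuscated MKEY as stored in the EEPROM."""
    if len(hashed) != 8:
        raise ValueError("hashed MKEY must be 8 bytes")
    out = bytearray()
    for i, (xor_c, add_c) in enumerate(PAIR_CONSTANTS):
        odd, even = hashed[2 * i], hashed[2 * i + 1]
        out.append(odd ^ xor_c)
        out.append(even ^ ((odd + add_c) & 0xFF))  # addition wraps at 8 bits
    return bytes(out)


def decode(obfuscated: bytes) -> bytes:
    """Inverse of encode(); needs only the public constants, no secret."""
    if len(obfuscated) != 8:
        raise ValueError("obfuscated MKEY must be 8 bytes")
    out = bytearray()
    for i, (xor_c, add_c) in enumerate(PAIR_CONSTANTS):
        odd = obfuscated[2 * i] ^ xor_c  # recover the odd byte first
        out.append(odd)
        out.append(obfuscated[2 * i + 1] ^ ((odd + add_c) & 0xFF))
    return bytes(out)


def uses_factory_default(eeprom: bytes) -> bool:
    """True if a dump still holds the obfuscated default MKEY at 0x8."""
    return eeprom[MKEY_ADDR:MKEY_ADDR + 8] == DEFAULT_OBFUSCATED


if __name__ == "__main__":
    # Both test vectors printed in the advisory.
    print(encode(bytes.fromhex("CD13B6A6AF66FB77")).hex().upper())
    print(encode(bytes(8)).hex().upper())
    # Constructed sample dump: zero header, default MKEY, zero padding.
    dump = bytes(MKEY_ADDR) + DEFAULT_OBFUSCATED + bytes(16)
    print(uses_factory_default(dump))
```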

    In order to read and write to the external Serial EEPROM, physical
    access to the  component is needed.   The iKey 1000  has an  epoxy
    conformal  coating  over  all  of  the  ICs  on the circuit board,
    including the Serial EEPROM.  Physically removing the coating will
    be evident, but could be done by prying and scraping with a  knife
    or using chemicals to dissolve the glue.  The version of the  iKey
    1000 that we looked at has 8KB of external memory, but the printed
    circuit board allows for an expansion to 128KB.  Because of  this,
    there is an unpopulated area  for the memory, located on  the back
    of the circuit  board.  We  make use of  this unpopulated area  to
    access the "protected" Serial EEPROM.

    The Microchip 24LC64  Serial EEPROM uses  the I2C bus  protocol to
    transfer data to the host.  The PCB design of the iKey allows  one
    to access the power, ground, clock, and data lines of the I2C  bus
    by attaching probes  or soldering small  leads to the  unpopulated
    memory footprint.  Due to the nature of the I2C bus, which  allows
    multiple  devices  to  use  common  clock  and data lines, one has
    access to the critical  connections of the external  Serial EEPROM
    which is covered by the  conformal coating.  To read  the contents
    of the "protected" Serial EEPROM,  one simply needs to attach  the
    leads  to  a  device  programmer.   While  attaching probes to the
    memory is  more difficult  when the  tamper-proofing features  are
    correctly implemented, there is  a clean avenue of  communications
    available over  the I2C  bus, which  is free  of any  preventative
    measures in this case.

    Serial EEPROMs  are extremely  common in  the engineering industry
    and require minimal circuitry to read and write to.  They are also
    notoriously insecure and as such often do not provide any type  of
    security  features.   Thus,  it  is  possible  to  attach a device
    programmer  to  the  device,  while  it  is  still attached to the
    circuit  board,  and  read  and  write  at will. Given these known
    weaknesses, it  would behoove  vendors to  take steps  in properly
    restricting  access  to  them  when  employed  in security-related
    devices.

    Our experiments were carried  out using the Needham's  Electronics
    EMP-30 which  costs $995,  although a  homebrew device  programmer
    can be built with  a handful of components  for under $10.   Other
    device  programmers  are  available  from  a  number of companies,
    ranging in cost from $25 to $1000.

    Once the obfuscated MKEY has been changed to a known value or  the
    hashed  MKEY  has  been  determined,  the  attacker  can log in as
    administrator to  the iKey  device without  knowing the legitimate
    user's credentials.

    The  proof-of-concept   tool,  "iSpy",   performs  the   following
    functions:

      1) Retrieve and display configuration data for the inserted iKey
      2) Convert obfuscated MKEY back into hashed MKEY
      3) Login as Administrator using hashed MKEY
      4) Retrieve all public and private data and export the directory
         hierarchy to DOS

    The tool expects the  8-byte obfuscated MKEY on  the command-line,
    which  is  obtained  from  reading  the  external Serial EEPROM as
    described in this advisory.  An example of the iSpy console output
    is shown below.

    The demonstration  tool source  code and  compiled executable  for
    Windows 9x/NT platforms can be found at:

        http://www.L0pht.com/advisories/ispy.zip

    Due to copyright restrictions, Rainbow Technologies' libraries and
    header  files  are  not  included.   For  further  development and
    experimentation, the iKey 1000  PowerTools SDK is  available  from
    Rainbow's web page (http://www.rainbow.com/tech/ikey/index.html).

    C:\>ispy D2DDB960B0D0F499
    
    kingpin@atstake.com
    @Stake L0pht Research Labs
    June 2000
    
    OpenDevice: SUCCESS
    
    Magic = 5242544B
    DeviceHandle = 80
    ClientHandle = 205408
    Flags = 20000000
    library_version = 2
    driver_version = 256
    ver_major = 0
    ver_minor = 7
    prod_code = 54
    config = 0
    header_size = 8
    modulus_size = 0
    mem_size = 8168 (bytes)
    capabilities = 11
    SerialNumber = 0123466A00000249
    CheckSum = FAD1
    HwInfo = FFFF
    MaxPinRetries = 5
    CurPinCounter = 5
    CreateAccess = 0
    DeleteAccess = 0
    
    Obfuscated MKEY = D2 DD B9 60 B0 D0 F4 99   [...`....]
    Actual MKEY     = CD 13 B6 A6 AF 66 FB 77   [.....f.w]
    
    Attempting iKey Administrator login...
    
    VerifyMasterKey: SUCCESS
    
    dir  = 00000000
    file = 00000001
    dir  = 000000C1
    file = 000000C1
    file = 0000BEEF
    dir  = 0000FEED
    
    iSpy manuever complete. File system successfully exported.

SOLUTION

    The quick solution, although it does not remedy the core  problem,
    is to be very aware of  the physical security and location of  the
    key at all times.  The owner  of the key should not leave the  key
    unattended or  loan it  to a  potentially untrustworthy colleague.
    If the key is  unattended for any amount  of time, the data  could
    possibly have been compromised with the methods described in  this
    advisory.

    Developers of such products should consider the following features
    for design and manufacture to aid in preventing common attacks:

      1) Non-standard  or hard-to-probe  package types  for integrated
         circuits,  such  as  ball-grid-array  (BGA)  or  silicon  die
         wire-bonded to the PCB help deter the casual attacker,  since
         the pins of the IC are either hidden or hard-to-access.

      2) Unpopulated component areas on  the PCB should be covered  in
         epoxy or removed to prevent probing.

      3) Use of microprocessors with non-volatile memory storage within
         the device.  This will deter the casual attacker by requiring
         advanced  techniques,  such  as  delidding  and   microscopic
         inspection of the IC die, to determine the data stored in the
         memory.

    Rainbow Technologies was extremely responsive to the L0pht advisory
    submission and acknowledged the security vulnerabilities in the
    iKey 1000.  They responded quickly and professionally.  More
    importantly, they used this as an opportunity to learn and improve
    upon their product based partly on the information in this
    advisory.  This is a stance we encourage other vendors to adopt.
    Their press release, issued in response to the advisory, can be
    found at:

        http://www.rainbow.com/invest/pr000720.html