COMMAND
iKey
SYSTEMS AFFECTED
Rainbow Technologies' iKey 1000
PROBLEM
Following is based on a L0pht Research Labs Advisory by Kingpin.
Rainbow Technologies' iKey 1000 is a portable USB (Universal
Serial Bus) smartcard-like device providing authentication and
digital storage of passwords, cryptographic keys, credentials, or
other data. Using the legitimate user's PIN number and the
physical USB key, access to the public and private data within
the key will be granted. The iKey also allows administrator
access using the MKEY (Master Key) password. Administrator access
to the iKey, normally used for initialization and configuration,
will allow all private information stored on the key to be
accessed.
This attack requires physical access to the device circuit board,
which can be gained in under 30 seconds with no special tools and
leaving no proof of attack. The tamper-proofing features in the
device can be bypassed, making the device open to attack. The
MKEY value is encoded and stored in memory as described in this
advisory. By using any number of low-cost, industry-standard
device programmers, the MKEY value can be changed to a
user-defined value. This will allow the attacker to login to the
iKey with administrator priviledges and access all public and
private data. A homebrew device programmer can be built for
under $10. The whole attack, as described in this advisory, can
be completed in less than 2 minutes.
Users must be aware that administrator access can easily be gained
and should not trust the security of the token if it is not always
directly in their possession. If a legitimate user loses their
USB key, all data, including the private information, needs to be
considered to have been potentially compromised and the
credentials stored on the key should be treated appropriately.
The MKEY is an administrative password that must be known by the
trusted person or program that will initialize and configure the
iKey. The MKEY password is an ASCII string up to 256 characters
in length. The default factory setting is "rainbow". The ASCII
string is MD5-hashed (RFC-1321), encoded, and stored into external
memory. All data is stored on a Microchip 24LC64 Serial EEPROM.
Only the upper 8-bytes of the MD5 hash, hereby referred to the
'hashed MKEY', are encoded and stored into the external memory
with the scheme described in this advisory. The resultant 8-byte
obfuscated value stored in the memory is hereby referred to as the
'obfuscated MKEY'.
MD5 encode
MKEY password -----> hashed MKEY --------> obfuscated MKEY
Default: "rainbow" 0xCD13B6A6AF66FB77 0xD2DDB960B0D0F499
All PC applications that use the iKey will generate the hashed
MKEY locally before sending it to the iKey device to login. The
Rainbow API requires only the 8-byte hashed MKEY, not the MKEY
password that created it, in order to login to the iKey device.
Administrator access to the iKey can be gained in two ways:
1) Determine the hashed MKEY from the obfuscated MKEY which is
stored in the external memory.
2) Encode a new obfuscated MKEY using a new MKEY password string
and store it in the external memory.
Rainbow's encoding scheme was determined by setting the hashed
MKEY to a known value and observing the resultant obfuscated MKEY,
which is located at address 0x8. After several iterations, it was
evident that the scheme is a series of XORs and additions.
Byte # 1 2 3 4 5 6 7 8
a) Hashed MKEY value, md5("rainbow") = CD13 B6A6 AF66 FB77
b) Obfuscated MKEY value in EEPROM = D2DD B960 B0D0 F499
b_1 = a_1 XOR 0x1F
b_2 = a_2 XOR (a_1 + 0x01)
b_3 = a_3 XOR 0x0F
b_4 = a_4 XOR (a_3 + 0x10)
b_5 = a_5 XOR 0x1F
b_6 = a_6 XOR (a_5 + 0x07)
b_7 = a_7 XOR 0x0F
b_8 = a_8 XOR (a_7 + 0xF3)
Example: 0xD2 = 0xCD XOR 0x1F
0xDD = 0x13 XOR (0xCD + 0x01)
0xB9 = 0xB6 XOR 0x0F
0x60 = 0xA6 XOR (0xB6 + 0x10)
0xB0 = 0xAF XOR 0x1F
0xD0 = 0x66 XOR (0xAF + 0x07)
0xF4 = 0xFB XOR 0x0F
0x99 = 0x77 XOR (0xFB + 0xF3)
Setting the hashed MKEY to 0x0000000000000000 gave the necessary
information to determine the encoding scheme. Bytes 1, 3, 5, and
7 are simply XORs with constant values and bytes 2, 4, 6, and 8
are XORs with constant values added to bytes of the hashed MKEY
as described above.
Byte # 1 2 3 4 5 6 7 8
a) Hashed MKEY value = 0000 0000 0000 0000
b) Obfuscated MKEY value in EEPROM = 1F01 0F10 1F07 0FF3
In order to read and write to the external Serial EEPROM, physical
access to the component is needed. The iKey 1000 has an epoxy
conformal coating over all of the IC's on the circuit board,
including the Serial EEPROM. Physically removing the coating will
be evident, but could be done by prying and scraping with a knife
or using chemicals to dissolve the glue. The version of the iKey
1000 that we looked at has 8KB of external memory, but the printed
circuit board allows for an expansion to 128KB. Because of this,
there is an unpopulated area for the memory, located on the back
of the circuit board. We make use of this unpopulated area to
access the "protected" Serial EEPROM.
The Microchip 24LC64 Serial EEPROM uses the I2C bus protocol to
transfer data to the host. The PCB design of the iKey allows one
to access the power, ground, clock, and data lines of the I2C bus
by attaching probes or soldering small leads to the unpopulated
memory footprint. Due to the nature of the I2C bus, which allows
multiple devices to use common clock and data lines, one has
access to the critical connections of the external Serial EEPROM
which is covered by the conformal coating. To read the contents
of the "protected" Serial EEPROM, one simply needs to attach the
leads to a device programmer. While attaching probes to the
memory is more difficult when the tamper-proofing features are
correctly implemented, there is a clean avenue of communications
available over the I2C bus, which is free of any preventative
measures in this case.
Serial EEPROMs are extremely common in the engineering industry
and require minimal circuitry to read and write to. They are also
notoriously insecure and as such often do not provide any type of
security features. Thus, it is possible to attach a device
programmer to the device, while it is still attached to the
circuit board, and read and write at will. Given these known
weaknesses, it would behoove vendors to take steps in properly
restricting access to them when employed in security-related
devices.
Our experiments were carried out using the Needham's Electronics
EMP-30 which costs $995, although a homebrew device programmer
can be built with a handful of components for under $10. Other
device programmers are available from a number of companies,
ranging in cost from $25 to $1000.
Once the obfuscated MKEY has been changed to a known value or the
hashed MKEY has been determined, the attacker can login as
administrator to the iKey device without knowing the legitimate
user's credentials.
The proof-of-concept tool, "iSpy", performs the following
functions:
1) Retrieve and display configuration data for the inserted iKey
2) Convert obfuscated MKEY back into hashed MKEY
3) Login as Administrator using hashed MKEY
4) Retrieve all public and private data and export the directory
hierarchy to DOS
The tool expects the 8-byte obfuscated MKEY on the command-line,
which is obtained from reading the external Serial EEPROM as
described in this advisory. An example of the iSpy console output
is shown below.
The demonstration tool source code and compiled executable for
Windows 9x/NT platforms can be found at:
http://www.L0pht.com/advisories/ispy.zip
Due to copyright restrictions, Rainbow Technologies' libraries and
header files are not included. For further development and
experimentation, the iKey 1000 PowerTools SDK are available from
Rainbow's web page (http://www.rainbow.com/tech/ikey/index.html).
C:\>ispy D2DDB960B0D0F499
kingpin@atstake.com
@Stake L0pht Research Labs
June 2000
OpenDevice: SUCCESS
Magic = 5242544B
DeviceHandle = 80
ClientHandle = 205408
Flags = 20000000
library_version = 2
driver_version = 256
ver_major = 0
ver_minor = 7
prod_code = 54
config = 0
header_size = 8
modulus_size = 0
mem_size = 8168 (bytes)
capabilities = 11
SerialNumber = 0123466A00000249
CheckSum = FAD1
HwInfo = FFFF
MaxPinRetries = 5
CurPinCounter = 5
CreateAccess = 0
DeleteAccess = 0
Obfuscated MKEY = D2 DD B9 60 B0 D0 F4 99 [...`....]
Actual MKEY = CD 13 B6 A6 AF 66 FB 77 [.....f.w]
Attempting iKey Administrator login...
VerifyMasterKey: SUCCESS
dir = 00000000
file = 00000001
dir = 000000C1
file = 000000C1
file = 0000BEEF
dir = 0000FEED
iSpy manuever complete. File system successfully exported.
SOLUTION
The quick solution, although it does not remedy the core problem,
is to be very aware of the physical security and location of the
key at all times. The owner of the key should not leave the key
unattended or loan it to a potentially untrustworthy colleague.
If the key is unattended for any amount of time, the data could
possibly have been compromised with the methods described in this
advisory.
Developers of such products should consider the following features
for design and manufacture to aid in preventing common attacks:
1) Non-standard or hard-to-probe package types for integrated
circuits, such as ball-grid-array (BGA) or silicon die
wire-bonded to the PCB help deter the casual attacker, since
the pins of the IC are either hidden or hard-to-access.
2) Unpopulated component areas on the PCB should be covered in
epoxy or removed to prevent probing.
3) Use of microprocessors with non-volatile memory storage within
the device. This will deter the casual attacker by requiring
advanced techniques, such as delidding and microscopic
inspection of the IC die, to determine the data stored in the
memory.
Rainbow Technologies was extremely responsive to L0pht advisory
submission and acknowledged the security vulnerabilities with the
iKey 1000. They responded quickly and professionally. More
importantly, they used this as an opportunity to learn and improve
upon their product based partly on the information in this
advisory. This is a stance we encourage other vendors to engage
in. Their press release, issued in response to the advisory, can
be found at:
http://www.rainbow.com/invest/pr000720.html