|
Vulnerability iKey Affected Rainbow Technologies' iKey 1000 Description Following is based on a L0pht Research Labs Advisory by Kingpin. Rainbow Technologies' iKey 1000 is a portable USB (Universal Serial Bus) smartcard-like device providing authentication and digital storage of passwords, cryptographic keys, credentials, or other data. Using the legitimate user's PIN number and the physical USB key, access to the public and private data within the key will be granted. The iKey also allows administrator access using the MKEY (Master Key) password. Administrator access to the iKey, normally used for initialization and configuration, will allow all private information stored on the key to be accessed. This attack requires physical access to the device circuit board, which can be gained in under 30 seconds with no special tools and leaving no proof of attack. The tamper-proofing features in the device can be bypassed, making the device open to attack. The MKEY value is encoded and stored in memory as described in this advisory. By using any number of low-cost, industry-standard device programmers, the MKEY value can be changed to a user-defined value. This will allow the attacker to login to the iKey with administrator priviledges and access all public and private data. A homebrew device programmer can be built for under $10. The whole attack, as described in this advisory, can be completed in less than 2 minutes. Users must be aware that administrator access can easily be gained and should not trust the security of the token if it is not always directly in their possession. If a legitimate user loses their USB key, all data, including the private information, needs to be considered to have been potentially compromised and the credentials stored on the key should be treated appropriately. The MKEY is an administrative password that must be known by the trusted person or program that will initialize and configure the iKey. The MKEY password is an ASCII string up to 256 characters in length. The default factory setting is "rainbow". The ASCII string is MD5-hashed (RFC-1321), encoded, and stored into external memory. All data is stored on a Microchip 24LC64 Serial EEPROM. Only the upper 8-bytes of the MD5 hash, hereby referred to the 'hashed MKEY', are encoded and stored into the external memory with the scheme described in this advisory. The resultant 8-byte obfuscated value stored in the memory is hereby referred to as the 'obfuscated MKEY'. MD5 encode MKEY password -----> hashed MKEY --------> obfuscated MKEY Default: "rainbow" 0xCD13B6A6AF66FB77 0xD2DDB960B0D0F499 All PC applications that use the iKey will generate the hashed MKEY locally before sending it to the iKey device to login. The Rainbow API requires only the 8-byte hashed MKEY, not the MKEY password that created it, in order to login to the iKey device. Administrator access to the iKey can be gained in two ways: 1) Determine the hashed MKEY from the obfuscated MKEY which is stored in the external memory. 2) Encode a new obfuscated MKEY using a new MKEY password string and store it in the external memory. Rainbow's encoding scheme was determined by setting the hashed MKEY to a known value and observing the resultant obfuscated MKEY, which is located at address 0x8. After several iterations, it was evident that the scheme is a series of XORs and additions. Byte # 1 2 3 4 5 6 7 8 a) Hashed MKEY value, md5("rainbow") = CD13 B6A6 AF66 FB77 b) Obfuscated MKEY value in EEPROM = D2DD B960 B0D0 F499 b_1 = a_1 XOR 0x1F b_2 = a_2 XOR (a_1 + 0x01) b_3 = a_3 XOR 0x0F b_4 = a_4 XOR (a_3 + 0x10) b_5 = a_5 XOR 0x1F b_6 = a_6 XOR (a_5 + 0x07) b_7 = a_7 XOR 0x0F b_8 = a_8 XOR (a_7 + 0xF3) Example: 0xD2 = 0xCD XOR 0x1F 0xDD = 0x13 XOR (0xCD + 0x01) 0xB9 = 0xB6 XOR 0x0F 0x60 = 0xA6 XOR (0xB6 + 0x10) 0xB0 = 0xAF XOR 0x1F 0xD0 = 0x66 XOR (0xAF + 0x07) 0xF4 = 0xFB XOR 0x0F 0x99 = 0x77 XOR (0xFB + 0xF3) Setting the hashed MKEY to 0x0000000000000000 gave the necessary information to determine the encoding scheme. Bytes 1, 3, 5, and 7 are simply XORs with constant values and bytes 2, 4, 6, and 8 are XORs with constant values added to bytes of the hashed MKEY as described above. Byte # 1 2 3 4 5 6 7 8 a) Hashed MKEY value = 0000 0000 0000 0000 b) Obfuscated MKEY value in EEPROM = 1F01 0F10 1F07 0FF3 In order to read and write to the external Serial EEPROM, physical access to the component is needed. The iKey 1000 has an epoxy conformal coating over all of the IC's on the circuit board, including the Serial EEPROM. Physically removing the coating will be evident, but could be done by prying and scraping with a knife or using chemicals to dissolve the glue. The version of the iKey 1000 that we looked at has 8KB of external memory, but the printed circuit board allows for an expansion to 128KB. Because of this, there is an unpopulated area for the memory, located on the back of the circuit board. We make use of this unpopulated area to access the "protected" Serial EEPROM. The Microchip 24LC64 Serial EEPROM uses the I2C bus protocol to transfer data to the host. The PCB design of the iKey allows one to access the power, ground, clock, and data lines of the I2C bus by attaching probes or soldering small leads to the unpopulated memory footprint. Due to the nature of the I2C bus, which allows multiple devices to use common clock and data lines, one has access to the critical connections of the external Serial EEPROM which is covered by the conformal coating. To read the contents of the "protected" Serial EEPROM, one simply needs to attach the leads to a device programmer. While attaching probes to the memory is more difficult when the tamper-proofing features are correctly implemented, there is a clean avenue of communications available over the I2C bus, which is free of any preventative measures in this case. Serial EEPROMs are extremely common in the engineering industry and require minimal circuitry to read and write to. They are also notoriously insecure and as such often do not provide any type of security features. Thus, it is possible to attach a device programmer to the device, while it is still attached to the circuit board, and read and write at will. Given these known weaknesses, it would behoove vendors to take steps in properly restricting access to them when employed in security-related devices. Our experiments were carried out using the Needham's Electronics EMP-30 which costs $995, although a homebrew device programmer can be built with a handful of components for under $10. Other device programmers are available from a number of companies, ranging in cost from $25 to $1000. Once the obfuscated MKEY has been changed to a known value or the hashed MKEY has been determined, the attacker can login as administrator to the iKey device without knowing the legitimate user's credentials. The proof-of-concept tool, "iSpy", performs the following functions: 1) Retrieve and display configuration data for the inserted iKey 2) Convert obfuscated MKEY back into hashed MKEY 3) Login as Administrator using hashed MKEY 4) Retrieve all public and private data and export the directory hierarchy to DOS The tool expects the 8-byte obfuscated MKEY on the command-line, which is obtained from reading the external Serial EEPROM as described in this advisory. An example of the iSpy console output is shown below. The demonstration tool source code and compiled executable for Windows 9x/NT platforms can be found at: http://www.L0pht.com/advisories/ispy.zip Due to copyright restrictions, Rainbow Technologies' libraries and header files are not included. For further development and experimentation, the iKey 1000 PowerTools SDK are available from Rainbow's web page (http://www.rainbow.com/tech/ikey/index.html). C:\>ispy D2DDB960B0D0F499 kingpin@atstake.com @Stake L0pht Research Labs June 2000 OpenDevice: SUCCESS Magic = 5242544B DeviceHandle = 80 ClientHandle = 205408 Flags = 20000000 library_version = 2 driver_version = 256 ver_major = 0 ver_minor = 7 prod_code = 54 config = 0 header_size = 8 modulus_size = 0 mem_size = 8168 (bytes) capabilities = 11 SerialNumber = 0123466A00000249 CheckSum = FAD1 HwInfo = FFFF MaxPinRetries = 5 CurPinCounter = 5 CreateAccess = 0 DeleteAccess = 0 Obfuscated MKEY = D2 DD B9 60 B0 D0 F4 99 [...`....] Actual MKEY = CD 13 B6 A6 AF 66 FB 77 [.....f.w] Attempting iKey Administrator login... VerifyMasterKey: SUCCESS dir = 00000000 file = 00000001 dir = 000000C1 file = 000000C1 file = 0000BEEF dir = 0000FEED iSpy manuever complete. File system successfully exported. Solution The quick solution, although it does not remedy the core problem, is to be very aware of the physical security and location of the key at all times. The owner of the key should not leave the key unattended or loan it to a potentially untrustworthy colleague. If the key is unattended for any amount of time, the data could possibly have been compromised with the methods described in this advisory. Developers of such products should consider the following features for design and manufacture to aid in preventing common attacks: 1) Non-standard or hard-to-probe package types for integrated circuits, such as ball-grid-array (BGA) or silicon die wire-bonded to the PCB help deter the casual attacker, since the pins of the IC are either hidden or hard-to-access. 2) Unpopulated component areas on the PCB should be covered in epoxy or removed to prevent probing. 3) Use of microprocessors with non-volatile memory storage within the device. This will deter the casual attacker by requiring advanced techniques, such as delidding and microscopic inspection of the IC die, to determine the data stored in the memory. Rainbow Technologies was extremely responsive to L0pht advisory submission and acknowledged the security vulnerabilities with the iKey 1000. They responded quickly and professionally. More importantly, they used this as an opportunity to learn and improve upon their product based partly on the information in this advisory. This is a stance we encourage other vendors to engage in. Their press release, issued in response to the advisory, can be found at: http://www.rainbow.com/invest/pr000720.html