Advisories
 
 
Release: 7.20.00
Application: Rainbow Technologies' iKey 1000 Administrator Access and Data Compromise
Platforms: Rainbow Technologies' iKey 1000 USB Hardware Token
Severity: An attacker can log in as administrator and access all private information stored on the device with no detection by the legitimate user.

Rainbow Technologies' iKey 1000 is a portable USB (Universal Serial Bus) smartcard-like device providing authentication and digital storage of passwords, cryptographic keys, credentials, or other data. This attack requires physical access to the device circuit board, which can be gained in under 30 seconds with no special tools and leaving no proof of attack. Administrator access to the iKey, using the MKEY (Master Key) password, is normally used for initialization and configuration, and will allow all private information stored on the key to be accessed. By using any number of low-cost, industry-standard device programmers, the MKEY value can be recovered or changed to a new user-defined value. This will allow the attacker to log in to the iKey with administrator privileges and access all public and private data.

Full Details
iSpy, Proof-of-concept tool for Win9x/NT, source code included (31kB)
iKey 1000 Schematic .PDF (12kB)


 
Release: 5.4.00
Application: Aladdin eToken Private Information Extraction and Physical Attack
Platforms: Aladdin eToken USB Key 3.3.3.x
Severity: An attacker can access all private information stored on the hardware token device without knowing the PIN number of the legitimate user.

Aladdin Knowledge Systems' eToken is a portable USB (Universal Serial Bus) authentication device providing access control for digital assets. The attack requires physical access to the device circuit board and will allow all private information to be read from the device without knowing the PIN number of the legitimate user. By using any number of low-cost, industry-standard device programmers, ranging from under $10 to $1000, to modify the unprotected external memory, the User PIN can be changed back to the default PIN. The proof-of-concept tool below demonstrates the quick extraction of all private, public, and configuration data from the key after a successful login using the default PIN.

Aladdin claims version 3.3.3.x of their eToken is a demo and "proof-of-concept" product. Based on the following reasons, we felt it necessary to continue with the release of the advisory: 1) The product has been available for 2 years, 2) We were unable to find reference to it being a "proof-of-concept" tool, 3) It has been shipped in large quantities to commercial organizations.

Full Details
Heimlich, Proof-of-concept tool for Win98, source code included (50kB) Updated 5.14.00
eToken Schematic .PDF (9kB)
Physical Attack Images


 
Release: 4.10.00
Application: CRYPTOAdmin 4.1 server with CRYPTOCard PT-1 token 1.04
Platforms: Server software on any environment and token software on Palm Computing Platform device, any hardware, any OS
Severity: An attacker can determine the private PIN number of a user's token within a matter of minutes and clone the challenge/response scheme of the legitimate user.

CRYPTOCard's CRYPTOAdmin software is a challenge/response user authentication administration system. The PT-1 token, which runs on a PalmOS device, generates the one-time-password response. A PalmOS .PDB file is created for each user and loaded onto their Palm device. By gaining access to the .PDB file, the legitimate user's PIN can be determined through a series of DES decrypts-and-compares. Using the demonstration tool below, the PIN can be determined in under 5 minutes on a Pentium III 450MHz.

CRYPTOCard Corporation was extremely responsive to our advisory submission. Their comments and recommendations are included.

Full Details
DeCRYPTO, Proof-of-concept tool for Win9x (71kB)


 
Release: 9.10.98
Application: AT&T Model 1320 and various other answering machines
Platforms: N/A
Severity: Users can access supervisory functions of various answering machines.

Many consumer answering machines have very flawed security systems to protect the remote access of messages they store. Oftentimes, supervisory access can be obtained with a simple selection of keystrokes.

Full Details

Last updated 7.19.00