Bugtraq mailing list archives
SafeWord e.Id Trivial PIN Brute-Force Vulnerability
From: Elias Levy <aleph1 () SECURITYFOCUS COM>
Date: Fri, 15 Dec 2000 12:20:17 -0800
Subject: SafeWord e.Id Trivial PIN Brute-Force Vulnerability
BUGTRAQ ID: 2105
Published: December 14, 2000
Updated: December 14, 2000
Remote: No
Local: Yes
Vulnerable Systems:
Secure Computing e.iD Authenticator for Palm 2.0
- Palm Palm OS 3.5.2
- Palm Palm OS 3.3
Non-Vulnerable Systems:
Summary:
An attacker that obtains access to the "sceiddb.pdb" file, part of
Secure Computing's e.iD Authenticator for Palm, can determine the
user's PIN.
Problem Description:
Secure Computing's SafeWord is a system of authentication services that
supports among other authentication methods one-time password. The
one-time passwords are generated by the authenticating user via
a hardware or software token device from the users PIN number and
a Token Key stored in the device. During authentication, a user-generated
one-time password, or tokencode, is sent to the authentication server
and the user is authenticated if the tokencode was generated from
a valid PIN and Token Key. In this sort of authentication system,
the security of the shard secret (the user's PIN) is critical.
Secure Computing's e.iD Authenticator for Palm is a software token
device for the SafeWord system that runs on the Palm Pilot. e.iD
Authenticator for Palm uses a palm database (PDB) file called "sceiddb.pdb"
containing an encrypted version of the user's PIN as well as the Token Key.
The encrypted version of the user's PIN is used when the user attempts
to change his PIN. Before the PIN can be changed the user must enter
their current PIN. The entered PIN is encrypted and compared to the
encrypted PIN. If they don't match the device will display a warning
and refuse to change the PIN.
PINs are from 2 to 8 digits in length. The encrypted PIN is always
16 bytes. The encrypted PIN is found starting at address 0x7A to
address 0x89 in the "sceiddb.pdb" file.
As Palm Pilot and related devices are considered general purpose
platforms and are not tamper-resistant devices there exist likely
scenarios in which an attacker may obtain access to the "sceiddb.pdb"
file.
An attacker with access to the "sceiddb.pdb" file can obtain the
user's PIN by encrypting every possible 8 digit PINs and comparing
them with the encrypted PIN in the "sceiddb.pdb" file.
@Stake has calculated the time required to obtain different length
PIN numbers using a Pentium III 450MHz:
PIN Length Time to calculate PIN
2 0.023 seconds
3 0.23 seconds
4 2.3 seconds
5 23.3 seconds
6 3.8 minutes
7 38.8 minutes
8 6.48 hours
Once a user's PIN has been obtained an attacker can generate a valid
tokencode if he can determine the most recent tokencode used by the
user to authenticate to the SafeWord system.
Scenarios:
The are a number of likely scenarios that can allow an attacker to
obtain access to the "sceiddb.pdb" file.
* If an attacker obtains access to the user's Palm device he can copy
via IrDA (infrared), or "beam", the "sceiddb.pdb" file. By default
this file does not have the "Beam Lock" protection bit set. This
bit tells the PalmOS not to allow the beaming of the file. But the
"Beam Lock" protection can be easily disabled.
* If an attacker obtains access to a computer the user uses to HotSync
or backup his Palm device the attacker may find a copy of the
"sceiddb.pdb" file. By default this file is configured not to be backed
up. However, some third party utilities may ignore this and back it up,
the user may have configured the file to be backed up, or the file may
be pending download into the Palm device.
The are also a number of likely scenarios that can allow an attacker to
obtain the most recent tokencode used by the user to authenticate to
the SafeWord system:
* The attacker may monitor the network and extract the tokencode
from non-encrypted authentication requests (e.g. telnet).
* The attacker may obtain access to the machine the user is entering
the tokencode in and read the keyboard output.
* The attacker may view the tokencode as is being physically entered
by the user ("shoulder surfing").
Exploit:
@Stake has made available in source code and executable form a
tool that will extract and extract via brute force the PIN number
from a "sceiddb.pdb" file. It can be found at:
http://www.atstake.com/research/advisories/2000/eidextract.zip
Solutions:
There is no immediate fix for this vulnerability. To solve the problem
would require the removal of the PIN change feature from the device.
Secure Computing believes the added security and convenience of being
able to change the PIN outweighs the risks of this vulnerability.
Mitigating Strategies:
The are a number of mitigating strategies to minimize the risk of
this vulnerability:
* Ensure that the "Bean Lock" protection bit is set on the "sceiddb.pdb"
file. It won't stop an attacker from beaming the file but it will
slow him down.
* Ensure that under no circumstances the the "sceiddb.pdb" file
backed up onto or otherwise stored on the users desktop computer.
Search the system for the "sceiddb.pdb" file to double check.
* Maintain physical control of the Palm device at all times and do
not allow unauthorized users access to it.
* Replace e.iD Authenticator for Palm with a tamper resistant
hardware device such as the SafeWord Silver 2000 or SafeWord Platinum
devices.
* Add a "salt" to the encrypted PIN. The "salt" won't stop the
PIN from being guessed by trying every combination but it will
stop a precomputed dictionary attack that would speed up the
extraction of the PIN from the "sceiddb.pdb" file.
Credit
This vulnerability was disclose by @Stake, Inc.
References:
advisory:
L0pht-20001214: SafeWord e.iD Palm Authenticator PIN Extraction by @stake
http://www.atstake.com/research/advisories/2000/a121400-1.txt
Current thread:
- SafeWord e.Id Trivial PIN Brute-Force Vulnerability Elias Levy (Dec 16)