Aladdin eToken Allows Physical Access to Data

 
Aladdin eToken Allows Physical Access to Keys
Reported May 05, 2000 by L0pht
VERSIONS AFFECTED
  • Aladdin Knowledge Systems eToken

DESCRIPTION

Aladdin Knowledge Systems manufactures a hardware-based universal serial bus (USB) electronic token system based on smart card technology that is used for data integrity, authentication, and encryption.

Using simple hand tools and widely available chip manipulation tools, eToken can be completely compromised without the end user becoming aware of the breach.

By opening the hardware device and connecting the circuitry to an external reader, the user's personal identification number can be reset to its default setting, after which all data can be extracted from the device. Once the device has been compromised in this manner, the user's legitimate password can be restored and the device reassembled without any evidence of tampering.

DEMONSTRATION

L0pht made a utility available that can prove the concept described in this bulletin. The tool extracts information from an eToken provided the token has a default user password.

VENDOR RESPONSE

Aladdin Knowledge Systems was made aware of this issue; however, no public response had been issued by the company at the time of this writing.

CREDITS
Discovered and reported by L0pht
