Aladdin eToken Allows Physical Access to Keys
Reported May 05, 2000 by L0pht
Aladdin Knowledge Systems manufactures a hardware-based universal serial bus (USB) electronic token system based on smart card technology that is used for data integrity, authentication, and encryption.
Using simple hand tools and widely available chip manipulation tools, eToken can be completely compromised without the end user becoming aware of the breach.
By opening the hardware device and connecting the circuitry to an external reader, the user's personal identification number can be reset to its default setting, after which all data can be extracted from the device. Once the device has been compromised in this manner, the user's legitimate password can then be restored and the device can be reassembled without any evidence of tampering.
L0pht made a utility available that can prove the concept described in this bulletin. The tool extracts information from an eToken provided the token has a default user password.
Aladdin Knowledge Systems was made aware of this issue; however, no public response had been issued by the company at the time of this writing.