RSA SecurID SID800 Token vulnerable by design

Daniel Carosone dan at geek.com.au
Sun Sep 17 18:07:02 EDT 2006


On Sat, Sep 16, 2006 at 11:40:55PM -0500, Travis H. wrote:
> This looks mildly interesting:
> http://www.projectblackdog.com/product.html

Yes, a friend lent me one of these to play with a while ago; they're
really quite cool. Lots of interesting possibilities - which was
entirely the point of the original development version.

> I guess it uses an autorun file on Windows; I wonder whether most systems
> allow you to effectively launch X.  

Yes. The usb client port starts up emulating a usb mass storage CDROM
device, and uses autorun to load a usb-ethernet driver and several
other bits of software onto the windows box to help it get further.

The irony is, of course, that this shouldn't work at all on a properly
secured machine (though you could still try and launch the program
manually if the lockdown had only gone as far as disabling autorun).
The very thing it relies on to work smoothly could also have been
abused to install keyloggers and other nasties on the desktop that
will sink the security of the device, or at least of the user session.

> The docs say it connects via ethernet over USB, so you're
> effectively a thin X client.

Pretty much; it offers a samba share to the host to run this and other
programs from.

It uses a cute covert-channel trick to switch to this mode.  It starts
up emulating a CD.  The autorun software on the CD (and the linux
hotplug script equivalent) have the task of passing some
configuration/environment information through to the blackdog.  The
first of these is a network address range for the private 'lan'
between them.  On the filesystem is a directory, with four
subdirectories, inside each of which are 256 files, 0-255.  The
autorun tool picks a network range, then reads one file from each
directory in order to 'tap out' the network address.  When this
happens, the blackdog disconnects from the usb and reconnects, this
time emulating a usb ethernet corresponding to the driver that was
prepared earlier, and things continue from there over this network.

> Good idea, still vulnerable to software surveillance and host OS.

Yeah, and physical keyloggers and similar tampering too, pretty much
unavoidable.

The important thing, though, is to keep in mind the separation between
the device/platform, and the default application. Plenty of alternate
applications, including potentially malicious ones, might not be
bothered by these concerns.

> No display.

There was a newer commercial variant due for imminent release about
the time I was looking at the device.  It had a more purpose-specific
software image, some extra flash/ram, and a small screen.  It had also
lost something in the process, I think the card reader for extra local
storage, in favour of a smaller case and a network storage concept.

--
Dan.
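The "tap out the address by reading files" trick described in the message above, as an added simulation that is not part of the original post and not the blackdog's own code. Everything concrete here (the /addr/<octet>/<value> directory names, one 2048-byte sector per file starting at sector 100, octets read in directory order, the device switching to a "usb-ethernet" mode once it has decoded four octets) is an assumption made for the example; the only thing it takes from the post is the idea that a read-only mass-storage emulation can receive data from the host by watching which sectors get read.

```python
"""
Simulated read-pattern covert channel from host to an emulated CD-ROM.

The device cannot accept writes, so the host autorun tool sends it an
IPv4 address by reading one file out of each of four directories of
256 files; the device recovers the address from the sector numbers it
was asked to serve.  Layout and names below are assumptions for this
example, not the real product's.
"""
import ipaddress

SECTOR_SIZE = 2048        # assumed: CD-ROM logical sector size
OCTETS = 4                # one directory per IPv4 octet
FILES_PER_DIR = 256       # files named 0..255 in each directory
FIRST_DATA_SECTOR = 100   # assumed: filesystem metadata lives before this


class EmulatedCdrom:
    """Device side: fake CD image that records which sectors are read."""

    def __init__(self):
        self.files = {}            # path -> sector number (what the host sees)
        self.sector_to_file = {}   # sector number -> (octet index, value)
        sector = FIRST_DATA_SECTOR
        for octet in range(OCTETS):
            for value in range(FILES_PER_DIR):
                path = f"/addr/{octet}/{value}"
                self.files[path] = sector
                self.sector_to_file[sector] = (octet, value)
                sector += 1
        self.reads = []            # sectors requested by the host, in order
        self.decoded = None        # IPv4Address once four octets are seen
        self.mode = "cdrom"        # becomes "usb-ethernet" after decoding

    def read_sector(self, sector):
        """Serve one sector read from the host and watch for the address."""
        if self.mode != "cdrom":
            raise IOError("device has reconnected as usb-ethernet")
        self.reads.append(sector)
        self._try_decode()
        return b"\x00" * SECTOR_SIZE   # file contents are irrelevant

    def _try_decode(self):
        # Walk the read history looking for octets 0,1,2,3 in order.
        # Reads of unmapped sectors (autorun.inf, directory records) and
        # out-of-order reads (e.g. OS read-ahead of a neighbouring file)
        # are ignored rather than corrupting the address.
        values = [None] * OCTETS
        expected = 0
        for sector in self.reads:
            if sector not in self.sector_to_file:
                continue
            octet, value = self.sector_to_file[sector]
            if octet != expected:
                continue
            values[octet] = value
            expected += 1
            if expected == OCTETS:
                break
        if expected == OCTETS:
            self.decoded = ipaddress.IPv4Address(bytes(values))
            self.mode = "usb-ethernet"   # simulate the USB re-enumeration


class HostAutorun:
    """Host side: the autorun tool, which can only open and read files."""

    def __init__(self, cdrom):
        self.cdrom = cdrom

    def read_file(self, path):
        return self.cdrom.read_sector(self.cdrom.files[path])

    def tap_out_address(self, address):
        """Encode each octet as a read of /addr/<octet>/<value>."""
        addr = ipaddress.IPv4Address(address)
        for octet, value in enumerate(addr.packed):
            self.read_file(f"/addr/{octet}/{value}")
        return addr


def run_handshake(address):
    """Drive one host/device exchange; returns (device mode, decoded address)."""
    device = EmulatedCdrom()
    host = HostAutorun(device)
    host.tap_out_address(address)
    return device.mode, str(device.decoded)


if __name__ == "__main__":
    print(run_handshake("10.200.1.1"))   # constructed sample input
```

Two things this makes visible that the prose does not. First, the channel is only one-directional and only as reliable as the host's read pattern: the decoder above tolerates stray reads, but a read-ahead that crosses from the last file of one directory into the first file of the next would be accepted as a genuine octet, so a real implementation would want the files spaced out or a confirming read. Second, nothing in the exchange authenticates the host; any software on the machine that can open four files can steer the device's network configuration.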