[ SOURCE: http://www.secureroot.com/security/advisories/9771431105.html ] Subject: SafeWord e.Id Trivial PIN Brute-Force Vulnerability BUGTRAQ ID: 2105 Published: December 14, 2000 Updated: December 14, 2000 Remote: No Local: Yes Vulnerable Systems: Secure Computing e.iD Authenticator for Palm 2.0 - Palm Palm OS 3.5.2 - Palm Palm OS 3.3 Non-Vulnerable Systems: Summary: An attacker that obtains access to the "sceiddb.pdb" file, part of Secure Computing's e.iD Authenticator for Palm, can determine the user's PIN. Problem Description: Secure Computing's SafeWord is a system of authentication services that supports among other authentication methods one-time password. The one-time passwords are generated by the authenticating user via a hardware or software token device from the users PIN number and a Token Key stored in the device. During authentication, a user-generated one-time password, or tokencode, is sent to the authentication server and the user is authenticated if the tokencode was generated from a valid PIN and Token Key. In this sort of authentication system, the security of the shard secret (the user's PIN) is critical. Secure Computing's e.iD Authenticator for Palm is a software token device for the SafeWord system that runs on the Palm Pilot. e.iD Authenticator for Palm uses a palm database (PDB) file called "sceiddb.pdb" containing an encrypted version of the user's PIN as well as the Token Key. The encrypted version of the user's PIN is used when the user attempts to change his PIN. Before the PIN can be changed the user must enter their current PIN. The entered PIN is encrypted and compared to the encrypted PIN. If they don't match the device will display a warning and refuse to change the PIN. PINs are from 2 to 8 digits in length. The encrypted PIN is always 16 bytes. The encrypted PIN is found starting at address 0x7A to address 0x89 in the "sceiddb.pdb" file. As Palm Pilot and related devices are considered general purpose platforms and are not tamper-resistant devices there exist likely scenarios in which an attacker may obtain access to the "sceiddb.pdb" file. An attacker with access to the "sceiddb.pdb" file can obtain the user's PIN by encrypting every possible 8 digit PINs and comparing them with the encrypted PIN in the "sceiddb.pdb" file. @Stake has calculated the time required to obtain different length PIN numbers using a Pentium III 450MHz: PIN Length Time to calculate PIN 2 0.023 seconds 3 0.23 seconds 4 2.3 seconds 5 23.3 seconds 6 3.8 minutes 7 38.8 minutes 8 6.48 hours Once a user's PIN has been obtained an attacker can generate a valid tokencode if he can determine the most recent tokencode used by the user to authenticate to the SafeWord system. Scenarios: The are a number of likely scenarios that can allow an attacker to obtain access to the "sceiddb.pdb" file. * If an attacker obtains access to the user's Palm device he can copy via IrDA (infrared), or "beam", the "sceiddb.pdb" file. By default this file does not have the "Beam Lock" protection bit set. This bit tells the PalmOS not to allow the beaming of the file. But the "Beam Lock" protection can be easily disabled. * If an attacker obtains access to a computer the user uses to HotSync or backup his Palm device the attacker may find a copy of the "sceiddb.pdb" file. By default this file is configured not to be backed up. However, some third party utilities may ignore this and back it up, the user may have configured the file to be backed up, or the file may be pending download into the Palm device. The are also a number of likely scenarios that can allow an attacker to obtain the most recent tokencode used by the user to authenticate to the SafeWord system: * The attacker may monitor the network and extract the tokencode from non-encrypted authentication requests (e.g. telnet). * The attacker may obtain access to the machine the user is entering the tokencode in and read the keyboard output. * The attacker may view the tokencode as is being physically entered by the user ("shoulder surfing"). Exploit: @Stake has made available in source code and executable form a tool that will extract and extract via brute force the PIN number from a "sceiddb.pdb" file. It can be found at: http://www.atstake.com/research/advisories/2000/eidextract.zip Solutions: There is no immediate fix for this vulnerability. To solve the problem would require the removal of the PIN change feature from the device. Secure Computing believes the added security and convenience of being able to change the PIN outweighs the risks of this vulnerability. Mitigating Strategies: The are a number of mitigating strategies to minimize the risk of this vulnerability: * Ensure that the "Bean Lock" protection bit is set on the "sceiddb.pdb" file. It won't stop an attacker from beaming the file but it will slow him down. * Ensure that under no circumstances the the "sceiddb.pdb" file backed up onto or otherwise stored on the users desktop computer. Search the system for the "sceiddb.pdb" file to double check. * Maintain physical control of the Palm device at all times and do not allow unauthorized users access to it. * Replace e.iD Authenticator for Palm with a tamper resistant hardware device such as the SafeWord Silver 2000 or SafeWord Platinum devices. * Add a "salt" to the encrypted PIN. The "salt" won't stop the PIN from being guessed by trying every combination but it will stop a precomputed dictionary attack that would speed up the extraction of the PIN from the "sceiddb.pdb" file. Credit This vulnerability was disclose by @Stake, Inc. References: advisory: L0pht-20001214: SafeWord e.iD Palm Authenticator PIN Extraction by @stake http://www.atstake.com/research/advisories/2000/a121400-1.txt