Title: SafeWord e.Id Trivial PIN Brute-Force Vulnerability
Released by: @stake
Date: 14th December 2000
Subject:     SafeWord e.Id Trivial PIN Brute-Force Vulnerability
Published:   December 14, 2000
Updated:     December 14, 2000
Remote:      No
Local:       Yes

Vulnerable Systems:

  Secure Computing e.iD Authenticator for Palm 2.0
   - Palm Palm OS 3.5.2
   - Palm Palm OS 3.3

Non-Vulnerable Systems:


  An attacker that obtains access to the "sceiddb.pdb" file, part of
  Secure Computing's e.iD Authenticator for Palm, can determine the
  user's PIN.

Problem Description:

  Secure Computing's SafeWord is a system of authentication services that
  supports, among other authentication methods, one-time passwords. The
  one-time passwords are generated by the authenticating user via
  a hardware or software token device from the user's PIN and
  a Token Key stored in the device. During authentication, a user-generated
  one-time password, or tokencode, is sent to the authentication server
  and the user is authenticated if the tokencode was generated from
  a valid PIN and Token Key. In this sort of authentication system,
  the security of the shared secret (the user's PIN) is critical.

  Secure Computing's e.iD Authenticator for Palm is a software token
  device for the SafeWord system that runs on the Palm Pilot. e.iD
  Authenticator for Palm uses a Palm database (PDB) file called "sceiddb.pdb"
  containing an encrypted version of the user's PIN as well as the Token Key.

  The encrypted version of the user's PIN is used when the user attempts
  to change his PIN. Before the PIN can be changed the user must enter
  their current PIN. The entered PIN is encrypted and compared to the
  encrypted PIN. If they don't match, the device will display a warning
  and refuse to change the PIN.

  PINs are from 2 to 8 digits in length. The encrypted PIN is always
  16 bytes. The encrypted PIN is found from address 0x7A to
  address 0x89 in the "sceiddb.pdb" file.

  As Palm Pilot and related devices are considered general purpose
  platforms and are not tamper-resistant devices there exist likely
  scenarios in which an attacker may obtain access to the "sceiddb.pdb"


  An attacker with access to the "sceiddb.pdb" file can obtain the
  user's PIN by encrypting every possible 8 digit PIN and comparing
  each with the encrypted PIN in the "sceiddb.pdb" file.

  @Stake has calculated the time required to obtain different length
  PIN numbers using a Pentium III 450MHz:

    PIN Length      Time to calculate PIN
        2               0.023 seconds
        3               0.23 seconds
        4               2.3 seconds
        5               23.3 seconds
        6               3.8 minutes
        7               38.8 minutes
        8               6.48 hours

  Once a user's PIN has been obtained an attacker can generate a valid
  tokencode if he can determine the most recent tokencode used by the
  user to authenticate to the SafeWord system.


  There are a number of likely scenarios that can allow an attacker to
  obtain access to the "sceiddb.pdb" file.

  * If an attacker obtains access to the user's Palm device he can copy
    via IrDA (infrared), or "beam", the "sceiddb.pdb" file. By default
    this file does not have the "Beam Lock" protection bit set. This
    bit tells the PalmOS not to allow the beaming of the file. But the
    "Beam Lock" protection can be easily disabled.

  * If an attacker obtains access to a computer the user uses to HotSync
    or back up his Palm device the attacker may find a copy of the
    "sceiddb.pdb" file. By default this file is configured not to be backed
    up. However, some third party utilities may ignore this and back it up,
    the user may have configured the file to be backed up, or the file may
    be pending download into the Palm device.

  There are also a number of likely scenarios that can allow an attacker to
  obtain the most recent tokencode used by the user to authenticate to
  the SafeWord system:

  * The attacker may monitor the network and extract the tokencode
    from non-encrypted authentication requests (e.g. telnet).

  * The attacker may obtain access to the machine the user is entering
    the tokencode in and read the keyboard output.

  * The attacker may view the tokencode as it is being physically entered
    by the user ("shoulder surfing").


  @Stake has made available in source code and executable form a
  tool that will extract, via brute force, the PIN number
  from a "sceiddb.pdb" file. It can be found at:



  There is no immediate fix for this vulnerability. To solve the problem
  would require the removal of the PIN change feature from the device.
  Secure Computing believes the added security and convenience of being
  able to change the PIN outweighs the risks of this vulnerability.

Mitigating Strategies:

  There are a number of mitigating strategies to minimize the risk of
  this vulnerability:

  * Ensure that the "Beam Lock" protection bit is set on the "sceiddb.pdb"
    file. It won't stop an attacker from beaming the file but it will
    slow him down.

  * Ensure that under no circumstances is the "sceiddb.pdb" file
    backed up onto or otherwise stored on the user's desktop computer.
    Search the system for the "sceiddb.pdb" file to double check.

  * Maintain physical control of the Palm device at all times and do
    not allow unauthorized users access to it.

  * Replace e.iD Authenticator for Palm with a tamper resistant
    hardware device such as the SafeWord Silver 2000 or SafeWord Platinum

  * Add a "salt" to the encrypted PIN. The "salt" won't stop the
    PIN from being guessed by trying every combination but it will
    stop a precomputed dictionary attack that would speed up the
    extraction of the PIN from the "sceiddb.pdb" file.
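
  One way to carry out the first two checks above on a desktop or backup
  directory, as an added example (not @stake's tool and not Secure Computing's
  code). It assumes the advisory's "Beam Lock" bit is the Palm OS
  copy-prevention database attribute (0x0040) and the backup flag is 0x0008,
  both in the big-endian 16-bit attributes field at offset 32 of the PDB
  header; the function names and the sample builder are hypothetical.

```python
import os
import struct

TARGET = "sceiddb.pdb"         # file name given in the advisory
ATTR_BACKUP = 0x0008           # Palm OS backup attribute (assumed mapping)
ATTR_COPY_PREVENTION = 0x0040  # assumed to be the advisory's "Beam Lock" bit
ENC_PIN_END = 0x89             # last offset of the encrypted PIN per the advisory


def read_attributes(path):
    """Return the 16-bit attributes field of a PDB header, or None if truncated."""
    with open(path, "rb") as fh:
        header = fh.read(34)   # 32-byte database name + big-endian attributes
    if len(header) < 34:
        return None
    return struct.unpack(">H", header[32:34])[0]


def audit(root):
    """Walk root and report every copy of sceiddb.pdb found beneath it."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() != TARGET:   # desktop copies may differ in case
                continue
            path = os.path.join(dirpath, name)
            attrs = read_attributes(path)
            known = attrs is not None
            findings.append({
                "path": path,
                "covers_pin_offsets": os.path.getsize(path) > ENC_PIN_END,
                "backup_bit": bool(attrs & ATTR_BACKUP) if known else None,
                "beam_lock": bool(attrs & ATTR_COPY_PREVENTION) if known else None,
            })
    return findings


def make_sample_pdb(attributes, size=0x8A):
    """Constructed sample: zero-filled PDB-shaped bytes, not real e.iD data."""
    header = b"sceiddb".ljust(32, b"\0") + struct.pack(">H", attributes)
    return header.ljust(size, b"\0")


if __name__ == "__main__":
    import sys
    for finding in audit(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(finding)
```

  Any path reported from a desktop or backup tree is a copy that should not
  exist there; a copy with the backup bit set or the Beam Lock bit clear
  departs from the settings recommended above.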


  This vulnerability was disclosed by @Stake, Inc.



  L0pht-20001214: SafeWord e.iD Palm Authenticator PIN Extraction by @stake

