Bugtraq mailing list archives

swc / ActivCard


From: Michal Zalewski <lcamtuf () DIONE IDS PL>
Date: Thu, 17 Aug 2000 18:54:20 +0200


--

Standard disclaimer: this material contains my personal opinions and
beliefs ONLY. It has nothing to do with my employer / company. I am
writing it as a private person. It doesn't have to be upright, nor does it
even pretend to provide objective / useful information. All statements
should be verified before claiming they are true. I can't and will not
take any responsibility for any use / misuse of this information, nor any
kind of damage / loss caused by any interpretation of it.

--

First of all, something light:

   Simple Web Counter, quite popular cgi application (distributed eg. on
   Linuxberg ftp) written by Ross Thompson, is vulnerable to stack buffer
   overflow when parsing ctr= parameter. Considered exploitable, exposes
   some ISP servers.

Then, something more juicy:

   Some time ago, we performed brief, comparative analysis of one-time
   passphrases returned by different tokens (SecurID and ActivCard,
   mainly) in short time periods (collecting successive one-time
   passwords returned by token).

   In ActivCard's case, we discovered something at least alarming.
   Before continuing, please note - although we tried to collect
   the most accurate and representative data and provide objective
   and reliable information, there's a chance we've made some mistakes.

   -- IMPORTANT STATEMENT --

   Thus, please treat this message as an attempt to start further, more
   complete analysis *ONLY*. You shouldn't trust these statements
   before making sure they're true - and we can't take *ANY* kind of
   responsibility they are.

   -- END OF IMPORTANT STATEMENT --

   Theoretically, default ActivCard 8-digit display can handle up to
   100,000,000 combinations.

   First, while analysing output returned by different tokens kindly
   provided to us, we thought ActivCard uses alarmingly small (within
   around 1-2% of possible number space), but random positive increments in
   random length sequences. For example:

                                            .
   05314080                                 .
   06401172     < increment around 1.1M     : --- sequence of increments
   07332504     < increment around 0.9M     |
   08957912     < increment around 1.6M     |
   09134516     < increment around 0.2M    /
   00104910     < large decrement
   ...                                     \
                                            :
                                            .

   But that was only the first impression. We visualised output presented
   by tokens, and found it isn't looking really random:

   By calculating first derivative of collected values (over 100 samples),
   we discovered these increments are determined by simple functions,
   that look pretty deterministic and periodic. For example, one of them
   (partially responsible for those huge decrements) has simple cycle of
   10. You can see it on graphics generated by our sample program (see
   below) as green peaks below X axis.

   To make sure we're not studying some rare set of conditions, we checked
   some other tokens, with different PIN codes. I guess all of them were
   previously synchronized to same server (most of them lost
   synchronisation in the meantime), that's why I'm asking other people to
   collect some information and try to verify these observations.

   I included simple code to visualise one of our sample data portions. It
   should work on Linux/BSD box with svgalib installed:

   # gcc vis.c -o vis -lvga -lm
   # ./vis <DATA.in

   Actually, I guess you can use any other program, like gnuplot,
   Derive, Mathematica and so on to perform visualisation.

   Dark blue lines are discrete measurement points. White line connects
   values in these points, while green line shows delta (increments
   between previous and current value).

   Consequences?

   It makes us think that it's quite easy to predict, at least in short
   term. It means, attacker, by intercepting short sequence of one-time
   passwords, can easily (at least with reasonable probability)
   predict next password, and enter it to obtain access to protected
   systems.

   Predictability of passwords is definitely against idea of such tokens.
   Of course, very often ability to sniff password means ability to
   intercept session, but by making such assumption in order to justify
   predictable output, we have to ask if we need such tokens at all,
   instead of static passwords?;)

   Even basing on our rough estimations and basic analysis, we were able
   to guess next number with about 35% chance within 100 attempts -
   while, if returned values were meant to be indeterministic, this chance
   should be equal to 0.00001%. I guess in-depth analysis might
   expose more details about ActivCard algorithm - or prove we've made
   a mistake.

_______________________________________________________
Michal Zalewski [lcamtuf () tpi pl] [tp.internet/security]
[http://lcamtuf.na.export.pl] <=--=> bash$ :(){ :|:&};:
=-----=> God is real, unless declared integer. <=-----=

Attachment: DATA.in
Description:

Attachment: vis.c
Description:
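
The first-difference check described in the message, as an added example that is not part of the original post and is not the attached vis.c. It measures how often successive codes rise by a small amount and compares that with independent uniform codes; the six codes are the ones quoted in the message, while the 2,000,000 window, the seeded baseline and all function names are assumptions made for illustration.

```python
import random

SPACE = 10**8          # 8-digit display, as stated in the post
WINDOW = 2 * 10**6     # assumed cut-off for "around 1-2%" of the space

# Successive codes quoted in the post.
POST_SAMPLE = ["05314080", "06401172", "07332504",
               "08957912", "09134516", "00104910"]

def first_differences(codes):
    """Signed difference between each code and the one before it."""
    vals = [int(c) for c in codes]
    return [b - a for a, b in zip(vals, vals[1:])]

def small_increment_fraction(codes, window=WINDOW):
    """Share of steps that are positive and no larger than `window`."""
    deltas = first_differences(codes)
    return sum(1 for d in deltas if 0 < d <= window) / len(deltas)

def uniform_expectation(window=WINDOW, space=SPACE):
    """Same share for independent, uniformly distributed codes."""
    r = window / space
    return r - r * r / 2

def decrement_spacing(codes):
    """Steps between successive decrements; a constant value here is
    the kind of periodicity the post reports."""
    idx = [i for i, d in enumerate(first_differences(codes)) if d < 0]
    return [b - a for a, b in zip(idx, idx[1:])]

def baseline(n=1000, seed=0):
    """Constructed comparison data: n codes drawn uniformly at random."""
    rng = random.Random(seed)
    return [f"{rng.randrange(SPACE):08d}" for _ in range(n)]

if __name__ == "__main__":
    print("deltas (post sample):", first_differences(POST_SAMPLE))
    print("small increments, post sample:",
          small_increment_fraction(POST_SAMPLE))
    print("small increments, uniform baseline:",
          small_increment_fraction(baseline()))
    print("expected for uniform codes:", round(uniform_expectation(), 4))
```

A token under evaluation should score close to the uniform expectation over a long capture; six codes are far too few to draw a conclusion on their own.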

