Hacking an iButton


Maxim’s iButtons, which are small ICs in button-sized disks, are starting to show up in more and more places. They have a range of uses, from temperature loggers to identification, and all use the 1-wire protocol to communicate. Over at furrtek, they hacked an iButton used for buying things from vending machines and created an infinite money cheat. They built a small rig based on the ATmega8 to read and write data to the chip. The data was encrypted, so it wasn’t feasible to put an arbitrary amount on the card. Instead, they used a similar technique to the Boston subway hack and restored a previous state to the iButton after something was bought. They also created a hand-held device to back up and restore the contents of a button for portable hacking.

[Thanks furrtek]
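Why encrypting the stored value did not stop the restore, seen from the vending side, as an added example (not code from furrtek or from this post): a restored blob is still authentic, so the check that catches it is a per-serial counter kept by the backend. The key, blob layout, `Ledger` class and sample serial are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"  # constructed; a real terminal keeps this in secure storage

def seal(serial: bytes, balance_cents: int, counter: int) -> bytes:
    """Blob written to the token: balance + counter + MAC bound to the 64-bit serial."""
    body = struct.pack(">IQ", balance_cents, counter)
    return body + hmac.new(KEY, serial + body, hashlib.sha256).digest()

def unseal(serial: bytes, blob: bytes):
    """Verify the MAC and return (balance_cents, counter)."""
    body, tag = blob[:12], blob[12:]
    good = hmac.new(KEY, serial + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("bad MAC")
    return struct.unpack(">IQ", body)

class Ledger:
    """Hypothetical backend record of the newest counter issued per serial."""
    def __init__(self):
        self.last_counter = {}

    def purchase(self, serial: bytes, blob: bytes, price_cents: int) -> bytes:
        balance, counter = unseal(serial, blob)
        # An old blob has a valid MAC, so authenticity alone cannot reject it.
        # Only the counter comparison shows that the state has been rolled back.
        if counter != self.last_counter.get(serial, 0):
            raise PermissionError("stale state: rollback detected")
        if balance < price_cents:
            raise ValueError("insufficient balance")
        self.last_counter[serial] = counter + 1
        return seal(serial, balance - price_cents, counter + 1)

def demo():
    serial = bytes.fromhex("0a00000012345678")    # constructed 64-bit ID
    ledger = Ledger()
    saved = seal(serial, 1000, 0)                 # state as issued
    after = ledger.purchase(serial, saved, 150)   # legitimate purchase
    try:
        ledger.purchase(serial, saved, 150)       # earlier state presented again
        replay_accepted = True
    except PermissionError:
        replay_accepted = False
    return unseal(serial, after), replay_accepted
```

A machine with no link to a shared backend can keep the same table locally, which only catches a restored state presented to that same machine.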

27 thoughts on “Hacking an iButton”

  1. As much as I like iButtons, this is the fault of whatever engineer decided that it was a good idea to use the NVRAM button instead of one of the secure buttons. The DS1961S or DS1991 would have been a much better choice.

    Otherwise, they may as well just use MMC cards.

  2. agreed, the secure buttons are more difficult to do anything with and i’ve noticed more and more companies using them instead. actually i’ve not even seen any nvram buttons for use with any security type situations around here. heck even arcade games use the secure ones, look at megatouch games, they use the secure buttons to determine which version of their software the machine is able to run.

  3. Remember that the person who has given you the iButton has most likely recorded your serial number and probably checks the audit records of who’s buying what and how much and how much money they actually pay in. You may just find yourself looking at something a lot more expensive if they figure out someone’s been messing with (read stealing from) their vending system.

  4. True that they may audit serial numbers and that stuff, but if there are self serve recharge machines, and you can just buy any DS1992 buttons from another source, and load $10 on one of them, then it would be a lot harder to track down.

    The epic fail is the replay attack working, because of no tracking whatsoever, between vending machines, or even on the one machine itself.

  5. As I remember each ibutton has a unique 64-bit id number so if the vending machine does log each transaction with the time and date then it would be only a waiting game before you were caught on CCTV once they realised what was going on!

  6. Nonsecure iButtons work great as a key (until they get skimmed of course).
    Anyway, You can buy an iButton-to-RJ11 cable off-the-shelf and hook up an emulator for more fun.

  7. They did not hack an iButton. The company that uses the damn thing were morons and used a cheap non protected ibutton. They “hacked” a moron system.

    it’s not hacking if the maker was a bag of retards and used a standard ibutton instead of a crypto one.

    Call me when they actually hack an ibutton instead of something that some idiot screwed up.

  8. Where are these ibuttons being used?

    And they probably aren’t monitoring the logs until after they notice a big difference in money/product. After all, they probably think these things are 100% secure, or not common knowledge like the coke soda trick.

  9. These are used as keys at my apartments, but I’m almost certain that they use the iButtons that only contain a fixed number. They claim that they’re unduplicatable. I want to prove them wrong, but I doubt they would appreciate my white-hat endeavors.

  10. It’s worth noting that maxim is very generous with sending out free sample parts, including many items from their ibutton line. check their website for details.

  11. About those used as keys: we are also building an even simpler device that can emulate a DS1990 with any serial number. So yes, they’re very easily duplicatable.

  12. i need to hack the i-button on my e-range key in order to get free golf range balls at the local course so I can practice for free. How do I go about this?

  13. Is there anyone out there that can help me hack a DS1971-F5 i button?
    I had a break in and the i button coder was stolen.
    I hope someone out there can help.
