Running Custom Code on Cheap One-time Password Tokens

One-time passwords (OTP) are often used in America but not so much in Europe. For our unfamiliar readers, OTP tokens like the one shown above generate passwords that are only valid for one login session or transaction, making them invulnerable to replay attacks. [Dmitry] disassembled one eToken (Aladdin PASS) he had lying around and managed to reprogram it for his own needs.

Obviously, these kinds of devices don’t come with their schematics and layout files, so [Dmitry] had to do some reverse engineering. He discovered six holes in a 3×2 arrangement on the PCB, so he figured that they must be used to reprogram the device. However, [Dmitry] also had to find which microcontroller was present on the board, as its only markings were “HA4450” with a Microchip logo. By cross-referencing the number of pins, package and peripherals in Microchip’s parametric search tool, he deduced it was a PIC16F913. From there, it was just a matter of time until he could display what he wanted on the LCD.

We love seeing tiny consumer hardware hacked like this. Most recently we’ve been enthralled by the Transcend Wi-Fi SD card hacking, which was also one of [Dmitry's] hacks.

39 thoughts on “Running Custom Code on Cheap One-time Password Tokens”

  1. I’m from Sweden and all the major banks use something similar. My bank’s little box includes a credit/bank card reader as well. It can be used to log in to the bank, sign for online payments, log in to sites with sensitive information (such as doing your taxes) and so on.

    Surely other European countries have something similar as well?

    1. I know that some European country banks used them for a while, not sure if they still do, but the point is that yes they are in more European countries.
      But the world isn’t just US and (western-)europe so it’s a good thing it was briefly explained.

      1. **ALL** major banks?

        Really? The UK’s biggest bank (Lloyds TSB), which is so big that it’s been forced to split into two separate companies, doesn’t use them.

      1. No this isn’t a pincard, this is a thing to create ‘TAN’ codes I think the name is, the numbers you need to do payment with online banking.

    2. For my old German bank they used to give you a printed list of one time codes you used (and crossed off when you did) for online banking until they moved to this system.

  2. Microchip is pretty standard with their programming pinouts, once he knew the programming pad layouts, he could just have used any programmer [set to 3.3V first] to read out the chip type ID.

  3. In Denmark we had a digital signature, then an OTP and now we get mailed a little card that includes codes. You get prompted with a number which you find on the little card and write the corresponding pass sequence into the browser. Different larger companies use OTPs for VPN access.

  4. Such useful comments :/ Anyway, it was a nice hack and an interesting read. Always interesting to see how people find out what undocumented components are. Part of the fun!

  5. Seeing a strange model number on a chip with a familiar brand I would have assumed that they made something custom for the token manufacturer or at least something they don’t offer on the public market. I would have probably given up.

    Is this kind of thing common? Should I assume that all or most parts with strange model numbers are really just familiar ones with a strange label? Or did he just get really lucky?

    1. My experience with various vendors over the years is that no one makes anything custom. They just re-use what they can to make custom solutions. That or they just whitelabel or OEM an existing product line for different customers. I would say if it looks like a duck and quacks like a duck but it’s painted purple…it’s probably still a duck.

    2. Probably was one of the pre-programmed chips that Microchip does. (You can order a lot of MCUs with your code already on them).

  6. If you have an account with HSBC tell them you have lost yours (in bank) and they just hand you another. No questions, no paperwork etc :)

  7. We’ve used SecureID for over 15 years, from the credit card-sized password generators to the key fobs we currently have for VPN access. Next time my key fob expires, maybe I’ll take a crack at it.

    1. They’re certainly used in the US, at least by 3 major banks that my employer uses. They’re not used by my credit union (where I keep my personal account), they use SMS instead.

  8. In the US the majority of special purpose login methods are via a Smart Card. One of the credit card companies did issue an easy pay method using them, but found that not that many bank companies were interested. Or people as well. The same device was first used by Sun Microsystems as a do-everything for their entire network and buildings. Eventually such widgets found their way to the cans made by Dallas Semiconductor and then Maxim. Those things were used briefly here, before the Smart Card device, outside of the US I believe they are.

    1. How are you going to log into a site and do a transaction with a smart card? You’d need a special smartcard reader on your computer, and each computer that you use, and each phone.

      This is for online banking, online, on a website.

  9. Hmmm, it can be a good start to implement the OTP protocol for Gmail authentication!
    Nicer and more practical than a phone in fact

    1. People would throw a fit if they had to enter a whole new code read from a display each time they gathered their mail.
      Then after the fit they would close their account and switch to another provider.

  10. I’m not sure where you’re getting your information, but all the major banks in Norway use OTP chips too. I’ve had one of these for 10 years or so.

  11. Do your universities use them in the US? In the Netherlands they use them everywhere to log in to the network, students just need the password.

  12. OTP = One Time Pad, not One Time Password. It comes from the days of encryption codes being provided on paper pads (think post-its)
