Running Custom Code on Cheap One-time Password Tokens

One-time passwords (OTP) are often used in America but not so much in Europe. For readers unfamiliar with them, OTP tokens like the one shown above generate passwords that are only valid for one login session or transaction, making them invulnerable to replay attacks. [Dmitry] disassembled an eToken (Aladdin PASS) he had lying around and managed to reprogram it for his own needs.

Obviously, these kinds of devices don’t come with their schematics and layout files, so [Dmitry] had to do some reverse engineering. He discovered six holes in a 3×2 arrangement on the PCB, so he figured that they must be used to reprogram the device. However, [Dmitry] also had to find out which microcontroller was present on the board, as its only markings were “HA4450” with a Microchip logo. By cross-referencing the number of pins, package and peripherals in Microchip’s parametric search tool, he deduced it was a PIC16F913. From there, it was just a matter of time until he could display what he wanted on the LCD.

We love seeing tiny consumer hardware hacked like this. Most recently we’ve been enthralled by the Transcend Wi-Fi SD card hacking, which was also one of [Dmitry's] hacks.

Comments

  1. sneakypoo says:

    I’m from Sweden and all the major banks use something similar. My bank’s little box includes a credit/bank card reader as well. It can be used to log in to the bank, sign for online payments, log in to sites with sensitive information (such as doing your taxes) and so on.

    Surely other European countries have something similar as well?

  2. Karl says:

    Microchip is pretty standard with their programming pinouts, once he knew the programming pad layouts, he could just have used any programmer [set to 3.3V first] to read out the chip type ID.

  3. K!P says:

    They are pretty commonly used in Europe, although lately phone apps or SMS codes take up a part of the use.

  4. Eirinn says:

    In Denmark we had a digital signature, then an OTP and now we get mailed a little card that includes codes. You get prompted with a number which you find on the little card and write the corresponding pass sequence into the browser. Different larger companies use OTPs for VPN access.

  5. eatmebatmelady says:

    ehh “used in usa, not much in europe” that’s complete bullshit

  6. SonicBroom says:

    Such useful comments :/ Anyway, it was a nice hack and an interesting read. Always interesting to see how people find out what undocumented components are. Part of the fun!

  7. Me says:

    Seeing a strange model number on a chip with a familiar brand I would have assumed that they made something custom for the token manufacturer or at least something they don’t offer on the public market. I would have probably given up.

    Is this kind of thing common? Should I assume that all or most parts with strange model numbers are really just familiar ones with a strange label? Or did he just get really lucky?

    • Paul says:

      My experience with various vendors over the years is that no one makes anything custom. They just re-use what they can to make custom solutions. That or they just whitelabel or OEM an existing product line for different customers. I would say if it looks like a duck and quacks like a duck but it’s painted purple…it’s probably still a duck.

    • Alex says:

      I’d probably have done the same. This is a bit of an eye-opener for me.

    • AS says:

      Probably was one of the pre-programmed chips that Microchip does. (You can order a lot of MCUs with your code already on them).

  8. Phil says:

    If you have an account with HSBC tell them you have lost yours (in bank) and they just hand you another. No questions, no paperwork etc :)

  9. Jerry Tremble says:

    We’ve used SecureID for over 15 years, from the credit card-sized password generators to the key fobs we currently have for VPN access. Next time my key fob expires, maybe I’ll take a crack at it.

  10. Will says:

    Yea I think the author has it wrong – they’re widely used in Europe but not used at all in the US

  11. maxmeazle says:

    Look at this from Marcan42, a USB token singing!!! http://www.youtube.com/watch?v=QiTNlSgk-xY

  12. In the US the majority of special purpose login methods are via a Smart Card. One of the credit card companies did issue an easy pay method using them, but found that not that many bank companies were interested. Or people as well. The same device was first used by Sun Microsystems as a do-everything for their entire network and buildings. Eventually such widgets found their way to the cans made by Dallas Semiconductor and then Maxim. Those things were used briefly here, before the Smart Card device, outside of the US I believe they are.

  13. SadE54 says:

    Hmmm, it can be a good start to implement the OTP protocol for Gmail authentication!
    Nicer and more practical than a phone in fact

    • Whatnot says:

      People would throw a fit if they had to enter a whole new code read from a display each time they gathered their mail.
      Then after the fit they would close their account and switch to another provider.

  14. razorgecko says:

    Great job, this is a really cool hack! Of course it serves no purpose but it is cool nonetheless!

  15. freak says:

    I’m not sure where you’re getting your information, but all the major banks in Norway use OTP chips too. I’ve had one of these for 10 years or so.

  16. rogier21 says:

    Do your universities use them in the US? In the Netherlands they use them everywhere to log in to the network, students just need the password.

  17. Ron says:

    OTP = One Time Pad, not One Time Password. It comes from the days of encryption codes being provided on paper pads (think post-its)

  18. Ren says:

    So is there a cheap source for these fobs?
    I have not seen one used in this part of the U.S.A.

  19. necsuss says:

    In Spain we are primitives…your bank gives you a card paper with numbers. Sad and cheap :-)
