Running Custom Code On Cheap One-time Password Tokens

One-time passwords (OTP) are often used in America but not so much in Europe. For our unfamiliar readers, OTP tokens like the one shown above generate passwords that are only valid for one login session or transaction, making them invulnerable to replay attacks. [Dmitry] disassembled one eToken (Aladin PASS) he had lying around and managed to reprogram it for his own needs.

Obviously, these kind of devices don’t come with their schematics and layout files so [Dmitry] had to do some reverse engineering. He discovered six holes in a 3×2 arrangement on the PCB so he figured that they must be used to reprogram the device. However, [Dmitry] also had to find which microcontroller was present on the board as its only marking were “HA4450” with a Microchip logo. By cross-referencing the number of pins, package and peripherals on Microchip parametric search tool he deduced it was a PIC16F913. From there, it was just a matter of time until he could display what he wanted on the LCD.

We love seeing tiny consumer hardware hacked like this. Most recently we’ve been enthralled by the Trandscend Wi-Fi SD card hacking which was also one of [Dmitry’s] hacks.

41 thoughts on “Running Custom Code On Cheap One-time Password Tokens

  1. I’m from Sweden and all the major banks use something similar. My bank’s little box includes a credit/bank card reader as well. It can be used to log in to the bank, sign for online payments, log in to sites with sensitive information (such as doing your taxes) and so on.

    Surely other European countries have something similar as well?

    1. I know that some european country banks used them for a while, not sure if they still do, but the point is that yes they are in more european countries.
      But the world isn’t just US and (western-)europe so it’s a good thing it was briefly explained.

  2. Microchip is pretty standard with their programming pinouts, once he knew the programming pad layouts, he could just have used any programmer [set to 3.3V first] to read out the chip type ID.

  3. In Denmark we had a digital signature, then a OTP and now we get mailed a little card that includes codes. You get prompted with a number which you find on the little card and write the corresponding pass sequence into the browser. Different larger companies use OTP’s for VPN access.

  4. Such useful comments :/ Anyway, it was a nice hack and an interesting read. Always interesting to see how people find out what undocumented components are. Part of the fun!

  5. Seeing a strange model number on a chip with a familiar brand I would have assumed that they made something custom for the token manufacturer or at least something they don’t offer on the public market. I would have probably given up.

    Is this kind of thing common? Should I assume that all or most parts with strange model numbers are really just familiar ones with a strange label? Or did he just get really lucky?

    1. In my experience with various vendors over the years is that no one makes anything custom. They just re-use what they can to make custom solutions. That or they just whitelabel or OEM an existing product line for different customers. I would say if it looks like a duck and qucks like a duck but it’s painted purple…it’s probably still a duck.

  6. We’ve used SecureID for over 15 years, from the credit card-sized password generators to the key fobs we currently have for VPN access. Next time my key fob expires, maybe I’ll take a crack at it.

    1. They’re certainly used in the US, at least by 3 major banks that my employer uses. They’re not used by my credit union (where I keep my personal account), they use SMS instead.

  7. In the US the majority of special purpose login methods are via a Smart Card. One of the credit card companies did issue an easy pay method using them, but found that not that many bank companies were interested. Or people as well. The same device was first used by Sun Microsystems as a do-everything for their entire network and buildings. Eventually such widgets found their way to the cans made by Dallas Semiconductor and then Maxim. Those things were used briefly here, before the Smart Card device, outside of the US I believe they are.

    1. How are you going to log into a site and do a transaction with a smart card? You’d need a special smartcard reader on your computer, and each computer that you use, and each phone.

      This is for online banking, online, on a website.

    1. People would throw a fit if they had to enter a whole new code read from a display each time they gathered their mail.
      Then after the fit they would close their account and switch to another provider.

    1. Nope. While one time pad is also abbreviated “OTP,” that’s not what this is. A One Time Pad is a pre-generated list of values. One of the key differentiatiors is that a well-done one time pad can’t be predicted; the values should not come from any predictable sequence. In this case, this token generates a one-time *password* using a pre-defined algorithm (probably HOTP) applied to a shared key and a sequence counter. HOTP is defined in RFC 4226 (see RFC 6238 for another common One Time Password implementation).

      These key fobs are initially set up by taking the pre-shared key and generating a few (usually 3) consecutive values on the fob. The authentication backend then uses the algorithm to generate (basically) each possible outcome for every sequence number to find where in the set of possible outcomes the keyfob currently is at. That tells the backend where to start the sequence counter. Going forward, the backend authenticates by expecting one of the next several possible values (usually ten-ish) to account for the button being pushed inadvertently a couple of times. If the user provides a code from the near future, the counter is then resynchronized on the backend. If the user falls out of sync by hitting the button too many times outside of an authentication scenario, usually there’s an alternative means of authenticating to a system where the pairing process can be repeated, resyncing the counter. The counter also rolls over at some point (usually somewhere on the scale of tens of thousands), which is why it’s relatively easy to calculate most of the possibilities quickly.

    2. Nope. While one time pad is also abbreviated “OTP,” that’s not what this is. A One Time Pad is a pre-generated list of values. One of the key differentiatiors is that a well-done one time pad can’t be predicted; the values should not come from any predictable sequence. In this case, this token generates a one-time *password* using a pre-defined algorithm (probably HOTP) applied to a shared key and a sequence counter. HOTP is defined in RFC 4226 (see RFC 6238 for another common One Time Password implementation).

      These key fobs are initially set up by taking the pre-shared key and generating a few (usually 3) consecutive values on the fob. The authentication backend then uses the algorithm to generate (basically) each possible outcome for every sequence number to find where in the set of possible outcomes the keyfob currently is at. That tells the backend where to start the sequence counter. Going forward, the backend authenticates by expecting one of the next several possible values (usually ten-ish) to account for the button being pushed inadvertently a couple of times. If the user provides a code from the near future, the counter is then resynchronized on the backend. If the user falls out of sync by hitting the button too many times outside of an authentication scenario, usually there’s an alternative means of authenticating to a system where the pairing process can be repeated, resyncing the counter. The counter also rolls over at some point (usually somewhere on the scale of tens of thousands), which is why it’s relatively easy to calculate most of the possibilities quickly.

Leave a Reply to WhatnotCancel reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.