September 24, 2016

RSA SecurID Software Token Cloned and Rendered Useless

(LiveHacking.Com) – The use of two-factor authentication has grown as the simple username & password method has proved insufficient for more sensitive systems. From online banking to employee access to business networks, two-factor authentication is becoming the norm; even Google optionally offers two-step authentication for services like Gmail. In two-factor authentication a token is needed which can only be generated by something in the possession of the user. In the past this has been a special hardware device which churns out the right numbers during login. However, the widespread use of smartphones allows these devices to be used as authentication token generators. For example, RSA SecurID software token programs are available for the iPhone, Nokia and Windows platforms.

Security researcher Behrang Fouladi has posted details of how he has been able to clone the software token from RSA’s SecurID two-factor authentication system on the Windows platform. On Windows, the SecurID software token program uses a hard-drive plug-in with a unique device serial number. If the same user tries to install the software on a different computer, the user cannot import software tokens into the application because the hard-drive plug-in on the second computer reports a different serial number. This is meant to ensure that only one user on one computer can be authorized to generate the tokens.

Fouladi reverse engineered the hard-disk plug-in and discovered that the serial number is formed from the system’s host name and the current user’s Windows security identifier (SID). An attacker with access to these two values can easily calculate the target token’s device serial number and bypass the plug-in that ties the software to just one machine. The SecurID device serial number calculation can be represented with the following formula:

device_serial_number = Left(SHA1(host_name + user_SID + "RSA Copyright 2008"), 10)
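The weakness the formula exposes is that every input is a non-secret attribute of the machine, so the "device serial" is a pure function of values an attacker with a foothold can read. The following is an added example, not code from the article or from RSA: it writes the formula out as stated (assuming UTF-8 input and that Left(..., 10) means the first ten hex characters, neither of which the article specifies) and contrasts it with a hypothetical random per-install binding secret, which cannot be recomputed from host name and SID at all. The host name and SID used are constructed sample values.

```python
import hashlib
import secrets

# Constant string that appears in the article's formula.
RSA_CONSTANT = "RSA Copyright 2008"


def weak_device_serial(host_name: str, user_sid: str) -> str:
    """Device serial as the article's formula describes it:
    Left(SHA1(host_name + user_SID + "RSA Copyright 2008"), 10).

    Assumption (not stated in the article): inputs are UTF-8 encoded and
    "Left(..., 10)" means the first 10 hex characters of the digest.
    """
    material = (host_name + user_sid + RSA_CONSTANT).encode("utf-8")
    return hashlib.sha1(material).hexdigest()[:10]


def random_device_secret() -> str:
    """Hypothetical alternative binding value: a random per-install secret.

    Nothing about the host or user determines it, so knowing the host name
    and SID gives no way to recompute it. It must be read from wherever the
    installer stored it, which makes that store (e.g. OS-protected storage)
    the thing a defender has to protect, rather than public attributes.
    """
    return secrets.token_hex(16)


def reproducible_from_public_attributes(derive, host_name: str, user_sid: str) -> bool:
    """True if two independent derivations from the same public attributes
    agree, i.e. the binding value is a deterministic function of data that
    does not need to be secret. A binding with this property ties the
    token to the attributes, not to the machine."""
    first = derive(host_name, user_sid)
    second = derive(host_name, user_sid)
    return first == second


# Constructed sample values; not taken from any real machine.
SAMPLE_HOST = "WORKSTATION-01"
SAMPLE_SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"


def compare_bindings() -> dict:
    """Evaluate both binding schemes against the same sample attributes."""
    weak = reproducible_from_public_attributes(weak_device_serial, SAMPLE_HOST, SAMPLE_SID)
    # The random scheme ignores the attributes entirely, so two "installs"
    # never agree: knowledge of host name and SID is not enough.
    strong = reproducible_from_public_attributes(
        lambda host, sid: random_device_secret(), SAMPLE_HOST, SAMPLE_SID
    )
    return {"weak_reproducible": weak, "random_reproducible": strong}


if __name__ == "__main__":
    print("derived serial:", weak_device_serial(SAMPLE_HOST, SAMPLE_SID))
    print(compare_bindings())
```

Running the block prints the ten-character serial for the sample host and SID and then `{'weak_reproducible': True, 'random_reproducible': False}`: the derived serial comes out identical on any machine that knows the two attributes, while the random secret does not, which is the property a device binding actually needs.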

Fouladi’s how-to goes on to explain how the token information, including the secret seed value, is stored in a SQLite database and the steps needed to decrypt the information in that database. “When the above has been performed, you should have successfully cloned the victim’s software token and if they run the SecurID software token program on your computer, it will generate the exact same random numbers that are displayed on the victim’s token,” he wrote.

Behrang proved his technique by installing two instances of the software (A and B) on two separate Windows XP virtual machines and attempting to clone token B on the virtual machine that was running token A. Using his method, token B was successfully cloned on the machine running token A.