iKey Tokens and Smart Cards transmit PIN in plain text
ikey-smartcard-plaintext-pin (16887)
Description:
Rainbow iKey and Smart Card series transmit a user's PIN in plain text. A remote attacker using a network sniffing tool could sniff the traffic in the communication channel between the smartcard or token and the smartcard driver and recover sensitive information.
Platforms Affected:
- SafeNet, 330 Smart Card
- SafeNet, 330g GSA compatible Smart Card
- SafeNet, 330i Smart Card for the Identrus System
- SafeNet, 330j Smart Card
- SafeNet, 330m Biometric-enabled Smart Card
- SafeNet, 330u User PIN unblocking Smart Card
- SafeNet, Rainbow iKey 2032 series USB Token
Remedy:
Reportedly, the latest version of firmware is not affected by this vulnerability.
SafeNet acquired the iKey and Smart Card products from Datakey. Please contact SafeNet, not Datakey, for information about this vulnerability. See References.
Consequences:
Obtain Information
References:
- Full-Disclosure Mailing List, Wed Aug 04 2004 - 00:08:51 CDT, Clear text password exposure in Datakey's tokens and smartcards at http://archives.neohapsis.com/archives/fulldisclosure/2004-08/0091.html.
- SafeNet Web site, Datakey delivers comprehensive smart-card based solutions at http://www.safenet-inc.com/. (SafeNet acquired the iKey and Smart Card products. Please contact SafeNet.)
- CVE-2004-1709: Datakey Rainbow iKey2032 USB token, when using the CIP client package, does not encrypt communications between the token and the driver, which could allow local users to obtain the PINs of other users.
Reported:
Aug 04, 2004
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net
