iKey Tokens and Smart Cards transmit PIN in plain text
ikey-smartcard-plaintext-pin (16887)
Description:
Rainbow iKey and Smart Card series transmit a user's PIN in plain text. A remote attacker using a network sniffing tool could sniff the traffic in the communication channel between the smartcard or token and the smartcard driver and recover sensitive information.
Consequences:
Obtain Information
Remedy:
Reportedly, the latest version of firmware is not affected by this vulnerability.
SafeNet acquired the iKey and Smart Card products. Please contact SafeNet, not Datakey, for information about this vulnerability. See References.
References:
- Full-Disclosure Mailing List, Wed Aug 04 2004 - 00:08:51 CDT: Clear text password exposure in Datakey's tokens and smartcards.
- SafeNet Web site: Datakey delivers comprehensive smart-card based solutions. (SafeNet acquired the iKey and Smart Card products. Please contact SafeNet.)
- CVE-2004-1709: Datakey Rainbow iKey2032 USB token, when using the CIP client package, does not encrypt communications between the token and the driver, which could allow local users to obtain the PINs of other users.
Platforms Affected:
- SafeNet 330 Smart Card
- SafeNet 330g GSA compatible Smart Card
- SafeNet 330i Smart Card for the Identrus System
- SafeNet 330j Smart Card
- SafeNet 330m Biometric-enabled Smart Card
- SafeNet 330u User PIN unblocking Smart Card
- SafeNet Rainbow iKey 2032 series USB Token
Reported:
Aug 04, 2004
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net
