Skip to main content
SpringerLink
Log in
SpringerLink
Log in

Don’t Push It: Breaking iButton Security

  • Conference paper
  • First Online:
Foundations and Practice of Security (FPS 2013)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 8352))

Included in the following conference series:

Abstract

Maxims iButtons are small portable (steel) tokens that can be attached to objects (e.g., keys, fobs) and are deployed in various applications from access control to devices and buildings to asset management and electronic cash. So far, the security and privacy aspects of iButtons have been widely unexplored. The so-called Secure iButtons are advocated for security critical applications for e.g., micropayment, authentication or feature activation.

In this paper we present for the first time a detailed security analysis of the Secure iButtons DS1963S. Although no technical details are publicly available, Secure iButtons have a variety of physical and cryptographic built-in measures to protect against physical tampering as well as unauthorized access to cryptographic material. We developed methods to bypass all these protection mechanisms of the manufacturer. We present a differential fault attack and implementation attack on the SHA-1-enabled iButton (DS1963S chip). Beside the emulation and impersonation, our attacks succeed in extracting the secret keys stored in the iButton. Our methods allow an infinite rollback to the initial state, which is crucial when targeting micropayment systems based on iButtons. We also demonstrate our attacks on Maxims reference platform of a micropayment system. Our best attack requires a minimal financial invest and take less than ten minutes, including target preparation, while the pure attack on all eight 64-bit keys is completed in a few seconds.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Notes

  1. 1.

    iButtons were originally invented in the year 1989 by Dallas Semiconductor Corp. After Maxim has been acquired by Maxim Integrated Products in 2001, the token continued under the brand name iButton.

  2. 2.

    A master devices initiates and controls the communication with at least one slave device. The communication channel establishes a half-duplex bidirectional serial channel.

  3. 3.

    FIPS 180-1 adds a final constant multi-block SHA-1 computations for each block. Since the iButton protocol only compute one block, the final FIPS 180 constants was removed for performance issues. The SCU can opt-in the constant when FIPA 180-1 conformance is required.

  4. 4.

    Appendix E shows the silicon layer and the content of the reverse-engineered ROM-ID and gives information about the memory structure.

References

  1. Aci touchaccess - an intelligent lock. http://acisecurity.com/product_sheets/touchaccess.pdf (Product information) Accessed 28 October 2012

  2. Almex ticketing station. http://www.hoeft-wessel.com/uploads/media/almex-station-e_01.pdf (Product information) Accessed 28 October 2012

  3. Corby 4300 sa datachip. http://www.corby.com/Sub_Products/product.php?wbprodpage_id=4300 (Product information) Accessed 28 October 2012

  4. Cs ikey. http://www.cstech.biz/product_brochure/Brochure%20-%20iKey.pdf (Product information) Accessed 28 October 2012

  5. Ds1904 rtc ibutton. http://www.maximintegrated.com/datasheet/index.mvp/id/2817/t/al (Datasheet) Accessed 28 October 2012

  6. Ds1923 hygrochron temperature/humidity logger ibutton with 8kb data-log memory. http://www.maximintegrated.com/datasheet/index.mvp/id/4379/t/al (Datasheet) Accessed 28 October 2012

  7. Ds1961s 1kb protected eeprom ibutton with sha-1 engine. http://www.maximintegrated.com/datasheet/index.mvp/id/3557 (Datasheet) Accessed 28 October 2012

  8. Ds1963s sha ibutton. http://www.maximintegrated.com/datasheet/index.mvp/id/2822/t/al (Datasheet) Accessed 28 October 2012

  9. Ds1977 password-protected 32kb eeprom ibutton. http://www.maximintegrated.com/datasheet/index.mvp/id/3951/t/al (Datasheet) Accessed 28 October 2012

  10. Ds2432 1kb protected 1-wire eeprom with sha-1 engine. http://www.maximintegrated.com/datasheet/index.mvp/id/2914/t/al (Datasheet) Accessed 28 October 2012

  11. Ebn pos systems. http://www.ebn-pos.com/products/all-in-one-pos-terminal.php Accessed 29 October 2012

  12. Imagecast precinct voting machine. http://www.dominionvoting.com/products Accessed 29 October 2012

  13. Overview of 1-wire technology and its use. http://pdfserv.maximintegrated.com/en/an/AN1796.pdf (Tutorial 1796) Accessed 28 October 2012

  14. Schlage mr-1967 electronic interconnected lockset. http://consumer.schlage.com/Service-Support/Documents/MR-1967_Electrtonic_Interconnected_Lockset.pdf (Product information) Accessed 28 October 2012

  15. Super micro computer, ibutton aoc-ibutton68. http://www.supermicro.nl/products/accessories/addon/aoc-ibutton68.cfm (Product information) Accessed 28 October 2012

  16. Super micro computer, raid controller. http://www.supermicro.nl/products/accessories/addon/AOC-USAS-H4iR.cfm (Product information) Accessed 28 October 2012

  17. Vectron pos colortouch. http://www.vectron.de/products/poscolortouch/index.php?l=en Accessed 29 October 2012

  18. Dsecash ecash evaluation kit. http://datasheets.maximintegrated.com/en/ds/DSECASH.pdf (2002) (Datasheet) Accessed 28 October 2012

  19. Belim leading technology. http://www.belbim.com.tr/en/Pages/Homepage.aspx (2010) Accessed 28 October 2012

  20. Courtois, N., O’Neil, S., Quisquater, J.J.. In: Samarati, P., Yung, M., Martinelli, F., Ardagna, C.A. (eds.) ISC, pp. 167–176

    Google Scholar 

  21. Eisenbarth, T., Kasper, T., Moradi, A., Paar, C., Salmasizadeh, M., Shalmani, M.T.M.: On the power of power analysis in the real world: a complete break of the Keeloq code hopping scheme. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 203–220. Springer, Heidelberg (2008)

    Google Scholar 

  22. Garcia, F.D., Gans, G.D.K., Muijrers, R., Rossum, P.V., Verdult, R., Schreur, R.W., Jacobs, B.: Dismantling mifare classic

    Google Scholar 

  23. Garcia, F.D., de Koning Gans, G., Verdult, R.: Exposing iclass key diversification. In: Brumley, D., Zalewski, M. (eds.) WOOT, pp. 128–136. USENIX Association. http://dblp.uni-trier.de/db/conf/uss/woot201

  24. Garcia, F.D., van Rossum, P., Verdult, R., Wichers Schreur, R.: Dismantling securememory, cryptomemory and cryptorf. In: Proceedings of the 17th ACM Conference on Computer and Communications Security, CCS ’10, pp. 250–259. ACM, New York (2010). http://doi.acm.org/10.1145/1866307.1866336

  25. Indesteege, S., Keller, N., Dunkelman, O., Biham, E., Preneel, B.: A practical attack on KeeLoq. In: Smart, N.P. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 1–18. Springer, Heidelberg (2008)

    Google Scholar 

  26. Linke, B.: Book of ibutton(r) standards. http://pdfserv.maximintegrated.com/en/an/AN937.pdf (2002) (Application Note 937) Accessed 28 October 2012

  27. Nohl, K., Evans, D., Starbug, S., Plötz, H.: Reverse-engineering a cryptographic rfid tag. In: Proceedings of the 17th Conference on Security Symposium, SS’08, pp. 185–193. USENIX Association, Berkeley (2008). http://dl.acm.org/citation.cfm?id=1496711.1496724

  28. Verdult, R., Garcia, F.D., Balasch, J.: Gone in 360 seconds: Hijacking with hitag2. In: USENIX Security Symposium, pp. 237–252. USENIX Association, August 2012

    Google Scholar 

  29. Wikipedia: Akbil (smart ticket). http://en.wikipedia.org/wiki/Akbil_(smart_ticket) (2013) accessed 01 July 2013

Download references

Author information

Authors and Affiliations

  1. Fraunhofer Institute for Secure Information Technology (FhG-SIT), Rheinstrasse 75, 64295, Darmstadt, Germany

    Christian Brandt & Michael Kasper

Authors
  1. Christian Brandt
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Michael Kasper
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Michael Kasper .

Editor information

Editors and Affiliations

  1. Dept. Commun. & Electronique, Télécom ParisTech, Paris, France

    Jean Luc Danger

  2. Concordia Institute for Information Syst Concordia University Research Chair Tier, Concordia University, Montreal, Québec, Canada

    Mourad Debbabi

  3. École des Mines, Nancy, France

    Jean-Yves Marion

  4. RST Department, Rm A105-2, Télécom SudParis, Evry, France

    Joaquin Garcia-Alfaro

  5. Dalhousie University, Halifax, Nova Scotia, Canada

    Nur Zincir Heywood

Appendices

Attack Related Commands

For our attack, we need a set of relevant 1-wire low-level commands. Those commands are Read Scratchpad, Write Scratpad, Copy Scratchpad, Erase Scratchpad, Read Authenticated Page, Compute First Secret and Compute Next Secret.

Furthermore, the cryptographic engine has seven SHA-1 command functions, namely the Compute First Secret, Compute Next Secret command for generation of new secrets, SignDataPage for signing and Validate Dat aPagefor HMAC verification. Furthermore, the engine offers a set of function to perform random generator operations and generation of challenges. Finally, the command Read Authenticated Page combines a read operation with a CRC and generation of the corresponding HMAC result. For a detailed description of the commands, we refer the interested reader to the iButton standard [8] and [26].

Resolved Secrets S0-S7 (Example)

The following table give an example for resolved secret \(S0\) - \(S7\) (Fig. 10).

Fig. 10.
figure 10

Resolved secrets S0-S7 from an iButton DS1963S device

Full size image

Tamper Protection Milling Aparatus with iButton

Fig. 11.
figure 11

Milling apparatus with iButton

Full size image

Akbil Micropayment System for Electronic Ticketing

The Akbil system [29] is an integrated micropayment for electronic tickets used for fare payment in public transport of Istanbul, Turkey. The system is currently being phased out, but still in use. Figure 12 shows a SCU access control gate to the metropolitan transportation system.

Fig. 12.
figure 12

Akbil SCU access control gate (left) and Ticketing Machine (right)

Full size image

ROM-ID Reverse Engineering

The figure shows the reverse engineered ROM-ID of a Secure iButton. The ROM-ID layout is reconstructed by the following drawing. Purple spots indicate a laser burned bit lane, representing a set bit value.

figure a

Rights and permissions

Reprints and permissions

Copyright information

© 2014 Springer International Publishing Switzerland

About this paper

Cite this paper

Brandt, C., Kasper, M. (2014). Don’t Push It: Breaking iButton Security. In: Danger, J., Debbabi, M., Marion, JY., Garcia-Alfaro, J., Zincir Heywood, N. (eds) Foundations and Practice of Security. FPS 2013. Lecture Notes in Computer Science(), vol 8352. Springer, Cham. https://doi.org/10.1007/978-3-319-05302-8_23

Download citation

  • DOI: https://doi.org/10.1007/978-3-319-05302-8_23

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-05301-1

  • Online ISBN: 978-3-319-05302-8

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation