Full Report
The widespread use of smartphones by employees to perform work-related activities has introduced the idea of using these devices as an authentication token. As an example of such attempts, RSA SecurID software tokens are available for iPhone, Nokia and Windows platforms. Obviously, mobile phones cannot provide the level of tamper resistance that hardware tokens do, but I was interested to know how easy or hard it would be for a potential attacker to clone RSA SecurID software tokens. I used the RSA SecurID Software Token for Microsoft Windows, version 4.10, for my analysis and discovered the following issues:
Analysis Summary
# Tool/Technique: RSA SecurID Software Token (Windows Version 4.10) Analysis
## Overview
This summary covers the security weaknesses found in the Windows version (4.10) of the RSA SecurID Software Token, with a focus on whether the token's secret seed can be cloned and used to generate valid one-time passwords (OTPs) on a separate machine. Two weaknesses are central: the device serial number is calculable from non-secret identifiers, and local storage relies on the Windows Data Protection API (DPAPI) for encryption.
## Technical Details
- Type: Tool (Authentication Software/Vulnerability Analysis Target)
- Platform: Microsoft Windows (Analysis performed on Windows XP virtual machines)
- Capabilities: Generates time-based one-time passwords (TOTP) as an authentication factor. The analysis revealed methods to bypass device binding and extract cryptographic material.
- First Seen: Analysis published May 17, 2012.
## MITRE ATT&CK Mapping
The exploitation techniques derived from this analysis align primarily with Credential Access and Defense Evasion tactics.
- **TA0006 - Credential Access**
  - T1003 - OS Credential Dumping
    - T1003.001 - LSASS Memory
- **TA0005 - Defense Evasion**
  - T1027 - Obfuscated Files or Information
  - T1560 - Archive Collected Data
    - T1560.001 - Archive via Utility
## Functionality
### Core Capabilities
The software token's primary function is to generate OTPs based on a stored secret seed and time. The analysis focused on the components responsible for binding the token to a device and protecting the storage of this seed.
### Advanced Features
1. **Device Serial Number Calculation:** The token is bound to a device serial number derived from the system's hostname and the current user's Windows Security Identifier (SID): `device_serial_number = Left(SHA1(host_name + user_SID + "RSA Copyright 2008"), 10)`. An attacker who knows these two identifiers can recalculate the exact serial number used for binding, so the binding does not depend on anything secret or hardware-specific.
2. **Token Database Theft and DPAPI Bypass:** The secret seed and associated cryptographic data are stored in an SQLite database (`RSASecurIDStorage`) whose protection rests on DPAPI: the `DatabaseKey` is encrypted under the user's DPAPI master key and the `CryptoChecksum` under the machine's DPAPI master key. The analysis demonstrated that an attacker who copies the database file together with the corresponding user and machine DPAPI master keys can clone the token offline on a different system.
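As an added illustration (not code from the article or from RSA), the serial-number derivation in item 1 above implemented in Python, with a helper that shows why a machine presenting the same hostname and SID reproduces the binding; the byte encoding of the concatenated string and the hex rendering of the digest are assumptions, since the page only gives the formula.

```python
import hashlib

# Constant from the formula quoted on the page.
RSA_SUFFIX = "RSA Copyright 2008"


def device_serial(host_name: str, user_sid: str) -> str:
    """Left(SHA1(host_name + user_SID + "RSA Copyright 2008"), 10).

    Assumption (not stated on the page): the three strings are concatenated
    with no separator and encoded as ASCII, and the SHA-1 digest is rendered
    as lowercase hex before the leftmost 10 characters are taken.
    """
    material = (host_name + user_sid + RSA_SUFFIX).encode("ascii")
    return hashlib.sha1(material).hexdigest()[:10]


def binding_survives_clone(victim: tuple, clone: tuple) -> bool:
    """True if a token bound on `victim` would also validate on `clone`.

    Each argument is a (host_name, user_sid) pair. The serial contains no
    hardware-derived or secret input, so any machine presenting the same
    hostname and SID reproduces it exactly; this is the property the TPM
    binding recommended under Mitigation Strategies would remove.
    """
    return device_serial(*victim) == device_serial(*clone)


# Constructed identifiers, not taken from any real system.
VICTIM = ("WS01", "S-1-5-21-1111111111-2222222222-3333333333-1001")
CLONE_SAME_IDS = ("WS01", "S-1-5-21-1111111111-2222222222-3333333333-1001")
CLONE_OTHER_SID = ("WS01", "S-1-5-21-1111111111-2222222222-3333333333-1002")

if __name__ == "__main__":
    print("victim serial:", device_serial(*VICTIM))
    print("clone with copied identifiers matches:", binding_survives_clone(VICTIM, CLONE_SAME_IDS))
    print("clone with a different SID matches:", binding_survives_clone(VICTIM, CLONE_OTHER_SID))
```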
## Indicators of Compromise
The indicators are based on the artifacts an attacker would need to collect from the victim machine to execute the cloning attack.
- File Hashes: Not specified in the article.
- File Names:
  - `tokenstoreplugin.dll` (component used for device serial number calculation)
  - `RSASecurIDStorage` (SQLite database file containing token details)
  - `%PROFILEDIR%\Application Data\Microsoft\Protect\%SID%` (location of the user's DPAPI master key)
  - `%WINDIR%\system32\Microsoft\Protect\` (location of the machine's DPAPI master key)
- Registry Keys: Not explicitly detailed, but the `Preferred` file within the DPAPI protection directory holds the GUID of the current master key.
- Network Indicators: None directly associated with the token function itself, though DNS or RPC might be leveraged to discover hostnames.
- Behavioral Indicators:
  - Access to, or exfiltration of, files under the `Microsoft\Protect` directories.
  - Use of `lsadump`-style tools to dump cryptographic material from the Local Security Authority Subsystem Service (LSASS) process, in order to obtain the machine key values needed to manage LSA secrets (the `DPAPI_SYSTEM` value).
## Associated Threat Actors
The article does not specify any known threat actors utilizing this specific technique; it details a vulnerability discovered through independent security research.
## Detection Methods
Detection would focus on identifying the steps required for a successful clone.
- Signature-based detection: Signatures for DLLs related to the RSA software, though unlikely to catch the data exfiltration itself.
- Behavioral detection: Monitoring for bulk copying or exfiltration of files from the `%USERPROFILE%` and `Microsoft\Protect\` directories, particularly combined with system information gathering (hostname, SID enumeration).
- YARA rules: Potentially rules targeting the structure or unique constants within the `RSASecurIDStorage` file or constants within `tokenstoreplugin.dll`.
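As an added example (not from the original article), the behavioural rule above expressed as detection logic over constructed file-access events: a user who reads a DPAPI master-key location and the `RSASecurIDStorage` database within a short window is flagged, while an isolated master-key read is not. The event format, the ten-minute window and the directory holding the token database are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Artifact locations named on the page (case-insensitive, so XP and newer
# profile layouts both match); the RSASecurIDStorage directory is not given.
ARTIFACT_PATTERNS = {
    "dpapi_user_key": re.compile(r"\\Microsoft\\Protect\\S-1-5-21-[\d-]+\\", re.I),
    "dpapi_machine_key": re.compile(r"\\system32\\Microsoft\\Protect\\", re.I),
    "token_database": re.compile(r"\\RSASecurIDStorage$", re.I),
}
WINDOW = timedelta(minutes=10)  # constructed threshold; tune to your telemetry


def classify(path):
    """Map a file path to the artifact class it belongs to, or None."""
    for name, pattern in ARTIFACT_PATTERNS.items():
        if pattern.search(path):
            return name
    return None


def detect_clone_collection(events):
    """Return (user, host) pairs that read the token database and at least one
    DPAPI master-key location within WINDOW; events carry ts/host/user/path."""
    recent = defaultdict(list)  # (user, host) -> [(timestamp, artifact class)]
    hits = set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        kind = classify(ev["path"])
        if kind is None:
            continue  # unrelated file, ignore
        key = (ev["user"], ev["host"])
        now = datetime.fromisoformat(ev["ts"])
        recent[key] = [(t, k) for t, k in recent[key] if now - t <= WINDOW]
        recent[key].append((now, kind))
        kinds = {k for _, k in recent[key]}
        if "token_database" in kinds and kinds & {"dpapi_user_key", "dpapi_machine_key"}:
            hits.add(key)
    return hits


# Constructed file-read events (not real telemetry); bob's isolated
# master-key read has no token database access nearby and must not fire.
SAMPLE_EVENTS = [
    {"ts": "2012-05-17T09:00:00", "host": "WS01", "user": "alice",
     "path": r"C:\Documents and Settings\alice\Application Data\RSA\RSASecurIDStorage"},
    {"ts": "2012-05-17T09:01:30", "host": "WS01", "user": "alice",
     "path": r"C:\Documents and Settings\alice\Application Data\Microsoft\Protect\S-1-5-21-1111-2222-3333-1001\Preferred"},
    {"ts": "2012-05-17T11:00:00", "host": "WS01", "user": "bob",
     "path": r"C:\Documents and Settings\bob\Application Data\Microsoft\Protect\S-1-5-21-1111-2222-3333-1002\Preferred"},
]
```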
## Mitigation Strategies
- **Binding Enhancement:** Use hardware-based binding mechanisms, such as **Trusted Platform Module (TPM)** bindings, to associate the token with unique hardware identifiers beyond easily obtainable software information (hostname/SID).
- **Privilege Restriction:** Ensure standard users do not have permissions allowing them to read or copy the critical DPAPI master key files required for offline decryption.
- **Host/User Enumeration Control:** Tighten the security setting that permits enumeration of SAM accounts and shares across Active Directory networks, so that the hostname and SID needed for the serial number calculation cannot be gathered remotely.
## Related Tools/Techniques
- **`newSID` (Sysinternals utility):** Mentioned as a tool that could be used by an attacker to change machine/user SIDs on the cloned system to convincingly match the victim's environment during the final setup stage (Step 4).
- **`lsadump`-like tools:** Tools capable of dumping hash values from LSASS, necessary for extracting machine keys or updating critical LSA secrets related to DPAPI system keys.
- **DPAPI Cracking/Exfiltration Tools:** Referencing prior research on DPAPI internals, indicating general tools that target the encryption mechanisms used by Microsoft for protecting credentials.