Datakey Token/SmartCard Cleartext Transmission PIN Exposure

2004-08-06T02:37:00
ID OSVDB:8384
Type osvdb
Reporter OSVDB
Modified 2004-08-06T02:37:00

Description

Vulnerability Description

Datakey's Rainbow iKey USB Token and Smart Card contain a flaw that may lead to unauthorized password exposure. The issue is due to the communication channel between the token and the driver being plaintext. By sniffing the communication channel between the smartcard/token and the smartcard driver, a remote attacker can retrieve the user password, resulting in a loss of confidentiality.

Solution Description

Currently, there are no known workarounds or upgrades to correct this issue. However, Datakey has released a new firmware to address this vulnerability.

References:

Vendor URL: http://www.datakey.com/home.php
Packet Storm: http://packetstormsecurity.org/0408-advisories/datakeyPassword.txt
Mail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2004-08/0091.html
ISS X-Force ID: 16887