Didier Stevens

Thursday 26 March 2009

Poken Peek

Filed under: Encryption,My Software,RFID — Didier Stevens @ 7:35

OK, after getting side-tracked by /JBIG2Decode PDFs, let’s get back on the smartcard and RFID track.

The Poken is a little USB stick you keep on your keychain. You link it to your online identities. To befriend other Poken owners, you just have to hold your Pokens together for a second, and they’ll exchange IDs through RFID. The Poken is popular in The Netherlands, not only among children, but adults too. No more need to exchange business cards.

My 2 guinea pig Pokens were delivered last week. If you want to meet them in person, come to Brucon for my workshop.

[Photo: 20090325-175438]

When plugged into a PC, the Poken simulates a USB memory stick containing 3 files:

  • autorun.inf
  • help.txt
  • Start_Poken.html

Start_Poken.html (started by autorun.inf or by you) navigates to the Poken website and automatically logs you in to your Poken account. It contains a URL carrying the data needed to identify you to the Poken website. Having your Poken lost or stolen is an issue (as explained in the Poken FAQ) because of this auto-login feature.

But losing physical control over your Poken is not the only way to get your account compromised. The URL is actually the only thing needed to gain access to your account. And because this URL uses the HTTP protocol (the Poken site doesn’t support HTTPS), it’s easy to intercept on insecure networks. Insecure networks are not the only issue either: because all the data is in the URL, copies of that URL will also end up in various systems on a network, for example in proxy logs.

To prevent unwanted access to your account, disable auto-login for your account (it was enabled by default for my account).
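Because the auto-login token travels inside the URL, anyone who administers a proxy can find out which users have exposed theirs just by reading the access log. The script below is an added example (not from the original post) that scans constructed Squid-style access-log lines for requests to the Poken auto-login path and reports the client and a masked form of the token; the log format, the client addresses and the token strings are all made up for this illustration.

```python
import re

# Constructed sample lines in Squid access.log layout (timestamp, elapsed ms, client,
# status, size, method, URL, ...). None of these tokens is a real Poken URL.
SAMPLE_PROXY_LOG = """\
1238083200.123    145 10.0.0.12 TCP_MISS/200 4321 GET http://p.poken.ch/u/QUJDREVGR0hJSktMTU5PUA - DIRECT/203.0.113.7 text/html
1238083201.456     98 10.0.0.12 TCP_MISS/200 8765 GET http://www.example.com/index.html - DIRECT/203.0.113.8 text/html
1238083202.789    210 10.0.0.27 TCP_MISS/200 4310 GET http://p.poken.ch/u/WFlaMTIzNDU2Nzg5MEFC - DIRECT/203.0.113.7 text/html
"""

# A request to the Poken auto-login path carries the whole account token in the URL.
# The path is URL-safe Base64, so only these characters can appear in it.
AUTOLOGIN_RE = re.compile(r"(https?)://p\.poken\.ch/u/([A-Za-z0-9_-]+)")


def mask_token(token, keep=4):
    """Keep only the ends so the report itself does not re-leak the credential."""
    if len(token) <= 2 * keep:
        return "..."
    return token[:keep] + "..." + token[-keep:]


def find_autologin_urls(log_text):
    """Return one finding per log line that contains a Poken auto-login URL."""
    findings = []
    for line in log_text.splitlines():
        match = AUTOLOGIN_RE.search(line)
        if not match:
            continue
        fields = line.split()
        client = fields[2] if len(fields) > 2 else "?"   # third Squid field is the client
        findings.append({
            "client": client,
            "scheme": match.group(1),                     # "http": observable on the wire
            "token": mask_token(match.group(2)),
        })
    return findings


if __name__ == "__main__":
    for finding in find_autologin_urls(SAMPLE_PROXY_LOG):
        print(finding)
```

The same pattern applies to any service that puts a bearer credential in a GET URL: the proxy log is the easiest place to confirm the exposure, and the affected owners are the ones who should disable auto-login, as the post advises.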

[Photo: 20090325-180505]

I was told by the Poken help-desk that they will support HTTPS in the future. But the current Pokens are hard-coded to use HTTP.

When I read the Poken FAQ stating that your data is protected by a “very advanced encryption method” (sic), I take that to mean that all the data is encrypted with a cipher like AES.
But this isn’t the case. Not all the data is encrypted. Your Poken ID (a 4-byte integer that uniquely identifies your Poken) is not encrypted. And neither are the IDs of the Pokens you befriend. Your personal account data entered on the Poken site is not stored on your Poken. The link between a Poken ID and an account is kept in the database of the Poken web site and is visible only to its owner.

The data of a Poken is stored in the URL in file Start_Poken.html:

    URL=http://p.poken.ch/u/ABCDEFGH...

The path (ABCDEFGH…) is encoded in BASE64 (more precisely, a BASE64 variant compatible with URL encoding). I’ve identified the purpose of some of the first 96 bytes of data. It contains your Poken ID and various counters. Two 4-byte integers change with each use and appear to be random. These could be a (cryptographic) hash to guarantee the authenticity of the Poken data.
The rest of the data is used to store the IDs of the Pokens you befriended. There is room for 64 records (friends) of 16 bytes each. If you befriend more than 64 Pokens without connecting to the Poken site, the old records get overwritten by new records (like in a circular buffer) and you lose friends.

I have a tip for you: if you can’t connect to the Poken web site while befriending more than 64 Pokens, connect your Poken to your laptop and back up the file Start_Poken.html. Later, when you have access to the Poken site, open the backed-up files in the order you backed them up. Each file will update your data. Only after that, use your Poken itself.

The 16-byte record contains the befriended Poken ID, a status byte (discreet befriending), 3 bytes that look like a timestamp and 8 bytes that appear to be random. These 8 bytes could be a (cryptographic) hash to guarantee the authenticity of befriended Poken data and prevent spoofing or replaying.
So not all the data is encrypted: the Poken IDs are in cleartext. As the link between a Poken ID and the account is safely protected by the Poken web site, even if your data is stolen or intercepted, not much would be disclosed. Traffic analysis could be applied if the data of several Pokens is intercepted during an event. Since most people make their friend list public, they shouldn’t care about the interception of the Poken IDs they befriended anyway.
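To make the layout described above concrete (the URL-safe Base64 path, the 96-byte header, and the 64 records of 16 bytes that behave like a ring buffer), here is an added example in Python; it is not Poken’s code and not part of the original post. It builds a blob with the stated dimensions, encodes it the way the Start_Poken.html URL does, and parses it back without any key, which is the point of the post: the owner ID and the friend IDs are readable in the clear. Everything the post does not state is an assumption and marked as such in the code: that the owner ID sits at header offset 0 as a little-endian integer, that a record is laid out as ID(4) | status(1) | timestamp(3) | check(8) in that order, that an all-zero record is an empty slot, and the 8 check bytes, which are simply carried through because their content is unknown.

```python
import base64
import struct

HEADER_LEN = 96     # from the post: first 96 bytes hold the Poken ID and counters
RECORD_LEN = 16     # from the post: one 16-byte record per befriended Poken
MAX_RECORDS = 64    # from the post: room for 64 friends, then older ones are overwritten
URL_PREFIX = "http://p.poken.ch/u/"

# ASSUMPTIONS (not stated on the page): owner ID at header offset 0, little-endian;
# record = ID(4) | status(1) | timestamp(3) | check(8); an all-zero record is empty.


def b64url_decode(text):
    """URL-safe Base64 without padding, as used in the Poken URL path."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def build_blob(owner_id, friends):
    """Simulate the device's storage: friends is a list of (id, status, timestamp, check8).

    Slot n % 64 receives the n-th friend, so the 65th friend lands on top of the first,
    which is the circular-buffer behaviour the post describes.
    """
    header = bytearray(HEADER_LEN)
    header[0:4] = struct.pack("<I", owner_id)                 # assumed position/endianness
    ring = bytearray(RECORD_LEN * MAX_RECORDS)
    for n, (friend_id, status, timestamp, check) in enumerate(friends):
        slot = n % MAX_RECORDS
        record = (struct.pack("<I", friend_id) + bytes([status])
                  + timestamp.to_bytes(3, "little") + check)
        ring[slot * RECORD_LEN:(slot + 1) * RECORD_LEN] = record
    return bytes(header + ring)


def parse_blob(blob):
    """Read owner ID and friend records; no key is needed for any of this."""
    if len(blob) != HEADER_LEN + RECORD_LEN * MAX_RECORDS:
        raise ValueError("unexpected blob length %d" % len(blob))
    owner_id = struct.unpack_from("<I", blob, 0)[0]
    friends = []
    for slot in range(MAX_RECORDS):
        start = HEADER_LEN + slot * RECORD_LEN
        record = blob[start:start + RECORD_LEN]
        if record == bytes(RECORD_LEN):                       # empty slot (assumption)
            continue
        friend_id, status = struct.unpack_from("<IB", record, 0)
        friends.append({
            "slot": slot,
            "id": friend_id,
            "status": status,
            "timestamp": int.from_bytes(record[5:8], "little"),
            "check": record[8:16].hex(),                      # 8 unexplained bytes, kept as-is
        })
    return {"owner_id": owner_id, "friends": friends}


def parse_start_poken_url(url):
    if not url.startswith(URL_PREFIX):
        raise ValueError("not a Poken auto-login URL")
    return parse_blob(b64url_decode(url[len(URL_PREFIX):]))


def demo():
    """Constructed data: 70 friends on one device, so 6 of them fall out of the ring."""
    check = bytes.fromhex("0011223344556677")                  # stand-in for the 8 check bytes
    friends = [(1000 + n, 0, 0x10000 + n, check) for n in range(70)]
    url = URL_PREFIX + b64url_encode(build_blob(0xDEADBEEF, friends))
    return parse_start_poken_url(url)


if __name__ == "__main__":
    result = demo()
    print("owner", hex(result["owner_id"]), "friends stored:", len(result["friends"]))
```

Running demo() shows the two things the post argues: the IDs come out of the URL with nothing but a Base64 decode, and with 70 befriendings only the last 64 survive. The 8 check bytes per record are returned as hex and nothing is claimed about them, matching the post’s "could be a hash".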

And how about the strength of the encryption? Well, contrary to what is stated in the Poken FAQ, I don’t believe it is state of the art. Modern, secure ciphers like AES work with blocks of at least 128 bits (16 bytes). In the Poken data, we have blocks of at most 64 bits (8 bytes). 64-bit encryption is not state of the art anymore. For comparison, DES (and 3DES) work on 64-bit blocks. You shouldn’t use DES anymore, because it can be brute-forced, although that’s still not trivial to do.

Conclusion: the biggest risk of using a Poken is getting your account compromised, but this can be mitigated. And the encryption of the data on a Poken is not designed to protect your data, but to prevent fraud with the befriending process. The cipher isn’t AES or an equivalent cipher. Yet it is possible to build a small USB device that uses AES to encrypt all data: the YubiKey does it.

[Photo: 20090325-175502]

8 Comments »

  1. [...] about pokens I discussed the what/how/why of pokens. In his post, Didier Stevens talks about the technique that is used and the security issues that come with it [...]

    Pingback by Poken Review « BnafetS & LtsirK — Friday 27 March 2009 @ 8:10

  2. [...] Hardware, Quickpost, RFID — Didier Stevens @ 0:01 Here’s an alternate use for your Poken: use it to detect 125 kHz RFID readers. It’s led will blink red when you bring it next to a [...]

    Pingback by Quickpost: Using Your Poken as a Lowcost LF RFID Detector « Didier Stevens — Monday 4 May 2009 @ 0:05

  3. Shall we go and screw our Pokens for a moment?…

    Do you Poken? Poken, I poken, you poken, we poken.

    Already hooked on Flippos as a neglected Nintendo toddler, on nicotine as a twenty-something: the patronised modern thirty-something unexpectedly vents his collecting, or rather addiction, urge on the so-called Poken. M…

    Trackback by Babalin.com :: online panacee — Tuesday 5 May 2009 @ 12:14

  4. 64 bits can be padded with random bits to reach 128 … AES strength get back ?

    Comment by camerling — Wednesday 8 July 2009 @ 8:04

  5. I don’t consider the use of 64-bit encryption for an application as the Poken an issue. I was just pointing out that the encryption isn’t disclosed, and that 64-bit isn’t considered state-of-the-art anymore.

    Comment by Didier Stevens — Wednesday 8 July 2009 @ 9:10

  6. [...] and found that, alongside the Poken ID in cleartext (Base64 is not encryption…), encryption of at most 64 bits is used. “State-of-the-art” is something else. Should this encryption actually [...]

    Pingback by Do You Poken? | Simon Koelsch — Sunday 19 July 2009 @ 14:48

  7. [...] to know how Pokens work and related security?  Check out this really awesome, detailed article created by Didier [...]

    Pingback by Security Justice » Blog Archive » Security Justice Episode 17 – Pokens, CUDA, Physical Security Exercises, Makerbots, Hawt Chicks — Friday 25 September 2009 @ 2:34

  8. I really enjoyed your article. However there is a newer version of the poken that you should take a look at, called the “pokenPulse”, which now sports a 2 GB jump drive along with the updated poken_start. I got my first poken (a ninja) from http://www.findapoken.com. Since I got my first poken from them at the start of the year, they gave me a discount code to save a few dollars and to help spread the poken love. Information should be free, so the code they gave me, “findapoken23”, should save you a few dollars!

    Comment by James Mitchell — Sunday 25 October 2009 @ 19:16

