Probing a SecurID Token

One of my friends gave me a few RSA SecurID tokens that are about to expire.

I had noticed already sometime before that the part on the back, where the serial number is written, appears to be a added later, it is made of a different kind of plastic than the rest of the case.

Having a few tokens to play with, I pryed off the badge with the serial number and looked underneath. There I found something that stimulated my curiosity even further….

The SecurID tokens, front and back

And now for the surprise…

I lifted the badge, put it aside on a sticker sheet, to find:

Yay! Programming pads! Or test pads, or whatever, at least something interesting. ;) By the way, appropriate stickers, eh? :p

Those pads just beg to be abused to satisfy my curiosity further. So, I whipped up a simple jig to get easy access to them.

The jig

I cut up a piece of perfboard, soldered some 30 AWG wire wrapping wire to the pads on the SecureID and wrapped the other end of the wires to some wire-wrapping headers on the edge of the board.

Now I can easily attach my scope probes to see what signals are on those pads.

With the scope I found a nice 1 Hz pulse, about 20 ms wide on one of the pins:

Sorry for the lousy quality, but it’s hard to photograph this using a full automatic camera. This pic was taken in many tries, in the dark, with the camera on its lowest ISO setting. I’m open for suggestions on how to photograph slow signals on a scope screen with a budget digital camera. :)

Then I wrote a simple program for my Arduino that served as a poor-man’s logic analyzer to see all the pins at once:

"the omnipresent arduino"

This showed not much more than the scope did before, only a few pins that wobbled every minute, when the SecurID’s lottery number changes, but nothing too interesting, alas.

So far my progress with this thing, if anybody had more information about the internals of the modern SecurID’s or did something interesting with these pads already, I’d be happy to hear from you!

Comments