Saturday, November 3, 2007

Safenet iKey 1000 In-depth Look Inside

We received a lot of attention from our previous article regarding the iKey 2032.  We present to you a teardown of a lesser, weaker Safenet, Inc. iKey 1000 series USB token.

We had two purple iKey 1000 tokens on hand that we took apart-

Cypress 24 pin CY7C63001/101 type USB controller is a likely candidate underneath the epoxy above

Cypress' USB controllers run from a 6 Mhz oscillator and an 8 pin SOIC EEPROM might be beneath this smaller epoxy area

Once we took our initial images of the two sides, it was time to remove whatever was under the epoxy.

If needed, we can clean off the remaining epoxy

There was indeed a serial EEPROM underneath the bottom side.  Removing took some heat and we lost the cover to our oscillator during the process.

Opening the device revealed exactly what we suspected (we could sort-of tell by the 24 pin SOIC) being familiar with the Cypress family of processors.  We discovered a Cypress CY7C63101.

The red pin denotes pin 1 of this Cypress CY7C63101


A 200x magnification photo of the die above shows a 20 pin version of the CPU used in the iKey1000 token.

The Cypress CY7C63 family of USB microcontrollers have serious security issues.  This family of processors should not be used by anyone expecting their security token to be secure.  Unfortunately, we've seen a lot of dongles using this family of CPU's.

We successfully read out the CPU (using our magic wand again).  Poking around the code looking for ASCII text we found the USB identifier string at address offset $0B7:  "i.-.K.e.y"

The code contained inside the Cypress CPU is always static between iKey1000 tokens.  The Cypress CPU is a One-Time Programmable (OTP) type device.  There is no non-volatile type memory inside except for for the EPROM you may program once (hence OTP).  The only changes possible are within the external EEPROM which is a dynamic element to the token.  The EEPROM turned out to be a commonly found 24LC64 8K byte EEPROM. 

Given the above, we can then assume that the iKey1032 is identical to this token with the except of replacing the 24LC64 with a larger 24LC256 32K byte EEPROM.  This is a logical assumption supported by Safenet's brochure on the token.

Are you securing your laptop with this token?  We are not...


  1. This family of processors should not be used by anyone expecting their security token to be secure.

    Why? What's the background I'm missing here?

  2. This is our opinion based off the level of technical ability required to extract the code contained inside the CPU (Cypress CY7C63101).

    This CPU is the weakest of the USB CPU's we have seen. Our theory is that security was not part of the design requirements.

    One other issue regarding the overall security of this token is the ease of opening the plastic package. Very simple to do without leaving any traces of entry.

    Apply a little Jasco epoxy remover and the epoxy wipes off. Clean it up, read out the EEPROM by connecting up with a test-clip and you a) clone this token into a token you bought from eBay or b) just know the pin and use that token.

    So an attacker can literally "borrow" your token; Open it and return it in minutes if they are prepared. This could happen in a coffee shop!

  3. [...] might have seen this picture from the iKey1000 teardown.  That’s because we borrowed the Cypress pictures from that teardown [...]

  4. Weaknesses of hardware-based dongles are old news (see below link from seven years ago), but it's interesting that nothing has really changed, even with the advances in integration, availability of smartcard ICs, etc. So sad.


  5. Hi Kingpin,

    Nice report and thank you for visiting the website. We're aware this wasn't new infact, we've examined the smartcard contained inside the PCB of your iKey2000 in the past (it was an older version of the smartcard chip presented in our iKey 2032 teardown).

    We try to present a different approach to the strength of the tokens. Our approach is more towards cloning a legitimate token vs. cracking the algorithm layers which can be patched in software.

    Good to see you!

  6. [...] Y ya esta listo para el análisis, podéis ver las entradas aquí y aun mas explicado sobre otra llave aquí [...]

  7. Hehe, this is one of my favorite blogs. Keep up the good work ;)

  8. Be sure to choose the appropriate method to learn quickly.
    If you can do this, it is a single of the greatest approaches to find out.
    It would not be a sensible idea to suggest you learn
    to read six notes straight away so we are going to look at just reading two notes to start

    my page ... Learn To Play Guitar (Www.Intendant-Group.Ru)

  9. hi, how you are to open this ikey, my question is to no damage my key xD thanks