INSIGHTS | November 3, 2007

Safenet iKey 1000 In-depth Look Inside

We received a lot of  attention from our previous article regarding the  iKey 2032. We  present to you a teardown of a lesser, weaker Safenet, Inc. iKey 1000 series USB token.

We had two purple iKey 1000 tokens on hand that we took apart-Cypress 24 pin CY7C63001/101 type USB controller is a likely candidate underneath the epoxy above

 

Cypress’ USB controllers run from a 6 Mhz oscillator and an 8 pin SOIC EEPROM might be beneath this smaller epoxy area

 

Once we took our initial images of the two sides, it was time to remove whatever was under the epoxy.

 

If needed, we can clean off the remaining epoxy

 

There was indeed a serial EEPROM underneath the bottom side.  Removing took some heat and we lost the cover to our oscillator during the process.

 

Opening the device revealed exactly what we suspected (we could sort-of tell by the 24 pin SOIC) being familiar with the Cypress family of processors. We discovered a Cypress CY7C63101.

 

The red pin denotes pin 1 of this Cypress CY7C63101

 

A 200x magnification photo of the die above shows a 20 pin version of the CPU used in the iKey1000 token.

 

The Cypress CY7C63 family of USB microcontrollers have serious security issues.  This family of  processors should not be used by anyone expecting their security token to be secure. Unfortunately, we’ve seen a lot of dongles using this family of CPU’s.

 

We successfully read out the CPU (using our magic wand again). Poking around the code looking for  ASCII text we found the USB identifier string at address offset $0B7: “i.-.K.e.y”

 

The code contained inside the Cypress CPU is always static between iKey1000 tokens.  The Cypress CPU is a One-Time Programmable (OTP) type device.  There is no non-volatile type memory inside except for the EPROM you may program once (hence OTP).  The only changes possible are within the external EEPROM which is a dynamic element to the token.  The EEPROM turned out to be a commonly found 24LC64 8K byte EEPROM.

 

Given the above, we can then assume that the iKey1032 is identical to this token with the except of replacing the 24LC64 with a larger 24LC256 32K byte EEPROM.  This is a logical assumption supported by Safenet’s brochure on the token.
Are you securing your laptop with this token?  We are not…