Vasco SafeID / Digipass GO3 Teardown


Introduction:

The Vasco / OneSpan Digipass GO3 is a keyfob device that generates a dynamic one-time passcode (OTP) each time a user remotely logs into an application, website or network.

The manufacturer’s webpage can be seen at:
https://www.vasco.com/products/two-factor-authenticators/hardware/one-button/digipass-go-3.html

The keyfob is pre-programmed for the end-user before delivery. The operation is very simple – a press of the button will display a number on the 8-digit display. The associated website will ask for this number during a log-on procedure to provide an additional layer of security.

It uses an algorithm to generate the codes. For more info on this please see the YouTube video below:
Experimental Study of DIGIPASS GO3 and the Security of Authentication

There is a label on the rear of the device that must match the account you are trying to log into so you cannot use just any keyfob to log in.

The battery inside the unit is a regular CR2032 Lithium Cell.

Note: If you remove the battery from the keyfob it will lose the software / algorithm from memory and effectively ‘brick’ the keyfob. The keyfob photographed in this article had been ‘bricked’.


Inside the Keyfob:

The Keyfob assembly uses two plastic half-shells that contain the PCB and LCD units. At first glance the unit looks ultrasonically welded, but the shells are actually held together with retaining clips. There is also an adhesive applied to each clip to prevent the unit bouncing open if dropped.

External Shells & PCB LCD
The photo below shows the shells, LCD, battery, and rubber button.
The button has a conductive spot that sits over the contacts at K11 on the PCB.



Internal Shells & PCB Components:
The photo below shows the component side of the PCB
A quick glance at the PCB shows the CPU under the black blob alongside a clock crystal. There was no marking on the crystal but I suspect 32.768kHz as this is a standard realtime clock frequency. There are various resistors on the PCB and a small SOT-23 transistor.

These keyfobs are supplied as ‘blanks’ to whatever institution issues them as there are 6 pads on the PCB that align with 6 holes on the left-side shell.
A programmer with a programming lead using 6 spring loaded contacts would contact the PCB and configure the device without needing to open it up.
After programming the unit an identification label is placed on the outside of the shell that covers the holes.


PCB fitted into shell:



Close Up – LCD Side



Close Up – Component Side:



Bricked Unit – LCD Readout

The battery had been removed and re-inserted into the unit. After that it was non-responsive.
The unit was given a hard-reset by shorting the RES pad to the GND pad.

After the Reset the unit’s behaviour completely changed. Instead of displaying the usual 6-digit number when the button was pushed it displayed several other things.

First Button Press:
The unit displays a line of eight ‘8‘ digits



Second Button Press:
The display showed “FFFFFFFF”.
Each additional press of the button would run a test of the button.
It would display an 8 when the button was down, and a 2 when the button was released.
If the button was held down for >2 seconds it would display a 4.



After the button test it would display this:
I have no idea what this represents.



Next button press displayed “A849”.
This number is also written on the PCB near the crystal.



Next button press displayed “bAtt C2”
I suspect this is a battery level indicator in Hexadecimal.



Next button press displayed “SoFt031A”
I suspect this is the software revision of the underlying boot code.



Normal Keyfob – Hidden Menus

When using the keyfob a single button press shows a series of dashes, then the log-in number is displayed.

If you press and hold the button down for a few seconds other functions are available.

1. Press and hold the button to display the 8 dashes:


2. Keep holding the button down for > 5 seconds. The display will show these three messages in rotation:






Battery Level:
When the display shows the image below release the button:


The keyfob will show the battery level:




KeyFob ID:
When the display shows the image below release the button:


The KeyFob will show letters dp (for DigiPass..?) and the first two digits of the code printed on the label.
I used 1234567890 as an example:


Wait a few seconds and it will display the remaining digits of the label code:




Seconds Counter:
The Seconds Counter is a 10-digit number.
The counter value is the number of seconds that have passed since 0:00am on 1st Jan 1970.
This counter is known as Epoch time or a Unix timestamp.

When the display shows the image below release the button:


The KeyFob will show “SEC Ft” and the first two digits of the counter:


Wait a few seconds and it will display the remaining digits of the counter:


At the time of writing the counter on my KeyFob was 1573238136.
This translates to Friday, 8 November 2019 18:35:36

You can check your KeyFob counter against a website that shows the current Unix Epoch Time here:
https://www.epochconverter.com
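
The same check can be done offline. The following is an added example, not part of the original article: it joins the two readouts (the two digits shown next to “SEC Ft” and the remaining eight digits), converts the counter to a UTC date, and measures how far the keyfob clock is from a reference clock. The function names and the reference time are assumptions made for illustration; the counter value is the one quoted above.

```python
from datetime import datetime, timezone

# Constructed sample: the two readouts for the counter quoted in the article,
# and a made-up reference time standing in for a trusted (e.g. NTP-synced) clock.
SAMPLE_FIRST = "15"          # digits shown next to "SEC Ft"
SAMPLE_SECOND = "73238136"   # remaining eight digits
SAMPLE_REFERENCE = datetime(2019, 11, 8, 18, 35, 30, tzinfo=timezone.utc)


def reassemble_counter(first: str, second: str) -> int:
    """Join the 2-digit and 8-digit readouts into the 10-digit counter."""
    first, second = first.strip(), second.strip()
    digits = first + second
    if len(first) != 2 or len(second) != 8:
        raise ValueError("expected 2 digits, then 8 digits")
    if not (digits.isascii() and digits.isdigit()):
        raise ValueError("readout contains non-digit characters")
    return int(digits)


def counter_to_utc(counter: int) -> datetime:
    """Interpret the counter as seconds since 1 Jan 1970 (UTC)."""
    return datetime.fromtimestamp(counter, tz=timezone.utc)


def drift_seconds(counter: int, reference: datetime) -> int:
    """Keyfob clock minus reference clock; positive means the keyfob is ahead."""
    if reference.tzinfo is None:
        raise ValueError("reference must be timezone-aware")
    return counter - int(reference.timestamp())


if __name__ == "__main__":
    counter = reassemble_counter(SAMPLE_FIRST, SAMPLE_SECOND)
    print(counter, counter_to_utc(counter).isoformat())
    print("drift vs reference:", drift_seconds(counter, SAMPLE_REFERENCE), "s")
```

Because the counter is read by eye across two screens, treat the measured drift as accurate only to within a few seconds.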


// End of SafeID – DigiPass GO3 article.

sector101
