Postbank BestSign / SealOne USB
USB stick for verifying / authorizing transactions
Internals
Notable components and parts
SmartCard, presumably Gemalto TOP IM GX4, ATR: 3B FD 96 00 00 81 31 20 43 80 31 80 65 B0 83 11 48 C8 83 00 90 00 5D
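The ATR above can be split into its fields following the ISO/IEC 7816-3 layout, with the historical bytes read as compact-TLV objects. This is an added example, not code from the original page or from SealOne; the function names parse_atr and compact_tlv are illustrative.

```python
# Added example (not from the original page): ISO/IEC 7816-3 ATR decoder.
ATR_HEX = "3B FD 96 00 00 81 31 20 43 80 31 80 65 B0 83 11 48 C8 83 00 90 00 5D"  # ATR quoted on this page

def parse_atr(atr_hex):
    """Split an ATR into interface bytes, historical bytes and checksum status."""
    atr = bytes.fromhex(atr_hex)
    if len(atr) < 2 or atr[0] not in (0x3B, 0x3F):
        raise ValueError("TS must be 3B (direct) or 3F (inverse convention)")
    n_hist = atr[1] & 0x0F      # T0 low nibble: number of historical bytes
    present = atr[1] >> 4       # T0 high nibble: which of TA1..TD1 follow
    pos, group, iface, t_values = 2, 1, {}, []
    while present:
        for bit, name in enumerate("ABCD"):
            if present & (1 << bit):
                if pos >= len(atr):
                    raise ValueError("ATR truncated inside interface bytes")
                iface[f"T{name}{group}"] = atr[pos]
                pos += 1
        td = iface.get(f"TD{group}")
        if td is None:
            break
        t_values.append(td & 0x0F)          # TDi low nibble: protocol type T
        present, group = td >> 4, group + 1  # TDi high nibble: next presence map
    hist = atr[pos:pos + n_hist]
    if len(hist) != n_hist:
        raise ValueError("ATR truncated inside historical bytes")
    pos += n_hist
    tck_ok = None               # TCK is absent when only T=0 is offered
    if any(t != 0 for t in t_values):
        if pos >= len(atr):
            raise ValueError("TCK missing")
        x = 0
        for b in atr[1:pos + 1]:
            x ^= b
        tck_ok = (x == 0)       # XOR over T0..TCK must be zero
        pos += 1
    if pos != len(atr):
        raise ValueError("unexpected trailing bytes")
    return {"interface": iface, "protocols": sorted(set(t_values)) or [0],
            "historical": hist, "tck_ok": tck_ok}

def compact_tlv(hist):
    """Decode historical bytes in compact-TLV form (category indicator 0x80)."""
    out, pos = [], 1
    while hist[:1] == b"\x80" and pos < len(hist):
        tag, length = hist[pos] >> 4, hist[pos] & 0x0F
        value = hist[pos + 1:pos + 1 + length]
        if len(value) != length:
            raise ValueError("compact-TLV object truncated")
        out.append((tag, value.hex().upper()))
        pos += 1 + length
    return out
```

For this ATR the card offers only T=1, the checksum byte 5D is valid, and the last historical object (tag 8) is a status indicator ending in 90 00.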
Software
dmesg
usb 6-2: New USB device found, idVendor=219c, idProduct=0010
usb 6-2: New USB device strings: Mfr=1, Product=2, SerialNumber=0
usb 6-2: Product: SecureSignToken
usb 6-2: Manufacturer: SEALONE AG
scsi13 : usb-storage 6-2:1.0
generic-usb 0003:219C:0010.0008: hiddev0,hidraw0: USB HID v1.11 Device [SEALONE AG SecureSignToken] on usb-0000:00:1d.0-2/input1
scsi 13:0:0:0: CD-ROM SEALONE SecureSignToken 1.17 PQ: 0 ANSI: 2
sr1: scsi-1 drive
sr 13:0:0:0: Attached scsi CD-ROM sr1
sr 13:0:0:0: Attached scsi generic sg2 type 5
sr filesystem (differs depending on the OS that mounts it (!))
1792 2 dr-xr-xr-x 3 2048 Mai 25 2011 .
1856 2 dr-xr-xr-x 3 2048 Mai 25 2011 ./.bin
1920 2 dr-xr-xr-x 3 2048 Mai 25 2011 ./.bin/.locale
1984 2 dr-xr-xr-x 3 2048 Mai 25 2011 ./.bin/.locale/de
2048 2 dr-xr-xr-x 2 2048 Mai 25 2011 ./.bin/.locale/de/LC_MESSAGES
2054 5 -r--r--r-- 1 4564 Mai 25 2011 ./.bin/.locale/de/LC_MESSAGES/S1GUI.mo
1866 120 -r-xr-xr-x 1 122540 Mai 25 2011 ./.bin/S1GUI
1803 4 -r--r--r-- 1 3146 Mai 25 2011 ./README.txt
1807 192 -r-xr-xr-x 1 196028 Mai 25 2011 ./SealOne
SealOne Binary
strings ./SealOne ⇒ may contain traces of libcurl
HTTP instead of HTTPS; presumably crypto in the payload
sends SCSI commands (ioctl) to the USB stick
at least forwards the stick's responses to the server (SealOne) via HTTP POST
keeps an HTTP connection open to gw1.seal-one.com, gw2.seal-one.com or gw3.seal-one.com
Request header without POST data:
POST /S1CLGetMessage HTTP/1.1
User-Agent: SealOne USB-Connector/1.1
Host: gw2.seal-one.com
Accept: */*
Content-Type: multipart/form-data; boundary=*S1*
Content-Length: 402
lsusb
Device Descriptor:
bLength 18
bDescriptorType 1
bcdUSB 2.00
bDeviceClass 0 (Defined at Interface level)
bDeviceSubClass 0
bDeviceProtocol 0
bMaxPacketSize0 64
idVendor 0x219c
idProduct 0x0010
bcdDevice 1.00
iManufacturer 1 SEALONE AG
iProduct 2 SecureSignToken
iSerial 0
bNumConfigurations 1
Configuration Descriptor:
bLength 9
bDescriptorType 2
wTotalLength 64
bNumInterfaces 2
bConfigurationValue 1
iConfiguration 2 SecureSignToken
bmAttributes 0x80
(Bus Powered)
MaxPower 96mA
Interface Descriptor:
bLength 9
bDescriptorType 4
bInterfaceNumber 0
bAlternateSetting 0
bNumEndpoints 2
bInterfaceClass 8 Mass Storage
bInterfaceSubClass 6 SCSI
bInterfaceProtocol 80 Bulk (Zip)
iInterface 0
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x81 EP 1 IN
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0040 1x 64 bytes
bInterval 0
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x02 EP 2 OUT
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0040 1x 64 bytes
bInterval 0
Interface Descriptor:
bLength 9
bDescriptorType 4
bInterfaceNumber 1
bAlternateSetting 0
bNumEndpoints 2
bInterfaceClass 3 Human Interface Device
bInterfaceSubClass 0 No Subclass
bInterfaceProtocol 0 None
iInterface 0
HID Device Descriptor:
bLength 9
bDescriptorType 33
bcdHID 1.11
bCountryCode 0 Not supported
bNumDescriptors 1
bDescriptorType 34 Report
wDescriptorLength 52
Report Descriptors:
** UNAVAILABLE **
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x83 EP 3 IN
bmAttributes 3
Transfer Type Interrupt
Synch Type None
Usage Type Data
wMaxPacketSize 0x0040 1x 64 bytes
bInterval 1
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x04 EP 4 OUT
bmAttributes 3
Transfer Type Interrupt
Synch Type None
Usage Type Data
wMaxPacketSize 0x0040 1x 64 bytes
bInterval 1
Device Status: 0x0000
(Bus Powered)