Wibu-Systems Blog

Good Things Come in Small Packages

Posted by Terry Gaul on Oct 14, 2015 11:49:38 AM


The SD Association recently celebrated the 10th anniversary of the microSD™ Card. Founded in 2000 by Panasonic, SanDisk and Toshiba, the SD Association is a group dedicated to establishing SD standards and facilitating their adoption and development. In their Thought Leadership article, the Association shares interesting facts, including that the memory capacity of the microSD card had increased 6,000 times during that 10-year period, with the latest version available to consumers today containing 200 gigabytes of storage.

Due to their tiny form factor, microSD cards have found their way into a growing list of devices that require expanded memory, from smartphones to wearable devices and many more. For Wibu-Systems, the microSD form factor is a perfect solution for protecting and licensing embedded systems and next-generation IoT devices. Our CmCard/microSD contains an integrated smart card chip with approximately 384 kbytes of secure memory available for storing more than 1,000 licenses and providing the full complement of CodeMeter security functions, including symmetric and asymmetric encryption, signatures, and the storage of X.509 certificates. At only 11 mm x 15 mm x 0.7 mm in size, the CmCard/microSD will fit in the tiniest of devices, providing both security and flexible licensing options in space-limited embedded systems and Industry 4.0 sensors.

Integrated security functionality and built-in SLC flash memory are standard features in all of our CmCard form factors that include µSD, SD, Compact Flash, and CFast cards along with optional SLC or MLC flash memory for our USB Sticks. The combination offers our customers many benefits:

  • Lower costs by combining functions on a single device
  • Industrial grade design for long life
  • Field upgradeability without any changes to hardware
  • Dedicated data partitions offer application flexibility, such as storage of highly sensitive data on mobile devices
  • Prevention of software piracy
  • Protection against counterfeiting
  • Additional security for gambling machines, ATMs or other devices frequently targeted for tampering and attacks

You can learn more technical details about our flash-equipped CmDongles in our latest whitepaper, CmDongle with Flash Memory in Practice. The document illustrates the technological alternatives, the modalities of use, the possible applications, and the commercial reasons behind the advantages of Wibu-Systems’ protection, licensing, and security devices.

The white paper specifically addresses:

  • The types of memory best suited to commercial and industrial purposes
  • The available partitions (encrypted, read-only, CD-ROM, and public areas)
  • The complete calculation concerning the Total Cost of Ownership
  • The advantages of a combination product
  • The benefits in terms of increased security
  • The versatility of the many form factors
  • Real-world customer applications

Download the whitepaper

Topics: dongles, CodeMeter, CmSticks

Repelling the BadUSB Exploit with Cryptography and Secure Boot

Posted by Terry Gaul on Aug 7, 2014 5:06:02 PM

By now, many of you have heard about the “BadUSB” exploit, where two security researchers at Security Research Labs demonstrated how they could perpetrate an attack on USB devices. By reprogramming the USB’s firmware with malicious code, attackers could gain control of a PC or any other USB-driven peripheral, such as a mouse, keyboard or even a smartphone. Once the infected USB is connected to the device, the software can be programmed to perform any number of malicious acts, from corrupting data to impersonating a USB keyboard to type in its own commands. And the attack code can remain hidden long after the contents of the device’s memory would appear to the average user to be deleted.

So what should we conclude about the vulnerabilities of USB sticks? Given the ubiquity of USB technology, consumers using USB memory sticks should be aware of the potential threat and be more cautious about the origin of the stick and who else may have used it, before it’s connected to a device. But we should also be aware that not all USB sticks are alike and some, such as our WibuKeys and CodeMeter sticks (CmStick), incorporate advanced security technology that makes attacks, such as BadUSB, impossible to perpetrate.

Let’s take a deeper look. Each USB stick consists of a controller chip and at least one memory module. The controller is responsible for the communication with the computer over the USB interface, and manages the memory. In principle, this can be equated to a microcomputer that, upon being plugged in, boots its operating system (firmware) from a non-visible part of the flash memory. Then it presents the flash memory to the computer as an available drive.

For economic reasons, the firmware on USB sticks is updateable, and therein lies the vulnerability. There are two ways to update the firmware: 1) a safe, secure boot process or 2) a simpler one with obfuscation of undocumented commands. The latter approach applies to all classic USB sticks and is the main vulnerability to the BadUSB threat.

The first step to a BadUSB attack is the manipulation of the firmware, which must be reverse engineered. New custom firmware is then developed and loaded onto the stick, in a manner that circumvents the obfuscation protection.

Secondly, the modified USB stick presents itself to the computer as an HID device. Once the USB stick is connected, the computer recognizes the HID device and initializes it automatically - a standard procedure that would not draw suspicion from the user. Once initialized, the modified firmware goes into action and the programmed malware is unleashed.
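To make the enumeration step concrete from the defender's side, here is an added example (not part of the original post and not Wibu-Systems code) that walks a raw USB configuration descriptor and reports whether the device announces mass-storage and HID interfaces, so a stick inventoried as plain storage that also announces a keyboard can be flagged. The descriptor bytes are constructed samples, the function name `Audit` is hypothetical, and descriptors are self-reported by the device firmware, so this is a policy check at enumeration, not proof of integrity.

```go
package main

import (
	"errors"
	"fmt"
)

// USB-IF codes: descriptor type 0x04 = interface; class 0x03 = HID, 0x08 = mass storage.
const descInterface, classHID, classStorage = 0x04, 0x03, 0x08

// Constructed sample configuration descriptors, not captured from real devices.
var plainStick = []byte{
	0x09, 0x02, 0x20, 0x00, 0x01, 0x01, 0x00, 0x80, 0x32, // configuration, 1 interface
	0x09, 0x04, 0x00, 0x00, 0x02, 0x08, 0x06, 0x50, 0x00, // interface 0: mass storage
	0x07, 0x05, 0x81, 0x02, 0x00, 0x02, 0x00, // bulk IN endpoint
	0x07, 0x05, 0x02, 0x02, 0x00, 0x02, 0x00, // bulk OUT endpoint
}

var storagePlusKeyboard = []byte{
	0x09, 0x02, 0x39, 0x00, 0x02, 0x01, 0x00, 0x80, 0x32, // configuration, 2 interfaces
	0x09, 0x04, 0x00, 0x00, 0x02, 0x08, 0x06, 0x50, 0x00, // interface 0: mass storage
	0x07, 0x05, 0x81, 0x02, 0x00, 0x02, 0x00, // bulk IN endpoint
	0x07, 0x05, 0x02, 0x02, 0x00, 0x02, 0x00, // bulk OUT endpoint
	0x09, 0x04, 0x01, 0x00, 0x01, 0x03, 0x01, 0x01, 0x00, // interface 1: HID boot keyboard
	0x09, 0x21, 0x11, 0x01, 0x00, 0x01, 0x22, 0x3f, 0x00, // HID class descriptor
	0x07, 0x05, 0x83, 0x03, 0x08, 0x00, 0x0a, // interrupt IN endpoint
}

// Audit walks the descriptor chain (bLength, bDescriptorType, payload) and
// reports which of the two interface classes the device announces.
func Audit(cfg []byte) (storage, hid bool, err error) {
	for i := 0; i < len(cfg); {
		if i+2 > len(cfg) || cfg[i] < 2 || i+int(cfg[i]) > len(cfg) {
			return false, false, errors.New("malformed descriptor chain")
		}
		if cfg[i+1] == descInterface && cfg[i] >= 9 {
			storage = storage || cfg[i+5] == classStorage // bInterfaceClass
			hid = hid || cfg[i+5] == classHID
		}
		i += int(cfg[i])
	}
	return storage, hid, nil
}

func main() {
	fmt.Println(Audit(plainStick))
	fmt.Println(Audit(storagePlusKeyboard))
}
```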

Although the explanation of the exploit seems simple enough, the demonstration by Security Research Labs is extremely difficult to achieve. Reverse-engineering controller firmware requires great technical skill and is extremely time-consuming. Plus, the attack is controller specific, so it would require extensive knowledge of the specific chip and the reverse engineering effort would need to be repeated for each threat.

However, as we have grown to understand the hacking community, we don’t underestimate their persistence and leave nothing to chance in terms of the protection we build into our CmSticks. At Wibu-Systems, our own security experts have been developing and refining technologies to make software safe from malicious tampering since 1989.

Our family of CodeMeter CmSticks comes in many form factors. All are implemented on a separate chip that has its own memory and cryptographically secure firmware. Only firmware signed by Wibu-Systems can be downloaded into the controller, making a BadUSB attack impossible. Our most modern CmStick offers further protection. The chip firmware is encrypted and signed and the root key is stored in non-alterable ROM. This key is written only once during manufacturing and cannot be subsequently updated in the field under any circumstances. This is our implementation of a secure boot process. The inter-chip communication is also encrypted, making the stick immune to hardware-based attacks.
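The difference between the two update paths described above (obfuscated undocumented commands versus signed firmware checked against a key fixed at manufacture) can be shown in a small model. This is an added example, not Wibu-Systems' implementation: the `Controller` type, the opcode value, the key seed and the images are constructed, Ed25519 is an assumed signature scheme, and firmware encryption is left out.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
)

var ErrRejected = errors.New("firmware update rejected")

// Controller is a hypothetical model of a stick controller. romKey stands in
// for a verification key fixed at manufacture; Ed25519 is an assumption.
type Controller struct {
	romKey   ed25519.PublicKey
	firmware []byte
}

// UpdateObscure models the weak path: the only guard is an undocumented
// opcode, which stops being a secret once the firmware is reverse engineered.
func (c *Controller) UpdateObscure(opcode byte, img []byte) error {
	if opcode != 0xA5 { // constructed "hidden" vendor command
		return ErrRejected
	}
	c.firmware = append([]byte(nil), img...)
	return nil
}

// UpdateSigned installs img only if sig verifies against the ROM key.
func (c *Controller) UpdateSigned(img, sig []byte) error {
	if !ed25519.Verify(c.romKey, img, sig) {
		return ErrRejected
	}
	c.firmware = append([]byte(nil), img...)
	return nil
}

// Demo offers both update paths a modified image; all sample data is constructed.
func Demo() (obscure, signedOK, signedTampered error) {
	seed := sha256.Sum256([]byte("constructed vendor seed, demo only"))
	vendor := ed25519.NewKeyFromSeed(seed[:])
	c := &Controller{romKey: vendor.Public().(ed25519.PublicKey)}
	img, mod := []byte("vendor image"), []byte("modified image")
	sig := ed25519.Sign(vendor, img)
	return c.UpdateObscure(0xA5, mod), c.UpdateSigned(img, sig), c.UpdateSigned(mod, sig)
}

func main() {
	fmt.Println(Demo())
}
```

The obscure path installs the modified image, while the signed path accepts the vendor image and rejects the modified one because the existing signature no longer verifies.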

In conclusion, if you are using any of our USB powered devices, you can feel confident that you are protected from the BadUSB threat.

For a more detailed description of our cryptographic protection and secure boot process, please read our official statement "BadUSB Uncovered", or contact one of our security experts.






Topics: CodeMeter, software copy protection, CmSticks, cracking, WibuKey, embedded security

CodeMeter Dongle Now Detected as HID

Posted by John Poulson on Apr 23, 2013 6:00:00 AM

I was pondering the benefits associated with our new HID interface option available to CodeMeter users, when I realized that I didn’t know how to put my own personal CmDongle into HID mode. After reviewing the steps found in the CodeMeter User Manual, I was able to successfully make the change.

Before showing the "HOW," let me remind everyone about the "WHY."

One of the major objections end users have against traditional dongles is the hassle involved in keeping the device drivers current.

Wibu-Systems answered this objection with the very first "driver-less" dongle to hit the market. Wibu-Systems developed a patented method that allowed the operating system (Windows, Mac, Linux, etc.) to see the dongle as a "Mass Storage Device (MSD)." All modern operating systems have kernel level drivers that know what to do with MSD hardware.

This feature has served the market very well for several years. However, never a company to rest on past laurels, Wibu-Systems recently announced that CodeMeter USB sticks can now be set to appear as Human Interface Devices (HID) as well as MSD. This means the CmStick no longer appears as a detachable memory device but integrates as a USB input device, just like a keyboard or mouse does. Every CmStick with a Serial Number in the 2-xxx format can be switched at will between either interface. One requirement is that the CmStick is updated to firmware 2.02 or higher. The second requirement is that CodeMeter RunTime 5.0 is installed on the target system.

By design, CmStick/M and CmCards do not support the HID interface and are restricted to the MSD interface: For the CmStick/M, MSD is used to address the flash memory. Card interfaces in general do not support the HID interface.

The biggest advantage of the HID interface vs. the MSD interface is that CmSticks no longer appear as memory sticks or thumb drives. In some network environments detachable memory devices are forbidden. It always took a special white paper and lots of red tape to explain that a CmStick is not really a memory device to administrators with such restrictions. Now that a CmStick can appear as a simple HID device, this concern has been eliminated.

If you would like a downloadable copy of the MSD to HID instructions for either you or your end users, please download the instructions PDF here.

John Poulson has worked in the software protection industry since 1988 and has been with Wibu-Systems since 2000. He is an expert in license authentication best practices and deep powder skiing.

Topics: CodeMeter, CmSticks