RSA SecurID reversing attempts?

[casper.bang]

I'm all for 2-factor auth and Google Authenticator is a prime example to me, of allowing various logins to reside not only in one place but also on the one thing I already always carry around with me anyway - my smartphone. I'll be moving to FIDO Universal 2nd Factor (U2F) for stuff, which even helps to get rid of the manual labor associated with entering a passcode as well as being more secure against MITM attacks.

Anyway, back to corporate legacy land. I've recently been given an RSA SecurID's and I'm somewhat annoyed at the size of it and the manual labor associated with using it compared to the more modern alternatives I mention above. I'm aware that SecurID can be used as a smartphone app like the Google Authenticator, but that's not an option for me at the moment. In the perfect world, one could extract the serial no. and with the proper algorithm, write an Android app to mimic the hardware. From a security point of view, I can't readily see a difference between reading the numbers on a display on a custom piece of hardware vs. some generic phone. Some interesting info about the SecurID here.

So I was just wondering, short of going on the device, what am I going to find if I try taking one apart? Key-components? Tamper-proofing?

[amyk]

In the perfect world, one could extract the serial no. and with the proper algorithm, write an Android app to mimic the hardware. From a security point of view, I can't readily see a difference between reading the numbers on a display on a custom piece of hardware vs. some generic phone.

The difference is that it's much easier to extract the secret from a phone than it is the tamperproof hardware, so the hardware token is more secure; and they are designed so that it's extremely difficult to extract the secret:

https://www.eevblog.com/forum/projects/waterproofing-circuits/

[casper.bang]

The difference is that it's much easier to extract the secret from a phone than it is the tamperproof hardware, so the hardware token is more secure; and they are designed so that it's extremely difficult to extract the secret:

Interesting! Apart from the fact that acetone dissolves the plastic... this smells like security-by-obscurity. 

[kwallen]

Interesting! Apart from the fact that acetone dissolves the plastic... this smells like security-by-obscurity.

I don't imagine they're designed to do anything but prevent casual reverse engineering. The "secret" piece of information is already printed on the LCD at the front, actually recovering the seed used internally doesn't do an adversary any good. I would expect all of the seeds are unique, random, and not in any way able to be compromised by somebody with knowledge of the internals of the device.

[casper.bang]

I would expect all of the seeds are unique, random, and not in any way able to be compromised by somebody with knowledge of the internals of the device.

It's rumored that the seeds are mapped in an internal RSA database, which were compromised in 2011:
http://arstechnica.com/security/2011/06/rsa-finally-comes-clean-securid-is-compromised/

Without being a security expert, it occurs to me that it would be smarter not having anything to hide at all - just have the seed be a really long key, such that it manifests itself as "something you have" rather than "something you know" (which is already covered by a classic password/passcode).

[a210210200]

Attempting to open tamper proof chip packages may result in the secret being lost. Some credit card terminals have both trip wires, light sensors (on die and no power needed to erase), and a ton of micro-switches to impede attempts to access the secrets physically.

The RSA SecurID must have been pretty secure as they just went after RSA itself so I'd go with an easy to replace software driven one so if it gets compromised you can "replace" the keys instantly.

[GreyWoolfe]

I used something very similar when I started my current job 10 years ago.  They were used to generate a login for PGP authentication on our company laptops.  The login changed every time we logged in.   Most annoying.  As the batteries in them died, the company shifted and just went to a password scheme that changes every 90 days.  It was nice not to have to carry that thing on my company vehicle keychain any more.  I still have it but nothing on display as the battery is long dead and probably leaked all over the inside.  I still might open it up some day.

[SeanB]

I took apart a POS terminal, and every board ( even the printer) has a battery backup, and a processor or two on each board, even just a card interface or the display. Even the keyboard has one. About the only thing without was the power supply.