According to HID’s data, no encoder keys from its inventory have surfaced in public, nor have any of these issues been exploited at customer locations, and the security of its clients remains intact.
Javadi argues that, without a concrete method to identify those who may have covertly extracted HID’s encryption keys, the possibility of this technique being exploited remains abstract. “There are many reasonable individuals on this planet,” Javadi remarks. “It’s unrealistic to assume we’re the only ones capable of accomplishing this.”
Although HID issued public advisories over seven months ago and has since released software updates to address the key-extraction issue, many customers whose systems Javadi has evaluated in his research appear not to have applied these patches. The far-reaching implications of this key-extraction method may only be fully mitigated once HID’s encoders, readers, and a vast number of keycards around the world have been reconfigured or replaced.
Time to Change the Locks
To extract the HID encoders’ encryption keys, the researchers began by dismantling a reader’s hardware. They used an ultrasonic tool to carefully remove a thin layer of epoxy from the reader’s rear, then applied heat to desolder the shielded secure microprocessor (SAM) chip. They inserted the chip into their own custom socket to monitor its interactions with a reader. Because the SAMs in HID’s readers and encoders are sufficiently similar, this let them reverse-engineer the SAM’s instructions within encoders as well.
Finally, exploiting hardware vulnerabilities enabled them to create a more refined, Wi-Fi-based attack: by crafting their own program, they instructed an encoder to transmit its SAM secrets to a configuration card without encrypting this sensitive data, while an RFID “sniffer” system monitored the transmission and captured HID’s encryption keys in real time.
HID’s technology and various types of RFID keycard authentication have been extensively used for several years, with multiple applications currently available. However, vulnerabilities akin to those showcased at Defcon might prove remarkably difficult to defend against thoroughly. “We crack it, they repair it,” observes Michael Glasser, founder of Glasser Safety Group and a renowned safety researcher, highlighting the ongoing struggle to fortify access control systems against emerging vulnerabilities since his initial findings in 2003. While switching or reprogramming individual readers and cards may seem akin to updating a standard software program, the complexity and scope of such an undertaking are fundamentally distinct from a traditional patch.
While acknowledging the importance of preventing keycard cloning, Glasser emphasizes that it represents only one aspect of a comprehensive security strategy for high-security facilities. In reality, many low-security facilities can be entered by far more straightforward methods, such as asking an employee to open a door for you when your hands are full. With a sly grin, Glasser observes that when someone is carrying a substantial cache of donuts and a jug of espresso, it’s almost impossible to refuse their requests.
Javadi clarifies that the purpose of their Defcon presentation wasn’t to imply that HID’s technology is inherently flawed; they focused on HID specifically because of its reputation for being a secure product. Rather, the aim was to emphasize that no one should rely solely on any single technology for physical security.
Now that the extraction of HID’s keys is confirmed, the company and its customers are likely to confront a prolonged and intricate process to regain control over these crucial assets. “Now, prospects and HID must re-engage with management and reset the locks – figuratively speaking,” Javadi says. “Altering the locks is feasible. Regardless of the effort required, this undertaking will prove demanding.”