AVR as SPI Master with PIC SPI Slave possible?


Hey folks,

I'm just wondering if this is theoretically possible, advisable, or if I should just get another PIC chip.

I'm a security consultant and I'm doing some work with the iClass HID access system (http://proxclone.com/pdfs/iClass...) and I was wondering if I could brew up my own version of that hack using AVR as I have a bunch of them around my place.

Thoughts?

Thanks folks!


Well first off this is highly ILLEGAL.

Second, as a user of HID equipment I would highly doubt HID would make it that simple to crack their readers.

Third, I sent the link to my contact at HID and asked him to let me know if this is doable.

I'll let everyone know what he says.

I would rather attempt something great and fail, than attempt nothing and succeed - Fortune Cookie

 

"The critical shortage here is not stuff, but time." - Johan Ekdahl

 

"Step N is required before you can do step N+1!" - ka7ehk

 

"If you want a career with a known path - become an undertaker. Dead people don't sue!" - Kartman

"Why is there a "Highway to Hell" and only a "Stairway to Heaven"? A prediction of the expected traffic load?"  - Lee "theusch"

 

Speak sweetly. It makes your words easier to digest when at a later date you have to eat them ;-)  - Source Unknown

Please Read: Code-of-Conduct

Atmel Studio6.2/AS7, DipTrace, Quartus, MPLAB, RSLogix user


There is no reason why an SPI (almost) anything can't talk to (almost) any other SPI device. Manufacturer is not relevant.

That other stuff is for other minds to cope with.

Jim

Jim Wagner Oregon Research Electronics, Consulting Div. Tangent, OR, USA http://www.orelectronics.net
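Jim's point holds as long as the two sides agree on clock polarity (CPOL), clock phase (CPHA) and bit order, which is the whole of the interoperability question for an AVR master and a PIC slave. The following bus-level simulation is an added example, not code from this thread or from any AVR or PIC library; it models one byte on the wire and reports what the slave assembles under matched and mismatched settings, flagging the case where the slave samples MOSI on the same edge the master changes it (a setup/hold violation that can appear to work on the bench).

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed bus-level model of one SPI byte, master to slave (example, not AVR or PIC
 * register code): CPOL, CPHA and bit order must agree, or the slave gets a wrong byte
 * or samples MOSI while it is changing. */
typedef struct { int cpol, cpha, lsb_first; } spi_cfg;
typedef struct { uint8_t byte; int unstable; } spi_result;
typedef struct { spi_cfg cfg; spi_result r; int nbits; } spi_slave;

/* Slave side, one SCK transition: mosi_old is the level as the edge happens,
 * mosi_new the level the master drives immediately after it. */
static void slave_edge(spi_slave *s, int sck_old, int sck_new, int mosi_old, int mosi_new) {
    int rising = sck_new > sck_old;
    int leading = rising ? (s->cfg.cpol == 0) : (s->cfg.cpol == 1);  /* edge away from idle */
    int sample = (s->cfg.cpha == 0) ? leading : !leading;
    if (!sample || s->nbits >= 8) return;
    if (mosi_old != mosi_new) s->r.unstable = 1;      /* setup/hold violation on sample edge */
    if (s->cfg.lsb_first) s->r.byte |= (uint8_t)(mosi_old << s->nbits);
    else                  s->r.byte = (uint8_t)((s->r.byte << 1) | mosi_old);
    s->nbits++;
}

static int bit_at(spi_cfg m, uint8_t data, int i) {   /* MOSI idles low outside the byte */
    if (i < 0 || i > 7) return 0;
    return m.lsb_first ? (data >> i) & 1 : (data >> (7 - i)) & 1;
}

/* Master side. CPHA=0: data valid before the leading edge, shifted on the trailing
 * edge. CPHA=1: shifted on the leading edge, to be sampled on the trailing edge. */
spi_result spi_transfer(spi_cfg m, spi_cfg slave_cfg, uint8_t data) {
    spi_slave s = { slave_cfg, { 0, 0 }, 0 };
    int sck = m.cpol;
    for (int i = 0; i < 8; i++) {
        int prev = bit_at(m, data, i - 1), cur = bit_at(m, data, i), next = bit_at(m, data, i + 1);
        if (m.cpha == 0) {
            slave_edge(&s, sck, !sck, cur, cur);  sck = !sck;   /* leading: line stable */
            slave_edge(&s, sck, !sck, cur, next); sck = !sck;   /* trailing: master shifts */
        } else {
            slave_edge(&s, sck, !sck, prev, cur); sck = !sck;   /* leading: master shifts */
            slave_edge(&s, sck, !sck, cur, cur);  sck = !sck;   /* trailing: line stable */
        }
    }
    return s.r;
}

int main(void) {   /* 0xD2 with mode 0 on both sides, then with a CPHA mismatch */
    spi_result ok = spi_transfer((spi_cfg){0, 0, 0}, (spi_cfg){0, 0, 0}, 0xD2);
    spi_result bad = spi_transfer((spi_cfg){0, 1, 0}, (spi_cfg){0, 0, 0}, 0xD2);
    printf("matched 0x%02X/%d  mismatch 0x%02X/%d\n", ok.byte, ok.unstable, bad.byte, bad.unstable);
}
```

With matched settings the slave gets 0xD2 cleanly; a CPHA mismatch yields a byte shifted by one bit (0x69) with the unstable flag set, and a bit-order mismatch yields the bit-reversed byte (0x4B).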


jgmdesign wrote:
Well first off this is highly ILLEGAL.

Second, as a user of HID equipment I would highly doubt HID would make it that simple to crack their readers.

Third, I sent the link to my contact at HID and asked him to let me know if this is doable.

I'll let everyone know what he says.

Since when is doing a security audit illegal? This is on my own hardware, and for the purpose of evaluating security.

Sorry to be the bearer of bad news. This weakness is well documented, and totally legitimate! Check this out:

http://www.youtube.com/watch?v=m...

and

http://www.openpcd.org/HID_iClas...

At least now that you know you can take appropriate precautions.


Then you should have no trouble doing all this on your own without assistance on how SPI works.

Of course you always could hire a consultant to work with you on this 'Audit'. ;)

My rates are fair. :)


jgmdesign wrote:
Then you should have no trouble doing all this on your own without assistance on how SPI works.

Of course you always could hire a consultant to work with you on this 'Audit'. ;)

My rates are fair. :)

I'll hack around. I just wanted to avoid the FTDI method and try something a little different. Our own office uses these cards, and so do several clients, so it's always nice to have the skills (and hardware) to show them exactly how insecure things can be!

This will be my first time playing with SPI really... fun stuff ;)


Then start here:
http://en.wikipedia.org/wiki/Ser...

See, I am not such a hump as you might think.
Then again :?


jgmdesign wrote:
Then start here:
http://en.wikipedia.org/wiki/Ser...

See, I am not such a hump as you might think.
Then again :?

I'm curious if the rep from HID ever got back to you. I wonder what they are saying publicly about this... I'd love to hear what they say if anything :)

I'll keep you updated on how this goes. Probably will have lots of questions, hopefully some SPI ninjas can help!


Not yet, but I am not surprised. He sometimes takes a week to call.

You can simply contact the company in Irvine CA and ask yourself.


Well, I just got off the phone with HID corporate, and I do have to eat a little crow. :(

blarkavr has brought to the table a valid design flaw in the iCLASS reader system that can be penetrated by various means. HID Corp. is aware of this design flaw and has introduced a new iCLASS reader that eliminates this issue. From my discussion with HID I get the idea that they have no intention of disclosing the design flaw in the current iCLASS devices, but anyone that calls customer support can speak to the head of customer support for an amicable solution to their concerns. :?

So, that being said I apologize to blarkavr on point #2 of my first post. I was wrong.

I am not apologizing on point #1 as it is illegal to do what he wants without permission from the person that owns the reader. ;)

And I did what I said I would on point #3. :)

I am off now to pick a few feathers from my teeth :lol:


jgmdesign wrote:
Well, I just got off the phone with HID corporate, and I do have to eat a little crow. :(

blarkavr has brought to the table a valid design flaw in the iCLASS reader system that can be penetrated by various means. HID Corp. is aware of this design flaw and has introduced a new iCLASS reader that eliminates this issue. From my discussion with HID I get the idea that they have no intention of disclosing the design flaw in the current iCLASS devices, but anyone that calls customer support can speak to the head of customer support for an amicable solution to their concerns. :?

So, that being said I apologize to blarkavr on point #2 of my first post. I was wrong.

I am not apologizing on point #1 as it is illegal to do what he wants without permission from the person that owns the reader. ;)

And I did what I said I would on point #3. :)

I am off now to pick a few feathers from my teeth :lol:

Just to clarify, we're doing this on our own equipment! I guess I wasn't clear enough in my first post - we own all of this gear!

The weakness can be exploited in two ways, I'm curious if they patched both vulnerabilities. Guess I'll find out when we start poking around :)

I'll be back when we start to keep everyone up to date.

Mark


Quote:
I'm curious if they patched both vulnerabilities

They introduced a new type of iCLASS reader. I guess I did not make that clear. There is no patch.

Quote:
Just to clarify, we're doing this on our own equipment! I guess I wasn't clear enough in my first post - we own all of this gear!


Yes, your first post stated that. I did say while swallowing my crow that it is illegal if you don't have permission to hack the reader. :)

Quote:
I'll be back when we start to keep everyone up to date.

Wonderful!! We'll be here.


jgmdesign wrote:

They introduced a new type of iCLASS reader. I guess I did not make that clear. There is no patch.

This is interesting - because from my understanding HID made a huge design mistake by using a UNIVERSAL key for the readers. Meaning if you get the key once, it's game over. That is, unless you're using the Elite version of the reader which utilizes a site-specific key... Although if you watch the video I posted earlier they highlight that you don't get to know your own site key... weird.

Anyway, I'm thinking that the key is in the wild anyway now so if you're not using the Elite iClass your doors are vulnerable (even with the new readers).

Still waiting for more gear in the mail. I will let you know.


Hey Guys,

There are a lot of problems with the HID iClass system. It involves weak cryptographic designs, implementation failures and problems with their "tamper resistant" hardware. For further reading I would recommend:

Dismantling iClass and iClass Elite

and the website

HID iClass demystified
