blarkavr 
Hey folks,
I'm just wondering if this is theoretically possible, advisable, or if I should just get another PIC chip.
I'm a security consultant and I'm doing some work with the iClass HID access system (http://proxclone.com/pdfs/iClass...) and I was wondering if I could brew up my own version of that hack using AVR as I have a bunch of them around my place.
Thoughts?
Thanks folks!
jgmdesign 
Well first off this is highly ILLEGAL.
Second, as a user of HID equipment I would highly doubt HID Would make it that simple to crack their readers.
Third, I sent the link to my contact at HID and asked him to let me know if this is doable.
I'll let everyone know what he says.
There is no reason why an SPI (almost) anything can't talk to (almost) any other SPI device. Manufacturer is not relevant.
That other stuff is for other minds to cope with.
Jim
blarkavr Well first off this is highly ILLEGAL.Second, as a user of HID equipment I would highly doubt HID Would make it that simple to crack their readers.
Third, I sent the link to my contact at HID and asked him to let me know if this is doable.
I'll let everyone know what he says.
Since when is doing a security audit illegal? This is on my own hardware, and for the purpose of evaluating security.
Sorry to be the bearer of bad news. This weakness is well documented, and totally legitimate! Check this out:
http://www.youtube.com/watch?v=m...
and
http://www.openpcd.org/HID_iClas...
At least now that you know you can take appropriate precautions.
jgmdesign Then you should have no trouble doing all this on your own without assistance on how SPI works.
Of course you always could hire a consultant to work with you on this 'Audit'. ;)
My rates are fair. :)
blarkavr Then you should have no trouble doing all this on your own without assistance on how SPI works.Of course you always could hire a consultant to work with you on this 'Audit'. ;)
My rates are fair. :)
I'll hack around. I just wanted to avoid the FTDI method, and try something a little different. Our own office uses these cards, and several clients so it's always nice to have the skills (and hardware) to show them exactly how insecure things can be!
This will be my first time playing with SPI really... fun stuff ;)
jgmdesign THen start here:
http://en.wikipedia.org/wiki/Ser...
See, I am not such a hump as you might think.
Then again :?
blarkavr THen start here:
http://en.wikipedia.org/wiki/Ser...See, I am not such a hump as you might think.
Then again :?
I'm curious if the rep from HID ever got back to you. I wonder what they are saying publicly about this... I'd love to hear what they say if anything :)
I'll keep you updated on how this goes. Probably will have lots of questions, hopefully some SPI ninjas can help!
jgmdesign Not yet, but I am not surprised. He sometimes takes a week to call.
You can simply contact the company in Irvine CA and ask yourself.
jgmdesign Well, I just got off the phone with HID corporate, and I do have to eat a little crow. :(
blarkavr has brought to the table a valid design flaw in the iCLASS reader system that can be penetrated be various means. HID Corp. is aware of this design flaw and have introduced a new ICLASS reader that eliminates this issue. From my discussion with HID I get the idea that they have no intention of disclosing the design flaw in the current iCLASS devices, but anyone that calls customer support can speak to the head of customer support for an amicable solution to their concerns. :?
So, that being said I apologize to blarkavr on point #2 of my first post. I was wrong.
I am not apologizing on point #1 as it is illegal to do what he wants without permission from the person that owns the reader. ;)
And I did what I said I would on point #3. :)
I am off now to pick a few feathers from my teeth :lol:
blarkavr Well, I just got off the phone with HID corporate, and I do have to eat a little crow. :(blarkavr has brought to the table a valid design flaw in the iCLASS reader system that can be penetrated be various means. HID Corp. is aware of this design flaw and have introduced a new ICLASS reader that eliminates this issue. From my discussion with HID I get the idea that they have no intention of disclosing the design flaw in the current iCLASS devices, but anyone that calls customer support can speak to the head of customer support for an amicable solution to their concerns. :?
So, that being said I apologize to blarkavr on point #2 of my first post. I was wrong.
I am not apologizing on point #1 as it is illegal to do what he wants without permission from the person that owns the reader. ;)
And I did what I said I would on point #3. :)
I am off now to pick a few feathers from my teeth :lol:
Just to clarify, we're doing this on our own equipment! I guess I wasn't clear enough in my first post - we own all of this gear!
The weakness can be exploited in two ways, I'm curious if they patched both vulnerabilities. Guess I'll find out when we start poking around :)
I'll be back when we start to keep everyone up to date.
Mark
jgmdesign I'm curious if they patched both vulnerabilities
They introduced a new type of iCLASS reader. I guess I did not make that clear. There is no patch.
Just to clarify, we're doing this on our own equipment! I guess I wasn't clear enough in my first post - we own all of this gear!
I'll be back when we start to keep everyone up to date.
blarkavr
They introduced a new type of iCLASS reader. I guess I did not make that clear. There is no patch.
This is interesting - because from my understanding HID made a huge design mistake by using a UNIVERSAL key for the readers. Meaning if you get the key once, it's game over. That is, unless you're using the Elite version of the reader which utilizes a site-specific key... Although if you watch the video I posted earlier they highlight that you don't get to know your own site key... weird.
Anyway, I'm thinking that the key is in the wild anyway now so if you're not using the Elite iClass your doors are vulnerable (even with the new readers).
Still waiting for more gear in the mail. I will let you know.
newniceguy 
Hey Guys,
There are a lot of problems with the HID iClass system. It involves weak cryptographic designs, implementation failures and problems with their "tamper resistant" hardware. For further reading I would recommend:
Dismantling iClass and iClass Elite
and the website
