
How hackers extracted the ‘keys to the kingdom’ to clone HID access cards


Finally, HID claims that “to the best of its knowledge,” none of its encryption keys have been leaked or publicly distributed, and “none of these issues have been exploited at customer sites and our customers’ security has not been compromised.”

Javadi counters that there is no way to know who could have secretly extracted HID’s keys, now that his method is known to be possible. “There are a lot of smart people in the world,” Javadi says. “It’s unrealistic to think we’re the only ones who could do this.”

Despite HID’s public warning more than seven months ago and software updates it released to fix the key extraction problem, Javadi says most of the customers whose systems he has tested in his work do not appear to have implemented those fixes. In fact, the effects of the key extraction technique may linger until HID’s encoders, readers and hundreds of millions of access cards are reprogrammed or replaced around the world.

It’s time to change the locks

To develop their technique for extracting keys from HID encoders, the researchers began by deconstructing their hardware: They used an ultrasonic knife to cut away a layer of epoxy on the back of an HID reader, then heated the reader to desolder and remove its protected SAM chip. They then placed that chip in its own socket to observe its communications with a reader. The SAM in HID readers and encoders is similar enough that this allowed them to reverse engineer the SAM commands.

Ultimately, that hardware hack allowed them to develop a much cleaner wireless attack: They wrote their own program to instruct an encoder to send its SAM secrets to a configuration card without encrypting that sensitive data, while an RFID “sniffer” device sat between the encoder and the card, reading the HID keys in transit.

In fact, HID systems and other forms of RFID card authentication have been cracked repeatedly in several ways over the past few decades. But vulnerabilities like the ones on display at Defcon can be particularly difficult to fully secure. “We crack it, they fix it. We crack it, they fix it,” says Michael Glasser, a security researcher and founder of Glasser Security Group, which has been uncovering vulnerabilities in access control systems since 2003. “But if your fix requires replacing or reprogramming every reader and every card, that’s very different from a normal software patch.”

On the other hand, Glasser points out that preventing key card cloning represents just one layer of security among many for any high-security facility, and in practical terms, most low-security facilities offer much easier ways to get in, such as asking an employee to hold the door open for you while you have your hands full. “Nobody says no to a guy who has two boxes of donuts and a box of coffee,” Glasser says.

Javadi says the point of his talk at Defcon wasn’t to suggest that HID’s systems are particularly vulnerable (in fact, the researchers say they focused their years of research on HID specifically because of the challenge of cracking its relatively secure products), but rather to emphasize that no one should rely on a single technology for their physical security.

Now that they’ve made it clear that the keys to HID’s kingdom can be removed, the company and its customers may face a long and complicated process to get those keys back. “Now the customers and HID have to take back control and change the locks, so to speak,” Javadi says. “Changing the locks is possible, but it’s going to be a lot of work.”
