Breaking the iClass security

iClass is a popular format of RFID-enabled access cards. These are issued to company employees to grant them access to parts of a building via a card reader at each security door. We’ve known for a long time that these access systems are rather weak when it comes to security, but now you can find out just how weak they are and how that security can be cracked. [Milosch Meriac] delved deep into the security protocol of HID iClass devices and has laid out the details in a white paper.

The most invasive part of the process was breaking the copy protection on the PIC18F family of chips in order to read out the firmware that controls the card readers. This was done with a USB-to-serial cable and software that bit-bangs its own implementation of the ICSP (In-Circuit Serial Programming) protocol. After erasing and attacking several chips (one data block at a time), the original code was read off and patched together. Check out [Milosch's] talk at 27C3 embedded after the break, and get the code for the ICSP bit-banging attacks from the white paper (PDF).

Comments

  1. HackerK says:

    Very interesting read and nice idea on how to extract ‘copy protected’ PICs.

  2. Nick Fury says:

    I worked with Milosch at The Last HOPE for the RFID tracking project (AMD). It was a lot of fun. I was surprised but delighted to see his name show up here working on some more RFID research. Both he and his wife were awesome people to hang out with at HOPE.

  3. nes says:

    Great read. Amazing how simple the strategy for breaking the PIC code protection turned out to be too. I didn’t quite get the part about reading the fuse bits though. I take it these just don’t get obfuscated in code protect mode.

    This is a fairly major fail on Microchip’s part but equally the iClass folk are to blame for entrusting their global DES keys to a single line of defence.

  4. wifigod says:

    I’m curious if they use the same keys for their Proximity line of badges (125kHz I think?). Our entire enterprise uses HID Proximity badges for access to everything. :-/

  5. wifigod says:

    Whoops, just watched part of the video and apparently HID Prox = no encryption! :-(

  6. Spork says:

    If anyone has the iClass keyfob, I’m looking to purchase one. Shoot me an email: (my username) at pihack.com

  7. David in Cambridge says:

    So if I’m looking at putting in a keycard system somewhere, which one IS actually secure? :)

    thanks!
