How hackers extracted the “keys to the kingdom” to clone HID keycards

Finally, HID states that “to its knowledge,” none of its encoder keys have been leaked or distributed to the public and that “none of these vulnerabilities have been exploited by customers and the security of our customers is not at risk.”

Javadi counters that there is no real way to find out who might have secretly extracted HID’s keys now that their method is known to work. “There are a lot of smart people in the world,” Javadi says. “It’s unrealistic to think that we’re the only ones who could do something like this.”

Despite HID’s public warning more than seven months ago and software updates designed to fix the key extraction problem, Javadi says most customers whose systems he has tested as part of his work do not appear to have implemented those fixes. In fact, the impact of the key extraction technique could last until HID’s encoders, readers and hundreds of millions of keycards worldwide are reprogrammed or replaced.

Time to change the locks

To develop their technique for extracting the HID encoders’ keys, the researchers started by deconstructing the hardware: They used an ultrasonic knife to cut away a layer of epoxy on the back of an HID reader, then heated the reader to desolder and peel off the protected SAM chip. They then plugged that chip into its own socket to observe how it communicates with a reader. The SAMs in HID readers and encoders are so similar that they were able to reverse engineer the commands of the encoders’ SAM as well.

By hacking the hardware, they were ultimately able to develop a much cleaner, wireless version of their attack: They wrote their own program to tell an encoder to send its SAM’s secrets to a configuration card without encrypting the sensitive data – while an RFID “sniffer” device sat between the encoder and the card, reading HID’s keys as they were transmitted.

In fact, HID systems and other forms of RFID keycard authentication have been cracked in various ways over the past few decades, but vulnerabilities like those presented at Defcon may be particularly difficult to fully protect against. “We crack it, they fix it. We crack it, they fix it,” says Michael Glasser, a security researcher and founder of the Glasser Security Group, who has been discovering vulnerabilities in access control systems since 2003. “But if you have to replace or reprogram every reader and card to fix it, that’s a lot different than a normal software patch.”

On the other hand, Glasser points out that preventing keycard cloning is just one of many layers of security in high-security facilities—and in practice, most lower-security facilities offer much easier ways to get in, like asking an employee to hold the door for you while you’re busy. “Nobody says no to the guy holding two boxes of doughnuts and a carton of coffee,” Glasser says.

Javadi says the goal of their Defcon talk was not to suggest that HID’s systems were particularly vulnerable. In fact, they focused their years of research on HID precisely because of how difficult it is to crack its relatively secure products. Rather, they wanted to emphasize that no one should rely on a single technology for their physical security.

Now that they’ve made it clear that HID’s keys to the kingdom can be compromised, the company and its customers may still face a long and complicated process to get those keys back. “Now customers and HID need to take back control — and change the locks, so to speak,” Javadi says. “Changing the locks is possible. But it’s going to be a lot of work.”

By Bronte
