Security conferences are a great place to learn about the latest hacking tricks, tools and exploits, but they also remind us of important stuff that was shown to be hackable in previous years yet never really got fixed. Perhaps the best example of this at last week’s annual DefCon security conference in Las Vegas came from hackers who built on research first released in 2010 to show just how trivial it still is to read, modify and clone most HID cards — the rectangular white plastic “smart” cards that organizations worldwide distribute to employees for security badges.
Nearly four years ago, researchers at the Chaos Communication Congress (CCC), a security conference in Berlin, released a paper (PDF) demonstrating a serious vulnerability in smart cards made by Austin, Texas-based HID Global, by far the largest manufacturer of these devices. The CCC researchers showed that the card reader device that HID sells to validate the data stored on its then-new line of iClass proximity cards includes the master encryption key needed to read data on those cards.
More importantly, the researchers proved that anyone with physical access to one of these readers could extract the encryption key and use it to read, clone, and modify data stored on any HID cards made to work with those readers.
At the time, HID responded by modifying future models of card readers so that the firmware stored inside them could not be so easily dumped or read (i.e., the company removed the external serial interface on new readers). But according to researchers, HID never changed the master encryption key for its readers, likely because doing so would require customers using the product to modify or replace all of their readers and cards — a costly proposition by any measure given HID’s huge market share.
Unfortunately, this means that anyone with a modicum of hardware hacking skills, an eBay account, and a budget of less than $500 can grab a copy of the master encryption key and create a portable system for reading and cloning HID cards. At least, that was the gist of the DefCon talk given last week by the co-founders of Lares Consulting, a company that gets hired to test clients’ physical and network security.
Lares’ Joshua Perrymon and Eric Smith demonstrated how an HID parking garage reader capable of reading cards up to three feet away was purchased off of eBay and modified to fit inside of a common backpack. Wearing this backpack, an attacker looking to gain access to a building protected by HID’s iClass cards could obtain that access simply by walking up to a employee of the targeted organization and asking for directions, a light of a cigarette, or some other pretext.
Perrymon and Smith noted that, thanks to software tools available online, it’s easy to take card data gathered by the mobile reader and encode it onto a new card (also broadly available on eBay for a few pennies apiece). Worse yet, the attacker is then also able to gain access to areas of the targeted facility that are off-limits to the legitimate owner of the card that was cloned, because the ones and zeros stored on the card that specify that access level also can be modified.
Smith said he and Perrymon wanted to revive the issue at DefCon to raise awareness about a widespread vulnerability in physical security. HID did not respond to multiple requests for comment.
“Until recently, no one has really demonstrated properly what the risk is to a business here,” Smith said. “SCADA installations, hospitals, airports…a lot of them use HID cards because HID is the leader in this space, but they’re using compromised technology. Your card might not have data center or HR access but I can get into those places within your organization just by coming up to some employee standing outside the building and bumming a light off of him.”
Organizations that are vulnerable have several options. Probably the cheapest involves the use of some type of sleeve for the smart cards. The wireless communications technology that these cards use to transmit data — called radio-frequency identification or RFID – can be blocked when not in use by storing the key cards inside a special RFID-shielding sleeve or wallet. Of course, organizations can replace their readers with newer (perhaps non-HID?) technology, and/or add biometric components to card readers, but these options could get pricey in a hurry.
A copy of the slides from Perrymon and Smith’s DefCon talk is available here.