Subscriber Discussion

HID Signo Hacked At Defcon?

Undisclosed #1
Aug 26, 2021

Brian,

Can you comment on the issues associated with HID Signo's denial-of-service security exposure and the demo done at DEFCON earlier this month?

*****://***.*********.***/*****/*******/*****/**************/***-***-****-**.***

* ** ***** **** **** ** DEFCON ******* ************ ***** ********* ** create * ****** ** ******* ****** for ******/**** ***** ********* ** *** reader. **** ****** ****** ***** ** a ***** **** * ***** ***** of ******** *** **** *** ***** being **** ** ********** ** *** reader ** ********* *** ******* *** reader.

******* **** ** ** **** *** bluetooth ** ***** ***** ***** ** can ** ****** ********* **** ******* reader *******. **** *** ****** ** also *********** ** * ******.

***** *** ****** *** *** *** best ******** *** *** ** ******* and ** ** *** *** ****** cards ******* ** ****** ** *** bluetooth *** **** * ***** **** be *********.

******

(4)
Brian Rhodes
Aug 26, 2021
IPVMU Certified

***********, ****** *** ******* ****. *'** ask *** ** ******* *** ****** back.

************ **** *** **** **** *****:

'*** *** ********* ***** *** ********* that ****** ************* ** ****** ********* configuration ********** **** ***** ***** ******** and ********** ************'

** *** ***** ***:

******* **** ** ** **** *** bluetooth ** ***** ***** ***** ** can ** ****** ********* **** ******* reader *******.

******* *** *** ***** **** ** 'turning *** *** ***** *** ******** the ****** **** **** ** ***' since ** ****** ***** *** *********, so * ** ******* ***.

(1)
Undisclosed Integrator #2
Aug 26, 2021

*** *** **** ** *** *** CON? * ******'* **** * ************ about ** ******* ******* *******, *** ********* **** ******* ****** for * ***** ** **** ************* time ** *******. **** ****, ***** Bluetooth ** *** ***** **** * pretty ****** ******, ******** ** *** system ******** **** ***.

********* ** ****** ** ******* (***) attacks *** ********* *** ***** *** HID *** ***** ** ******* ** official ******** ** *** ***** **** the **** ** ********* *** ********* partners *** *** *********.

***** *'* ******* *** **** **** it, *** ** *****'* ***** **** HID ** ***** ** "***" **. I'm *** **** **** **'* ******** to ***, ** *** ******* ***** inherent ** *** ****** ** *** system. ***** **** *** ** ******, "Sure **'* ********; ** ***'** ******* about **, ******* *********."

(1)
Undisclosed #1
Aug 27, 2021

"**** ****, ***** ********* ** *** seems **** * ****** ****** ******, inherent ** *** ****** ******** **** way."

**** ****** ** **** **** *** different ** **** *** *** ****** also ***** *** **** **** ** the ******. ** **** *** *******, the *** ******* ** *** ****** would ***** ** ******** *** *** can ********* *** *** **** **** to **** ******.

******* ***** **** **** **** *** into *** **** **** ** *** reader ****** ** *** **** *** BLE, *** ****** *********** **** ** both ***** *** ***** -- ***** the ******** *****.. **** * ****** of *** ****** **** *** ** as *** ******** **** **********.

******* *** *** ** ***** ******** the ******, *** **** ******** ************* which ** **** ***.

(1)
Brian Rhodes
Aug 27, 2021
IPVMU Certified

*** *********, ****** *****:

******* ****** ******, *** *** ******** of *** ************ ** *** ******** researchers *** ********* **. ***** *** publicity *********** ******, ** ***** ** publish ** ******** ******** **** *** goal ** ********* *** ********* ******** and ***-********* ***** ****** ** ******* (DoS) ******* ** *********-******* *******.

*****, **’* ********* ** ******* *** references ** “******/**** *****” *** “*** Mobile” ****** *** ******** ****. ***** DoS ******* *** ****** * ****** incapable ** ******* ********** *********** (*.*. iCLASS *****, **** *****, ****** ***********), an ******** ****** **** ************ ******, personal ****, ** ************ *********** **** a *** ****** *****.

** ***** ** *****/*********, *** *** developed ****** ********, ********* *** *****, such **** ********* *** ** ***********, fully ********** *** **** ** * Bluetooth-based *** ******. ***** ** *** analysis, ** ******* **** ** *** only ********* ********** *** ********* *** have ******** ***** *********-***** *** ******* on *******.

*******, *’** ***** * ******** ** each ** **** ***** ********* *****:

  • [****:]** *** ** ****** ***, *** are ***** ******* **********?
  • *** ***** ******* *** ** **********, using ******* ******* ******* *** ****** Manager, *** ***. **** ********** *** added ** *** ****** ******* ****** Android ******* *.*.*, ******* * **** ago.
  • [****:]*** ** *** **** ****** ** again?
  • * **** ******** * ***** ************ with *** ****** ******* ****** ******** detailing *** ** **********/****** ********* ************* on *** ***** *******. **** ********* is ***********, * ************* *** ** applied (** ** ******** ****** **********) to ****** ********* ***** ** ******* device *** ***.
  • [****:]*** **** **** ****** *** ****** users?

  • ***** ******* ******* ** *** ****** Access ** ****, *** ******** ******* for ****** *********** *** *** *** Bluetooth. **** ********* ** *********** ** the ******, ***** ** *** ****** Access **** ** ******* ** *** “Tap” ************. *** ******* *** ****** credentials ***** ******* ***-***** ****** ****** on **** ******* *** ***** *********.
  • [****:]*** **** ** ***** ** * firmware ***** ** ** **** * new ******** ***?

  • *** ********* ** *********** ********* ******* to ******* ******** *** ********** ** our ******** *** ******** *** ******** of ****** ** ***** ****** *** attacks. ***** *** ** ************* **** we *** ******** ** *********** ** this ****. ** ******** ** ******* public *********** ** ******** ******** ******* and ******* ******* ** ******* *** products ** **** *** ******* **** difficult *** *** ******** **** *********. According ** *** ********* **********, ******** mitigation ** * *** **** ********* is *********** ** ******* **** ********* communication *******. ****, ********* *** ******** the **** ** ** ******** ****** deactivate ********* ************* ** ***** *******.

** *******, ***'* ************** ** ******* off *** *** ***** *** *** HID ****** *** ** ********* *****. If *** ** ********, *** ******** 'NFC ***', ***** ** * ***** change *** ***** ********** ** ***** BLE *** '***** & **' ********. Likewise, *** **** ****** ******* **** be **** *** *** ****** **** BLE **** *** ** ********.

* **** ************ ***** *** ***** plans *** *** ****** ***** *** whether * *** *** ****** ***** the ****** ****** ** ** **** BLE *********.

** *** ********* * **** *** next ****, *** ****** *** *** heads-up.

(4)
Undisclosed #3
Aug 27, 2021
IPVMU Certified

****, ********* *** ******** *** **** to ** ******** ****** ********** ********* communication ** ***** *******…

…****** ********* * **** ******.

(1)
(1)
Brian Rhodes
Aug 31, 2021
IPVMU Certified

**** ******* ** ******** *** **** about ****:*** ******* *** ************* *** *** CON **** ********.

** ******** * **** ***** ** the *** *** *********** ********** *** attack, *** ******** ******** **** ***. We ***** ** ***** ****** ***** were *******, *** **** ******** **.

(1)