Dormakaba "Unsaflok" / MIFARE Classic Vulnerability Examined
How does the Dormakaba "Unsaflok" vulnerability work? Following our first report, Dormakaba Discloses Critical Vulnerability, To Rip And Replace Access For 300,000 Doors, we now examine the technical details in this report.
Specifically, we examine the flaws exploited in both Dormakaba's implementation and its use of MIFARE Classic, based on interviews with the company and the researchers, concluding with recommendations on improved security.
Executive *******
**** *** ******** ********* ****** *************, dubbed********, ** ** **** ********* **** ever ** ******* **** ****** ******* to **** ****** ************.
***** *** ***************, ***** ****** * million ***** ********* *** **,*** ********** in *** ********* **** ****** *******, have **** ***** ** ********* *** more **** * **** *** * half ***** *** ******* ********** ** 2022 ** *** ******** ***********, ******* information *** *** ********* ******** ** create ********* ** *** ******** *****. Additional ********* ******* *** ** ****** in *** ******.
*** ********* ************* ****** ** ******** to ******** ********** *** **** ************ entry ** *** **** ** *** target ******** ** *** ******** *** obtain ** ******* ** ****** *****/***** key **** ****** ** *** ******.
***** ********* ********** ********* ****** ******* with ****** ********** * ** ****** DESFire *** **** **** ********** ** address *** ************* ********, **** ********** technologies **** ******* ******** **********, **** as ******* *** ***** ***-***. *******, many ******** ******** ***** ** *** support ***-*** ********* *** ***** ******* changing *** **** ********.
Mifare ******* *************** *********
****** ******* *** **** ***** ** be******** *** ******* ***** ****, ***** ************** ********** ********* (******-*)****** *** ******** **** *** ** used *** ************ ****** ** **** stored ** ***** *** **** *******.
******** **** ***** *** ******* **** from ****** ******* ********, ** **** use *** ********* **** **** ** demonstrate *** **** ****** ****** ** recover ******* **** *** **** ******* data.
*** **** ** *** **** ****** be **** ******* *** *** ** unknown.
**** *********'* *****-********* ********, ***** ******** ******* ***** *** recovery *******, **** **** * ****** Classic **** *** ** ********* ****** seconds.
**** *** ********* ***, *** **** on *** **** *** ** ****.
***** **** ** *** **** ****** method ** *** ********, ********* **** a *** ****, ***** *** ********** where ***** ******* *** ** ********, such ** ************ ** **** *** reader *******.
Saflok "********" ************* *********
*** *********** ***** *** *********************, ** *** ************* ** ******-********.
** ***** *** ************* ********, ** it ** * ************* **** ******* dormakaba ****** *******.
***** *** *** ** ****** ******* plays ** ********* ****, *** ******** Saflok *************** *** ** *** ********* implementations ** ******* ********* ****, **** as ********** *** **** ****** **********, as ********* ********:
*** ******* ********* ** *** *********** goes ******* ****** ******, ***** ***** key ********** *********, **** ********** *** data *********.
******** *********** ********* ** **** ** a **** ***** *** *** ************* works *** *** ** ******** *** exploit **.
** ******** *** *** *** ************* to ****** ********* ***** ** * specific ******** ***** ******* **** * single *******
** ******** ***** *** ** ******* any ******* **** *** ****** ** the ****** ********. **** *** ** their *** (*******) ***** *******, *** other (*******) ***** *******, ** ** (expired) ***** *******.
***** ** *** *********** ******** **** this ******* *** ******** ** **** able ** ******** * **** ** keycards.
***** *** ******** ***** ** ******** to **** *** **** ** *** property, ** ********** **** ************* ** the ****.
*** ******** *********** **** **** **** they **** *******-********** *** ****** *** Derivation ******** (***). (*** ****’* *********** ** * ******** researcher’s ****** *** **************).
***, ** *** ******* ******** *** Saflok *** *********. **** *** **** part ** *** ******** ** ******** to *********.
**** ******** ****** *** *** *** publicly ********* ** *** **** "*******" on *****.
************, ****** **** ***** **** **** reverse ********** *** *** **** ***** ago, ****** *** ******** *******.
******* ***** **** *** **** ********* detail, ***** ** *** *** *** in *** ***** ** ******* ******, knowledge ** *** *** ** *** strictly ********* *** *** ******.
*** ******** *********** *** *** ******** critical ******* ***** *** ************* ** IPVM, ********* ******* *********** ***** *** exploit *** ** ***** ** ******* apart **** *** ***** ************* *****:
*******, ** ********** **** **** ********** how ** ******* *** ******* *** sensitive *********** ** *** *** ****.
**** *** ********* ****, **** **** able ** ********* *** *** *****, one ** ** "******" **** *** the ***** ** * "*************" **** to ******* *** **** ** ****** the "******" ****.
Dormakaba *********** ***********
***** *** **** *** *************** ********** * *** *** *******, ********* ********** ********* ** ****** Ultralight * ** ******* *** **** Triple *** (****) ********** ******* ** MIFARE *******, ***** ********* **** *** been ********* ***** ****-****.
** **** ********* ********** * **** 3DES ********** ***** ****-**. **** ** the ******** ***** **** **** ********** was ********* ** *** *********.
**** ********** **** *********'* ********* ******** more ****** ************ *** *********** **** support******** ********** ******** (***), ***** ********* **** **** *** new *************.
*** ******** ********** ********** ** ** additional ******* ** **** ** *** newer ******* **** **** ** ***** layer ** **********. ** *** ** anything ** *** ********** *****. ** certainly ******* *** ********* **** ** our *********. **** ** *** **-** for *** *** *************.
*******, * *********** ******* ** ********* and ***** ****** ******* ************'* ******** electronic ***** / ******* ** *** support *** **********, ***** ***** ******* replacing **** ********.
3DES *** * **** **** ********
***** ** ********* *** ********** ******** to *** ************* *** ** ** use *********** **** ************* *** (****)*** ****** ******** ** *** *****, we ******* *** **** ****** ******** is ** ******* ** ********* **** support ***. ********* ******** **** *** ****** *** (3DES)*** ********* ** ****, ***** ******** NIST ** ********* *** *** ***** out *** *** ** *** *** 3DES ****** ************ ** ****.******** **** ***** ** *** ****** private ***, **** *** ********** *** use ****** *** ******* ************ ***** ******* 1, ****, *** *** ******* ** ***** out **** ********** ******* ****.
***** **** ** *** "*******," *** far ******* *** ****** ********* *** risk **** **** ****, ** ************* power *********, ** **** ****** ********* to ***** ******* ***** ****.
** **** ************* *****, ****** ******* technologies *** ********* **** *** **** years ** **** ******* ** ****. As ********** ********, ****** **** ** Unsaflok *** **** **** **** ************ such ** ***** ****.
******:
************* ***-****-******* *** ********* ******** ************* *********, and*** ** ********* ******** *** ******** analysis.