How Iceman Champions PACS Vulnerability Research
Christian Herrmann, better known as Iceman, is a prominent figure in physical access control systems (PACS) vulnerability research, leading the development of Proxmark rdv4 and moderating PACS hacking communities.
Based on an interview with Iceman, we examine his background, contributions to RFID research, his company, IceSQL, and ethics within access control hacking.
This is the second in a new series profiling physical security researchers. For our previous security researcher coverage, see: Red Team Alliance / CORE Group Profile - Babak Javadi Interview.
Executive *******
****** **** *** ********* ** *** Physical ****** ******* ******* (****) ************* research ** ******* ******* ******* ** access ******* ******* *** **** *******. Iceman *** **** ************ ** ********** the *********, ******** ** *********** *********** repository, *** ****, * ****** **** security ******** ****. ****** ** ** active ********* ** **** ******* ***********, disseminating ********* *** *********** ************ ** the ***** ***** *********** ******* ******* practices.
Iceman’s ********** ** **** ********
****** ******* **** ******* ** ***** ago, **** ******* ******* ** ******** mastery ** **** ******* **** *** Proxmark, ******** *** ** *** ****** figures ****** *** **** ******* *********. Iceman **** *** **** ******* ********** started **** * *** ***** ******* Proxmark, ***** ** *** ******* ********** setting **.
***** ** ***** ***, * *** very ******* **** ****, *** * thought, "* **** ** ** ********* for ******." *'** ****** ***** ********* and *******, ** * ******* ** buy * ******* ****. *'* ***** my ***** *** ******* *** ***** RFID **** *** ******* ***** *** Proxmark. * ***** $*** ** * device **** *****. **** ** *******, it *** **** * *** *** some ********. * ***** * **** trying ** *** ** **, ****** for **** ** ******, *** ********** failed. ************, * ******* *** ********.
***** ******** *** ****** *** *** months, ** ******** * ***** *** got ** *******. *** ***** ** accomplishment ** *** **** ******* * bus ****** ********** *** ** ***** deeper **** **** *******, ****** *********, going ****“*** ****** **** ** *******” and ********* “****** **** ******.”
** *** ***** **** * *** judging ** **** * **** ***** for *** ******. *******, * **** following ****** ** *** *** ********** how ** *** **. **********, * thought, "*'** ***** ** **** ** this, * **** ** **** ** another ****." **, * **** ** down, ******** * *****, *** *** it *******. *** ***** **** * successfully ****** * *** ****** **** it, * **** * ***** ** accomplishment **** ****** **. ***** ****, it's **** * **** ****** **** of *******; ** ***** ****. **'* layers **** ******.
**** ******* ******* ********* ******, *********** him ** ******** *** ************ ** RFID *******. **** ***** ** * hobby ****** ** ********* *** * need *** ******** *********** ****** * professional *******. *** *************** ****** *** eye ** *** **** ******* *********, and ** ******* ******** **** * leadership ********, ******* ******** *** *********** in **** ***************.
*** ************* ** **** *** **** hacking *** ****** *********** ** *** previous **** ** *** *****, *** he ** "******** ** *** ********* of ******," ****** ****.
** **** ******** *****, **** ** a ******** ********* *** *** *** of * ****** ****** ******* *******. However, ******** *** **** ******* ***** considerable ****, *** ** ** ******** his ******* ** **** ****, ****** added.
******** *** **** ******* *** **** a ***** ** **** **** ***** over **** *** **** ****. ** you **** ** ** **** ** shame ** **** **** ****, **** my ************ ********* ********* *********** **** nobody **** *** *** ******'* ** computer ******* **** ***** ****** ****** asks ***. ** *** ***** **** to ******** ********** *** ****** ******* software. ****'* **** ****** *** **** for **** *** *****. * **** my *** *** ****** *** ******* of ******* *******, *** ****** **** I *** *** *** ** * startup ***** ****** ****** *******.
Key ************* ** **** ********
******’* ************* ** **** *** ************, from ********** ******** ***** *** ********* to ********* ***********. ****** *** *** development ** *********** ****, * ******** **** **** ** most ****** **** *** **** ************* testing. *** ******** **** ** * pivotal **** *** ******** ***********, ****** integrators, *** ************* ** *********** *** understanding ****** ***************. ****** **** **** helps *********** ********** *** ************ ****** PACS.
******** *** ******* ** ** ********** the ********** ******** ************ ** ******* PACS. *** *********** *** ********** **** made ** *** **-** **** *** anyone ******* ***** **** ************* ********.
******* ******* **** ******** **** ******* "Iceman **********," ************ *** ************* ** the *********** ** *** ****** *** continued ******* ** ******** *** *************.
****** *** ******* *** *************** *********** ********* ** **** *******. ***** ****** ***** ** **** for *********** ********, ******** *********** ** share ********, *************, *** ***** ********** vulnerabilities. *** ************* *********** *** *********** the **** ** ******** *** *** led ** *** ************** ** ******** security ***** **** ***** **** ********* gone *********, ****** ****.
********** ****** *** ********* ** ****** community *** ******** * ******** *** collective ************. *** ****** ********* ****** up *** ********* ** ***************, ****** PACS **** ****** ** *** **** run.
***** *** ********* ***** ***** ***, the **** ******* ******* ********* *** attracted **** *,*** *******. *** ********* is ******, **** ******* ******* *********, answers, *** *********** ***** ****.
****** *** ****** ******* ******** ******** and ************ ********** ******* *******, ************* *********** ** *** ******* security *********.
IceSQL ********* ******* ********* *** ************
***** ****** ********** ********* ****** ******** for *** ********* ********, *** *** direction ** ********* ******* ******** *** RFID ********, ********** ****** ********, *** providing ******** *** ********** ** **** devices *** ************ ******** ** *** European *******.
*'* ********* *** *** ******** ******** for ********* ******** **** **** ****. It's ***** ** ** ******** ******** for **** *******, ********. **'* ***** to ** ****** ******** ***********. **'* going ** ** ************* *** ********* as ****. *** **'** ***** ** focus ** *** ******** *******.
****** *********** ** *********** *** ********* vulnerabilities ** **** ************. *** ********* includes *********** ***** ******** ** **** the ******** ********** ** ***** *******.
The "******" **********
****** **** *** **** ** *** moderator ** *** *********** ******* ** communicating **** ******* ** *********** *** ensuring **** *** ********** ** *** vulnerabilities *****'* ********* ****** ****** ******.
***** ** "******" ** **** ******* represents * ******** *******. ******** * engage **** ******* ***********, ************* ***** achievements *** *******. **** ******* ************ something ***********, * ********** *********** **. However, **'* ******* ** ********** **** publicizing ***** *************** ***'* *********. **** have ******** ******* ***** ******; ******** only ********** *** ********** ******. * hesitate ** ********* ******* ***** *************** in, *** *******, ***** ******** *******. Such *********** *****'* ******* *** ********* at *****. *** *** **** ** to ****** ***'* *** ***** ************ positively ** *** *********.
Flipper **** ****** **** *** **** ** *****
****** **** *** *** *****, **** as ******* ****, **** *** **** of ***** ** **** ******** *** hacking **** *****, ********* ****** **** ready-to-use *****.
**'* ***** ****. *** *** *** hanging ****** ** ** ****** *** wide ******. ******* ***** ** ********* easy. *** ******* **** ******, ******* and *** ************ ** ***** **** hacking ** *** *****, ** ***** it * ***** *******.
******** ****** ******* ******* **** **** it ***** "*******" ****** ** ****-**-*** tool **** ******** *************** **** ***** harm *******.
******* **** ** ****. ******* ****** come ******* **** **** *****, * don't **** **** ****** ** **** this *****.
******* **** ********** *** *********** ** pursue **** *******, *** *** *** generation ** "**** ***********," ********* *** following ***** **********, *** ******.
******* **** ****'* ***** ******** ***, but *****'* * *** ********** ** RFID ******* ****** ***, *** ****** to ***** ****** *** ** **** excited ***** **. **** *** ****** excited ***** *** ********. *** **** are **** **** ***********, *** ****** about ************, ******* *** ***, ******* Tesla *****, ***. **'* ***** **** or *** ****, *** ** ***** back ** *** ******.
******* **** ******* ****, ******** ****** the *********** *** ** *** ***, can ** ****** ******** ** ******** limitations ******* ** ***********, ****** * threat ** ****** ******, ********* ** Iceman.
**** *********** *** *** ** **** limits ** *** ******. *** **** licenses *** *** ****** ***'* ****. They **** **** **. *** ******* Zero *** *** ******** ********** ** firmware ****** **** ** **** **** within *** ****** ** *** ********* spectrum **** *** *** *** **** and *******, ******* ** *** *********** they **** ** ******. *** **** download ******* ********, *** ****, *** have *** ** *** ******** *** hardware **** *** *********. *** ***'** telling ** *** *** ************ ****? Or *** **** *** ****?
Proxmark3 *********** *** ****
******** ** *** ** *** **** common ******** ***** *** **** ********, and ****** **** ***** *** ******* had *********** *************, *** *********** ***** not ** ******** ******* *** ******* work **** ** ******.
******** ** *** ******** **** **** has **** **** ** *** **** 15 ***** **** ** ***** ** RFID *******. *** **'* *** ****. It's * ********* ******. * **** to *** **** ******* **'** ******** on *** ********* ** ******. **'** been ***** **** *** *********. ***** are **** ***** ****** **** ** the **** *** **** *** ********** for **** ** *** **, *** we **** ** *** ****** *** carried ** **** ****.
*** *** **** ** *****, ****** has ******** *** ****** ** ******* Proxmark, **** ** * ******** *** a ******** ****, ****** ** **** field-useable.
**** *** *** ***** **** * preassembled ******** **** ****** ******** **** out. ** ******, *** *** **** was, "******** *** ** ********; *** just **** ** ********* ** ********." When * *******, * ******** ******** said ** ***** ** ********** *** could ***. **, * *** * vision. ** ****** ** **** *** see, *********** ** *** ****** **** and ******** ****. * ****** ** have * **** **** ******* * lot ** *******. * ****** ** have * **** **** ***** ** my *******. *** * **** ****** to **** ********* *** *** ** out ** *** *****. * **** want ** **** *** *********** ** store **** ****** ** ** ** store ***** ******* ****'* **** *** use ** ***. *** * **** it ** ** *********.
***** **** *** *** ********** *** their ***** **** ******** ***, ** is * ******** ******** **** ******** to **** ** *** ** ***** ago, ****** *****.
** ****'* ****** ** *** *** whole *** **** ** ******* **** was **. **'* ***, *** ***** the ***** **** ******** *******, **** you *** ** ***** ** **** much *** * ***** **** ** to ****. ** *** ** *******, I **** ** *** *** * wanted ** ** ****. ******, ** was ****** ** ****, *** *** pieces ***** ***** *****. *****, ** feels **** **** ** *** *******. You *** ** **** **** ***** are *******, *** ** *****. **** more ****** *** *** ***** *****, but ******** ***** ******* ******.
******** ** *** **-** ******** **** for **** *******. *******, *********** **** more *********** **** **** ****** *** standards ** ***** *** *******, ****** said.
**** *** **** ** ** ****** properly, *** *** **** ** ******* things, *** *** ********. *** ***** thing **** ** ***** ** **** hacking ** **** *** **** **** things. *** **** *** ***********, *** need *** **** ******, *** *** need ********* ** *** **. ** now *** **** **** * ******* software **************. ** *** *** *** commands *** *** ****** ** ** follows *** ******. *** **** **** is *** ** ** ****** ******* setting *** ********. *** ** * break *** ***** *** ** ** with **** ********.
Access ******* "**** ****** ******"
******** ******* *** ********* ********* ** more ****** **** **** ***, *** Iceman **** ***** ******** ************* *** the ****** ***** ***** **** *** secure, **** *** "**** ****** ******."
* ****** ** *** *** **** because *** ******* ** ***** **. Given *** ************* ** **** **'* supposed ** ** *** *** ******, the *********** ******, *** **** ** is ***** ** **, *** ******* of ***** ****** ** ******** **** actually ** ** ** * ****** system. * ***** ****** ************* **** tremendously. *'* ****** **** **** ** your ******** ****** ****** **** **** are ******. *** *** ** *** know *** ***% ********* **** ****'** not ******,just ****** ******. [emphasis added]
*** ******* ********* ** ****** ******* security ** ****** ***********. ****** **** that ** ****** *** ****** ** training, **** ****** **** *** ****** engineering ******, ******** ****** ***************.
**** ****** *** **** ****, *** spamming, ******** ******** ********, ******* ******, a *** ** ******** ************* ***** be ****** ** **. *** *** have ********* ******** **** *****. ** doesn't ******; *** **** **** *** the ****** *********** *****. *'* ***** aware ****** ***'* ******, *** ****'* a **** ** **. * ***** we ********** *** **** ** **** idea ** **** ******* *** ** or ****** **, *** ****** **** the ******** *** ******* *** ******. Vendors *** ** ******* ** ** safe *** ******, *** **'* ***. And ******* ** [****] **** ****. It [*** ******] ** ***** ** be ***** *** ** *****. ******'* changing **. ** *** **** * system, **'* ***** ** ** ***** [before *** ******]. ** ***'** *****, they **** ****** *** ******** **** or *****.
Access ******* ******** **** **** ** *** ****** ********
****** ******* ********* **** ************ **** hostile ****** **** *********** *** ******* (see**** ** *** ******** ********** *** Industry). *******, ****** **** ** ** changing **** ********* ******** *** ********.
**** ** ******* *** ** *** beginning, ** ***** ***, *** **** before ****, *** ******** ****** ******* companies **** ***, *** **** ******* towards *** ********, ******* *******, ******* finding ***************. ***** *** * *** of ***** *******, ******** ******** *********** back ** *** **** **** **** pushed *** ******* ***** *** ** much ********** **** *** *****. ** has ******* *** * ***** *** you **** ** ****** ***** ****** a ***. ** *** **** **** or **** ***** *** ******** *************,**** ****** **** ******, *** ********. Having ******* *** ******** *** *************** disclosure ******** *****. ***** ** * change. *********, ****'** **** ******** *******, hackers *** **** * **** ************* with ****, *** ******** ****** ***, making ****** ******, *** **** *** open **** **.
****** ***** ***** ********* ***** *** disclose **** *** ***************, **** ****** control ********* **** ** ****** ******** in **** ***********, ******* ********* *** changes.
**** ** ***** ** ***** ****, they *** *********, **** **** ** do ******. ** *** *** ** the ***, ********* ***** ** *** RFID ******* ******* [***********], *** ********* reads ****'* ***** **.
*** ****** ******** ***** ********* ** opportunity ** ******** ***** ******** **** a ****** ***********, ***** ***** ** stronger ******* ***********, *** ******.
** **'* **** **** ** ****. You ****, *** **** * ***** of *********. ****'** ***** ** ** a *** *** *** ***'* ****** them ** ******* *** ****** ******* and ********** *** ******* ** ******* out ** *** ***. ** ***** some ****. ****'* *** * ***** we **** *** ****** ********, * don't ***** ** *** **** ******* otherwise ****** **** **** *** *** bounty. *** ****, * ***'* ***** they *** ****** ****.
*** ********, ** **, ** ******* we ****** ****** **** *******.
***** **** **** ** **** ****** in *** ******.
** *** **** ** "*****/*****", **** was ****** ********** ** ** *** user. **** ** **** ****'* ** first, **** **** ***** ******** *** risk, ** *** **** ** **** a ****** ********.
*** * *** **** ** *** underlying ***** **** **** ** *** inability ** *** ******** ** ********* a ****** **** ********** ********* ** prevent ********, *********, ***. ** *** hardware ****** ***** *** ******* ************, or *** ******** *******, **** ***'** stuck ** **** ***** ** ******** until *** ********* ********* ******. *** can't **** ** * ******** ******, or **** ** "****** ****" ** your ******** ***'* ******* **.
***** **** **** ******** ******* ********* (eg: ****, *********** ****** ***** **** companies **** *********), *** *** ****** don't **** ** **** **** * top ****** ********, ** **** ** are.
*** ****** ***'* **** ** **** this * *** ****** ********, ** here ** ***. *****
******** *************** ***** **** *****:
* ** ***** ***** ** * bias ** *** ****** *** **** and **** ***** ******, ******* *** people *** *** ****.
* ** ***** ***** ** * bias ** *** ****** *** **** and **** ***** ******, ******* *** people *** *** ****.
******** ***** **** ****** ***. ****** something "******" ***** *****, *** ** your *********** *** *** ***** ** compete **** *** *** ********* ******, and ** ********* **** ***** ******** more *********, **'* * ***** **** to ***** **** ***** *****.
* **** ***** ***** ** *** much ******** ** **** *****, ** least ******* ******* *******. *** ***** site ** ******** ***** ******* **********. Lots ** ****** **** ** ******* alarms, ***** **** ****-****** ******* *** and ***, ********* ******* ***** ****** off *** ****** *** **** **** into ***** *****, *** ** *****. This **** ** **** ****** ***** up * *** **** ** *** market, *** ******** ********* ******* *&* spending ** ***** ********* **** ***'* pay ***** ***.
** *** *****, * ***** ****** manufacturers **** ** ** **** ***** and **** ********* ***** ***** ******. But, ****'** ******* **** ****** ** this, *** *** ****** ******* **** (and **********) *** * ***** ***** acting ******* ****.
* ***'* ******.
**********, * **********-********* ******** ****, ***'* seem **** * ******* ********** ****, but * **** ** ******* *********.
********* ********* **** ****** **** ****** want. **'* *** ***** *****? **** are **** ********** * ******? ** that *** **** **** ** ******** that ** ***** ******* ** ****** control ***************?
********* ********* **** ****** **** ****** want.
****, ** *** ********* ***** **** is *** **** **********/******** * ***'* even **** * ********.
* ***** **** *** *** *********** the **** "*************" ****. ***, ***, I ***'* ***** *** ***** *** best ******** **** *** ********* ********** either.
***, **** ** ** ******** **** technology. ** * ***** ******, ** are ***** ****, ****** *****, ***** locks, *** ***** ***** ** ***** that *** ****** ************. *** *** every *********** ***** *** ****** **** secure **********/***.
***** ** * ********** ******* * network *************, ** *** ***** ** attacker *** ****** * ****** ******* or ****** *** ******* **** **** of ******* **** ** **** ***********, and * ******** ************* ***** *** device ***** *** ** **** ** withstand * ****** ********* ********.
**** ***** ****, **** ***** *** fine *** *** ***** ** ******** that ***** ***** "******* ****** ****** honest", ****** * ******** ****** ** friction ** ************ ******, *** *** immune ** ******** *******.
** **** **** ********** *** * vulnerability ***** * ****** *** ******* that ******* ****** ** **** ** to * ****** *** **** *** lock, ** ***** ** * ********* scenario.
* ***** *** **** *** **** majority ** *****, *****, *********, *** similar ******* ******* *** **** ******** than ****** ******* (**, ***** **** is **** ** *********** **** ******** the*********** ******).
*** * ***** *** ********* ******* is ****. ********** *** * ******* that ******** ******* ** ******** *****, and **** **** ******** ********** (* say ********, ******* ******* **** ****** disagree ;) ). *** **** * prox-based ****** ******* ****** **** ***** to **** *** **** ******** ** people ***, *** *** ***** **** needs **** **** * ****-******** **** (eg: **** ****** ** * **** to *** ** ** **** ** casual ****** *** ************* *********).
* ******* * ******* **********:***** ** **** ******? * *** Or * **** ****? - **** Discussions
* ****** ** **** ****** *** Val ****** '******'.
***** *** **** *********** ***** ****** in **** ** *** ***** *** same ******* *** *********** **** *** realm ** *********** *** ** *********** money, ****** **** **** ******, ***'* it?
**** *******, ******** ********* ********... *** suddenly *** *** ****-************* **** ***** away.
"* *** **** ****** ** ******** people **** **** **** ** ******* the ******** ** *****" ***** *** keep *** *** ** *** ******* pokey *** ******.
***' *****'.
***** *** ****** **** ** ***** regarding ************** ********, *** ******** ***** is **** ****** "********" ***** *** can ****. ***** *** ***** ***** to ** ****** ** ****** **. If *** **** $**,*** ** ***** bills ** * ****, ***** ** no ********** ******* **** **** **** you * *** ***** ** $**,*** bills, ** ********* **** *** *** the ******** ****** ** $**,***. (*'** leave ********* *** ** ****, ** that ** * ********* ******).
**** * **** ****, *** **** is * ***** ** **** ***** to ****** * ***** ** ** authorized ****. ** **** *****, ** you **** *** ****, **** ****** will *** ** *******, *** *** will ** ******* * *** **********. While **** ************* *** ****** ** buy ***** ******* ** ********** ******, they ***** ******** ****** ** "****" their *** ***** ****************.
**** ********* ******* **** ********** ********, IMO.
***** ** ******* ** ******* ********* to *** **** **** *** *** opportunity ** *********** ** **** *********. It *** * ******** ** ****** in * ********** ********** ** *** important ***** ** ****.
***** **** ** ****** ** ****** to ****, **** ** ** *** their ********** ********* *** *** ************ manner ** ***** *** ********* *** conducted. **** ********** ** ********* * space *** ******** ******** ** ******* appreciated.
***** ******* ** ******** ** ******* discussions **** *** **** ********* *** welcome *** ********* ** ******** **** may ***** **** **** *******. ***'* keep *** ************ *****, ******* ********, and ******* ******** ** ******* *** challenges *** ************* ** **** ********.
****'* ** * ******** *** ************ dialogue!
******** ***** *** ********* *** ***** HSPD-12 **** **** ********** ** ******** over ****** ******** **** *** ******* PACS *******. ** ***** **** +*** means *** **** ** *****, ******** surf, ** **** *** *** *** of *** ****.
** ********* ** ********** ******* *** activates ** *** ****** *********. ** have **** ******** ********* ** *** team **** *** *********** *** *** great ********. *** ** ****** ***** to ***** **** *** ** ***** hackers, ***** *** * *** ** diverse ******** *** ***** ** *** hacker ********* *** **** ** *** some ******** **** *** ** **** we ***** ***** ***** ******* ********* and *** **** **** **** **** more ****** ********.
*** **** **** ********** ******* **** case ******* ** ******** ** *** OSDP ***** ** ***** ******* *** we **** ****** ********* ***** *** tendency ** ****** *** *********.
********* ** * ******* **** ** understanding *** *** ** **** ******** with *** *********.
*********** *********!
* *****, ** *** ****** *** premise **** ******* ** ***** ** change *** **'* ***** *** ** years, **** ******* ** ****.
*** ********, ** **, ** ******* we ****** ****** **** *******. *** years ***, ********* ** *****/***** **** relatively ****** ********, *** ***, **********, it's ***.
** ** **** ******** ** ********** access ******* ** ***** ******* ********** to * ********** *** ** ** an *** ******?