Technical Exploits of HID's iClass SE Discovered, To Be Revealed at DEF CON 32

MK
Mert Karakaya
Published Jul 15, 2024 13:25 PM
PUBLIC - This article does not require an IPVM subscription. Feel free to share.

Researchers have "reverse-engineered the complex hardware and software chain of trust securing HID’s iCLASS SE platform" and will present "ground-breaking research and technical exploits" at DEF CON 32 (see presentation abstract).

IPVM Image

This is a serious concern, as the researchers themselves note, "HID's iCLASS SE Readers are ubiquitous in electronic physical access control and used in most government agencies and Fortune 500 companies." While HID SEOS is newer and more advanced than HID's iCLASS SE, IPVM statistics show that SE is still widely used.

Indeed, the researchers claim that they will be "revealing some cryptographic keys to the kingdom." Such keys are critical to authenticating credentials.

They are not disclosing any embargoed details prior to the presentation itself, the researchers confirmed to IPVM, so key technical details will not be made public until August 9th. The presenters are Babak Javadi, Aaron Levy, and Nick Draffen.

Six months ago, in January 2024, HID pushed "major mandatory upgrades" for "legacy downgrade attacks." At that time, they added iCLASS SE to a list of "legacy credentials [that] can expose a security risk," despite the fact that iCLASS SE had no publicly disclosed vulnerabilities at that time.

At the same time, HID told IPVM that iCLASS SE was not cracked.

IPVM will attend the presentation and report on the technical details when they are disclosed.

About IPVM
IPVM is the world's leading authority on physical security technology covering video surveillance, access control, weapons detection and more; delivering unmatched reporting, research, and test results.
How Do I Become a Subscriber?
Learn more about IPVM subscriptions now.
Comments are shown for subscribers only. Login or Join