How HID High-Frequency Only Readers Are Vulnerable To Downgrade Attacks
The main objection to IPVM's downgrade attack report was that it impacted only 125 kHz credentials. A similar vulnerability, which IPVM was able to reproduce, exists for high-frequency readers leveraging iClass Legacy credentials.
Based on IPVM testing, we detail how HID high-frequency only readers are vulnerable to downgrade attacks from iClass SE / Seos to iClass Legacy credentials.
No ******** **** *** ** ******
**** ******* *** ** *** ******* times **** ** ******** ** *** request *** *******.
*** *** ******* ** * ******** request ***** ***'* *********, *********** **** the **** ********** ****** ***** ******* and *** **** ** ********* **** legacy ************, ******** ******* ***** *** iClass.
*** ******** ** *** ********* ** HID’s *** ********. *** ***** ******* have * ***** ** ********** ******** that **** ********** ********* **** *** right ******* ******* *********** *** ********. For *******, **** ***** ****** ** currently ******* **** * ********* ******* options, * ** ***** ** *** support ****. *****-********** ******* ***** ********* the *********** ** ******* *** **** of ********* **** **** ****** ********** technologies, * ********* **** *** *** be **** ** **** *********. ** also ***** ***** **** *** ****** Manager ** ****** ****** ************** ** the ***** *** **** *********** ** educate *** ********* ** *** ********** of ********* ****** ********** ********** ****** needed.
HID ********** ******* *****
***** *** ** **** ******** ******* include ****** ****** *******, ****** ***** readers ********** ** ********* *******.
*** ******** ************* **** "******* *******" *** ********** profiles, *** ***** ********* ***-********* *** high-frequency ***********, *** ****** **** ****-****, the ***** **** ****-*********-**** *********** ********* cracked ****** ******, *** *** **** with *** ******** ********** ***** *******.
Downgrade ****** ** ****** ** / **** ** ****** ****** (**.** ***) ******
****'******** **** ****** ******* ******* ************ *** ****** *** ***** **** HID **** *** ******* *********** ****** *** ******* **** *** HID *** *** ** **** ** read *** **** **** **** ****** SE / **** *********** *** ********* them ** ****** ****** *** **** formats.
**** ******* ********* *** **** **** extracted ** ******* **** *** *** SAM ******* *** ********** ****** ****** and **** *********** **** ******** ** Flipper.
**** ******** *** **** *********** **** an ****** ******* ****** ** ****** 37-bit ****** *** ***** ** *** multiClass ** ******. ****** ** ***'* proprietary **-*** ****** **** ******** ******** code *** **** *******, *** ***** with ****** *** ******* ** *** to "******* ***********."
** *** "******** *******" *************, ******* successfully **** *** **** ********** *** downgraded ** ** ****** *** **** formats, ******** ******.
** *** "***** *******" ************* **** does *** ******* ****, ****** ****** emulation ******* ******, ******* **** *** not.
** *** "****-****" *************, **** ** known ****** ** ****, ******* **** was *** ******* ****** **** *** downgrade ******. *** ***** ***** *** to ******* ****** ****** *** ***** formats **** *** ****** ** ******* downgrade *******.
No ********** **** ***
**** *** *** **** *** ****** disclosure **** *** ** **** ********* attacks ** *** *************** ****** ** Flipper **** *** ******. ********* *** Flipper **** ** ****** ****** ***'* website **** *** ****** *** *******:
*******
***** *** ** **** ********** ******** HID ****** *** ********** ** *********, showing ******* ********** ***** **** ** Prox *** ****** ****** ******** *** security ** ******** ****** ******* *******. While **** *************** *** *********** *** *** **.** Mhz ********* ****** ***** ********** *******, *** ************* ****** ******* ******** HID ****** ********** ***'* ************** ** mitigate ********* ******* ** ****.
** *** ***** ****, *********** *** end-users *** *** ****-**** ******* ** Elite/Custom **** **** ***** ******* ** prevent ********* *******.
** ******** *** **** ************** ** the ***** ** ****** ** *** land.
**** ******* *** ****-**** ************** (** SEOS+DESFire) *** *** *** ** **. If *****-****, *** "**** ********" **** profile **** *** *** ******** *** encrypts *** *** ** ******* (**** SEOS), ***** ******** ** ********** ***** of ********.
******* *** *** ** **** ** the ****, ** *******'* ******, *** with * "**** *** **********" ********, making *** ******'* ***** ********* ** never * *** *****. **'* **** to ***** * **** ******* *** keys, *** **'* **** ****** **** you **** **** *** ****.
*************, ***** ***'* ** **** *** on ***** ** *** ****** ****. Elite's ***** *** *** ** **. Or ******, ** *** *** *** away **** **. **'* **** ** revoke *** **-***** ****** ***********, *** those *** *** ****-*****. ******* *** no *** ** **** **** ** the *****.
**** *********** ** ******:
*. **** *** *** **** *****, the **** *** *********** ** ***** on *******.
*. *** ***, ***'** ******* ***** most ** ***** ********* *** *** readable *** *** ******* ****. **** could ****** ******.
*. *** ***, ** ****** * can **** *** *** ** *** read ****** *** ** *** ***** get *** ******** *** *********** *** can ** ****** **** *** **********. Without ** *** *** *** **** response ** ******* **** ****** ******* and *** ****** **** *** *******.
* **** ********* ** ** ***** with **** ** *** ********* ***** this ***** ******. ******** ******** *** readers ** *** **** ********* ****.