Vulnerability Directory For Access Credentials

By Brian Rhodes, Published Feb 20, 2020, 10:07am EST

It can be difficult to tell which access credentials are insecure, especially because most look and feel the same.


**** *********** *** ***** *** ***** ****** used, *** ***** **.** *** ********** is ** ********* *** ****** *** not **** ******.

** **** ******, ** **** * deeper **** **:

  • *** ** **** ***** *** *** Formats
  • ***** **.** *** ******* *** ********* (So ***)
  • *** ******* **.** ***** ***** ****** Used
  • *** ** ******* *** ***********
  • ********* *** ******* ** *****
  • ******* **** ******* **** ***
  • **** ********** ****** ******
  • ***** ** ****** ******* *****

** ***** ***** ****** ******.

125 *** ******** ** ***

***** *** ************* ** ******** **.** MHz ******* ** *****, ***** *** kHz *** ****** ********** ** ********* copying **** ***** *** ****** ********* components. ** ******* *** **** ** our**** **** ****** ******* **** **** $30 *** ****** **** **********, *** **** *** ** ******* the ************* **** *********** ****** ****** ******* ********* *****.

Common *** *** ******* *** ********

*** **** ** **********, *********** *** kHz ******* **** ** ****** ** substantial, ****** ******** **** ******** ** credentials ***** ** *** *****. *** common ******* *******:

Formats *** *** *******

*** **** ** ******* ****** ******* currently *** ******* ** ****** ** small *** ******** ***** **** *****:

*** ****** ****

***'* ****** **.** *** ****** *** yet ** ** ****** *** ********* as ******* ***** ********** *****.

*** *** ******** ******* *** ******* 'factory ***', *** ** ***** ***** ****** ******, ** ******* *** *********** ***** to *** ***-******* ******-******** (***) **** for *** ********, ******* ********** ******** of **** ******* ***********.

****** ******* ***(********* ****)*******?

**** ******** *** **.** *** ****** has **** ****** ******* ******* ***** America, ** ***-********** ****** ******* *******, and **** ****-********* ****-******* ****** *********** and *******, *** **** ***-*** *** encryption *** ******* **** *******.

****** ** *** ******** **** **** distributed ** *** ****/*** ****** ***********, but *** **** ** ****** *** been ********** **** ******* ******, **** exploit ***** ******* ** *********** ***** potential ****** *****, *** ********* ***** for ****** ***:

*** **** ************ *** ****** ********** resellers, *** ******* ******* *** **** replaced ** *** ******* *********** **** when *** ******* ********** ** ***.

****** ******* ***(********* ****)

**** '****-***' *** ****** ****** ** offer ******** ********** ******* ** *** information ** ********** ** *** ********** but **** *** *********** ******** ************.

** *******, ******* ******** ** *** EV1 *** **** **** ***, ******** the *** *********** ** **** *** the ********* ** ********* ** ****** systems.

** ****, ** ******/****** ** ******** have **** *********** *** *** ******* DESFire ** ********** ******.

Formats ************ *******

*** ******* ****** ** ******** ** not ****** ******** ** *********** *** end-users. *** ******* ***** **** ** many ** ******* **** **** ******, but *********** **** ** '******' ** access *************:

****** ******* *******

********* ********* ****** ******* ******* *** exploited** ****, **** *** *** **** widely ********** ** *** **** ******, with **** ***** ******** *** **.** MHz ********* ****** ** ****.

*******, *** ****** ** ********** ******** security **** ******** *** ******* ** discontinue **********. *** ****** ** ***** available **** *********** *******.

*** ****** ***** (***-**/**** *******)

*** ****** ** ********** '****' **** HID's ******** **.** *** ****** ***** multiple ******* *** ***** *** *** publicized ******* ** *** '***** ** ********' *****.

**** ******** ********** ********** *********** *** be ******* ** *** *****. *** still ***** ***** ********** ***********, ******** the **** ****** **/**** ****** *** a ********* ****** *** ******** ****** of ********** ** ******* ******* ********.

No ******* *** ***********

******* ** ****** ** '**********' ** 'unbumpable' ***** **** *** ***** ********* given **** *** ******** ** *** public, ** ********** ******* ****** ** viewed ** '***********'.

***** *** ********** ******** **** ******* and ********* ******* *** ********* ** breaking ******* *********** '******* *** ***** locked' ** ********* *****, ******* ** hack **** *** ******* *** **********.

** ****** ****, *********, ** ********** should ****** ******* *********** ******, *** planning ********-****** ***************** ******** ********* ** *******.

Cracking ********* ******* ** ****** *********

*** ********* *** ****** ****** ** crack ********* ******* ********* *** ******** bench *********** **** ******* ******** ***********, electrical ***********, *** ********* ***** ** code.

*** ** *** **** ******* ********** RFID ******* *****, *** ****-****************,*** **** ********** ** *** ***** wiki:

** ****** ** ******* *** ***** early **** *** ********* ** *** really *** *********. ** *** *** not ******* ****** ******** **** ***********, embedded ***********, **** ** ****** *** ISO *********, **** ****** **** ******** bring *** **** *********** **** ******** else ! ***** **** ** *** understand *** ***** ********** ****** **** may **** ********** ***** *** ******.

*** ***** ******* *** *** **** powerful *****, **** ****** *** ****** a '***** *** *****' **** ******, but ****** * *** ** ********** that ******* **********, ********, *** ******** that **** ** ********** ******** *** access ********** *******:


**** *** ***** *********** *** *** formats, *** *****, *****-****, *** **** to *** ******* *********, **** ***$** **** *** *** ******** ****** **** ********* *******:


*******, *** *** '***** *** *****' copiers *** ***** ** ****** *******. For *******, ** ****** ********** (**.*****) ********** *** *** **** **** ****** access *******, ******* *** ****** ** copying ********, ********* *******:


Another ****** ******: *******

****** ***** ****** ****** ** ********** to *** **** ** ******* ******* when ******** *** ********* ** *** reader. *** **** *********** **** ********* can **** ** **** ** ****** identical ****** ** ***** ***** ** to ****** ***** ******* ******* ** systems ********* ******* ********.

*******, ** ******* ***** *****, ******** access *** ************ ** ********* ** needed.

*** *******, *** ** *** **** commonly **** ******* ** ********** ******* keys **** ****** ******* ******** ********** wiring * ******* ** ******** *** output **********, *** ******* ******** *** installed *** **** ***:


*** **** ****** *******, *** ********** and **** ****** ** *** **** method ** * **** ************* ********* the ****, ** *** ****** ***** be ****** ******** ** ***********.

*** **** ******** *** **** ******* often ***** ***** ** **********. **** methods *** **** ** *** ** 5 ******* (**** *********** ***), ***** ****** **** ******** ***** or **** **** (**** ******** ***** **** ******* ****).

Wiegand ******* *****

*** *******,*** ******, ************ ***** ***** ** *******, can ** **** **** *** ******/********* side ** *** ****, *** ** undetectable ** *** ****** *** ****** managers.


*** ***** ***** ***** *** ***** skimmers *** ********* *********:

******* ******** *** **** *** *********** to ***, **** **** **************** ~$** - $** ******.

Cracks ***** ********* ** ***** *******

*** *** *********** ** **** **** the **** ***** *** ******* ****** need ** ***** ********** *******, *** biggest **** ** ********** ****** ******* of ******** *** ******* ***** ***** takes ****.

*******, *** $** *** *** ****** can ** **** ** ******* *** semi-covertly, ** ***** ******* ****** ** avoided. *** *** **.** *** *******, even ***** ******* ******, ***** ** time, ******** ****, *** ******** ************ of ******* ** ***** ********.

*** **** ********* ******* ******* *******: maintain ***** ************** ******* ** **** keys, '**** ***' **** **** ********, do *** ******* ***********, *** **** sharp **** **** *** ********* ** installed ******* *** ***********.

The ******* ********* ** *****

******* ** *** '*********' ********* ** hobbyists ********** ** ******* ********** *****, there *** ********* ****** *** ******** participate *** ********** ** ******* ****** credentials.

*** ** *** ****** ****** ***** these ***** ****** ** *********** ********** *********, **** ********* ** ***** *** hundreds ** ***** ***** *****, ***** collaborative ******* ** ******* ******** *** methods *** ******** ******* (********* ******, MIFARE, *****, *** *** ***********) **** place.

***** ****** *********, ****-****** ********* *** easy ** ******. ******** ******* ******** can ** ***** ** ******, * large *** ***** ****** ************* ****** of ***** ************. ***** ***** *** many ******** ** ********** ********, ** example *** ***:

******* *******

Comments (6)

While some may argue that the most solid defense against this is a 4 digit PIN, or even a fingerprint or hand geometry, I would argue that this hacking is rare, and not a large issue.

Agree: 2
Disagree: 2
Informative: 1

I agree inasmuch as the far more pragmatic threat is someone breaking in by smashing glass openings with a rock or exploiting a propped door.

However, given the ease and (undetected) quickness of making 125 kHz copies, the threat is still there.

So, as security professionals, we can consult customers on the full scope of risks and minimize potentials based on educated choices.

Agree: 2

A 4 digit PIN isn't considered secure by any standard.

Agree: 1
Disagree: 2

More so when you can sniff the data; as long as it is not encrypted.


[Update: SEOS Clarified]

We've edited the post above to remove sources re: attempted SEOS hacks, because after further examination the claims were unclear or mistaken as to which generation of iClass was being targeted.

Those performing the attempts are often mistaken/wrong as to which product they are trying to break, especially given several generations are all named 'iClass'.

This report's findings are unchanged, we just eliminated confusing details.

Agree: 1

Great info, thanks!

I'd note that neither DESFire EV1 nor EV2 has any publicly known vulnerabilities. The attacks in the video titled "New Attacks On The MIFARE DESFire EV1..." are not attacks on EV1, but rather two attacks on the original DESFire protocol and a third attack on the implementation (incorrect order of operations) by the transport system.

Also, although OSDP introduced cryptography, unfortunately it is quite broken from a security standpoint, even in the latest rev of OSDP 2.1.7.

Agree: 1
Informative: 1