Introduction
Imagine the following scenario: A hacker walks up to the corporate headquarters of a Fortune 500 company. The building used in this example relies upon the use of an iClass Contactless Smart Card system to manage access to the facility, ensuring that only authorized personnel are allowed to enter. The hacker locates an iClass reader that is installed on a side door and which is typically out of the security guard's view. With a Phillips screwdriver he removes the one screw on the bottom of the unit that secures the reader to its mounting plate. The reader slides right out of its holder, exposing the backside of the unit and revealing a 6-pin connector that is used for In-circuit Serial Programming at the HID factory. While the reader remains powered up (and fully functional), the hacker plugs a tiny circuit card onto the ICSP connector. The hacker presses a small pushbutton on the circuit card which causes an LED to begin blinking. Within ten seconds the blinking stops and the hacker disconnects it from the reader. The reader is slid back into its mounting plate and the single screw is replaced. The hacker then retreats to his home having spent less than a minute doing his dirty deed. What did this hacker just obtain, you ask? During the ten second data dump the hacker was able to retrieve the following:

- The HID Master 64-bit Authentication key used by all iClass readers.
- The two 64-bit TDES keys used to encrypt and decrypt all secure communication between the reader and an iClass credential.
- The 128-byte key table that is used to generate the "High Security" key that is required to authenticate with any credential that has been configured to operate in HID's "Elite" or "Custom Key" high security programs.
- The card serial number (CSN) and Diversified Key of the last credential that was read.
- The Facility Code and Card Number of the last credential that was read.

You are now asking yourself, can it really be that easy to collect all of that "secret" information without damaging the reader or having to take it back to a lab for some serious reverse engineering? The simple answer is yes, and here are the two reasons why:

1. The PIC18F452 microcontroller incorporates an In-Circuit Serial Programming interface that is intended to allow an external third-party device to be attached and to re-program the processor with a new or updated program. Although it is not really obvious from reading the PIC Programming Specification manual, the same interface can also be used to "extract" data that resides in the 1536-byte RAM File Register space.

2. When the iClass reader communicates with a card it has to retrieve the authentication and TDES keys from EEPROM and place them into the RAM file register space, where they need to reside before they can be used. The high security key table must also be calculated (and saved in the File Register space) whenever an iClass credential is read. As a result, all of the secret key information now resides in volatile RAM memory and is readily accessible via the ICSP interface.
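The second reason above is the one a firmware engineer can act on: the keys are copied from EEPROM into RAM and simply left there. The following C example, added here and not taken from the proxclone paper or from any HID firmware, shows that pattern beside a hardened variant that wipes the RAM copy as soon as the operation completes. The key bytes and the "use_key" operation are constructed stand-ins, not a real iClass key or algorithm.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-ins for the reader's memory: a small "EEPROM" holding a
 * sample 64-bit key (made-up value) and a RAM buffer that an ICSP register
 * dump would read back byte for byte. */
#define KEY_LEN 8
static const uint8_t eeprom_key[KEY_LEN] = {0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88};
static uint8_t ram_key[KEY_LEN];            /* lives in the dumpable file-register area */

/* Stand-in for the cryptographic use of the key (not the real iClass cipher). */
static uint8_t use_key(const uint8_t *key, uint8_t challenge) {
    uint8_t r = 0;
    for (int i = 0; i < KEY_LEN; i++) r ^= (uint8_t)(key[i] + challenge);
    return r;
}

/* Leaky pattern described in the text: the key is copied into RAM for the
 * transaction and stays there until the next one overwrites it. */
uint8_t auth_leaky(uint8_t challenge) {
    memcpy(ram_key, eeprom_key, KEY_LEN);
    return use_key(ram_key, challenge);
}

/* Hardened pattern: zeroize the RAM copy right after use. The volatile
 * pointer stops the compiler from dropping the "dead" stores, which a plain
 * memset(ram_key, 0, KEY_LEN) at the end of a function risks under -O2. */
static void secure_zero(void *p, size_t n) {
    volatile uint8_t *v = (volatile uint8_t *)p;
    while (n--) *v++ = 0;
}
uint8_t auth_wiped(uint8_t challenge) {
    memcpy(ram_key, eeprom_key, KEY_LEN);
    uint8_t r = use_key(ram_key, challenge);
    secure_zero(ram_key, KEY_LEN);
    return r;
}

/* What an after-the-fact register dump would reveal: is the key still in RAM? */
bool ram_holds_key(void) { return memcmp(ram_key, eeprom_key, KEY_LEN) == 0; }

/* One transaction of each kind, then inspect RAM as a dump would. */
bool leaky_leaves_key_in_ram(void) { auth_leaky(0x5A); return ram_holds_key(); }
bool wiped_leaves_key_in_ram(void) { auth_wiped(0x5A); return ram_holds_key(); }
```

Wiping only shrinks the exposure to the transaction window; a dump taken while a card is being read, or of a key table the firmware keeps resident, is not addressed by it.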
October 1, 2011
www.proxclone.com
Page 1
Although the ICSP interface supports ten different types of commands (as shown in the table below), only two commands are required to read the PIC File Register contents. These two commands are marked with an asterisk below.

Commands for Programming

  Description                                      4-bit Command
  Core Instruction (Shift in 16-bit instruction)   0000  *
  Shift out TABLAT Register                        0010  *
  Table Read                                       1000
  Table Read, post-increment                       1001
  Table Read, post-decrement                       1010
  Table Read, pre-increment                        1011
  Table Write                                      1100
  Table Write, post-increment by 2                 1101
  Table Write, post-decrement by 2                 1110
  Table Write, start programming                   1111

  * the two commands needed for the File Register dump
By executing a short sequence of instructions, the SPI interface can effectively be used to force the PIC processor to loop through a sequence of three instructions until all 6 banks of 256 registers (1536 total) have been dumped back to the SPI master device. A table that summarizes the SPI "Register Dump" sequence is shown in the table below.
An example of a captured register dump is shown in the figure below. The microcontroller used in the capture circuit has converted the hexadecimal data to an ASCII format and added the appropriate file address information prior to being transferred to the PC.
HID Master Auth key, TDES keys and HS key table are XXd out