High Intensity Deconstruction: Chronicles of a Cryptographic Heist

Presented at DEF CON 32 (2024), Aug. 9, 2024, 11:30 a.m. (75 minutes).

Introduced in 2011, HID Global’s iCLASS SE solution is one of the world’s most widely deployed Electronic Physical Access Control platforms. HID’s iCLASS SE readers are ubiquitous in electronic physical access control and are used in most government agencies and Fortune 500 companies; they can be easily seen and identified in almost every form of mainstream media. Almost 13 years after iCLASS SE’s introduction, ground-breaking research and technical exploits will be disclosed publicly for the first time. In this talk, we detail the process by which we reverse engineered the complex hardware and software chain of trust securing HID’s iCLASS SE platform. Over a seven-year research period, we analyzed the hardware, firmware, and software elements of the ecosystem, uncovering an unfortunate series of pitfalls and implementation defects. These flaws culminated in an attack chain that allowed the recovery of sensitive cryptographic key material from secure elements that have received CC EAL 5+ accreditation, revealing some of the cryptographic keys to the kingdom. Finally, we provide comprehensive guidance on technical and operational mitigations that end customers can use to identify practical risks and reduce impact.

Inspirational prior work (research done on the previous-generation system):

  • Heart of Darkness - Milosch Meriac [link](https://get.meriac.com/docs/HID-iCLASS-security.pdf)
  • Dismantling iClass and iClass Elite - Garcia, de Koning Gans, Verdult, & Meriac [link](https://www.cs.bham.ac.uk/~garciaf/publications/dismantling.iClass.pdf)

Presenters:

  • Babak Javadi - Founder at The CORE Group
    Babak Javadi is the Founder of The CORE Group and Co-Founder of the Red Team Alliance, a covert entry training and certification body. As a professional red teamer with over a decade of field experience, Babak’s expertise includes a wide range of disciplines, from high security mechanical cylinders to alarm systems and physical access control platforms. Babak’s community contributions include the co-founding of The Open Organisation of Lockpickers (TOOOL) where he served on the Board of Directors for over 13 years.
  • Nick Draffen - Product Security Architect
    Nick Draffen is a Product Security Architect, focusing on the protection of laboratory instruments and their software. Outside of work, he dives into research, reverse engineering, and hardware hacking, leveraging his technical expertise to both build and break things. He is a member of the Security Tribe and volunteers with the RF Village, creating and overseeing challenges for the RF CTF at various security conferences. Always eager to lend a helping hand, he is known for his ability to pull just the right tool from his extensive bag of tricks.
  • Aaron Levy - Lead of Security Engineering at Clover
    Aaron Levy is an independent security researcher who was credited in the discovery of CVE-2018-10897 and CVE-2019-11630. In his day job, he leads Security Engineering for Clover, a payments and point-of-sale company that is a subsidiary of Fiserv.
