Ensuring the security of your organisation is essential
to prevent any breaches that could result in devastating consequences.
Despite the advancements in technology, many organisations are still using outdated and vulnerable security systems that are susceptible to attacks. At last week’s annual DefCon security conference in Las Vegas, hackers highlighted a significant vulnerability that has been present for over a decade, yet remains unfixed in many organisations worldwide.
The vulnerability concerns HID cards, rectangular white plastic “smart” cards that organisations distribute to employees for security badges. The Chaos Communication Congress (CCC) released a paper in 2010 demonstrating a serious vulnerability in smart cards made by HID Global, the largest manufacturer of these devices.
The CCC researchers showed that the card reader device that HID sells to validate the data stored on its then-new line of iClass proximity cards includes the master encryption key needed to read data on those cards.
The researchers proved that anyone with physical access to one of these readers could extract the encryption key and use it to read, clone, and modify data stored on any HID cards made to work with those readers.
This vulnerability is still present in many organisations worldwide, despite the issue being raised over a decade ago.
HID responded to the 2010 paper by modifying future models of card readers so that the firmware stored inside them could not be easily dumped or read.
However, HID never changed the master encryption key for its readers, likely because doing so would require customers using the product to modify or replace all of their readers and cards, which would be a costly proposition given HID’s huge market share.
The issue with this approach is that anyone with a modicum of hardware hacking skills, an eBay account, and a budget of less than AUD $150 can grab a copy of the master encryption key and create a portable system for reading and cloning HID cards.
At least, that was the gist of the DefCon talk given by the co-founders of Lares Consulting, a company that gets hired to test clients’ physical and network security.
Lares’ Joshua Perrymon and Eric Smith demonstrated how an HID parking garage reader capable of reading cards up to three feet away was purchased off of eBay and modified to fit inside of a common backpack.
Wearing this backpack, an attacker looking to gain access to a building protected by HID’s iClass cards could obtain that access simply by walking up to an employee of the targeted organisation and asking for directions, a light of a cigarette, or some other pretext.
Smith and Perrymon noted that, thanks to software tools available online, it’s easy to take card data gathered by the mobile reader and encode it onto a new card, also available on eBay for a few pennies apiece.
Worse yet, the attacker is then also able to gain access to areas of the targeted facility that are off-limits to the legitimate owner of the card that was cloned because the ones and zeros stored on the card that specify that access level can also be modified.
The vulnerability in HID cards raises a significant issue for organisations that use them. Many organisations may still be using these outdated systems and could be at risk of a security breach.
Ensuring that organisations are aware of this vulnerability is essential to help prevent any potential attacks.
At this point, it is essential to remind organisations that security is a never-ending process. New vulnerabilities will always arise, and organisations must remain vigilant to detect and prevent any potential attacks.
Furthermore, organisations must not assume that their current security measures are foolproof.
Instead, they must take proactive measures to ensure that their security systems are up-to-date and can protect against the latest threats.
One approach that organisations can take is to partner with security experts who can help identify vulnerabilities and provide recommendations for improving security measures.
These experts can conduct penetration testing and report any security access related issues.