Proxmark3 community


#1 2016-01-26 07:21:16

bsmith
Contributor
Registered: 2016-01-12
Posts: 4

Current status of iClass hacking....

I've been doing as much reading as I can, and wanted to see if my understanding was correct...

iClass "Legacy": Completely broken. Keys can be recovered with three RevA readers, game over
iClass "SE": Not publicly cracked yet, unless it allows you to use legacy cards, in which case you can possibly clone an SE card's Wiegand data onto a legacy card or use a spoofer that exploits the legacy mode
iClass "elite": LOL. Completely broken

Is this correct? Have I missed anything?

If you were testing an access control system, how would you go about evaluating whether it is vulnerable to the known attacks?


#2 2016-01-26 18:16:08

carl55
Contributor
From: Arizona USA
Registered: 2010-07-04
Posts: 175

Re: Current status of iClass hacking....

Your understanding is mostly correct.
I would change the first line to the following:

iClass "Legacy": Completely broken. Keys can be recovered with one RevA reader; firmware AND keys require three readers, game over.

If I were testing an iclass access control system, I would do the following:

1. Obtain one legacy iclass card and one iclass SE card (both known to be standard security, NOT Elite).
2. Present each of them to the iclass reader being tested.
3. Note whether one or both cards invoke a reaction from the reader (e.g. beep/blink).

Legacy Reaction   SE Reaction   Vulnerable to attack   Reader Type
     Yes              Yes              Yes             SE+Legacy (denoted by a "T" in the 5th digit of part#)
     Yes              No               Yes             Legacy iClass
     No               Yes              No              iClass SE using "new" keyset 2
     No               No               *Maybe          Legacy or SE reader operating in High Sec/Elite mode

*4. If neither reader invokes a reaction then try the high security key recovery attack described in the "Dismantling iClass" paper to obtain the HS key.
If the key is recoverable then the system is vulnerable to an attack.

Last edited by carl55 (2016-01-26 18:19:12)


#3 2016-01-29 19:58:43

bsmith
Contributor
Registered: 2016-01-12
Posts: 4

Re: Current status of iClass hacking....

Thanks for the very helpful reply. It looks like I'm going down the right path.
