Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia


#1 2015-04-23 00:01:55

et4
Contributor
Registered: 2015-04-22
Posts: 12

Writing an iClass Elite card after decrypting and reading card

Hi,

I've been wondering how to write an iClass card using a custom encryption key. I've read a card's decrypted contents and have the custom key that was used to originally encrypt it.

I've got an Omnikey 5321 which I can use to write standard/global key-encrypted cards but am unsure about custom key/elite. I've also got the pm3.

Many thanks.

Sam.


#2 2015-04-23 04:09:22

roz
Member
Registered: 2015-04-23
Posts: 3

Re: Writing an iClass Elite card after decrypting and reading card

Please refrain from giving such power to anyone visiting the forum.
Even though the information has been available since 2012, I have seen iClass readers (probably elite) on every single door in an international airport. I also had my credit card magnetic strip duplicated when withdrawing money from an ATM in that same international airport... It won't take much for someone to lend his access card to a person with malicious intent. It might only open the broom cupboard but it can also be used to guess other high-priority users' card numbers.
It has been 3 years since the white paper was published and they are still using those shitty readers. It's a shame... But it cannot be our responsibility if something happens. Therefore, I won't comment (with my other account) or help anyone asking for this kind of thing.

You have extracted the key? Good for you! Do the right thing, go tell the facility manager or whoever is in charge. Show them how easy it was.


#3 2015-04-23 04:31:28

et4
Contributor
Registered: 2015-04-22
Posts: 12

Re: Writing an iClass Elite card after decrypting and reading card

Hi Roz,

Thanks for the reply. I do see your point regarding open access to anyone, potentially with malicious intent.

Like security research in general, it can be used for good and bad. For example, when the OpenSSL/Heartbleed vulnerability was discovered, we patched all systems etc., but 2-3 days later saw a massive increase in IDS/IPS events with attempts to take advantage of the vulnerability using freshly programmed exploit kits.

We do a lot of web/(IT)infrastructure testing and security assessments, including a portion of how physical security may influence their risk exposure. At the moment it is limited to who has access rather than the actual access implementation method.

Part of our penetration testing (of IT) is showing evidence in an annex to our report. Moving back into the subject of iClass, it's nigh on useless talking to senior management about handshakes, MACs, CSNs, etc. They want to see the door click open, disproving the security that the manufacturer/integrator has sold them on.

It's like telling them their e-commerce site is easily exploitable to order items without paying, but not being able to show at least a few screenshots of how we got in/manipulated data.

What we do is try to educate our clients about the broad risks that apply to their environment. It's no good having the most secured web portal if anyone can walk in with $300 worth of kit and pull the hard drive (so to speak). Few clients want to pay for a month of sustained social engineering for example, but we include a small portion of it. The idea was to do the same with building access control.

In any case, I appreciate the impressive engineering exercise that has been described in various threads and external sites. If we can't get a full test case then we will have to fall back on a cursory statement about their access control having published weaknesses, without being able to actually execute on it.

Keep up the good (and very interesting) work.

Sam.


#4 2015-04-23 05:34:38

roz
Member
Registered: 2015-04-23
Posts: 3

Re: Writing an iClass Elite card after decrypting and reading card

If you have to ask here how to do it, it means you cannot do it yourself...
Once again, everything has been published since 2012. You had 2 years to do your homework.
For the sake of your clients, it might be better to leave this to a professional. If you have made statements that their stuff has weaknesses without the required factual research, that probably was not a good idea for your company's image.
How do you expect to prove that the new system you want to install/recommend is going to be secure if you cannot even prove the previous one was not?


#5 2015-04-23 05:39:06

roz
Member
Registered: 2015-04-23
Posts: 3

Re: Writing an iClass Elite card after decrypting and reading card

I will be more than happy to help if you want a professional to help you with the "door click open".
Leave your email here, or ask for mine.


#6 2015-04-23 06:05:24

et4
Contributor
Registered: 2015-04-22
Posts: 12

Re: Writing an iClass Elite card after decrypting and reading card

Roz,

Like I mentioned, we do broad assessments. Performing a very deep but narrow investigation of purely access control is not what most clients desire. We are not experts and as such do not implement access control systems. Our focus is IT systems, so if someone can gain access to the server room, that's important to note.

Of course I cannot do it myself. There was a time you couldn't either. I was just looking to the community for information sharing and assistance. In essence, what you are doing here is exactly what got HID in this mess in the first place - security by obscurity. Keeping things secret doesn't help. Look at AES - open as things get and, AFAWK, secure.


#7 2015-04-23 09:59:58

holiman
Contributor
Registered: 2013-05-03
Posts: 566

Re: Writing an iClass Elite card after decrypting and reading card

@et4 - I agree with what you're saying. Hard evidence convinces, whitepapers do not carry the same weight, that's why I've been doing all this work.

Anyway, regarding your question; writing tags is not yet implemented in pm3. If you know how to write data to a tag with omnikey, just encrypt the data first and then write it.

However, two things: when you're doing elite; from what I've seen, elite tags do not use encryption. But that probably varies...?
Second thing; the tag you are now programming into elite mode, you need to program it with the tag-specific diversified key. So, if you have the custom key, you need to calc the div key based on the CSN.

If you do 'hf iclass dump <key> e' against the tag that you want to program the stuff into, proxmark will tell you what the diversified key for that tag should be.


#8 2015-04-25 15:39:25

et4
Contributor
Registered: 2015-04-22
Posts: 12

Re: Writing an iClass Elite card after decrypting and reading card

There are multiple systems in question.

I remember everyone going through all of this back in the WEP days. People accusing others of trying to steal their neighbours' wifi vs. legitimate purposes. Plenty of people were stealing others' wifi, but not everyone.

I agree about the inadvertent publishing though. It was clumsy and whilst I'm juggling multiple pieces of work, alongside this research into additional capability, I was a bit lazy with file management. I put my hand up to that no question.

Happy to defend our position, with appropriate details, over the phone, email or in person.


#9 2015-04-28 15:01:11

Gusto-the-bun
Contributor
Registered: 2015-04-19
Posts: 16

Re: Writing an iClass Elite card after decrypting and reading card

et4 wrote:

There are multiple systems in question.

I remember everyone going through all of this back in the WEP days. People accusing others of trying to steal their neighbours' wifi vs. legitimate purposes. Plenty of people were stealing others' wifi, but not everyone.

I agree about the inadvertent publishing though. It was clumsy and whilst I'm juggling multiple pieces of work, alongside this research into additional capability, I was a bit lazy with file management. I put my hand up to that no question.

Happy to defend our position, with appropriate details, over the phone, email or in person.


Hi et4,
I tried to write to block 3 with the div key but was unsuccessful; can you please guide me through? Thanks, gustothebun@gmail.com


#10 2015-04-28 15:03:42

Gusto-the-bun
Contributor
Registered: 2015-04-19
Posts: 16

Re: Writing an iClass Elite card after decrypting and reading card

holiman wrote:

@et4 - I agree with what you're saying. Hard evidence convinces, whitepapers do not carry the same weight, that's why I've been doing all this work.

Anyway, regarding your question; writing tags is not yet implemented in pm3. If you know how to write data to a tag with omnikey, just encrypt the data first and then write it.

However, two things: when you're doing elite; from what I've seen, elite tags do not use encryption. But that probably varies...?
Second thing; the tag you are now programming into elite mode, you need to program it with the tag-specific diversified key. So, if you have the custom key, you need to calc the div key based on the CSN.

If you do 'hf iclass dump <key> e' against the tag that you want to program the stuff into, proxmark will tell you what the diversified key for that tag should be.

Hi holiman,
What's the command to write iclass block 3? Thank you.
