Research, development and trades concerning the powerful Proxmark3 device.
Remember; sharing is caring. Bring something back to the community.
"Learn the tools of the trade the hard way." +Fravia
Not directly related, but has anyone tried to look at OSDP traffic and hack on the protocol? There are some interesting exploits and the encryption is... :-( Getting the conversation started!
Offline
there are some interesting exploits
?? care to share some information or links to source for that?
Offline
Don't have links but one interesting thing... the BUSY signal from the PD (reader) can be sent unencrypted back to the panel even if secure channel is enabled. With the current specification, the BUSY signal can be sent unencrypted indefinitely, making the ACU (panel) think that nothing at all is wrong. It's a way to respond to a poll that was sent over secure channel without responding with a secure response. Additionally, some manufacturers' devices (Cypress-based) can be reset from the bus, making the reader jump back to RS485 address 0 with secure channel disabled and reset to the default base key. This reset process is also accepted unencrypted. A perfect way to inject a man-in-the-middle attack to scan swipes without the panel knowing about it, with a very simple circuit just added to the bus. There's more...
Last edited by hkplus (2021-10-02 18:39:22)
Offline
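As an added illustration of the detection side of what hkplus describes above (this is not code from the thread, from the Proxmark3 project, or from any OSDP implementation): a small passive bus monitor that parses OSDP frames from a capture and flags any PD reply that arrives without a secure security block once the panel has started sending secured commands to that address. It flags osdp_BUSY exactly like any other plaintext reply, which is the gap the post points at. The frame layout and constants used here (SOM 0x53, the CRC and SCB bits in CTRL, SCS types 0x15 to 0x18, BUSY 0x79, CRC-16 with polynomial 0x1021 and initial value 0x1D0F) are assumptions drawn from the public OSDP framing and should be checked against the current spec; the capture is constructed, with zero bytes standing in where a real session would carry ciphertext and MACs. A monitor without the session keys cannot verify those MACs, so the check is purely structural: was a security block present at all.

```python
# Passive OSDP bus audit: flag plaintext PD replies once a secure channel is in use.
# Added example. Frame layout and constants are assumptions based on the public
# OSDP framing, not taken from the thread or any vendor code; verify against the spec.
from dataclasses import dataclass
from typing import List, Optional

SOM = 0x53            # start-of-message byte
CTRL_CRC = 0x04       # CTRL bit: frame ends in CRC-16 rather than a 1-byte checksum
CTRL_SCB = 0x08       # CTRL bit: a security control block (SCB) follows CTRL
CMD_POLL = 0x60
REPLY_ACK = 0x40
REPLY_BUSY = 0x79
SECURE_CMD_SCS = {0x15, 0x17}    # command with MAC (0x15 also encrypted)
SECURE_REPLY_SCS = {0x16, 0x18}  # reply with MAC (0x16 also encrypted)


def crc16_osdp(data: bytes) -> int:
    """CRC-16, polynomial 0x1021, initial value 0x1D0F (assumed OSDP parameters)."""
    crc = 0x1D0F
    for b in data:
        crc ^= b << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    return crc


def build_frame(addr: int, seq: int, code: int, payload: bytes = b"",
                scs: Optional[int] = None) -> bytes:
    """Assemble one frame; used here only to construct the sample capture."""
    ctrl = (seq & 0x03) | CTRL_CRC | (CTRL_SCB if scs is not None else 0)
    scb = bytes([2, scs]) if scs is not None else b""   # SCB = length byte + SCS type
    body = bytes([code]) + payload
    length = 5 + len(scb) + len(body) + 2                # header(5) .. CRC(2)
    head = bytes([SOM, addr, length & 0xFF, length >> 8, ctrl]) + scb + body
    return head + crc16_osdp(head).to_bytes(2, "little")


@dataclass
class Frame:
    addr: int           # 7-bit device address
    is_reply: bool      # bit 7 of the address byte is set on PD -> CP replies
    seq: int
    scs: Optional[int]  # SCS type from the security block, None if absent
    code: int           # command or reply code
    payload: bytes


def parse_frame(raw: bytes) -> Frame:
    if len(raw) < 7 or raw[0] != SOM:
        raise ValueError("not an OSDP frame")
    length = raw[2] | (raw[3] << 8)
    if length != len(raw):
        raise ValueError("length field does not match frame size")
    ctrl = raw[4]
    if not ctrl & CTRL_CRC:
        raise ValueError("checksum-mode frames not handled by this example")
    if crc16_osdp(raw[:-2]) != int.from_bytes(raw[-2:], "little"):
        raise ValueError("CRC mismatch")
    pos, scs = 5, None
    if ctrl & CTRL_SCB:
        scs = raw[pos + 1]
        pos += raw[pos]             # skip the whole security block
    return Frame(raw[1] & 0x7F, bool(raw[1] & 0x80), ctrl & 0x03,
                 scs, raw[pos], raw[pos + 1:-2])


def audit_bus(capture: List[bytes]) -> List[str]:
    """One finding per PD reply without a secure SCB, for any address the CP
    has already sent secured commands to. osdp_BUSY is not exempted."""
    secured = set()
    findings = []
    for i, raw in enumerate(capture):
        f = parse_frame(raw)
        if not f.is_reply:
            if f.scs in SECURE_CMD_SCS:
                secured.add(f.addr)
            continue
        if f.addr in secured and f.scs not in SECURE_REPLY_SCS:
            name = "BUSY" if f.code == REPLY_BUSY else f"0x{f.code:02X}"
            findings.append(f"frame {i}: plaintext {name} reply from PD {f.addr} "
                            f"although the CP is using the secure channel with it")
    return findings


FAKE_MAC = bytes(4)   # placeholder for the 4-byte MAC a real secured frame carries

# Constructed capture: PD 1 is in a secure session, PD 2 never was.
SAMPLE_CAPTURE = [
    build_frame(0x01, 0, CMD_POLL, FAKE_MAC, scs=0x15),   # CP -> PD1, secured poll
    build_frame(0x81, 0, REPLY_ACK, FAKE_MAC, scs=0x16),  # PD1 -> CP, secured ACK
    build_frame(0x01, 1, CMD_POLL, FAKE_MAC, scs=0x15),   # CP -> PD1, secured poll
    build_frame(0x81, 1, REPLY_BUSY),                     # PD1 -> CP, plaintext BUSY
    build_frame(0x02, 0, CMD_POLL),                       # CP -> PD2, plaintext poll
    build_frame(0x82, 0, REPLY_ACK),                      # PD2 -> CP, plaintext ACK
]

if __name__ == "__main__":
    for line in audit_bus(SAMPLE_CAPTURE):
        print(line)
```

Run against the constructed capture it reports only frame 3, the plaintext BUSY from PD 1; PD 2's plaintext ACK is not reported because the panel never opened a secure channel with that address. On a real RS485 tap the same logic would be fed from a serial reader instead of the list, and the "secured" set would be the place to add a second rule for the other case in the post, a device that was in a session and suddenly answers from a different address.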
Iceman, I need a favor... I could not find the bit and parity structure of the HID Corp 1000 48-bit format with a search... do you have this offhand? Also looking for how to generate the checksum of Securikey, but I don't think anyone but the manufacturer knows that calculation. I am sure I can find the Corp 1000 48-bit format someplace...
Last edited by hkplus (2021-10-02 18:37:45)
Offline