Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia


#1 2012-03-23 22:53:00

rule
Member
Registered: 2008-05-21
Posts: 417

Cryptographic weaknesses in iClass security and PicoPass security

The article Dismantling iClass and iClass Elite shows several cryptographic weaknesses in the design and implementation of HID Global iClass and Inside Secure PicoPass.

These are examples of products that are being sold with labels like 'proprietary cryptography' and 'security by obscurity'. Companies hope to gain more confidence from their customers when they keep their 'intellectual property' hidden. The lack of public scrutiny in the development of cryptographic algorithms and authentication protocols is an endless recurring mistake. This is not only proven by several bad ciphers which are broken (A5/1, A5/2, DECT, GMR-1, GMR-2, MIFARE, CryptoMemory, Hitag2, DST, Keeloq, E0, CCS, ...) but also confirmed by peer-reviewed cryptographic ciphers that resist (practical) attacks for decades now (DES, 3DES, AES, ...).

It is disappointing to see companies still follow principles such as 'security by obscurity'. This only withholds their mistakes from public disclosure and makes it impossible for their customers to assess the real risk they are exposed to. However, bad guys who are willing to invest some time in reverse-engineering such algorithms have much more (security related) product insight than the paying customer. Information which could lead to serious exploits that attack (obvious) vulnerabilities at unaware customers.


#2 2012-03-26 13:46:57

vivat
Contributor
Registered: 2010-10-26
Posts: 332

Re: Cryptographic weaknesses in iClass security and PicoPass security

Nice work, guys.
iClass is an ISO15693-compatible tag, so is it possible to "erase" and change block 0, where the tag UID is stored (as shown in pages 4-5)? My goal is to get an ISO15693 "changeable UID" tag.
Sorry for the dumb question, I don't have any iClass reader/tag and haven't read any datasheet.


#3 2012-03-26 15:08:32

rule
Member
Registered: 2008-05-21
Posts: 417

Re: Cryptographic weaknesses in iClass security and PicoPass security

Hey Vivat,

Thanks for your comments.

A quick answer to your question would be 'no, it is not possible to change the UID'. However, it is pretty easy to simulate an ISO/IEC 15693 tag with the Proxmark. I think there is already some initial support in the firmware available. Note that the iClass cards use a proprietary anti-collision protocol. Although they can be configured to be compliant with ISO/IEC 14443 or ISO/IEC 15693, they are not by default.

More information about iClass / PicoPass tags is in the datasheet.

Cheers,

  Roel
