HID “Keys to the kingdom” exposed at DEFCON 32

August 21, 2024 – From the desk of Andrew Mahon

At the recent DEFCON 32 convention in Las Vegas, an interesting presentation (High Intensity Deconstruction: Chronicles of a Cryptographic Heist) was made outlining an approach to “stealing” the keys from certain HID encoders for the iCLASS SE platform. While much of the talk goes way over my head, it seems like the standard keys for iCLASS SE & SEOS are vulnerable to the approach outlined.
 
While the impact to most should be small, and HID had added iCLASS SE to its legacy product range some time ago, this should serve as a timely reminder of the importance of using high assurance credentials (PIV/CAC/TWIC) in your high security areas. FIPS 201 credentials offer a higher level of security when utilizing the PKI built into the platform and supported hardware & software that ensure the credentials are not cloned (or tampered with) and have not been revoked by the issuing agency.
 
Below are two articles with more details:


About Identity One

Identity One builds on the FIPS 201 standard, creating innovative next-generation registration, validation, issuance, visitor management, visitor PIV card and derived credentials for CAC, PIV and TWIC. Identity One’s solutions serve physical access, logical access for TWIC compliance, US Federal Government Security and US Armed Forces Security. We issue, register and verify identities for frictionless access and integration everywhere, protect identities from being impersonated, and secure intellectual property. We digitally verify identities for the physical and logical world. Identity One software and services are BAA (Buy American Act) compliant and TAA (Trade Agreements Act) compliant. Identity One is headquartered in Atlanta, Georgia, USA and all our products are proudly made in the USA.