The HID iClass line of proximity cards and readers is a widely deployed RFID system that's been poked full of holes by security researchers. The system boasts a higher level of security through encryption and mutual authentication. But neither of these defenses means much when the master authentication key used by every standard iClass reader is retrievable by a moderately technical individual.

The authentication key is highly sensitive, as it allows one to read decrypted card content and also overwrite card content. This effectively means that an attacker in possession of the authentication key is capable of cloning HID iClass cards and changing configuration settings on the physical reader itself.

The original approach for gaining the HID master key was disclosed in a paper entitled "Heart of Darkness - exploring the uncharted backwaters of HID iCLASS™ security". This method takes advantage of a vulnerability in a specific line of readers released by HID which exposes 6 debug pins on the rear of the reader. The Heart of Darkness approach entails leveraging those debug pins to modify the on-board firmware of two vulnerable readers. By modifying the firmware, the readers each dump one half of the complete firmware image. The two halves can be stitched together to create a full firmware image, which can be used to re-flash the two sacrificial readers.

The most commonly exploited reader is the HID RW300 Rev A, but you can use an RW300, RW400, RWK400, R30, R40, or RK40. The only caveat is that it must be Revision A. These are fairly hard to come by, but if you monitor eBay or keep a watchful eye on Google, you could get lucky. If you want to replicate the Heart of Darkness method, you will be looking for two of these model numbers:

In addition, there exists an alternative technique pioneered by and Brad Antoniewicz which dumps the memory of only one reader. While this technique seems much easier and less expensive, it's been very difficult to replicate by myself and others.

But if you want to avoid buying a vulnerable reader altogether, I'll be outlining a technique for reverse engineering the master keys from released software, and also reading and writing HID iClass cards without needing the master key.

At some point, I received a copy of Chinese software used to clone iClass cards after gaining the master key in a more conventional way. Despite already having the master key, this application presented an interesting challenge.

For one thing, the application could only be run if the manufacturer-provided USB dongle was attached to the computer. Not only is this annoying, but it also adds to the suspiciousness of the software. Unfortunately, I don't have a picture of the dongle and no longer have it in my possession, but it was a rather suspicious-looking PCB encased in blue translucent plastic. It emulated an HID device of some kind, which also added to its suspiciousness.

Obviously, it would be prudent to run the software in a virtual machine (VM) in order to limit the impact it could have on your system. But you'll soon discover that the first hurdle to bypass is the virtual machine detection used in the application. Many applications that wish to resist the efforts of a reverse engineer will attempt to detect if they are currently running in a virtual machine. Oftentimes this is done by detecting features of a VM. In this case, one can disable querying the VMware Tools version by adding the following line to the virtual machine's vmx file:

This breaks most if not all of the functionality of VMware Tools, so there's likely not much difference between uninstalling it and adding the config value. It's also likely that the application did not detect VirtualBox's Guest Additions, but this is untested. Once the application ran in the VM, we could use USB passthrough to connect the USB dongle to the VM and utilize the program's functionality.