How Hackers Extracted the ‘Keys to the Kingdom’ to Clone HID Keycards


HID Global’s keycards—the company’s radio-frequency-enabled plastic rectangles that are inside hundreds of millions of pockets and purses—serve as the front line of physical security for hundreds of companies and government agencies. They can also be spoofed, it turns out, by any hacker clever enough to read one of those cards with a hidden device that brushes within about a foot of it, obtain an HID encoder device, and use it to write the stolen data to a new card.

Now a team of security researchers is about to reveal how one of HID’s crucial protections against that cloning technique—secret cryptographic keys stored inside its encoders—has been defeated, significantly lowering the barrier to copying credentials that let intruders impersonate staff and unlock secure areas worldwide.

At the Defcon hacker conference later today, those researchers plan to present a technique that allowed them to pull authentication keys out of the most protected portion of the memory of HID encoders, the company’s devices used for programming the keycards used in customer installations. Instead of requiring that an intruder get access to an HID encoder, whose sale the company attempts to restrict to known customers, the method the researchers plan to show on the Defcon stage now potentially allows HID’s secret keys to be pulled out of any encoder, shared among hackers, and even sold or leaked over the internet, then used to clone devices with any off-the-shelf RFID encoder tool.


“Once the chain of custody is broken, the vendor no longer has control over who has the keys and how they’re used,” says Babak Javadi, cofounder of the security firm the CORE Group and one of the four independent researchers who found the new HID hacking technique. “And that control is what all the security depends on.”

[Photo] The team of security researchers presenting HID’s vulnerabilities at Defcon: (from left) Kate Gray, Babak Javadi, Aaron Levy and Nick Draffen. Photograph: Roger Kisby

The researchers’ method, presented publicly for the first time at Defcon, mostly affects the majority of HID’s customers with lower-security installations of its products, and it isn’t exactly easy to pull off. HID also says it’s been aware of the technique since sometime last year and that it’s quietly worked with many of its customers to help them protect themselves against the cloning technique over the last seven months. But the possibility of extracting and leaking HID’s keys considerably raises the risk that hackers—now even those without HID encoders—will be able to surreptitiously scan and copy keycards, says Adam Laurie, a longtime physical security researcher and head of product security at electric-vehicle-charging firm Alpitronic, whom the Defcon speakers briefed on their research ahead of their talk. “If you get that crypto key out of the encoder, then you can derive any component of the system from it,” Laurie says. “It is literally the keys to the kingdom.”

The researchers’ technique extracts HID’s crucial authentication key out of an HID encoder’s Secure Application Module (SAM)—the most protected element of the encoder’s memory—by reverse engineering the software that controls how an encoder interacts with a so-called “configuration” keycard. Those configuration cards are how HID and its customers move authentication keys between elements of the system, such as from encoders to the readers on doors and gates. Javadi uses the analogy of an armored car designated to pick up bags of cash from a bank’s vault. “As it turns out, we found a way to fool the bank manager and fabricate the transfer orders that would allow that key transfer to take place,” says Javadi. “We basically took our own armored car—our own configuration card—to the vault, and it gave us the keys.”

[Photo] (From left) An HID keycard, reader, encoder and configuration card. Photograph: Roger Kisby

Compared with that key extraction, the earlier step in an HID cloning attack, in which a hacker covertly reads a target keycard to copy its data, isn’t particularly challenging, Javadi says. Javadi, who often performs physical penetration testing for clients, says he’s cloned HID keycards to surreptitiously break into customers’ facilities, scanning the keycard of unsuspecting staffers with an HID reader hidden in a briefcase with the device’s audible beep switched off for added stealth. “It takes a fraction of a second,” Javadi says.

An HID reader capable of pulling data off a keycard from 6 to 12 inches away is relatively large: a 1-foot-square panel. But in addition to hiding it in a briefcase, Javadi has also tested out secreting the reader inside a backpack or a pizza box to silently read a target’s keycards. His team even hid one in a paper toilet seat cover dispenser to read the keycard of employees inside a bathroom stall. “We’ve gotten creative with it,” he says.

[Photo] The researchers have demonstrated it’s possible to extract HID’s sensitive keys by plugging an encoder into a PC running their software, which instructs the encoder to transfer the authentication keys from the encoder to a configuration card without encrypting them. A “sniffer” device that sits between the encoder and configuration card reads the keys, as shown here. Photograph: Roger Kisby

A Complex Fix in Progress

When WIRED reached out to HID, the company responded in a statement that it’s actually known about the vulnerabilities Javadi’s team plans to present since sometime in 2023, when it was first informed about the technique by another security researcher whom HID declines to name. While details of the researchers’ key extraction technique will be presented publicly for the first time at Defcon, HID warned customers about the existence of a vulnerability that would allow hackers to clone keycards in an advisory in January, which includes recommendations about how customers can protect themselves—but it offered no software update at that time.

HID has since developed and released software patches for its systems that fix the problem, it says, including a new one that it intends to release “very soon” following the Defcon presentation. The company declined to detail what exactly this latest patch is for or why it was necessary after its previously released software updates, but stated that its timing is unrelated to the researchers’ Defcon talk. “Once available, we recommend that customers implement these new steps as soon as they are able,” HID’s statement reads.

HID and the team of researchers who found its vulnerabilities both say that the cloning technique works most practically against the majority of HID’s customers, who use so-called “standard” or “shared key” implementations of its systems. In those installations, a single set of keys extracted from an encoder could be used to clone keycards for hundreds of customers. So-called “elite” or “custom key” customers, on the other hand, use a unique key for their installation, so hackers would need to obtain an encoder or extract an encoder’s keys for that specific customer, a far more difficult prospect.

[Photo] A trash bin of all the HID readers the researchers destroyed in the process of developing their technique. Photograph: Roger Kisby

The team presenting at Defcon say that they also found a method to convert an HID reader taken from a customer into an encoder, which would allow cloning of keycards that use those custom keys, too. But that method requires removing the reader from the wall of a customer’s building, vastly raising any intruder’s risk of being caught or foiled. As such, HID recommends that customers switch to that higher security—and more expensive—custom key implementation.

HID also points out that for many customers, stolen keycard data would only allow cloning if it’s written to valid HID keycards. (“HID keycards are not hard to come by,” Javadi notes.) But that safeguard doesn’t apply to a common situation in which HID customers’ readers are configured to allow for the use of older keycard technologies. So HID recommends that customers also update their cards and disallow the use of older card types in their facilities.

Finally, HID says that “to its knowledge,” none of its encoder keys have leaked or been distributed publicly, and “none of these issues have been exploited at customer locations and the security of our customers has not been compromised.”

Javadi counters that there’s no real way to know who might have secretly extracted HID’s keys, now that their method is known to be possible. “There are a lot of smart people in the world,” Javadi says. “It’s unrealistic to think we’re the only people out there who could do this.”

Despite HID’s public advisory more than seven months ago and the software updates it released to fix the key-extraction problem, Javadi says most of the clients whose systems he’s tested in his work don’t appear to have implemented those fixes. In fact, the effects of the key extraction technique may persist until HID’s encoders, readers, and hundreds of millions of keycards are reprogrammed or replaced worldwide.

Time to Change the Locks

To develop their technique for extracting the HID encoders’ keys, the researchers began by deconstructing the hardware: They used an ultrasonic knife to cut away a layer of epoxy on the back of an HID reader, then heated the reader to desolder and pull off its protected SAM chip. Then they put that chip into their own socket to watch its communications with a reader. The SAMs in HID’s readers and encoders are similar enough that this let them reverse engineer the SAM’s commands inside encoders, too.

Ultimately, that hardware hacking allowed them to develop a much cleaner, wireless version of their attack: They wrote their own program to tell an encoder to send its SAM’s secrets to a configuration card without encrypting that sensitive data—while an RFID “sniffer” device sat between the encoder and the card, reading HID’s keys in transit.

HID systems and other forms of RFID keycard authentication have, in fact, been cracked repeatedly, in various ways, in recent decades. But vulnerabilities like the ones set to be presented at Defcon may be particularly tough to fully protect against. “We crack it, they fix it. We crack it, they fix it,” says Michael Glasser, a security researcher and the founder of Glasser Security Group, who has discovered vulnerabilities in access control systems since as early as 2003. “But if your fix requires you to replace or reprogram every reader and every card, that’s very different from a normal software patch.”

On the other hand, Glasser notes that preventing keycard cloning represents just one layer of security among many for any high-security facility—and practically speaking, most low-security facilities offer far easier ways to get in, such as asking an employee to hold a door open for you while you have your hands full. “Nobody says no to the guy holding two boxes of donuts and a box of coffee,” Glasser says.

Javadi says the goal of their Defcon talk wasn’t to suggest that HID’s systems are particularly vulnerable—in fact, they say they focused their years of research on HID specifically because of the challenge of cracking its relatively secure products—but rather to emphasize that no one should depend on any single technology for their physical security.

Now that they have made clear that HID’s keys to the kingdom can be extracted, however, the company and its customers may nonetheless face a long and complicated process of securing those keys again. “Now customers and HID have to claw back control—and change the locks, so to speak,” Javadi says. “Changing the locks is possible. But it’s going to be a lot of work.”

Originally published by WIRED: How Hackers Extracted the ‘Keys to the Kingdom’ to Clone HID Keycards

Copyright notice: posted by admin on August 21, 2024, at 9:23 PM.