[DefCon32] DEF CON 32: Hi-Intensity Deconstruction – Chronicles of a Cryptographic Heist
Javadi, Levy, and Draffe, a trio of security researchers, presented a groundbreaking study at DEF CON 32, unraveling vulnerabilities in HID Global’s iCLASS SE platform, a widely deployed electronic physical access control system. Over seven years, they reverse-engineered its complex chain of trust, uncovering flaws that enabled the recovery of cryptographic keys from CC EAL 5+ accredited secure elements. Their talk detailed the attack chain and provided practical mitigations for organizations relying on iCLASS SE.
Reverse-Engineering iCLASS SE
Javadi opened by contextualizing the ubiquity of HID’s iCLASS SE readers in government agencies and Fortune 500 companies. The team’s seven-year journey involved analyzing hardware, firmware, and software components to understand the platform’s security architecture. They discovered a series of implementation defects that compromised the system’s cryptographic integrity, challenging the notion that iCLASS SE was among the most secure access control solutions available.
Uncovering Cryptographic Flaws
Levy detailed the attack chain, which exploited pitfalls in the iCLASS SE’s secure elements. By targeting weaknesses in the hardware and software trust chain, they recovered sensitive cryptographic key material, effectively accessing the “keys to the kingdom.” Their approach combined advanced reverse-engineering techniques with exploitation of interoperability issues, particularly those tied to legacy Wiegand protocols, which undermined the platform’s security.
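To make the Wiegand point concrete, here is an added example (the editor's own illustration, not code from the talk or from HID) that encodes and decodes the common 26-bit Wiegand frame used between a reader and a door controller. The only integrity check the format carries is two parity bits; there is no key, authenticator, or encrypted field in the frame at all, which is why a cryptographically strong card-to-reader exchange gains nothing from this legacy link. The facility code and card number used below are constructed sample values.

```python
"""Encode, decode and validate 26-bit Wiegand frames (the 1+8+16+1 layout).

Layout (1-based bit positions, as usually documented):
  bit 1      even parity over bits 2..13
  bits 2..9  8-bit facility code
  bits 10..25 16-bit card number
  bit 26     odd parity over bits 14..25
"""
from dataclasses import dataclass


@dataclass
class WiegandCard:
    facility_code: int
    card_number: int


def encode_wiegand26(facility_code: int, card_number: int) -> str:
    """Build a 26-bit frame as a string of '0'/'1' characters."""
    if not 0 <= facility_code <= 0xFF:
        raise ValueError("facility code must fit in 8 bits")
    if not 0 <= card_number <= 0xFFFF:
        raise ValueError("card number must fit in 16 bits")
    data = f"{facility_code:08b}{card_number:016b}"  # 24 data bits
    # Leading bit makes the first 12 data bits even; trailing bit makes
    # the last 12 data bits odd.  That is the entire integrity mechanism.
    lead = str(data[:12].count("1") % 2)
    trail = str((data[12:].count("1") + 1) % 2)
    return lead + data + trail


def decode_wiegand26(bits: str) -> WiegandCard:
    """Validate parity and extract the facility code and card number."""
    if len(bits) != 26 or any(c not in "01" for c in bits):
        raise ValueError("expected exactly 26 bits of '0'/'1'")
    b = [int(c) for c in bits]
    if sum(b[0:13]) % 2 != 0:
        raise ValueError("leading even-parity check failed")
    if sum(b[13:26]) % 2 != 1:
        raise ValueError("trailing odd-parity check failed")
    # Nothing below involves a key: whoever can put a well-formed frame on
    # the wire is indistinguishable from the reader.
    return WiegandCard(int(bits[1:9], 2), int(bits[9:25], 2))


def is_valid_frame(bits: str) -> bool:
    """True if the frame has the right length and both parity bits check."""
    try:
        decode_wiegand26(bits)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample credential: facility code 123, card number 45678.
    frame = encode_wiegand26(123, 45678)
    print(frame, decode_wiegand26(frame))
    # A single flipped bit fails parity; a freshly encoded frame for any
    # other card number is accepted just as readily as the genuine one.
    print(is_valid_frame("0" + frame[1:]), is_valid_frame(encode_wiegand26(123, 1)))
```

The decoder accepts any frame whose two parity bits check, so a controller fed over a plain Wiegand line cannot tell a frame that originated from a genuine card read from one that did not; the card-side key material the talk's mitigations focus on never reaches this segment of the chain.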
Operational Implications and Risks
Draffe explored the real-world implications, noting that organizations using standard keys face moderate risk, and that exploiting these flaws requires significant skill, placing them within reach of advanced threat actors. The vulnerabilities allow unauthorized access to physical systems, posing threats to high-security environments. The team’s findings underscore the dangers of relying on outdated protocols and the need for robust risk mitigation strategies to protect critical infrastructure.
Mitigating and Upgrading Security
Concluding, Javadi offered comprehensive guidance, recommending users transition to custom keys like HID’s Elite keys, which the vendor is offering fee-free for the first year. For advanced users, upgrading to the latest hardware and engaging with integrators to assess risks is critical. The researchers emphasized building security like an “onion” with layered defenses, urging organizations to work closely with HID to implement practical mitigations and enhance system resilience.