Current State of HID iClass SE and SEOS Cloning?

Hello,

I’m relatively new to RFID and I’ve been doing a lot of reading online and testing with my pm3 easy. It hasn’t been easy since I’m not very technical, but this has turned into a fun and neat hobby and I’m grateful that there are many fantastic resources (like this forum) for beginners like me.

SOME CONTEXT:

I recently helped my cousin make an extra iClass legacy copy of his condo’s iClass SE fob (they wanted to charge him $150/fob :face_exhaling: so I told him I’d look for cheaper options). Using the PACS data from a cloned legacy fob he got from a store, I made him a copy that luckily worked with his place’s Signo readers.

He then asked me what to do if they stopped working and all I could tell him was that I could try taking a look at them, but there is little I can do if the admin updates the security and disables legacy credentials.

THE PROBLEM:

If the building updates their readers to disable legacy credentials and/or upgrades to SEOS in the future (which from what I’ve read so far is unlikely in most cases), is there anything I can do with the new pm3 iceman firmware (Release v4.21128) to make new clones for him?

ASSUMPTIONS BASED ON MY LIMITED KNOWLEDGE AND TESTING:

  1. His Signo readers are relatively new (model: HID Signo Reader 20)
  2. The readers are probably standard keyed since the iClass legacy clone he got from the store was done in-person
  3. I tried, but can’t access the readers using HID reader manager (auth code required)
  4. Downgrading to LF is not possible since I used an RFID field detector and only the HF LED lit up
  5. Physical tampering with the readers is not an option (don’t want to get arrested LOL)
  6. I have the PACS data (format, FC, & CN) needed to make more copies
  7. If SE is set as the only usable credential on the reader, the SE+SIO authentication would make any clones unusable - since I cannot change the CSN to match the original fob’s
  8. The current transmission protocol is Wiegand (since the clones worked)
  9. If they change it from Wiegand to OSDP (secure channel enabled), the clones will stop working (unlikely due to the cost to re-do the wiring and re-programming?)
  10. iClass SE can’t be cloned to a new fob/card since the standard keys and KDF have not been leaked (yet)
  11. SEOS can’t be cloned to a new fob/card since the standard keys haven’t been leaked (yet)
    • I watched iceman’s SEOS open-source implementation video (https://www.youtube.com/watch?v=mnhGx1i6x08), but I had a hard time understanding if and how I can write the known PACS data onto a blank SEOS card or fob using the newly released firmware
  12. If for whatever reason, the PACS data changes (e.g. via CN offset), I would need access to a HID SAM (e.g. via omnikey reader) to get the new PACS data

SOLUTIONS TO SCENARIOS?

Scenario 1: Disabled legacy credentials on reader, SE+SIO authentication over Wiegand only

Since the standard keys and KDF have not been leaked yet, there is nothing I can do and the clones will stop working, right? Even theoretically assuming I can get a pre-owned encoder like the “HID iCLASS SE CP1000 Encoder” with usable iClass SE encoding credits; even if I encoded a new iClass SE fob with the known PACS data, it wouldn’t work since the SE+SIO authentication is partly derived from the CSN (which is locked at the factory).

But, if the standard keys and KDF are leaked in the future (and the iceman firmware is updated to support read, write, decrypt, etc.), would the pm3 be able to encode iClass SE fobs that would pass a SE+SIO authentication over Wiegand?

Scenario 2: They upgrade everyone to SEOS fobs, but still use Wiegand

From what I’ve read so far, these kinds of upgrades are unlikely (especially for a residential building, unless for like a security upgrade?), but I am curious what I could do here since I don’t know much about SEOS.

So with the new iceman firmware (Release v4.21128), there is added support for SEOS write and SEOS sim. I spent some time reading the help menus and examples in proxspace, but can’t get my head wrapped around how I’d go about using the write and sim functions. I was thinking of getting an SEOS card to play around with, but I don’t have a reader I can test it with.

So assuming I had an SEOS card, what would I need to do to encode the known PACS data onto another SEOS fob/card? Would I need to use a HID SAM to get the PACS data again (since it’s no longer picopass, but a javacard, even if they keep the PACS data the same)?

Also, as mentioned above, I watched the video on how they came up with the open-source implementation, but does that mean they’ve reverse-engineered the whole protocol (i.e. we now know the standard keys, KDF, auth keys, etc.)? Since SEOS also uses SIO (and we can’t change the CSN), would clones fail to work even if we have all standard keys, KDF, auth keys, etc.?

Hope this isn’t too much for a first post. Will work on formatting this so it’s easier to read. Thanks in advance for any insight, corrections, and thoughts on this.

I don’t think that’s necessarily true, I’m pretty sure OSDP only changes the communication between the reader/controller, not the reader/credential, the same credential should be compatible with both systems?

If you can get the PACS payload data and encode it onto the new card as an SIO that is valid with the new card’s UID, and uses the same key as the system, it should still work with the system, even though it’s a different SIO (I think).
The reader just decodes the SIO and sends the output down the wire, it doesn’t know or care whether the data’s valid. Similarly, the controller only looks at the decoded credential, it doesn’t know or care what the SIO was.

I’ve never used HID’s encoders, so whether that’s actually possible for an end user to do, I dunno.


As far as I know (which isn’t particularly far), there’s still no publicly available method for cloning/re-encoding SE or SEOS credentials without using HID’s official options, whatever they may be.

1 Like
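An added illustration of the point above that the controller only ever sees decoded PACS data (my example, not code from any poster or from the Proxmark3 project): a 26-bit H10301 Wiegand frame carries only an 8-bit facility code, a 16-bit card number and two parity bits, so nothing downstream of the reader reveals whether a legacy picopass or an SE/SIO credential produced it. The FC/CN values used are constructed, not a real credential.

```python
# Added example: 26-bit H10301 Wiegand frame as seen on the reader-to-controller wire.
# Layout: [even parity] [8-bit FC] [16-bit CN] [odd parity]
#   leading bit  = even parity over the first 12 data bits
#   trailing bit = odd parity over the last 12 data bits

def h10301_encode(fc: int, cn: int) -> str:
    """Build the 26-bit frame as a '0'/'1' string from facility code and card number."""
    if not (0 <= fc <= 0xFF and 0 <= cn <= 0xFFFF):
        raise ValueError("FC must fit in 8 bits and CN in 16 bits")
    data = f"{fc:08b}{cn:016b}"
    even = str(data[:12].count("1") % 2)      # even parity: make first-half ones count even
    odd = str(1 - data[12:].count("1") % 2)   # odd parity: make second-half ones count odd
    return even + data + odd


def h10301_decode(frame: str) -> tuple[int, int]:
    """Recover (FC, CN) from a frame; reject wrong length, non-binary digits or bad parity."""
    if len(frame) != 26 or set(frame) - {"0", "1"}:
        raise ValueError("expected 26 binary digits")
    data = frame[1:25]
    if int(frame[0]) != data[:12].count("1") % 2:
        raise ValueError("leading (even) parity mismatch")
    if int(frame[25]) != 1 - data[12:].count("1") % 2:
        raise ValueError("trailing (odd) parity mismatch")
    return int(data[:8], 2), int(data[8:], 2)


def is_valid_frame(frame: str) -> bool:
    """True when the frame passes the length and parity checks a controller applies."""
    try:
        h10301_decode(frame)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed PACS data (FC 123 / CN 45678); not taken from any real fob.
    frame = h10301_encode(123, 45678)
    print("frame:", frame)                     # 26 bits, nothing about the credential type
    print("controller sees (FC, CN):", h10301_decode(frame))
    # A single flipped data bit (bit 5 here) is caught by the parity check.
    tampered = frame[:5] + ("1" if frame[5] == "0" else "0") + frame[6:]
    print("tampered frame accepted:", is_valid_frame(tampered))
```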

This is correct. HID’s encryption is TIGHT with SE and SEOS. If the downgrade-attack creds no longer work, I suspect that your cousin is SOL.

In my experience (which is limited), upgrades go slow. It takes time and money to fully replace everyone’s key cards, confirm they work, take back the old ones, etc. This is why so many places still use ProxPass or other T5577-replicatable LF standards. Even though they’ve been cracked, knowing how to crack them is a niche thing that you still need a pm3 or other device and the computer know-how.

I’ve seen a handful of these around. They seem to support the standard iClass DP/DY cards we’ve seen that can have both legacy and SE/SEOS blocks on them.

This is one of those things that I suspect will not be leaked for a long time. Figuring out how to even do the downgrade attack took a long time and a lot of resources. Long time ≠ never, though.

… maybe? You’re also assuming that the encoding credits are going to be findable - I suspect finding those will be part of the battle. There are some snooping/MITM attacks that look promising, but I haven’t had much luck with them.

3 Likes