XACv2 security flaw

So I spoke with Amal on this first and he wanted me to make a post

I am not going to talk about what tool was used, nor am I going to reveal what the token is
( if I can figure it out, others smarter than me can, but please don’t make it plainly viewable to the rest of the internet here, keep it discreet in case there’s a way to fix)

The xACv2 appears to have a PREloaded em4100 tag in its memory that will trigger it…

I do not believe I added this tag to any of my boards, I have tried the standard remove tag action and it remains an active tag on the board

The UID is very low security, so if an xACv2 is in a secure system be aware

I can’t make the claim at this time that all boards are affected, I hope maybe I did something to them, but it doesn’t appear to be the case

I hope it can be patched or that tag removed from memory… but it’s above my skill level

If you are a seasoned member of the board, PM me if you want specific details… I’ll share with you to try and have a larger sample size and try and rule myself out and/or see if you can help remedy it

I just attempted the “clear all cards” command. Immediately after that, I was able to use the UID in question to open it

6 Likes

do you know the UID? add it to the fuzzer lol

Someone with a xACv2 should contact you and test it. Pls. see below

Btw I really like this issue :slight_smile:
Nice catch!
Backdoored access control hardware :’)

1 Like

I have tested it on 2/3 boards I own, using multiple forms of emulation and written to a card

2 Likes

No promises, but @darthdomo and I are chatting about possible fix maybe…

Will require a lot of smart work on Darth’s end, and some low intelligence possibly repetitive work on my end lol :sweat_smile:

@amal
Can you verify if you know for sure it only has 50 user capacity?

I know of a different (more Chinese) listing that lists it at 2000 users,

I’m more inclined to believe DT, but never know

3 Likes

we have not independently verified :frowning:

I’m speaking to the vendor about it now and we’ll see if we can resolve this security issue for the next batch.

5 Likes

I wasn’t able to get around to trying the basic fix last night

One other user has confirmed that UID opens his board as well :-/

I’m going to try to keep it vague enough that random non-users who visit the board can’t just copy-paste the UID, but if you know what’s going on it’s pretty simple to piece together

From chatting with @darthdomo, he was thinking it could be an issue where the empty users are considered real instead of empty

His thought was to try to fill all the user slots and see if it persists

This is where the 50/2000 user slots is going to matter a lot lol

The Flipper has a tool I believe I can use to have it emulate a list of UIDs with a set time delay between them, I just need to sit down and make a .txt with the right info

The order should be something like

“Master add tag”
Random uid 1
“Master add tag”
“Master add tag”
Random uid 2
“Master add tag”
Etc

Alternatively, I don’t know if the board allows you to add more than one uid at a time…
If it works this might be even easier

“Master add tag”
Random uid 1
Random uid 2
Random uid 3
Random uid 4
“Master add tag”

Trying to decide if it’s more secure to have 50 purely random uids, or a uid that’s random and 50 variations of it…. Probably the former since it’s more work :sweat_smile:

2 Likes
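As an added example (not code from this thread, from DT, or from the Flipper project), a Python sketch of why an EM4100 UID is “very low security” and a generator for the slot-filling workaround discussed above: the 64-bit frame a tag transmits is just the 40-bit ID plus parity, so there is no secret to protect, and filling the controller’s empty slots with distinct random IDs is the workaround the thread proposes. The one-UID-per-line, 10-hex-character list format is an assumption about the Flipper tool, not something stated in the thread.

```python
import secrets

# EM4100 frame layout: 9 header ones, then 10 rows of (4 data bits + even row
# parity), then 4 even column-parity bits, then a 0 stop bit = 64 bits.
EM4100_HEADER = 0x1FF

def em4100_encode(uid: int) -> int:
    """Build the 64-bit frame an EM4100 tag transmits for a 40-bit UID.
    Nothing here is secret: the frame is the ID plus parity, so anyone who
    knows the ID can reproduce the credential."""
    if not 0 <= uid < (1 << 40):
        raise ValueError("EM4100 UID must be 40 bits")
    frame = EM4100_HEADER
    col_parity = 0
    for i in range(10):  # most-significant nibble first
        nibble = (uid >> (36 - 4 * i)) & 0xF
        row_parity = bin(nibble).count("1") & 1
        frame = (frame << 5) | (nibble << 1) | row_parity
        col_parity ^= nibble
    frame = (frame << 4) | col_parity
    return (frame << 1) | 0  # stop bit

def em4100_decode(frame: int) -> int:
    """Recover the UID from a frame, checking header, stop bit and both parities."""
    if frame >> 55 != EM4100_HEADER or frame & 1:
        raise ValueError("bad header or stop bit")
    uid, col_parity = 0, 0
    for i in range(10):
        row = (frame >> (50 - 5 * i)) & 0x1F
        nibble, parity = row >> 1, row & 1
        if bin(nibble).count("1") & 1 != parity:
            raise ValueError(f"row {i} parity error")
        uid = (uid << 4) | nibble
        col_parity ^= nibble
    if ((frame >> 1) & 0xF) != col_parity:
        raise ValueError("column parity error")
    return uid

def random_uid_list(count: int) -> list[str]:
    """Distinct random 40-bit UIDs as 10-hex-char lines, the format assumed
    here for a Flipper UID list used to fill a controller's empty user slots."""
    uids: set[str] = set()
    while len(uids) < count:
        uids.add(f"{secrets.randbits(40):010X}")
    return sorted(uids)

if __name__ == "__main__":
    print("\n".join(random_uid_list(50)))  # 50 lines for the 50-slot case
```

Change the count to 2000 if the larger slot figure mentioned in the thread turns out to be right.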

Ahh, getting flashbacks to hacking a garage door with the kids toy. Hopefully one of y’all can find a fix.

https://m.youtube.com/watch?v=CNodxp9Jy4A

So I managed to semi brick my xac for a few minutes,

But during that experience, the UID issue went away lol :joy:

So it’s the first sign that it’s semi possible

On the downside, I managed to program the Flipper to ram 50 different UIDs into the xAC, and it appears that 50 is NOT the limit
(Also found original packaging which also states 2000 users)

1 Like

Confirmed on both of mine.

Confirmed works on my XACv2 as well. If I know what you’re talking about. I’ve used it at a few businesses (that I’m already granted access to) and 3/14 were vulnerable to the attack.

1 Like

Can confirm that it works on both the xAC v2 that I bought from DT as well as the knockoff unit I bought off AliExpress

Wait… what exactly do you mean here? Do you mean there are 14 deployed xAC v2 units but the attack only worked in three of them, or there are 3 xAC v2 controllers installed and 11 other types of access controllers which were not vulnerable to such an attack?

Or, alternatively, I thought he may have meant

There are 14 deployed but he has only tested 3 of them…so far!?

Should have been more clear, not necessarily XACs, RFID systems in general have been vulnerable to default UID attacks

I work for a company that services pools, many of which have RFID access, 3/14 had a default UID registered that allowed access

Oh man… ok. Man that sucks!

Don’t think much more data was needed, but can confirm, works on my DT-purchased xACv2 as well.

1 Like

Any update on the vendor fixing this glitch?

Am planning to use it for access for my RV/home. Would like something as secure as possible… Thanks.

Still no word but I am having doubts they will be able to come up with a solution. I will update as soon as I hear back anything.

1 Like

I’ve found a variation of the board on aliexpress,
Looks similar but slightly different, blue pcb instead of green… and a few of the chips look different

I’ll order one in a week to see if it has the same issue

2 Likes