DEFCON32 took place last week in Las Vegas. As has been increasingly common, a number of the sessions focused on vulnerabilities and exploits related to security industry products:
Securing CCTV Cameras Against Blind Spots
Watchers being watched: Exploiting the Surveillance System and its supply chain
Open sesame - or how vulnerable is your stuff in electronic lockers
But one session in particular seems to be generating a lot of interest:
High Intensity Deconstruction: Chronicles of a Cryptographic Heist
PDF of the presentation (leaves a bit to be desired without the narration)
In this session a group of researchers outlined how they extracted the encrypted keys used in HIDs iCLASS SE readers. This session, and the implications of the exploit, have been analyszed online in a number of place already, eg: IPVM, Reddit, Wired, and my LinkedIn post.
Here, I'd like to dig a little deeper into this and discuss how to assess any potential risk to your organization, what this exploit means in practical terms, and how you can reduce your exposure if you are a user of these devices.