valerie thomas - all your door belong to me - attacking physical access systems
TRANSCRIPT
All Your Door Belong To Me – Attacking Physical Access Systems
VALERIE THOMAS
EXECUTIVE SECURITY CONSULTANT
@HACKTRESS09
• Executive Security Consultant for Securicon
• 10+ years in Information Security
• Coauthor of Building A Security Awareness Program
• Social Engineering trainer
• Physical access “enthusiast”
Introduction
Agenda
• Why this talk?
• Topology of a physical access system (PACS)
• Why PACS deployments are insecure
• Attack surfaces and exploits
• Putting it all together for complete takeover
What Is A Physical Access System?
A Physical Access System (PACS) consists of several components working together to ensure that access to a controlled area is granted or denied when appropriate.
Why Physical Access Systems?
PACS Components
• Access control point
  • Door
  • Gate
  • Turnstile
• Credential reader
• Credential
  • Access card
  • Electronic fob
  • Personal identification number (PIN)
  • Biometric
Access Cards
Low frequency
• 125 kHz
• Small amount of data
• Unencrypted
High frequency
• 13.56 MHz
• Large amount of data
• Sometimes encrypted
PACS components
• Access control panel
  • Decodes binary data
  • Compares card data to an access list, then grants or denies entry
• Access control server
  • Software provided by manufacturer
  • Usually a Windows server
  • Maintains card records
  • Maintains access groups
  • Card format details
  • Event monitoring
• Door components
  • Electric strike
  • Door contact
  • Request to exit (RTE)
How credentials are read
https://media.blackhat.com/us-13/US-13-Brown-RFID-Hacking-Live-Free-or-RFID-Hard-Slides.pdf
https://en.wikipedia.org/?title=Access_control#/media/File:Access_control_door_wiring.png
https://en.wikipedia.org/?title=Access_control#/media/File:Access_control_topologies_main_controller_a.png
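As an added example (not from the talk), this is the decode step a panel performs on the binary data a reader sends, assuming the common 26-bit Wiegand (H10301) layout: an even parity bit, an 8-bit facility code, a 16-bit card number and an odd parity bit. The facility code and card number used are constructed; a frame in a custom format fails the length or parity checks, which is the "misread" the long-range reader slides refer to.

```python
from dataclasses import dataclass

@dataclass
class Credential:
    facility_code: int
    card_number: int

def encode_wiegand26(facility_code: int, card_number: int) -> str:
    """Build a 26-bit Wiegand frame (H10301 layout): even parity bit,
    8-bit facility code, 16-bit card number, odd parity bit."""
    if not 0 <= facility_code < 256 or not 0 <= card_number < 65536:
        raise ValueError("facility code is 8 bits, card number is 16 bits")
    data = f"{facility_code:08b}{card_number:016b}"
    even = str(data[:12].count("1") % 2)     # even parity over data bits 1-12
    odd = str(1 - data[12:].count("1") % 2)  # odd parity over data bits 13-24
    return even + data + odd

def decode_wiegand26(bits: str) -> Credential:
    """Decode a frame as a panel configured for the 26-bit format would.
    A wrong length or failed parity is a format mismatch, which is what a
    reader set up for this format sees when shown a custom-format card."""
    if len(bits) != 26 or set(bits) - {"0", "1"}:
        raise ValueError("expected 26 binary digits")
    b = [int(c) for c in bits]
    if sum(b[1:13]) % 2 != b[0]:
        raise ValueError("even parity mismatch over bits 1-12")
    if sum(b[13:25]) % 2 == b[25]:  # ones in bits 13-25 must total odd
        raise ValueError("odd parity mismatch over bits 13-24")
    return Credential(facility_code=int(bits[1:9], 2),
                      card_number=int(bits[9:25], 2))

def is_valid_frame(bits: str) -> bool:
    """True if the frame decodes cleanly under the 26-bit format."""
    try:
        decode_wiegand26(bits)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    # Constructed sample credential, not a real card.
    frame = encode_wiegand26(123, 45678)
    print(frame, decode_wiegand26(frame))
    # Flipping one data bit breaks parity, as a custom-format card would.
    print(is_valid_frame(frame[:3] + "0" + frame[4:]))
```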
The Split Personality of Security
Computer Security
• Protects valuable assets
• Typically reports to Technology or Financial Officers
• “You must be really smart”
• Controls designed and implemented by network security professionals
Physical Security
• Protects valuable assets
• Typically reports to Administration or Facilities Organization
• “You’ll get a better job someday”
• Controls designed and implemented by electrical contractors
Why PACS deployments are insecure
• The gap between physical and cyber security is closing
• The physical security industry is ~15 years behind IT
• No security maturity model
• Vendors implement features without security testing
• Heavily reliant on IT but lack understanding
• Often deployed and forgotten
HID iClass
• The card and reader perform mutual authentication using a 64-bit encryption key
• This key is programmed into the reader at manufacture
• Don’t worry - It’s encrypted!
https://www.blackhat.com/docs/us-15/materials/us-15-Evenchick-Breaking-Access-Controls-With-BLEKey-wp.pdf
Physical security culture
• Majority are former military/defense
• Lack technical understanding of PACS
• Unaccustomed to patching/addressing vulnerabilities
• Vendor loyal
• Resistant to change
Attack surfaces and exploits
• Access cards
• Readers
• Request to exit devices
• Access control panel
• Access control server
• Workstations
Access card attacks
Access card attacks - Long Range
• Weaponized long range reader (read & record)
• Does not clone/write
• Read distance is ~2 ft
• Available for
  • Proximity
  • iClass (Standard Security)
  • Indala
PROS
• Improved read range
• Stores hundreds of card reads
• No interaction required – just power on
CONS
• Expensive =(
• Can misread custom card formats
Design 1 – Tastic RFID Thief
Tastic RFID Thief output file
Parts list and design details: http://www.bishopfox.com/resources/tools/rfid-hacking/attack-tools/
Design 2 - RavenHID
• BLE Mini add-on (http://redbearlab.com)
• Parts list and design details: https://github.com/emperorcow/ravenhid
Long Range Power
Must have 12V Output
Access card attacks – low tech
Most vendors print the card number ON THE CARD
And on the box
Reader attacks - BLEKey
• Inserted in-line with the reader
• Records card data and sends via Bluetooth
• Replays data
• Reader DoS
Blackhat presentation: https://www.blackhat.com/docs/us-15/materials/us-15-Evenchick-Breaking-Access-Controls-With-BLEKey.pdf
Parts list and software: https://github.com/linklayer/BLEKey
Request to exit device attacks
Access control panel attacks
• Remember how important door controllers are?
• Medium to large environments will have multiple door controllers
• These controllers are usually reachable from the general address pool
• Often have very useful data
Hunting Door Controllers
• Many controllers have features to simplify configuration
  • Embedded web servers
  • FTP
  • SNMP
• Access is generally open or protected with a weak default password
• Many allow anonymous FTP
Keep in mind…
• These devices can be very fragile – heavy scanning is not recommended
• Many of the web interfaces will only work in IE
• Don’t change any settings
Ports to look for
• TCP 21
• TCP 23
• TCP 80
• UDP 161
• TCP 9999
Keywords in DNS/Nessus scans
• Tyco
• iStar
• Matrix
• Lenel
What Can Controllers Tell Us?
• Card numbers and access log
• Areas they control
• IPs of other controllers
• IPs of the access server
• Passwords!
Web Interface
VertX
https://github.com/brad-anton/VertX
Hunting Access Servers
• Usually not as obvious as controllers
• Majority are Windows servers
• Can often obtain the IP from a controller
• DNS search is a fairly reliable method
DNS/Nessus keywords
• CCURE/C-CURE/C*CURE
• OnGuard
• AccessControl
• FacilityCommander
• Additional keywords at http://www.capterra.com/physical-security-software/
Other PACS Resources
PACS information and card data can be found in other areas of the network
• SharePoint
• Email
• Document shares (usually in null session)
• Guard workstations
Putting it all together
• Long range reader to collect card data
• Programmed duplicate cards and created fake employee card
• Observed security guard daily activity
• Placed hardware keyloggers
• Captured credentials and other useful data
• Gained access to access server
• Produced duplicate cards for employees with the most access
Game Over
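Catching the duplicate cards in the chain above is an event-monitoring job for the access server. This added example (not from the talk) runs an impossible-travel rule over constructed access log lines: one card number granted entry in two different buildings sooner than anyone could walk between them. The door-to-building map, the 10-minute threshold and the CSV log format are assumptions.

```python
from datetime import datetime, timedelta

# Constructed site map: which building each reader belongs to, plus the
# shortest realistic walk between buildings. Adjust to the real campus.
DOOR_BUILDING = {
    "HQ-Lobby": "HQ", "HQ-Lab": "HQ",
    "DC-Entrance": "DataCenter", "DC-Cage": "DataCenter",
}
MIN_TRAVEL = timedelta(minutes=10)

# Constructed sample of access-server events: timestamp, card, door, result.
SAMPLE_LOG = """\
2015-06-01 08:02:11,45678,HQ-Lobby,GRANTED
2015-06-01 08:03:40,45678,HQ-Lab,GRANTED
2015-06-01 08:05:02,45678,DC-Entrance,GRANTED
2015-06-01 08:05:30,10101,DC-Entrance,DENIED
2015-06-01 09:30:00,10101,HQ-Lobby,GRANTED
2015-06-01 09:41:15,10101,DC-Entrance,GRANTED
"""

def parse_events(text: str) -> list:
    """Parse CSV-style event lines into (timestamp, card, door, result)
    tuples sorted by time, so the rule below can walk them in order."""
    events = []
    for line in text.splitlines():
        ts, card, door, result = line.split(",")
        events.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                       int(card), door, result))
    return sorted(events)

def find_impossible_travel(events: list, min_travel=MIN_TRAVEL) -> list:
    """Return (card, earlier_door, later_door, seconds_between) for every
    GRANTED read that puts a card in a different building sooner than anyone
    could walk there: two cards sharing one number, i.e. a clone in use."""
    alerts = []
    last_seen = {}  # card -> (timestamp, door) of its last granted read
    for ts, card, door, result in events:
        if result != "GRANTED":
            continue  # a denied read does not prove the holder was present
        if card in last_seen:
            prev_ts, prev_door = last_seen[card]
            gap = ts - prev_ts
            if DOOR_BUILDING[door] != DOOR_BUILDING[prev_door] and gap < min_travel:
                alerts.append((card, prev_door, door, int(gap.total_seconds())))
        last_seen[card] = (ts, door)
    return alerts

if __name__ == "__main__":
    for alert in find_impossible_travel(parse_events(SAMPLE_LOG)):
        print("possible cloned card:", alert)
```

Card 45678 trips the rule (HQ lab to data center entrance in 82 seconds) while card 10101 does not, and the denied read is ignored because it proves nothing about presence.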
Long road ahead
• Physical security has a lot of catching up to do
• Will require huge culture shift
• Many of the misconfigurations discussed are preventable
• PACS security checklist (in progress)
[email protected]
@hacktress09