Valerie Thomas - All Your Door Belong to Me - Attacking Physical Access Systems
1. All Your Door Belong To Me – Attacking Physical Access Systems
VALERIE THOMAS
EXECUTIVE SECURITY CONSULTANT
@HACKTRESS09
2. Introduction
• Executive Security Consultant for Securicon
• 10+ years in Information Security
• Coauthor of Building A Security Awareness Program
• Social Engineering trainer
• Physical access “enthusiast”
3. Agenda
• Why this talk?
• Topology of a physical access system (PACS)
• Why PACS deployments are insecure
• Attack surfaces and exploits
• Putting it all together for complete takeover
4. What Is A Physical Access System?
A physical access control system (PACS) consists of several components working together to grant or deny access to a controlled area when appropriate.
9. PACS components
• Access control panel
  • Decodes the binary card data received from the reader
  • Compares the card data to an access list, then grants or denies entry
10. PACS components
• Access control server
  • Software provided by the manufacturer
  • Usually a Windows server
  • Maintains card records
  • Maintains access groups
  • Card format details
  • Event monitoring
• Door components
  • Electric strike
  • Door contact
  • Request to exit (RTE)
11. How credentials are read
https://media.blackhat.com/us-13/US-13-Brown-RFID-Hacking-Live-Free-or-RFID-Hard-Slides.pdf
14. The Split Personality of Security
Computer Security
• Protects valuable assets
• Typically reports to Technology or Financial Officers
• “You must be really smart”
• Controls designed and implemented by network security professionals
Physical Security
• Protects valuable assets
• Typically reports to Administration or Facilities Organization
• “You’ll get a better job someday”
• Controls designed and implemented by electrical contractors
15. Why PACS deployments are insecure
• The gap between physical and cyber security is closing
• The physical security industry is ~15 years behind IT
• No security maturity model
• Vendors implement features without security testing
• Heavily reliant on IT, but with little understanding of it
• Often deployed and forgotten
16. HID iClass
• The card and reader perform mutual authentication using a 64-bit key
• The same key is programmed into every Standard Security reader at manufacture, so the secret is shared by every deployment
• Don’t worry - It’s encrypted!
25. Access card attacks - Long Range
• Weaponized long range reader (read & record)
• Does not clone/write
• Read distance is ~2 ft
• Available for
  • Proximity
  • iClass (Standard Security)
  • Indala
26. Access card attacks - Long Range
PROS
• Improved read range
• Stores hundreds of card reads
• No interaction required – just power on
CONS
• Expensive =(
• Can misread custom (non-standard) card formats
37. Reader attacks - BLEKey
• Inserted in-line with the reader
• Records card data and sends via Bluetooth
• Replays data
• Reader DoS
39. Reader attacks - BLEKey
Blackhat presentation
https://www.blackhat.com/docs/us-15/materials/us-15-Evenchick-Breaking-Access-Controls-With-BLEKey.pdf
Parts list and software
https://github.com/linklayer/BLEKey
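The following is an added example, not code from the talk or from the BLEKey project. It models the data path the preceding slides describe: the pulses a reader sends to the panel on the two Wiegand data lines (which an in-line tap such as BLEKey records), the panel's decoding of those bits into a facility code and card number, and the re-encoding a replay or a programmed duplicate card needs. It assumes the reader-to-panel link is Wiegand (a pulse on D0 is a 0 bit, a pulse on D1 is a 1 bit) and that the card uses the standard 26-bit H10301 format; the captured pulse sequence, facility code 101 and card number 12345 are constructed.

```python
"""Wiegand capture -> H10301 decode -> re-encode for replay (added example)."""
from dataclasses import dataclass
from typing import List

# Constructed capture: the pulse sequence an in-line tap would log on the two
# Wiegand data lines. A pulse on D0 is a 0 bit, a pulse on D1 is a 1 bit.
CAPTURED_PULSES: List[str] = (
    "D0 D0 D1 D1 D0 D0 D1 D0 D1 D0 D0 D1 D1 "
    "D0 D0 D0 D0 D0 D0 D1 D1 D1 D0 D0 D1 D1"
).split()


def pulses_to_bits(pulses: List[str]) -> str:
    """Record: turn the logged D0/D1 pulses into the bit string the panel sees."""
    bits = []
    for pulse in pulses:
        if pulse == "D0":
            bits.append("0")
        elif pulse == "D1":
            bits.append("1")
        else:
            raise ValueError(f"not a Wiegand data line: {pulse!r}")
    return "".join(bits)


def bits_to_pulses(bits: str) -> List[str]:
    """Replay: the pulse sequence a tap (or a cloned card at a reader) must produce."""
    return ["D1" if b == "1" else "D0" for b in bits]


def _ones_parity(bits: str) -> int:
    return bits.count("1") % 2


@dataclass
class H10301:
    facility_code: int
    card_number: int
    parity_ok: bool


def decode_h10301(bits: str) -> H10301:
    """Standard 26-bit format: bit 1 even parity over bits 2-13, bits 2-9 facility
    code, bits 10-25 card number, bit 26 odd parity over bits 14-25."""
    if len(bits) != 26 or set(bits) - {"0", "1"}:
        raise ValueError(f"expected 26 data bits, got {len(bits)}: a misread or another format")
    even_ok = _ones_parity(bits[0:13]) == 0   # parity bit included: bits 1-13 must be even
    odd_ok = _ones_parity(bits[13:26]) == 1   # parity bit included: bits 14-26 must be odd
    return H10301(
        facility_code=int(bits[1:9], 2),
        card_number=int(bits[9:25], 2),
        parity_ok=even_ok and odd_ok,
    )


def encode_h10301(facility_code: int, card_number: int) -> str:
    """Build the 26 bits for a duplicate card, with correct parity."""
    if not 0 <= facility_code < 256 or not 0 <= card_number < 65536:
        raise ValueError("facility code is 8 bits, card number is 16 bits")
    body = f"{facility_code:08b}{card_number:016b}"   # bits 2-25
    even_bit = _ones_parity(body[:12])                 # makes bits 1-13 even
    odd_bit = 1 - _ones_parity(body[12:])              # makes bits 14-26 odd
    return f"{even_bit}{body}{odd_bit}"


if __name__ == "__main__":
    bits = pulses_to_bits(CAPTURED_PULSES)
    card = decode_h10301(bits)
    print(f"captured {bits} -> FC {card.facility_code}, CN {card.card_number}, parity ok: {card.parity_ok}")
    clone = encode_h10301(card.facility_code, card.card_number)
    print("replay pulses match capture:", bits_to_pulses(clone) == CAPTURED_PULSES)
    try:
        decode_h10301(bits[:-1])   # one dropped pulse: what a misread looks like
    except ValueError as exc:
        print("short capture:", exc)
```

The two parity bits are the only integrity check in this format: a single flipped or dropped pulse fails decoding, which is how a misread shows up. A card in a custom format of a different length fails the length check; a custom 26-bit layout can still pass parity by chance, so a "valid" decode from a long-range reader is not proof the facility code and card number are what the panel would compute.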
47. Access control panel attacks
• Remember how important door controllers are?
• Medium to large environments will have multiple door controllers
• These controllers are usually reachable from the general address pool
• Often have very useful data
48. Hunting Door Controllers
• Many controllers have features to simplify configuration
  • Embedded web servers
  • FTP
  • SNMP
• Access is generally open or protected with a weak default password
• Many allow anonymous FTP
49. Hunting Door Controllers
Keep in mind…
• These devices can be very fragile – heavy scanning is not recommended
• Many of the web interfaces will only work in IE
• Don’t change any settings
50. Hunting Door Controllers
Ports to look for
• TCP 21 (FTP)
• TCP 23 (Telnet)
• TCP 80 (HTTP, embedded web server)
• UDP 161 (SNMP)
• TCP 9999
Keywords in DNS/Nessus scans
• Tyco
• iStar
• Matrix
• Lenel
51. What Can Controllers Tell Us?
• Card numbers and access log
• Areas they control
• IPs of other controllers
• IPs of the access server
• Passwords!
57. Hunting Access Servers
• Usually not as obvious as controllers
• The majority are Windows servers
• The IP can often be obtained from a controller
• A DNS search is a fairly reliable method
60. Other PACS Resources
PACS information and card data can be found in other areas of the network
• SharePoint
• Email
• Document shares (often reachable over a null session)
• Guard workstations
61. Putting it all together
• Long range reader to collect card data
• Programmed duplicate cards and created a fake employee card
• Observed security guard daily activity
62. Putting it all together
• Placed hardware keyloggers
• Captured credentials and other useful data
• Gained access to the access server
• Produced duplicate cards for employees with the most access
66. Long road ahead
• Physical security has a lot of catching up to do
• Will require huge culture shift
• Many of the misconfigurations discussed are
preventable
• PACS security checklist (in progress)