All Your Door Belong To Me – Attacking Physical Access Systems
Valerie Thomas, Executive Security Consultant, @hacktress09
Introduction
- Executive Security Consultant for Securicon
- 10+ years in Information Security
- Coauthor of Building A Security Awareness Program
- Social Engineering trainer
- Physical access “enthusiast”
Agenda
- Why this talk?
- Topology of a physical access system (PACS)
- Why PACS deployments are insecure
- Attack surfaces and exploits
- Putting it all together for complete takeover
What Is A Physical Access System?
A Physical Access System (PACS) consists of several components working together to ensure that access to a controlled area is granted or denied when appropriate.
Why Physical Access Systems?
PACS Components
- Access control point
  - Door
  - Gate
  - Turnstile
- Credential reader
- Credential
  - Access card
  - Electronic fob
  - Personal identification number (PIN)
  - Biometric
Access Cards
- Low frequency (125 kHz)
  - Small amount of data
  - Unencrypted
- High frequency (13.56 MHz)
  - Large amount of data
  - Sometimes encrypted
Access Cards
PACS Components
- Access control panel
  - Decodes binary data
  - Compares card data to an access list, then grants or denies entry
PACS Components
- Access control server
  - Software provided by manufacturer
  - Usually a Windows server
  - Maintains card records
  - Maintains access groups
  - Card format details
  - Event monitoring
- Door components
  - Electric strike
  - Door contact
  - Request to exit (RTE)
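The panel's job as described above (decode the bits from the reader, look the card up in an access list, grant or deny) is small enough to show in full. The following is an added example written for this page, not code from the talk or from any vendor's panel firmware: it handles the common 26-bit Wiegand format (8-bit facility code, 16-bit card number, one even and one odd parity bit). The access list, door names and card numbers are constructed sample values.

```python
"""Added example: how a door controller handles a 26-bit Wiegand read.

Illustrative code written for this page, not any vendor's firmware. It models
the three steps the slides attribute to the access control panel: decode the
bits from the reader, compare the card to an access list, then grant or deny.
The access list and card numbers are constructed sample values.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Credential:
    facility: int  # 8-bit facility (site) code
    card: int      # 16-bit card number


def encode_26bit(facility: int, card: int) -> list[int]:
    """Build the 26 bits a reader sends for a standard-format card."""
    if not 0 <= facility < 256 or not 0 <= card < 65536:
        raise ValueError("facility must fit in 8 bits, card in 16 bits")
    body = [(facility >> (7 - i)) & 1 for i in range(8)]
    body += [(card >> (15 - i)) & 1 for i in range(16)]
    lead = sum(body[:12]) % 2         # even parity over the first 12 data bits
    trail = 1 - (sum(body[12:]) % 2)  # odd parity over the last 12 data bits
    return [lead] + body + [trail]


def decode_26bit(bits: list[int]):
    """Return (Credential, 'ok') or (None, reason) for a frame from the reader."""
    if len(bits) != 26:
        return None, "bad length"
    body = bits[1:25]
    if bits[0] != sum(body[:12]) % 2:
        return None, "even parity failed"
    if bits[25] != 1 - (sum(body[12:]) % 2):
        return None, "odd parity failed"
    facility = int("".join(str(b) for b in body[:8]), 2)
    card = int("".join(str(b) for b in body[8:]), 2)
    return Credential(facility, card), "ok"


# Constructed access list: (facility, card) -> doors this card may open.
ACCESS_LIST = {
    (100, 12345): {"lobby", "server-room"},
    (100, 777): {"lobby"},
}


def decide(bits: list[int], door: str, access_list=ACCESS_LIST):
    """Panel decision for one read at one door: (granted, reason)."""
    cred, status = decode_26bit(bits)
    if cred is None:
        return False, status          # corrupt frame: deny and log the reason
    doors = access_list.get((cred.facility, cred.card))
    if doors is None:
        return False, "card not in access list"
    if door not in doors:
        return False, "card not authorized for this door"
    return True, "granted"


if __name__ == "__main__":
    frame = encode_26bit(100, 12345)
    print("".join(map(str, frame)), decide(frame, "server-room"))
    print(decide(encode_26bit(100, 777), "server-room"))
```

Note what the frame does not contain: there is no secret and no freshness, only facility code, card number and parity. The panel therefore cannot tell a card presented at the reader from the same bits delivered by anything else wired between reader and panel, which is the property the reader attacks later in this deck rely on; reader-to-panel protocols with an authenticated channel (OSDP Secure Channel, for example) exist to close that gap.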
How credentials are read
https://media.blackhat.com/us-13/US-13-Brown-RFID-Hacking-Live-Free-or-RFID-Hard-Slides.pdf
https://en.wikipedia.org/?title=Access_control#/media/File:Access_control_topologies_main_controller_a.png
The Split Personality of Security
Computer Security
- Protects valuable assets
- Typically reports to Technology or Financial Officers
- “You must be really smart”
- Controls designed and implemented by network security professionals
Physical Security
- Protects valuable assets
- Typically reports to Administration or Facilities Organization
- “You’ll get a better job someday”
- Controls designed and implemented by electrical contractors
Why PACS deployments are insecure
- The gap between physical and cyber security is closing
- The physical security industry is ~15 years behind IT
- No security maturity model
- Vendors implement features without security testing
- Heavily reliant on IT but lack understanding
- Often deployed and forgotten
Why PACS deployments are insecure
HID iClass
- The card and reader perform mutual authentication using a 64-bit encryption key
- This key is programmed into the reader at manufacture
- Don’t worry - It’s encrypted!
Why PACS deployments are insecure
Physical security culture
- Majority are former military/defense
- Lack technical understanding of PACS
- Unaccustomed to patching/addressing vulnerabilities
- Vendor loyal
- Resistant to change
Attack surfaces and exploits
- Access cards
- Readers
- Request to exit devices
- Access control panel
- Access control server
- Workstations
Access card attacks
Access card attacks – Long Range
- Weaponized long range reader (read & record)
- Does not clone/write
- Read distance is ~2 ft
- Available for
  - Proximity
  - iClass (Standard Security)
  - Indala
Access card attacks – Long Range
Pros
- Improved read range
- Stores hundreds of card reads
- No interaction required – just power on
Cons
- Expensive =(
- Can misread custom card formats
Design 1 – Tastic RFID Thief
Tastic RFID Thief Output File
Tastic RFID Thief
Parts list and design details: http://www.bishopfox.com/resources/tools/rfid-hacking/attack-tools/
Design 2 - RavenHID
RavenHID
- BLE Mini add-on (http://redbearlab.com)
- Parts list and design details: https://github.com/emperorcow/ravenhid
Long Range Power
- Must have 12V output
Access card attacks – low tech
- Most vendors print the card number ON THE CARD
Access card attacks – low tech
- And on the box
Reader attacks - BLEKey
- Inserted in-line with the reader
- Records card data and sends via Bluetooth
- Replays data
- Reader DoS
Reader attacks - BLEKey
- Blackhat presentation: https://www.blackhat.com/docs/us-15/materials/us-15-Evenchick-Breaking-Access-Controls-With-BLEKey.pdf
- Parts list and software: https://github.com/linklayer/BLEKey
Request to exit device attacks
Access control panel attacks
- Remember how important door controllers are?
- Medium to large environments will have multiple door controllers
- These controllers are usually reachable from the general address pool
- Often have very useful data
Hunting Door Controllers
- Many controllers have features to simplify configuration
  - Embedded web servers
  - FTP
  - SNMP
- Access is generally open or protected with a weak default password
- Many allow anonymous FTP
Hunting Door Controllers
Keep in mind…
- These devices can be very fragile – heavy scanning is not recommended
- Many of the web interfaces will only work in IE
- Don’t change any settings
Hunting Door Controllers
- Ports to look for
  - TCP 21
  - TCP 23
  - TCP 80
  - UDP 161
  - TCP 9999
- Keywords in DNS/Nessus scans
  - Tyco
  - iStar
  - Matrix
  - Lenel
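For the defending side, the same port list and vendor keywords turn into a segmentation check: do any hosts on the general address pool look like door controllers with FTP, Telnet, HTTP, SNMP or port 9999 open? Because the slides warn that controllers are fragile, the check below consumes a scan export that already exists rather than probing anything. This is an added example written for this page, not a tool from the talk; it parses Nmap grepable (-oG) output, and the four host lines, addresses, hostnames and banners are constructed sample data.

```python
"""Added example: triage an existing scan export for exposed PACS controllers.

Illustrative code written for this page, not part of the talk or any tool it
cites. It reads Nmap grepable (-oG) output that already exists instead of
probing devices. The host lines below are constructed sample data; the
hostnames, addresses and banners are invented.
"""
import re

# Ports the slides list as worth looking for on door controllers.
PACS_PORTS = {("tcp", 21): "ftp", ("tcp", 23): "telnet", ("tcp", 80): "http",
              ("udp", 161): "snmp", ("tcp", 9999): "vendor mgmt"}
# Keywords the slides suggest for DNS / Nessus output.
PACS_KEYWORDS = ("tyco", "istar", "matrix", "lenel")

SAMPLE_SCAN = """\
# Constructed sample, not real scan output
Host: 10.20.30.41 (istar-pro-east.corp.example)\tPorts: 21/open/tcp//ftp///, 23/open/tcp//telnet///, 80/open/tcp//http///\tIgnored State: closed (997)
Host: 10.20.30.42 (lenel-lnl-2220.corp.example)\tPorts: 80/open/tcp//http///, 161/open/udp//snmp///, 9999/open/tcp//abyss///\tIgnored State: closed (997)
Host: 10.20.30.57 (print-3f.corp.example)\tPorts: 80/open/tcp//http///, 9100/open/tcp//jetdirect///\tIgnored State: closed (998)
Host: 10.20.30.60 ()\tPorts: 80/open/tcp//http//Tyco Matrix Controller/, 23/open/tcp//telnet///\tIgnored State: closed (998)
"""

HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)\tPorts: (.*?)\tIgnored State")
# port/state/proto/owner/service/rpc/version/  (only open ports are kept)
PORT_RE = re.compile(r"(\d+)/(open)/(tcp|udp)/[^/]*/([^/]*)/[^/]*/([^/]*)/")


def parse_grepable(text):
    """Yield (ip, hostname, [(proto, port, service, banner), ...]) per host."""
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        ip, hostname, ports = m.groups()
        entries = [(proto, int(port), svc, banner)
                   for port, _state, proto, svc, banner in PORT_RE.findall(ports)]
        yield ip, hostname, entries


def looks_like_pacs(hostname, entries):
    """Name or banner names a PACS vendor, or the exposed-port pattern matches."""
    text = " ".join([hostname] + [e[3] for e in entries]).lower()
    if any(k in text for k in PACS_KEYWORDS):
        return True
    exposed = {(p, n) for p, n, _s, _b in entries} & set(PACS_PORTS)
    # Plenty of ordinary devices listen on 80 alone; require a second
    # PACS-typical service before flagging an unnamed host.
    return len(exposed) >= 2


def triage(text):
    """Findings for hosts that look like controllers with management services open."""
    findings = []
    for ip, hostname, entries in parse_grepable(text):
        if not looks_like_pacs(hostname, entries):
            continue
        exposed = sorted(PACS_PORTS[(p, n)] for p, n, _s, _b in entries
                         if (p, n) in PACS_PORTS)
        findings.append({"ip": ip,
                         "host": hostname or "(no reverse DNS)",
                         "exposed": exposed})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_SCAN):
        print(f"{f['ip']:<14} {f['host']:<32} exposed: {', '.join(f['exposed'])}")
```

Each finding is a controller that should be on a management VLAN reachable only from the access server and administrators' workstations; anything listed here is reachable from the scanned segment with its configuration services up, which is exactly the situation the next slides exploit.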
What Can Controllers Tell Us?
- Card numbers and access log
- Areas they control
- IPs of other controllers
- IPs of the access server
- Passwords!
Web Interface
VertX
https://github.com/brad-anton/VertX
Hunting Access Servers
- Usually not as obvious as controllers
- Majority are Windows servers
- Can often obtain the IP from a controller
- DNS search is a fairly reliable method
Other PACS Resources
- PACS information and card data can be found in other areas of the network
  - SharePoint
  - Email
  - Document shares (usually in null session)
  - Guard workstations
Putting it all together
- Long range reader to collect card data
- Programmed duplicate cards and created fake employee card
- Observed security guard daily activity
Putting it all together
- Placed hardware keyloggers
- Captured credentials and other useful data
- Gained access to access server
- Produced duplicate cards for employees with the most access
Game Over
Long road ahead
- Physical security has a lot of catching up to do
- Will require huge culture shift
- Many of the misconfigurations discussed are preventable
- PACS security checklist (in progress)