Presentation:
https://www.youtube.com/watch?v=-cZ7eDV2n5Y
Access control systems are everywhere. They are used to protect everything from residential communities to commercial offices. People depend on these to work properly, but what if I had complete control over your access control solution just by using my phone? Or perhaps I input a secret keypad combination that unlocks your front door? You may not be as secure as you think.
The world relies on access control systems to ensure that secured areas are only accessible to authorized users. Usually, a keypad is the only thing stopping an unauthorized person from accessing the private space behind it. There are many types of access control systems from stand-alone keypads to telephony access control. In this talk, Dennis will be going over how and where access control systems are used. Dennis will walk through and demonstrate the tips and tricks used in bypassing common access control systems. This presentation will include attack methods of all nature including physical attacks, wireless, telephony, network, and more.
3. Agenda
Physical Access Control System
Linear Commercial Access Control Systems
Attacks
Local
Remote
Demo/Tools
Device Enumeration Techniques
Recommendations
5. Physical Access Control
What do they do?
Limiting access to physical location/resource
Secure areas using:
Doors
Gates
Elevators floors
Barrier Arms
6. Physical Access Control: How do they work?
Access control systems:
Keypad Entry (Entry/Directory codes)
Telephone entry
Radio receivers for remotes
Proximity cards (RFID)
Swipe cards
Sensors
7. Where are they used?
Use cases:
Gated Communities
Parking Garages
Office Buildings
Apartments
Hotels/Motels
Commercial Buildings
Recreational Facilities
Medical Facilities
21. Linear Controller
Commercial Telephone Entry System
Utilizes a telephone line
Supports thousands of users
Networked with other controllers
Can be configured/controlled through a PC
Serial Connection
22. Linear – TCP/IP Kit
AM-SEK Kit (Serial-to-TCP)
Converts Serial to Ethernet
Allows Management over TCP/IP network
Allows for remote management (over the internet)
23. Linear – Typical Installation
Diagram: Management PC (192.168.0.40) -> Ethernet cable -> Router/Switch (192.168.0.0/24) -> Ethernet cable -> Serial-to-TCP kit -> Serial cable -> AE1000Plus Controller
25. Software - AccessBase2000
Add/remove users
Entry codes
Directory codes
Cards
Transmitters
Manually toggle relays
View log reports
Communicates through serial
Requires a password to authenticate
28. PC to Controller Communication
Request: 5AA5000A1105010008000000CB97
Response:
Acknowledged: 5AA50004110C4625
Not Acknowledged: 5AA50005110D024C23
Invalid Checksum: 5AA50005110D017EB8
No response (not authenticated)
Example exchange (password request, then Not Acknowledged):
5AA5000A11013635343332319A71
5AA50005110D024C23
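A decoder for the frames printed on this slide, written as an added example; it is not code from the talk or from the Access-Control-Attack-Tool repository. It follows the field layout the speaker notes give (fixed 5AA5 header, two length bytes, net node, command, data, checksum) and shows that the password travels as plaintext ASCII. The page does not name the checksum algorithm; CRC-16/KERMIT (reflected polynomial 0x1021, initial value 0, no final XOR) over net node, command and data, stored big-endian, reproduces every checksum on the slides, so the code treats that as the algorithm. The command labels are inferred from the slide captions, and the notes describe the two length bytes as minimum/maximum length, while every frame on the slides carries a big-endian body byte count there.

```python
"""Decode and integrity-check the Linear controller frames printed on the slides.

Added example for the slide above; assumptions: command labels are inferred from
the slide captions, and the checksum algorithm was worked out from the sample
frames because the page does not name it.
"""
from dataclasses import dataclass

HEADER = b"\x5a\xa5"

# Command numbers as they appear in the slide frames (labels are assumptions).
COMMAND_NAMES = {
    0x01: "password request (password sent as plaintext ASCII)",
    0x05: "relay command (slide 48: triggers a door/gate relay)",
    0x0C: "acknowledged",
    0x0D: "not acknowledged",
}
# Reason byte carried by a 0x0D reply, taken from the two NAK frames on slide 28.
NAK_REASONS = {0x01: "invalid checksum", 0x02: "command not acknowledged"}


def crc16_kermit(data: bytes) -> int:
    """CRC-16/KERMIT: reflected polynomial 0x1021 (0x8408), init 0, no final XOR.
    Reproduces every checksum on the slides; treat the choice as an inference."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc


@dataclass
class Frame:
    net_node: int
    command: int
    data: bytes
    checksum: int   # value carried in the frame (big-endian)
    computed: int   # value recomputed over net node + command + data

    @property
    def checksum_ok(self) -> bool:
        return self.checksum == self.computed

    @property
    def command_name(self) -> str:
        return COMMAND_NAMES.get(self.command, f"unknown (0x{self.command:02X})")


def parse_frame(hex_frame: str) -> Frame:
    """Split a hex-encoded frame into header, length, net node, command, data, checksum."""
    raw = bytes.fromhex(hex_frame)
    if raw[:2] != HEADER:
        raise ValueError("missing 5AA5 header")
    # The notes call these two bytes min/max length; on every slide frame they
    # hold the big-endian count of the bytes that follow them.
    length = int.from_bytes(raw[2:4], "big")
    body = raw[4:]
    if len(body) != length:
        raise ValueError(f"length field {length} != body length {len(body)}")
    if length < 4:
        raise ValueError("body too short to hold net node, command and checksum")
    return Frame(
        net_node=body[0],
        command=body[1],
        data=body[2:-2],
        checksum=int.from_bytes(body[-2:], "big"),
        computed=crc16_kermit(body[:-2]),
    )


def describe(hex_frame: str) -> str:
    """One-line summary of the kind a monitor watching TCP 4660 traffic would log."""
    f = parse_frame(hex_frame)
    detail = ""
    if f.command == 0x01:
        detail = f" password={f.data.decode('ascii', 'replace')!r}"
    elif f.command == 0x0D and f.data:
        detail = f" reason={NAK_REASONS.get(f.data[0], 'unknown')}"
    elif f.data:
        detail = f" data={f.data.hex()}"
    status = "ok" if f.checksum_ok else f"BAD (expected {f.computed:04X})"
    return f"node=0x{f.net_node:02X} cmd=0x{f.command:02X} {f.command_name}{detail} checksum={status}"


if __name__ == "__main__":
    # Frames copied from slides 28, 48 and 55.
    for hex_frame in (
        "5AA5000A1105010008000000CB97",
        "5AA50004110C4625",
        "5AA50005110D024C23",
        "5AA50005110D017EB8",
        "5AA5000A11013635343332319A71",
        "5AA5000A1105010000080000E88D",
    ):
        print(describe(hex_frame))
```

Running the block prints one line per slide frame; the password request decodes to the six-digit ASCII string carried in the data field, which is the practical reason the talk's recommendation to keep the serial link off the network matters: anyone who can read the TCP 4660 stream reads the password.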
33. AE-500 – Default Password
Hold 0 and 2 on the keypad
Type the default password: 123456#
Input the commands to add a new entry code: 31#9999#9999#99#
Type in your new code (9999)
Access Granted!
36. Master Key
Same key for all AE1000plus, AM3plus controllers
Purchase them from a supplier or on eBay
Or just pick the lock
Full access to the device
38. Physical Access
Manual Relay Latch buttons
Toggle Relay
Lock their state
Programming buttons
Program device locally
Erase Memory
Active Phone Line
Serial connection to the controller
39. Tamper Monitoring?
Magnetic tamper switch inside enclosure
No active alerts
Can be bypassed by placing a magnet on the outside of the enclosure
42. So how do we target these controllers?
Physical Access
Local Programming
Serial port inside the controller
Internal Network Access
IP of Serial to TCP device
TCP Port 4660
External Network Access
IP of Serial to TCP device
TCP Port 4660 open to the internet
Diagram: the "Bad Guy" sends the password request 5AA5000A11013635343332319A71 to the serial-to-TCP device, internally at 192.168.0.32:4660 or over the internet at 74.12.x.x:4660, and receives 5AA50005110D024C23 back.
47. No Password Necessary
Authentication not enforced!
Send unauthenticated commands
Any commands will execute
May not get any confirmation data
Diagram: Hacker -> Raw Connection -> AE1000Plus Controller
48. Open Doors Remotely
Send one simple command: 5AA5000A1105010000080000E88D
Triggers a relay for 2 seconds thus opening a door or gate
Great for movie style scenes
Diagram: Hacker -> Raw Connection (5AA5000A1105010000080000E88D) -> AE1000Plus Controller -> Door 1: Access Granted
49. Lock Doors Open/Closed
Keeps Doors/Gates open or closed
Will not respond to user input (RFID cards, remotes, etc)
Persist until manually unlocked or rebooted
50. Delete Logs From The Controller
Controller keeps logs of events
Downloading logs deletes them from the controller
Hide evidence of entry or tampering
51. Change the Password
Upload configuration settings
Change password without needing the previous password
Normal functionality remains
Upload other configuration changes
52. Denial of Service
Fake database update will disable the controller until someone connects to it or it is rebooted
Overwrite device firmware
Lock relays to prevent access
55. Device Enumeration Techniques
Scan the network
Look for any COM port redirectors
Default port = TCP 4660
Send broadcast packet to UDP 55954
Devices will respond
Send a password request string to port 4660
5AA5000A11013635343332319A71
Diagram: UDP Broadcast -> Broadcast Response; Client sends 5AA5000A11013635343332319A71 to port 4660 and receives 5AA50004110C4625 (acknowledged) or 5AA50005110D024C23 (not acknowledged)
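The enumeration steps above describe exactly the traffic a defender can watch for. The following added example (not code from the talk or its tool) turns them into a simple detection pass over connection logs: any TCP session to the redirector port that does not come from the management PC, any such session from outside the management subnet, and any UDP broadcast to the discovery port. Addresses and ports are the ones on the slides (management PC 192.168.0.40, LAN 192.168.0.0/24, serial-to-TCP device 192.168.0.32, TCP 4660, UDP 55954); the log line format and the sample log lines are constructed for the example, and 203.0.113.9 is a documentation address standing in for an internet-side client.

```python
"""Flag connections to a Linear serial-to-TCP redirector that are not from the
management PC.  Added example; the log format and sample lines are constructed."""
import ipaddress
import re
from typing import Iterable, List, Optional, Tuple

MANAGEMENT_PC = ipaddress.ip_address("192.168.0.40")     # management PC on slide 23
MANAGEMENT_NET = ipaddress.ip_network("192.168.0.0/24")  # LAN on slide 23
REDIRECTOR_PORT = 4660   # default TCP port of the COM port redirector (slide 55)
DISCOVERY_PORT = 55954   # UDP broadcast port the devices answer on (slide 55)

# Constructed line format: "<timestamp> proto=<tcp|udp> src=<ip> dst=<ip> dport=<port>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) proto=(?P<proto>tcp|udp) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)


def classify(line: str) -> Optional[str]:
    """Return an alert text for one log line, or None when the line is expected traffic."""
    m = LINE_RE.match(line)
    if not m:
        return None  # unrelated or unparsable line
    src = ipaddress.ip_address(m["src"])
    dst = m["dst"]
    proto = m["proto"]
    dport = int(m["dport"])
    if proto == "udp" and dport == DISCOVERY_PORT:
        return "discovery broadcast to UDP 55954 (COM port redirector enumeration)"
    if proto == "tcp" and dport == REDIRECTOR_PORT:
        if src == MANAGEMENT_PC:
            return None  # the only host that should ever talk to the controller
        if src not in MANAGEMENT_NET:
            return f"TCP 4660 reached from outside the management network ({src} -> {dst})"
        return f"TCP 4660 client is not the management PC ({src} -> {dst})"
    return None


def scan_log(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (timestamp, alert) pairs for every line that needs attention."""
    alerts = []
    for line in lines:
        alert = classify(line)
        if alert:
            alerts.append((line.split(" ", 1)[0], alert))
    return alerts


# Constructed sample: one legitimate management session, one unexpected LAN client,
# one internet-side connection to a port-forwarded redirector, one discovery
# broadcast, and one unrelated web request that must not be flagged.
SAMPLE_LOG = [
    "2015-08-07T09:00:01 proto=tcp src=192.168.0.40 dst=192.168.0.32 dport=4660",
    "2015-08-07T09:05:12 proto=tcp src=192.168.0.77 dst=192.168.0.32 dport=4660",
    "2015-08-07T09:06:40 proto=tcp src=203.0.113.9 dst=192.168.0.32 dport=4660",
    "2015-08-07T09:07:03 proto=udp src=192.168.0.77 dst=192.168.0.255 dport=55954",
    "2015-08-07T09:08:00 proto=tcp src=192.168.0.77 dst=192.168.0.32 dport=80",
]

if __name__ == "__main__":
    for ts, alert in scan_log(SAMPLE_LOG):
        print(ts, alert)
```

Because the controller does not enforce its own authentication, a rule like this (or the equivalent firewall policy: only 192.168.0.40 may reach 192.168.0.32:4660) is the control that actually stands between the network and the relays; the third sample line is what a port-forwarded redirector looks like from the inside.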
57. Recommendations
Always change the default password
Change physical locks
Use a direct serial connection
If networked, utilize authentication
Resist opening the controller to the internet
58. Final Thoughts
Other vendors
Ongoing research
Tool – More work is needed
Tool located on https://github.com/linuz/Access-Control-Attack-Tool
It’s currently just a prototype
Continue updating it/take it out of “PoC mode”
Working on an Nmap script
Slides uploaded to SlideShare
www.slideshare.net/DennisMaldonado5
59. Questions?
If you have any questions, you can:
Twitter: @DennisMald
Find me here at DEFCON23
Email me at: dmaldonado@klcconsulting.net
Editor's Notes
Thank everyone for the opportunity to speak!
Passion for physical security and combining it with electronic aspects
Physical Access Control System
What they are
Use cases
Vendors
Talk about a specific vendor of access control, the architecture, and how it communicates
Attacks, local and remote
Demo and tools
Device enumeration
Recommendations
TALK ABOUT DEMO
Control a variety of devices
Selectively permit access to a protected resource or area.
Authenticate users in a variety of ways. Some solutions utilize only some of these methods
SHOW EXAMPLE: Use transmitters to open Doors 2-4
Talk about the use cases I have seen while going through pictures on the next few slides
Not limited to
DKS (Doorking) Model 1834, 1835, 1837
Elite EL2000, Elite Icon 26
Owned by Chamberlain – Sentex Infinity S, Infinity M, Infinity L
Owned by Chamberlain - EL1SS, EL2000
Linear AE1000, AE1000plus, AE2000plus, AM3plus controllers
Finally talk about what we will be focusing on
Linear 1000plus, 2000plus, AM3plus are all the same
2000plus offers a bigger screen and more buttons
AM3plus headless, no interface for users. Used for certain access situations (RFID only for example) or expansion of an existing system
Condominiums downtown (note the use of a keypad and RFID reader)
Gated communities
Commercial buildings
Elevator access on the left
On the right, room with locked controllers for access control, networked together
Access control controller (AM3plus) found in a bathroom.
HERE IS ANOTHER ONE I FOUND
Access control controller (AM3plus) found in a bathroom.
Smarter access control system
Controllers are the ae1000,2000,am3plus
Active phone line used for calling users or potentially managing the device in certain configurations
AM-SEK used to allow these devices to be managed on a conventional TCP/IP network or potentially remotely over the internet.
The managing computer will create a virtual serial port which will then connect to this serial-to-tcp device
The most common use case I have seen in the field
Network scan
Controller is connected to the serial-to-tcp interface which is then connected to the network. From there a computer on the local network can manage the controller using special software to interface with it.
Documentation encourages external internet access by forwarding ports to the serial-to-tcp/ip interface. No authentication required
--
So now that we understand how [this] is set up, let's talk about how a computer interfaces with the Linear Controller
Software used to connect to the controller
Requires a password to authenticate.
Talk about how to download
Putting in the password. Password is exactly 6 characters, numeric only.
Application attempts the password when connecting
Application will not do anything unless the correct password is put in
Example of managing users
PacketHeader is fixed, hard-coded
Minimum length of the data that will be sent
Maximum length of the data
Net Node which is the address of the controller relative to the other controllers on the network
Command (1-16) such as pull log, push firmware, query status, etc
Data itself. The data is the ASCII encoded values of each character which is then converted to hex and sent over the virtual serial connection
Check sum which is used to check the validity of the message. Calculated from the NetNode, command, and data values.
Find devices by scanning the network (nmap)
So now that we talked about the remote attacks, let's assume that these devices are not networked or are the versions that do not support networking.
AE-500 does not support networked configuration and is programmed locally from the keypad.
The AE-500 is used for much smaller installations
Default password, rarely ever changed from what I have seen in the field
Use key combination with the default password to backdoor the controller in under 10 seconds
Video of utilizing the default password on the keypad to create my own entry code
Commentate video while playing
At least all AE1000plus and AM3plus share the same key regardless of supplier
Obtain the key from the vendor, a supplier, or purchase them off eBay (enclosures)
You could also pick the lock if you are so inclined
Physical access to the inside of the controller will give you full access
Toggle relays to open doors or gates
Manually re-program some controllers or completely reset the controllers
Active phone line, find the phone number and use it to call the device. You may be able to program the device from the phone if you know the master password (default=123456)
Serial connection to the controller for attacks (raspberry pi to make it networked/backdoored)
Tamper switch used for monitoring when the enclosure is opened or closed
No active alerts, need to download the logs and view the logs for any tamper events
Can be rendered useless by placing a magnet at the right place
Video of bypassing magnetic tamper switch
Commentate video while playing
So now that we talked about physical access, let's talk about targeting these devices via the network or internet
Find devices by scanning the network (nmap)
Let's get into the fun stuff
Show the accessbase software and trying to log into it resulting in “Wrong Password” (Client password should be set to 123456 while controller should be set to 000051 or something else)
A password is “required” to configure the device. There is no rate limit or password lockout so you can just keep sending guesses in a typical bruteforce fashion. The speed is limited by the speed of the virtual serial connection
Exactly 1,000,000 combinations to test
Testing full keyspace would take about 114 hours which is about 4.75 days
Demo the brute force script. Finish talking BEFORE the attack is finished!
Show the access base software, logging into it and triggering relays
Demo downloading logs normally after bruteforcing password
Authentication is “required” but not enforced
You can send serial commands through the virtual serial connection which will be executed by the controller
Does not require a password or prior authentication
Most commands will not return any data if the user has not authenticated recently, however, they will still execute.
What can we do with this?
Trigger the controller’s relays!
Send one command and the specific relay will trigger for x number of seconds depending on configuration (2 by default)
Just like if someone was granted access normally using an entry code or RFID card for example
Logged as request to exit so it would be hard to detect this was done illegitimately after the fact
Scenario: Classic movie scenario where you have a team of jewelry thieves who enter the building after the hacker on the team, who is sitting in a van across the street, hacks into the access control network with his or her laptop and grants them access into the building
Lock relay state to either open or closed
Effectively locks doors, gates, or whatever to the open or closed state, making them unresponsive to valid users.
Keep a door open or keep it closed
Persists until manually unlocked or the controller is rebooted
The controller logs most things including access denied, access granted, controller enclosure is opened (tamper switch) device rebooted, and more
Every time the logs are downloaded from the controller into the application, the logs are deleted from the controller to save space.
Initiate a log download, and the logs are deleted from the controller!
Hides any evidence of entry or tampering with the controller
Upload configuration without authentication which can be used to change the password without needing the previous password
Controller continues to function normally
Can upload other changes such as entry codes or transmitters (backdoor)
Prevent people from using the controller
Lock relays to prevent access to doors or gates
Fake a database update which will effectively disable the controller until someone else authenticates to it or the device is rebooted
Overwrite the device's firmware to brick the device
Show entire tool in windows, including deleting logs
UDP broadcast is animated
Demo of DetectLinear tool
Always change the default password
Do not network these if you don’t have to (direct serial connection)
If you have to network this, utilize authentication everywhere (including the serial-to-tcp device)
Don’t open this to the internet
Change the lock to something more secure
Still working on my research. I do hope to cover more on this and other vendors as well. These issues are not limited to any one vendor
Need to finish the tool (make some fixes/updates)
Working on more security research that focuses on joining the physical and electronic space.