Valerie Thomas - All Your Door Belong to Me - Attacking Physical Access Systems
1. All Your Door Belong To Me – Attacking Physical Access Systems
VALERIE THOMAS, EXECUTIVE SECURITY CONSULTANT, @HACKTRESS09

2. Introduction
• Executive Security Consultant for Securicon
• 10+ years in Information Security
• Coauthor of Building A Security Awareness Program
• Social Engineering trainer
• Physical access “enthusiast”

3. Agenda
• Why this talk?
• Topology of a physical access system (PACS)
• Why PACS deployments are insecure
• Attack surfaces and exploits
• Putting it all together for complete takeover

4. What Is A Physical Access System?
A Physical Access System (PACS) consists of several components working together to ensure that access is granted or denied to a controlled area when appropriate.

5. Why Physical Access Systems?

6. PACS Components
• Access control point
  • Door
  • Gate
  • Turnstile
• Credential Reader
• Credential
  • Access card
  • Electronic fob
  • Personal identification number (PIN)
  • Biometric

7. Access Cards
Low frequency
• 125 kHz
• Small amount of data
• Unencrypted
High frequency
• 13.56 MHz
• Large amount of data
• Sometimes encrypted

8. Access Cards

9. PACS components
• Access control panel
  • Decodes binary data
  • Compares card data to an access list, then grants or denies entry

10. PACS components
• Access control server
  • Software provided by manufacturer
  • Usually a Windows server
  • Maintains card records
  • Maintains access groups
  • Card format details
  • Event monitoring
• Door components
  • Electric strike
  • Door contact
  • Request to exit (RTE)

11. How credentials are read
https://media.blackhat.com/us-13/US-13-Brown-RFID-Hacking-Live-Free-or-RFID-Hard-Slides.pdf
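Slides 9 and 11 describe the panel decoding the reader's binary data and comparing it with an access list, and slide 22 notes that long-range readers can misread custom card formats. The panel-side decoder below is an added example, not code from the talk: it assumes the common 26-bit Wiegand layout (leading even parity over the first 12 data bits, 8-bit facility code, 16-bit card number, trailing odd parity over the last 12 data bits) and uses constructed sample frames; a frame whose parity does not check is refused before it ever reaches the access-list comparison.

```python
"""Panel-side decoding and validation of a 26-bit Wiegand read.

Added example, not from the talk. Assumes the common 26-bit layout:
bit 0 = even parity over bits 1-12, bits 1-8 = facility code,
bits 9-24 = card number, bit 25 = odd parity over bits 13-24.
Frames are '0'/'1' strings in transmission order (constructed data).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Credential:
    facility_code: int
    card_number: int


def decode_wiegand26(bits: str) -> Credential:
    """Decode one frame; raise ValueError on a malformed or misread frame."""
    if len(bits) != 26 or set(bits) - {"0", "1"}:
        raise ValueError("not a 26-bit frame")
    b = [int(c) for c in bits]
    # Leading parity bit plus bits 1..12 must sum to an even number.
    if sum(b[0:13]) % 2 != 0:
        raise ValueError("even parity check failed")
    # Bits 13..24 plus the trailing parity bit must sum to an odd number.
    if sum(b[13:26]) % 2 != 1:
        raise ValueError("odd parity check failed")
    return Credential(int(bits[1:9], 2), int(bits[9:25], 2))


def encode_wiegand26(facility: int, card: int) -> str:
    """Build a frame with correct parity (used here to construct samples)."""
    payload = f"{facility:08b}{card:016b}"
    even = str(sum(int(c) for c in payload[:12]) % 2)
    odd = str(1 - sum(int(c) for c in payload[12:]) % 2)
    return even + payload + odd


def panel_decision(bits: str, access_list: set) -> str:
    """Mimic the panel: validate and decode, then compare with the access list."""
    try:
        cred = decode_wiegand26(bits)
    except ValueError as exc:
        return f"deny: {exc}"  # a misread or a custom format never becomes a grant
    return "grant" if cred in access_list else "deny: unknown credential"


if __name__ == "__main__":
    acl = {Credential(1, 123)}  # constructed access list
    good = encode_wiegand26(1, 123)
    flipped = good[:10] + ("1" if good[10] == "0" else "0") + good[11:]
    print(good, panel_decision(good, acl))
    print(flipped, panel_decision(flipped, acl))
```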
12. https://en.wikipedia.org/?title=Access_control#/media/File:Access_control_door_wiring.png

13. https://en.wikipedia.org/?title=Access_control#/media/File:Access_control_topologies_main_controller_a.png

14. The Split Personality of Security
Computer Security
• Protects valuable assets
• Typically reports to Technology or Financial Officers
• “You must be really smart”
• Controls designed and implemented by network security professionals
Physical Security
• Protects valuable assets
• Typically reports to Administration or Facilities Organization
• “You’ll get a better job someday”
• Controls designed and implemented by electrical contractors

15. Why PACS deployments are insecure
• The gap between physical and cyber security is closing
• The physical security industry is ~15 years behind IT
• No security maturity model
• Vendors implement features without security testing
• Heavily reliant on IT but lack understanding
• Often deployed and forgotten

16. Why PACS deployments are insecure: HID iClass
• The card and reader perform mutual authentication using a 64-bit encryption key
• This key is programmed into the reader at manufacture
• Don’t worry - It’s encrypted!

17. https://www.blackhat.com/docs/us-15/materials/us-15-Evenchick-Breaking-Access-Controls-With-BLEKey-wp.pdf

18. Why PACS deployments are insecure: Physical security culture
• Majority are former military/defense
• Lack technical understanding of PACS
• Unaccustomed to patching/addressing vulnerabilities
• Vendor loyal
• Resistant to change

19. Attack surfaces and exploits
• Access cards
• Readers
• Request to exit devices
• Access control panel
• Access control server
• Workstations

20. Access card attacks

21. Access card attacks - Long Range
• Weaponized long range reader (read & record)
• Does not clone/write
• Read distance is ~2 ft
• Available for
  • Proximity
  • iClass (Standard Security)
  • Indala

22. Access card attacks - Long Range
PROS
• Improved read range
• Stores hundreds of card reads
• No interaction required – just power on
CONS
• Expensive =(
• Can misread custom card formats

23. Design 1 – Tastic RFID Thief

24. Tastic RFID Thief Output File

25. Tastic RFID Thief
Parts list and design details: http://www.bishopfox.com/resources/tools/rfid-hacking/attack-tools/

26. Design 2 - RavenHID

27. RavenHID
• BLE Mini Add-on (http://redbearlab.com)
• Parts list and design details: https://github.com/emperorcow/ravenhid

28. Long Range Power
Must have 12V output

29. Access card attacks – low tech
Most vendors print the card number ON THE CARD

30. Access card attacks – low tech
And on the box

31. Reader attacks - BLEKey
• Inserted in-line with the reader
• Records card data and sends via Bluetooth
• Replays data
• Reader DoS

32. Reader attacks - BLEKey
Blackhat presentation: https://www.blackhat.com/docs/us-15/materials/us-15-Evenchick-Breaking-Access-Controls-With-BLEKey.pdf
Parts list and software: https://github.com/linklayer/BLEKey

33. Request to exit device attacks

34. Access control panel attacks
• Remember how important door controllers are?
• Medium to large environments will have multiple door controllers
• These controllers are usually reachable from the general address pool
• Often have very useful data

35. Hunting Door Controllers
• Many controllers have features to simplify configuration
  • Embedded web servers
  • FTP
  • SNMP
• Access is generally open or protected with a weak default password
• Many allow anonymous FTP

36. Hunting Door Controllers
Keep in mind…
• These devices can be very fragile – heavy scanning is not recommended
• Many of the web interfaces will only work in IE
• Don’t change any settings

37. Hunting Door Controllers
Ports to look for
• TCP 21
• TCP 23
• TCP 80
• UDP 161
• TCP 9999
Keywords in DNS/Nessus scans
• Tyco
• iStar
• Matrix
• Lenel

38. What Can Controllers Tell Us?
• Card numbers and access log
• Areas they control
• IPs of other controllers
• IPs of the access server
• Passwords!

39. Web Interface

40. Web Interface

41. Web Interface

42. Web Interface

43. VertX
https://github.com/brad-anton/VertX

44. Hunting Access Servers
• Usually not as obvious as controllers
• Majority are Windows Servers
• Can often obtain the IP from a controller
• DNS search is a fairly reliable method

45. Hunting Access Servers
DNS/Nessus Keywords
• CCURE/C-CURE/C*CURE
• OnGuard
• AccessControl
• FacilityCommander
• Additional keywords at http://www.capterra.com/physical-security-software/
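Slides 34 to 38 and 44 to 45 give the ports and vendor keywords that identify door controllers and access servers, and slide 34 points out that they usually sit in the general address pool. The inventory pass below is an added example, not the talk's tooling: it applies those same indicators to a scan/DNS export so a defender can find PACS hosts in their own estate and move them behind segmentation and non-default credentials. The Host record format and sample hosts are constructed, and the rule that a host is flagged on tcp/9999 alone or on three of the listed ports is an assumption.

```python
"""Flag likely PACS controllers and access servers in an inventory export.

Added example, not from the talk. Port list and vendor keywords come from
the slides; the Host record format, the sample data, and the flagging
threshold (tcp/9999 alone, or three of the listed ports) are assumptions.
"""
import re
from dataclasses import dataclass, field

# Vendor/product names the slides list for DNS or Nessus keyword searches.
# 'matrix' is a broad word, so name hits still deserve a manual look.
PACS_NAME_RE = re.compile(
    r"tyco|istar|matrix|lenel|c[-*]?cure|onguard|accesscontrol|facilitycommander",
    re.IGNORECASE,
)
# Ports the slides list as typical of door controllers.
CONTROLLER_PORTS = {("tcp", 21), ("tcp", 23), ("tcp", 80), ("udp", 161), ("tcp", 9999)}


@dataclass
class Host:
    name: str
    addr: str
    ports: set = field(default_factory=set)  # {(proto, port), ...}


def pacs_indicators(host: Host) -> list:
    """Return the reasons a host looks like PACS equipment (empty if none)."""
    reasons = []
    match = PACS_NAME_RE.search(host.name)
    if match:
        reasons.append(f"name contains '{match.group(0)}'")
    hits = host.ports & CONTROLLER_PORTS
    # Assumed threshold: tcp/9999 is distinctive on its own; otherwise 3+ hits.
    if ("tcp", 9999) in hits or len(hits) >= 3:
        listed = ", ".join(f"{proto}/{port}" for proto, port in sorted(hits))
        reasons.append(f"controller port profile ({listed})")
    return reasons


def flag_pacs_hosts(hosts) -> dict:
    """Map address -> reasons for every host with at least one indicator."""
    return {h.addr: r for h in hosts if (r := pacs_indicators(h))}


# Constructed sample inventory (not real hosts).
SAMPLE_HOSTS = [
    Host("lenel-panel-01.corp.example", "10.0.5.21", {("tcp", 80), ("udp", 161)}),
    Host("ctrl-07.corp.example", "10.0.5.33", {("tcp", 21), ("tcp", 80), ("tcp", 9999)}),
    Host("print-srv.corp.example", "10.0.7.2", {("tcp", 80), ("tcp", 9100)}),
    Host("ccure-app.corp.example", "10.0.9.10", {("tcp", 443)}),
]

if __name__ == "__main__":
    for addr, reasons in flag_pacs_hosts(SAMPLE_HOSTS).items():
        print(addr, "->", "; ".join(reasons))
```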
46. Other PACS Resources
PACS information and card data can be found in other areas of the network
• SharePoint
• Email
• Document shares (usually in null session)
• Guard workstations

47. Putting it all together
• Long range reader to collect card data
• Programmed duplicate cards and created fake employee card
• Observed security guard daily activity

48. Putting it all together
• Placed hardware keyloggers
• Captured credentials and other useful data
• Gained access to access server
• Produced duplicate cards for employees with the most access

49. Putting it all together

50. Putting it all together

51. Game Over

52. Long road ahead
• Physical security has a lot of catching up to do
• Will require huge culture shift
• Many of the misconfigurations discussed are preventable
• PACS security checklist (in progress)

53. Valerie.Thomas@securicon.com
@hacktress09