Getting Physical At Black Hat
Researchers offer up work on breaking into buildings by hacking alarm key pad sensors and key card access control systems
Work as a penetration tester for even a moderate amount of time and chances are that in order to get your hands on the digital goods, you'll find it takes actually physically getting your hands on a system or two. Discounting the outliers -- dressing up in disguise for a bold daytime incursion or simply taking advantage of miserably lacking physical security measures -- clever pen testers have to come up with high- and low-tech ways to get around building security. Next week at Black Hat USA, three security pros from consulting firm Bishop Fox will present two different talks on new methods they developed for getting around building alarm systems and RFID access card readers to gain discrete access inside targeted buildings.
|Click here for more of Dark Reading's Black Hat articles.|
More Security Insights
- The 12 Critical Questions You Need To Ask When Choosing an AD Bridge Solution
- A New Set of Network Security Challenges
"A lot of attackers are becoming bolder in their attacks, and physical security is one of the areas where companies might be lacking," says Drew Porter a senior security analyst for consulting firm Bishop Fox. "They might have great digital defense, but on the physical side it can be lacking."
Porter, together with his colleague Stephen Smith, also a senior security analyst, will demonstrate how basic building alarm systems can be maneuvered around without careful installation. The duo will offer up a number of ways to circumvent security alarm systems -- most notable among them a means of hacking alarm system sensor keypads by building a rogue cellular base station to manipulate signals meant to go to and from the alarm company data center.
The pair found that while many of the alarm systems in common use within homes and offices tout their dependency on two different cellular bands, the truth is that the most commonly used keypads associated with those systems only support those systems. Similarly, keypads were typically designed around older 2G technology for a reliability sake rather than going with more secure 4G or 3G communication. All of that made it easier for Porter and Smith to develop a simple cellular base station to wreak havoc.
"We found that they were using an older standard for cellular, which is extremely easy to intercept and to force onto our network," Porter says. "I was able to get a cellular base station up and going from scratch in about six hours and then start intercepting communications."
That interception made it possible for the pair to not only prevent the alarm from tipping off the authorities at the company's home base, but to also send a signal from the base station that would silence the alarm sound going off on-site.
In addition to this more dramatic development, Porter and Smith also discovered ways to circumvent alarm system sensors with methods like developing infrared light "bombs" or even just holding up a piece of cardboard up to fool motion detectors.
As experts who work frequently in physical security penetration testing, the pair found necessity to be the mother of invention when it came to their alarm research. The same could be said for an additional bit of hacking to be presented by Fran Brown, managing partner at Bishop Fox, who will take the wraps off of a concealable hardware device that will make it easier for penetration testers like him to steal key card information in order to clone them and gain entry to doors protected by RFID access control systems.
Brown says the research stemmed from a gig he was tasked with to penetrate a SCADA system, which required entry into two specific buildings. As he did research into key card leeching tools already freely available, he found that their range was exceedingly limited.
"My goal was to walk by someone and steal their badge information without them noticing," he says. "But the handful of tools out there only have a couple centimeter range, which means you have to go up and essentially grab people's asses. That's not very practical, and you're going to get caught."
In spite of being a computer scientist with very little electrical engineering training, Brown put his shoulder into learning the finer arts of soldering and circuit board design to hack the same kind of keycard reader used at garages -- designed with lots of proximity head space so drivers don't have to get out of their cars -- to come up with a portable reader that can steal badge information, convert it to text files, and store it on a miniSD card. Brown used an Arduino prototyping board to weaponize commercial card readers and create an easily stashable device that works up to three feet away.
He will not only only demo the device at his talk, he's also giving away the ingredients to his secret recipe. Bishop Fox is giving away 100 copies of the custom PCB Brown developed to those in attendance at Black Hat and DefCon; those who miss out will also be able to download the schematics to manufacture their own PCBs, plus a parts list and instructions on how to build a lookalike.
Brown reports that the device not only worked for the gig he originally designed it for, it's now become a staple at his firm.
"We have done several pen tests since them, and it's worked like a charm," he says.
At his talk, Brown will also discuss countermeasures against methods like the one he will demo. This can include tactics as simple as requiring users to use shielding envelopes around their badges, to those as thorough as upping the lifec ycle of physical security hardware. According to HID Global, the maker of the access control systems Brown hacked, while there is newer technology immune to Brown's methods, the truth is that 70 to 80 percent of their customers still use the older vulnerable hardware.
"The reality is that physical security products have a life cycle of 20 years," Brown says, explaining that organizations may need to rethink their physical security hardware priorities to protect their properties.
Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.