Dark Reading, 7/23/2013

Getting Physical At Black Hat

Researchers offer up work on breaking into buildings by hacking alarm key pad sensors and key card access control systems

Work as a penetration tester for even a moderate amount of time and chances are you'll find that getting your hands on the digital goods requires physically getting your hands on a system or two. Discounting the outliers -- dressing up in disguise for a bold daytime incursion or simply taking advantage of miserably lacking physical security measures -- clever pen testers have to come up with high- and low-tech ways to get around building security. Next week at Black Hat USA, three security pros from consulting firm Bishop Fox will present two different talks on new methods they developed for getting around building alarm systems and RFID access card readers to gain discreet access inside targeted buildings.


"A lot of attackers are becoming bolder in their attacks, and physical security is one of the areas where companies might be lacking," says Drew Porter, a senior security analyst for consulting firm Bishop Fox. "They might have great digital defense, but on the physical side it can be lacking."

Porter, together with his colleague Stephen Smith, also a senior security analyst, will demonstrate how basic building alarm systems can be circumvented when they are not carefully installed. The duo will offer up a number of ways to get around security alarm systems -- most notable among them a means of hacking alarm system sensor keypads by building a rogue cellular base station to manipulate the signals meant to travel to and from the alarm company's data center.

The pair found that while many of the alarm systems in common use within homes and offices tout their dependency on two different cellular bands, in practice the most commonly used keypads associated with those systems do not support both. Similarly, keypads were typically designed around older 2G technology for reliability's sake rather than the more secure 3G or 4G communication. All of that made it easier for Porter and Smith to develop a simple cellular base station to wreak havoc.

"We found that they were using an older standard for cellular, which is extremely easy to intercept and to force onto our network," Porter says. "I was able to get a cellular base station up and going from scratch in about six hours and then start intercepting communications."

That interception made it possible for the pair not only to prevent the alarm from tipping off the monitoring staff at the alarm company's home base, but also to send a signal from the base station that would silence the alarm sounding on-site.
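The defensive counterpart of the interception described above is supervision at the monitoring center: noticing when a panel's periodic check-in stops arriving, even if no alarm ever gets through. The following is an added illustration, not code from the article or from Bishop Fox's research; the log format, panel names and check-in period are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample of monitoring-center records (not real alarm-company data):
# "<iso timestamp> <panel id> <event>". Every panel is expected to send a
# periodic supervision check-in ("TEST"); a panel whose cellular path has been
# hijacked simply goes quiet, so the absence of TEST is the signal to watch.
SAMPLE_LOG = """\
2013-07-23T00:00:00 PANEL-A TEST
2013-07-23T00:00:00 PANEL-B TEST
2013-07-23T01:00:00 PANEL-A TEST
2013-07-23T01:00:00 PANEL-B TEST
2013-07-23T03:00:00 PANEL-A TEST
2013-07-23T04:00:00 PANEL-A TEST
"""

CHECKIN_PERIOD = timedelta(hours=1)   # assumed supervision interval
GRACE = timedelta(minutes=10)         # tolerance for network jitter


def parse_events(text):
    """Turn the constructed log text into (timestamp, panel, event) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, panel, event = line.split()
            events.append((datetime.fromisoformat(ts), panel, event))
    return events


def find_silent_panels(events, now, period=CHECKIN_PERIOD, grace=GRACE):
    """Live view: {panel: last check-in} for panels overdue at time `now`."""
    last = {}
    for ts, panel, event in events:
        if event == "TEST":
            last[panel] = max(ts, last.get(panel, ts))
    return {p: t for p, t in last.items() if now - t > period + grace}


def find_checkin_gaps(events, period=CHECKIN_PERIOD, grace=GRACE):
    """Historical view: (panel, gap_start, gap_end) for each pair of consecutive
    check-ins from one panel that are further apart than period + grace."""
    by_panel = {}
    for ts, panel, event in events:
        if event == "TEST":
            by_panel.setdefault(panel, []).append(ts)
    gaps = []
    for panel in sorted(by_panel):
        times = sorted(by_panel[panel])
        for prev, cur in zip(times, times[1:]):
            if cur - prev > period + grace:
                gaps.append((panel, prev, cur))
    return gaps
```

In the sample, PANEL-B stops checking in after 01:00 and PANEL-A misses its 02:00 check-in; the first shows up as a silent panel, the second as a historical gap.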

In addition to this more dramatic development, Porter and Smith also discovered ways to circumvent alarm system sensors with methods like building infrared light "bombs" or even just holding up a piece of cardboard to fool motion detectors.

As experts who work frequently in physical security penetration testing, the pair found necessity to be the mother of invention when it came to their alarm research. The same could be said for an additional bit of hacking to be presented by Fran Brown, managing partner at Bishop Fox, who will take the wraps off a concealable hardware device that will make it easier for penetration testers like him to steal key card information, clone the cards, and gain entry to doors protected by RFID access control systems.

Brown says the research stemmed from a gig in which he was tasked with penetrating a SCADA system, which required entry into two specific buildings. As he researched the key card leeching tools already freely available, he found that their range was exceedingly limited.

"My goal was to walk by someone and steal their badge information without them noticing," he says. "But the handful of tools out there only have a couple centimeter range, which means you have to go up and essentially grab people's asses. That's not very practical, and you're going to get caught."

In spite of being a computer scientist with very little electrical engineering training, Brown put his shoulder into learning the finer arts of soldering and circuit board design to hack the same kind of key card reader used at parking garages -- designed with lots of proximity headroom so drivers don't have to get out of their cars -- and came up with a portable reader that can steal badge information, convert it to text files, and store it on a miniSD card. Brown used an Arduino prototyping board to weaponize commercial card readers and create an easily stashable device that works from up to three feet away.

He will not only demo the device at his talk, he's also giving away the ingredients to his secret recipe. Bishop Fox is giving away 100 copies of the custom PCB Brown developed to those in attendance at Black Hat and DefCon; those who miss out will also be able to download the schematics to manufacture their own PCBs, plus a parts list and instructions on how to build a lookalike.

Brown reports that the device not only worked for the gig he originally designed it for, it's now become a staple at his firm.

"We have done several pen tests since then, and it's worked like a charm," he says.

At his talk, Brown will also discuss countermeasures against methods like the one he will demo. These range from tactics as simple as requiring users to keep their badges in shielding envelopes to those as thorough as shortening the replacement life cycle of physical security hardware. According to HID Global, the maker of the access control systems Brown hacked, while there is newer technology immune to Brown's methods, the truth is that 70 to 80 percent of their customers still use the older, vulnerable hardware.

"The reality is that physical security products have a life cycle of 20 years," Brown says, explaining that organizations may need to rethink their physical security hardware priorities to protect their properties.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Comments

anon12,
User Rank: Apprentice
7/23/2013 | 4:13:31 PM
re: Getting Physical At Black Hat
This is just simply criminal behavior; why call breaking and entering "hacking"? This information is only useful for criminal purposes. Just like a lock, these systems only keep out honest people. WHY help those who hurt others?

They may as well just say "with a gun I can break into anyone's security"; no one is safe from that kind of thinking anyway. Your wireless security will not stop bullets and explosives.

Call it what it is: breaking the law.