12:50 AM
Connect Directly

Getting Physical At Black Hat

Researchers offer up work on breaking into buildings by hacking alarm key pad sensors and key card access control systems

Work as a penetration tester for even a moderate amount of time and chances are that in order to get your hands on the digital goods, you'll find it takes actually physically getting your hands on a system or two. Discounting the outliers -- dressing up in disguise for a bold daytime incursion or simply taking advantage of miserably lacking physical security measures -- clever pen testers have to come up with high- and low-tech ways to get around building security. Next week at Black Hat USA, three security pros from consulting firm Bishop Fox will present two different talks on new methods they developed for getting around building alarm systems and RFID access card readers to gain discrete access inside targeted buildings.

Click here for more of Dark Reading's Black Hat articles.

"A lot of attackers are becoming bolder in their attacks, and physical security is one of the areas where companies might be lacking," says Drew Porter a senior security analyst for consulting firm Bishop Fox. "They might have great digital defense, but on the physical side it can be lacking."

Porter, together with his colleague Stephen Smith, also a senior security analyst, will demonstrate how basic building alarm systems can be maneuvered around without careful installation. The duo will offer up a number of ways to circumvent security alarm systems -- most notable among them a means of hacking alarm system sensor keypads by building a rogue cellular base station to manipulate signals meant to go to and from the alarm company data center.

The pair found that while many of the alarm systems in common use within homes and offices tout their dependency on two different cellular bands, the truth is that the most commonly used keypads associated with those systems only support those systems. Similarly, keypads were typically designed around older 2G technology for a reliability sake rather than going with more secure 4G or 3G communication. All of that made it easier for Porter and Smith to develop a simple cellular base station to wreak havoc.

"We found that they were using an older standard for cellular, which is extremely easy to intercept and to force onto our network," Porter says. "I was able to get a cellular base station up and going from scratch in about six hours and then start intercepting communications."

That interception made it possible for the pair to not only prevent the alarm from tipping off the authorities at the company's home base, but to also send a signal from the base station that would silence the alarm sound going off on-site.

In addition to this more dramatic development, Porter and Smith also discovered ways to circumvent alarm system sensors with methods like developing infrared light "bombs" or even just holding up a piece of cardboard up to fool motion detectors.

As experts who work frequently in physical security penetration testing, the pair found necessity to be the mother of invention when it came to their alarm research. The same could be said for an additional bit of hacking to be presented by Fran Brown, managing partner at Bishop Fox, who will take the wraps off of a concealable hardware device that will make it easier for penetration testers like him to steal key card information in order to clone them and gain entry to doors protected by RFID access control systems.

Brown says the research stemmed from a gig he was tasked with to penetrate a SCADA system, which required entry into two specific buildings. As he did research into key card leeching tools already freely available, he found that their range was exceedingly limited.

"My goal was to walk by someone and steal their badge information without them noticing," he says. "But the handful of tools out there only have a couple centimeter range, which means you have to go up and essentially grab people's asses. That's not very practical, and you're going to get caught."

In spite of being a computer scientist with very little electrical engineering training, Brown put his shoulder into learning the finer arts of soldering and circuit board design to hack the same kind of keycard reader used at garages -- designed with lots of proximity head space so drivers don't have to get out of their cars -- to come up with a portable reader that can steal badge information, convert it to text files, and store it on a miniSD card. Brown used an Arduino prototyping board to weaponize commercial card readers and create an easily stashable device that works up to three feet away.

He will not only only demo the device at his talk, he's also giving away the ingredients to his secret recipe. Bishop Fox is giving away 100 copies of the custom PCB Brown developed to those in attendance at Black Hat and DefCon; those who miss out will also be able to download the schematics to manufacture their own PCBs, plus a parts list and instructions on how to build a lookalike.

Brown reports that the device not only worked for the gig he originally designed it for, it's now become a staple at his firm.

"We have done several pen tests since them, and it's worked like a charm," he says.

At his talk, Brown will also discuss countermeasures against methods like the one he will demo. This can include tactics as simple as requiring users to use shielding envelopes around their badges, to those as thorough as upping the lifec ycle of physical security hardware. According to HID Global, the maker of the access control systems Brown hacked, while there is newer technology immune to Brown's methods, the truth is that 70 to 80 percent of their customers still use the older vulnerable hardware.

"The reality is that physical security products have a life cycle of 20 years," Brown says, explaining that organizations may need to rethink their physical security hardware priorities to protect their properties.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
7/23/2013 | 4:13:31 PM
re: Getting Physical At Black Hat
This is just simply criminal behavior, why call breaking and entering "hacking". This information is only useful for criminal purposes. Just like a lock, these systems only keep out honest people. WHY help those who hurt others?

They may as well just say "with a gun I can break into anyone's security" no one is safe from that kind of thinking anyway. Your wireless security will not stop bullets and explosives.

Call it what it is - Breaking the law.
Register for Dark Reading Newsletters
White Papers
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2015-07-04
The D2CenterstageService.getComments service method in EMC Documentum D2 4.1 and 4.2 before 4.2 P16 and 4.5 before P03 allows remote authenticated users to conduct Documentum Query Language (DQL) injection attacks and bypass intended read-access restrictions via unspecified vectors.

Published: 2015-07-04
The D2DownloadService.getDownloadUrls service method in EMC Documentum D2 4.1 and 4.2 before 4.2 P16 and 4.5 before P03 allows remote authenticated users to conduct Documentum Query Language (DQL) injection attacks and bypass intended read-access restrictions via unspecified vectors.

Published: 2015-07-04
Multiple cross-site scripting (XSS) vulnerabilities in EMC Documentum WebTop 6.7SP1 before P31, 6.7SP2 before P23, and 6.8 before P01; Documentum Administrator 6.7SP1 before P31, 6.7SP2 before P23, 7.0 before P18, 7.1 before P15, and 7.2 before P01; Documentum Digital Assets Manager 6.5SP6 before P2...

Published: 2015-07-04
Multiple cross-site scripting (XSS) vulnerabilities in IBM Tivoli Federated Identity Manager (TFIM) 6.2.0 before FP17, 6.2.1 before FP9, and 6.2.2 before FP15, as used in Security Access Manager for Mobile and other products, allow remote attackers to inject arbitrary web script or HTML via a crafte...

Published: 2015-07-04
Platform Software before 4.4.5 in Cisco Unified Communications Domain Manager (CDM) 8.x has a hardcoded password for a privileged account, which allows remote attackers to obtain root access by leveraging knowledge of this password and entering it in an SSH session, aka Bug ID CSCuq45546.

Dark Reading Radio
Archived Dark Reading Radio
Marc Spitler, co-author of the Verizon DBIR will share some of the lesser-known but most intriguing tidbits from the massive report