
Getting Physical At Black Hat

Researchers offer up work on breaking into buildings by hacking alarm key pad sensors and key card access control systems

Work as a penetration tester for even a moderate amount of time and chances are that, in order to get your hands on the digital goods, you will find it takes physically getting your hands on a system or two. Discounting the outliers -- dressing up in disguise for a bold daytime incursion, or simply taking advantage of miserably lacking physical security -- clever pen testers have to come up with high- and low-tech ways to get around building security. Next week at Black Hat USA, three security pros from consulting firm Bishop Fox will present two talks on new methods they developed for getting around building alarm systems and RFID access card readers to gain discreet access to targeted buildings.


"A lot of attackers are becoming bolder in their attacks, and physical security is one of the areas where companies might be lacking," says Drew Porter, a senior security analyst for consulting firm Bishop Fox. "They might have great digital defense, but on the physical side it can be lacking."

Porter, together with his colleague Stephen Smith, also a senior security analyst, will demonstrate how basic building alarm systems can be circumvented when they are not carefully installed. The duo will offer up a number of ways to get around security alarm systems -- most notable among them a means of attacking the alarm keypads' cellular link by building a rogue cellular base station to intercept and manipulate the signals meant to go to and from the alarm company's data center.

The pair found that while many of the alarm systems in common use in homes and offices tout support for two different cellular bands, the most commonly used keypads associated with those systems do not live up to that claim. Similarly, the keypads were typically designed around older 2G technology for reliability's sake rather than the more secure 3G or 4G standards. All of that made it easier for Porter and Smith to build a simple cellular base station to wreak havoc.

"We found that they were using an older standard for cellular, which is extremely easy to intercept and to force onto our network," Porter says. "I was able to get a cellular base station up and going from scratch in about six hours and then start intercepting communications."

That interception made it possible for the pair not only to prevent the alarm from reporting back to the alarm company's monitoring center, but also to send a signal from the rogue base station that silenced the alarm sounding on-site.

In addition to this more dramatic development, Porter and Smith also found ways to defeat the alarm sensors themselves, with methods like infrared light "bombs" or even just holding up a piece of cardboard to fool motion detectors.

As experts who work frequently in physical security penetration testing, the pair found necessity to be the mother of invention in their alarm research. The same could be said for another bit of hacking to be presented by Fran Brown, managing partner at Bishop Fox, who will take the wraps off a concealable hardware device that makes it easier for penetration testers like him to steal key card information, clone the cards and gain entry through doors protected by RFID access control systems.

Brown says the research stemmed from an engagement in which he was tasked with penetrating a SCADA system, which required entry into two specific buildings. When he researched the key card skimming tools already freely available, he found that their range was exceedingly limited.

"My goal was to walk by someone and steal their badge information without them noticing," he says. "But the handful of tools out there only have a couple centimeter range, which means you have to go up and essentially grab people's asses. That's not very practical, and you're going to get caught."

Despite being a computer scientist with very little electrical engineering training, Brown put his shoulder into learning the finer arts of soldering and circuit board design. He took the same kind of key card reader used at parking garages -- designed with a long read range so drivers do not have to get out of their cars -- and turned it into a portable reader that steals badge information, converts it to text files and stores it on a miniSD card. Brown used an Arduino prototyping board to weaponize the commercial card readers and create an easily stashable device that works from up to three feet away.
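What the reader actually hands to the Arduino is worth seeing in code. The following is an added example, not the Bishop Fox device's firmware or any code from Brown's talk: it decodes and re-encodes the 26-bit Wiegand frame that HID Prox readers commonly emit on their DATA0/DATA1 lines, which is the "badge information" (facility code plus card number) a skimmer logs and a cloner replays. It assumes the readers are configured for the standard 26-bit format (many sites use other formats), and the sample frame below is constructed, not captured from any real site. The logic is plain C so it drops into an Arduino sketch unchanged.

```c
/* Added example (not Bishop Fox's code): 26-bit Wiegand decode/encode.
 * Frame layout (bit 0 first on the wire):
 *   bit 0      even parity over bits 1..12
 *   bits 1..8  facility code (8 bits)
 *   bits 9..24 card number (16 bits)
 *   bit 25     odd parity over bits 13..24
 * Assumption: the reader is set to this standard format. */
#include <stdio.h>
#include <string.h>

#define W26_LEN 26

/* Returns 0 on success, -1 on bad length/characters, -2 on parity failure. */
int wiegand26_decode(const char *bits, unsigned *facility, unsigned *card)
{
    int b[W26_LEN];
    if (strlen(bits) != W26_LEN) return -1;
    for (int i = 0; i < W26_LEN; i++) {
        if (bits[i] != '0' && bits[i] != '1') return -1;
        b[i] = bits[i] - '0';
    }
    int sum = 0;
    for (int i = 1; i <= 12; i++) sum += b[i];
    if ((sum & 1) != b[0]) return -2;            /* even parity */
    sum = 0;
    for (int i = 13; i <= 24; i++) sum += b[i];
    if (((sum & 1) ^ 1) != b[25]) return -2;     /* odd parity */

    unsigned fc = 0, cn = 0;
    for (int i = 1; i <= 8; i++)  fc = (fc << 1) | b[i];
    for (int i = 9; i <= 24; i++) cn = (cn << 1) | b[i];
    *facility = fc;
    *card = cn;
    return 0;
}

/* Validation only: the return code of wiegand26_decode for a captured frame,
 * useful for discarding glitchy reads before they are logged. */
int wiegand26_check(const char *bits)
{
    unsigned fc, cn;
    return wiegand26_decode(bits, &fc, &cn);
}

/* Builds the frame a cloner would replay for a facility/card pair.
 * out must hold W26_LEN + 1 bytes. Returns 0, or -1 if values do not fit. */
int wiegand26_encode(unsigned facility, unsigned card, char *out)
{
    int b[W26_LEN] = {0};
    if (facility > 0xFF || card > 0xFFFF) return -1;
    for (int i = 0; i < 8; i++)  b[1 + i] = (facility >> (7 - i)) & 1;
    for (int i = 0; i < 16; i++) b[9 + i] = (card >> (15 - i)) & 1;
    int sum = 0;
    for (int i = 1; i <= 12; i++) sum += b[i];
    b[0] = sum & 1;                              /* even parity */
    sum = 0;
    for (int i = 13; i <= 24; i++) sum += b[i];
    b[25] = (sum & 1) ^ 1;                       /* odd parity */
    for (int i = 0; i < W26_LEN; i++) out[i] = '0' + b[i];
    out[W26_LEN] = '\0';
    return 0;
}

/* Returns 1 if encode followed by decode reproduces the inputs, else 0. */
int wiegand26_roundtrip(unsigned facility, unsigned card)
{
    char frame[W26_LEN + 1];
    unsigned fc, cn;
    if (wiegand26_encode(facility, card, frame) != 0) return 0;
    if (wiegand26_decode(frame, &fc, &cn) != 0) return 0;
    return fc == facility && cn == card;
}

int main(void)
{
    /* Constructed sample: facility code 42, card number 12345. */
    char frame[W26_LEN + 1];
    unsigned fc, cn;
    wiegand26_encode(42, 12345, frame);
    if (wiegand26_decode(frame, &fc, &cn) == 0)
        printf("W26 fc=%u card=%u bits=%s\n", fc, cn, frame);
    /* Flip one payload bit: the parity check rejects the corrupted capture. */
    frame[10] ^= 1;
    printf("corrupted frame -> rc=%d\n", wiegand26_check(frame));
    return 0;
}
```

The point a defender should take from this is that the frame carries nothing but a cleartext identifier and two parity bits: a reader cannot tell a replayed frame from a genuine badge, which is why the countermeasures discussed later are shielding and hardware replacement rather than a firmware fix.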

He will not only demo the device at his talk, he is also giving away the ingredients to his secret recipe. Bishop Fox is giving away 100 copies of the custom PCB Brown developed to those in attendance at Black Hat and DefCon; those who miss out will be able to download the schematics to manufacture their own PCBs, plus a parts list and instructions on how to build a lookalike.

Brown reports that the device not only worked for the gig he originally designed it for, it's now become a staple at his firm.

"We have done several pen tests since then, and it's worked like a charm," he says.

At his talk, Brown will also discuss countermeasures against methods like the one he will demo. These range from tactics as simple as requiring users to keep their badges in shielding envelopes, to measures as thorough as replacing physical security hardware well before the end of its customary life cycle. According to HID Global, the maker of the access control systems Brown hacked, newer technology immune to Brown's method exists, but 70 to 80 percent of its customers still use the older, vulnerable hardware.

"The reality is that physical security products have a life cycle of 20 years," Brown says, explaining that organizations may need to rethink their physical security hardware priorities to protect their properties.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

7/23/2013 | 4:13:31 PM
re: Getting Physical At Black Hat
This is just simply criminal behavior; why call breaking and entering "hacking"? This information is only useful for criminal purposes. Just like a lock, these systems only keep out honest people. WHY help those who hurt others?

They may as well just say "with a gun I can break into anyone's security" no one is safe from that kind of thinking anyway. Your wireless security will not stop bullets and explosives.

Call it what it is - Breaking the law.