Getting Physical At Black Hat

Researchers offer up work on breaking into buildings by hacking alarm keypad sensors and key card access control systems

Work as a penetration tester for even a moderate amount of time and chances are that, in order to get your hands on the digital goods, you'll find it takes physically getting your hands on a system or two. Discounting the outliers -- dressing up in disguise for a bold daytime incursion or simply taking advantage of miserably lacking physical security measures -- clever pen testers have to come up with high- and low-tech ways to get around building security. Next week at Black Hat USA, three security pros from consulting firm Bishop Fox will present two different talks on new methods they developed for getting around building alarm systems and RFID access card readers to gain discreet access inside targeted buildings.


"A lot of attackers are becoming bolder in their attacks, and physical security is one of the areas where companies might be lacking," says Drew Porter, a senior security analyst for consulting firm Bishop Fox. "They might have great digital defense, but on the physical side it can be lacking."

Porter, together with his colleague Stephen Smith, also a senior security analyst, will demonstrate how basic building alarm systems can be circumvented when they are not carefully installed. The duo will offer up a number of ways to get around security alarm systems -- most notable among them a means of hacking alarm system sensor keypads by building a rogue cellular base station to manipulate the signals meant to travel between the keypad and the alarm company's data center.

The pair found that while many of the alarm systems in common use within homes and offices tout their support for two different cellular bands, the truth is that the most commonly used keypads associated with those systems do not actually support both. Similarly, keypads were typically designed around older 2G technology for reliability's sake rather than the more secure 3G or 4G communication. All of that made it easier for Porter and Smith to develop a simple cellular base station to wreak havoc.

"We found that they were using an older standard for cellular, which is extremely easy to intercept and to force onto our network," Porter says. "I was able to get a cellular base station up and going from scratch in about six hours and then start intercepting communications."

That interception made it possible for the pair not only to prevent the alarm from alerting the alarm company's data center, but also to send a signal from the base station that would silence the alarm sounding on-site.

In addition to this more dramatic development, Porter and Smith also discovered ways to circumvent alarm system sensors with methods like building infrared light "bombs" or even just holding up a piece of cardboard to fool motion detectors.

As experts who work frequently in physical security penetration testing, the pair found necessity to be the mother of invention when it came to their alarm research. The same could be said for an additional bit of hacking to be presented by Fran Brown, managing partner at Bishop Fox, who will take the wraps off a concealable hardware device that will make it easier for penetration testers like him to capture key card information in order to clone the cards and gain entry to doors protected by RFID access control systems.

Brown says the research stemmed from an engagement in which he was tasked with penetrating a SCADA system, which required entry into two specific buildings. As he researched the key card leeching tools already freely available, he found that their range was exceedingly limited.

"My goal was to walk by someone and steal their badge information without them noticing," he says. "But the handful of tools out there only have a couple centimeter range, which means you have to go up and essentially grab people's asses. That's not very practical, and you're going to get caught."

In spite of being a computer scientist with very little electrical engineering training, Brown put his shoulder into learning the finer arts of soldering and circuit board design. He hacked the same kind of key card reader used at parking garages -- designed with lots of proximity headroom so drivers don't have to get out of their cars -- to come up with a portable reader that can capture badge information, convert it to text files, and store it on a miniSD card. Brown used an Arduino prototyping board to weaponize commercial card readers and create an easily stashable device that works from up to three feet away.

He will not only demo the device at his talk, he's also giving away the ingredients to his secret recipe. Bishop Fox is giving away 100 copies of the custom PCB Brown developed to those in attendance at Black Hat and DefCon; those who miss out will also be able to download the schematics to manufacture their own PCBs, plus a parts list and instructions on how to build a lookalike.

Brown reports that the device not only worked for the gig he originally designed it for, it's now become a staple at his firm.

"We have done several pen tests since then, and it's worked like a charm," he says.

At his talk, Brown will also discuss countermeasures against methods like the one he will demo. These range from tactics as simple as requiring users to keep their badges in shielding envelopes to ones as thorough as shortening the life cycle of physical security hardware. According to HID Global, the maker of the access control systems Brown hacked, while there is newer technology immune to Brown's methods, the truth is that 70 to 80 percent of their customers still use the older, vulnerable hardware.

"The reality is that physical security products have a life cycle of 20 years," Brown says, explaining that organizations may need to rethink their physical security hardware priorities to protect their properties.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

7/23/2013 | 4:13:31 PM
re: Getting Physical At Black Hat
This is just simply criminal behavior; why call breaking and entering "hacking"? This information is only useful for criminal purposes. Just like a lock, these systems only keep out honest people. WHY help those who hurt others?

They may as well just say "with a gun I can break into anyone's security." No one is safe from that kind of thinking anyway. Your wireless security will not stop bullets and explosives.

Call it what it is: breaking the law.