Using your seemingly secure biometric or contactless smart card to get into the building may be the equivalent of leaving the door wide open for an intruder.
A U.K. researcher built a homegrown device called Gecko, which intercepts a user's authentication entry data, letting an attacker steal or clone a user's entry credentials. Gecko, which is built with a Programmable Intelligent Computer (PIC) chip and circuits, targets the Wiegand protocols used by most readers to communicate with the access control systems.
"Wiegand [communicates the data] in plain text, so it's easily intercepted," says Zac Franken, who demonstrated the building system hack at Black Hat DC this year. Many readers can be easily cracked open merely by unscrewing their plastic cover plates, he notes.
Gecko -- which sits between the scanner and back-end access control system -- can capture, record, replay, and even disable the user's credentials after they scan their card through the reader. And that's just in its first version. Franken plans to add some additional features, such as storage in Flash memory for multiple IDs, a Bluetooth interface that can fool biometric scanners, and a GSM interface so the attacker can open the door to the building remotely.
Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message