John and I talk about facility Access Control systems and some of the vulnerabilities!
Andy Terrell:
Okay, let's get this thing started. Good morning, everybody. Happy Friday, and hope your working from home is smoothly happening and there's some sort of normalcy in your life. Although I must say I'm enjoying traffic lately, but I'm also enjoying this whole working from home thing. It's awesome.
John Miears:
It's pretty nice.
Andy Terrell:
So, yeah. So we're going to talk about some access control vulnerabilities today. Normally, we will be doing this in the office at the conference table, but obviously social distancing and all that fun stuff, we're doing it via Zoom. So-
John Miears:
Probably the only people doing that right now, too.
Andy Terrell:
Yeah. Yeah. We're-
John Miears:
Probably.
Andy Terrell:
But, hey. So hey, leave a message in the comments below on how your meetings are going and what tools you're using to make those better. So anyways, I'm going to turn this over to John and he's going to start walking through vulnerabilities of the access control systems. John?
John Miears:
Hey, everybody. I want to get my screen pulled up here. Excellent. So access control vulnerabilities. Okay. Access control. What vulnerabilities are out there? Do they affect me? How easy is this to pull off?
John Miears:
We're going to be going over old card and reader technologies and backwards compatible technologies. The main question I want you to keep in the back of your mind is, "What does it cost to purchase keys to your facility? Are they for sale? Are they for sale and you don't know they're for sale?" Most people probably don't like the idea of anyone being able to buy keys to their facility. And we're going to come back to that.
John Miears:
And an access control system, your card, it just has a number on it. It gives that number to the reader and that reader gives the number to the panel. The whole system is just looking at that number to see whether or not it should open the door for you. For us, that means if we want to trick your system into letting us in, we just need to get that number to the panel and we're in.
John Miears:
Your standard PROX card that 44% of facilities are still using, I've got some notes on it here. Came out in 1995. It's old enough to drink a beer. There's no encryption on it. Everything's just plain text. You can buy a copying device on Amazon. And like I said, 44% of access control systems still use this.
John Miears:
Here's a screenshot of these devices on Amazon. There's nothing fancy about it. They range 29 to, I think, 100 dollars. So if you use PROX, that's what it costs for a key into your facility.
John Miears:
Here's a demo. Not my sharing. We have one of these devices. Power it up. And you might not be able to read this, but it's making me agree. Now, I'm only going to use this for legal activities. So of course. Who would ever use one of these illegally? Got my HID PROX card here. Send it in there. Going to have this scan. I think the screen's blown out, but, oh, it was able to read it. It's an HID card. There's the first card.
John Miears:
We're going to take our second card here. Pop it in. Right to it. Oh, right. Success. How about that?
John Miears:
These two cards are now the exact same. This could be a security guard's card, someone with access to your IDF or MDF. It could be anybody.
Andy Terrell:
Server room, data center.
John Miears:
Yeah, anything. It doesn't matter. Whatever you use the card for, I've copied it. This model was about 45 bucks, I think. So maybe 70. I don't know. Too cheap honestly.
John Miears:
What about a long range copying solution? This is the HID Maxiprox 5375 Long Range Reader. It has a two-foot read range, and conveniently you can battery power it and fit it into a laptop bag.
John Miears:
Here's a picture of ours. We've modified it to be able to read cards remotely. Don't go through airports with this. What we're exploiting here is the for the reader and the panel. We don't have a panel in our unit, but we don't need one. The reader just sends it out.
John Miears:
I would say 90% of readers, if not more, use a technology called Wiegand. It was patented in 1974 and like the PROX protocol, there's no encryption, just dumb straight numbers. Anyone can read it.
John Miears:
And conveniently, there are devices that you can buy that read them for you and store them. These are two separate devices here. Each one's about the size of a stamp. And you can punch down the wires into it and it'll record every number. And then later, you can log in and look at that number. Once you've looked at that number, you can use the Proxmark 3. Now, this is getting more expensive for sure, looking at probably a thousand dollars to pull this off. Still pretty cheap for a key to your facility.
John Miears:
Proxmark 3 is an RFID research device, and this is the mac daddy version of the little Amazon reader.
John Miears:
Here's our long range reader that we use. As you can see, this could easily fit in any bag. It's reading one of my cards right now, and here are all the nice pretty guts that you got. And that beep that you hear, you can turn that off with the dip switch. I want to leave it on so we hear when it scans a card, but just know that in real life this would be turned off and you would never know this thing was functioning.
John Miears:
What's cool about this is I'm going to have to actually back up for this. HID PROX card, long range reader. See how close do I need to get with you and a laptop bag? That's not far at all. Or that's not too close at all. There it is.
John Miears:
And now what we do with that, this little tiny chip right here, let's see. I think you can see it good. I'm going to do, I'll set the reader down for now. Let me get on my iPad or phone or laptop. It doesn't matter. Wait for it to load, and you log into it and there's a list of every card it scanned. So with those numbers, all we have to do is put them on a blank card. This is readily available. We have some iS3 branded. Get them online. You're good to go.
John Miears:
So how does the industry fix this? With HID SE and iCLASS cards. These have encrypted technology. You can't just read them. You can't just copy them. Very secure. The people that break encryption on cards for a living or it's very, they expect them to be secure well into the future. And these currently, if you can break the encryption on this, you're much more likely to just rob a bank.
John Miears:
I'm tripping on everything. Okay. Encrypted card formats stop us from getting the number off the card itself. And between the reader and the panel, we replace the Wiegand technology with OSDP. This is AES-128 bit encryption, and I'd say nine times out of 10 you can use the same wire. Very cheap upgrade. And that renders those man-in-the-middle attacks just useless.
John Miears:
And as a nice side effect, you can also change many reader settings straight from the panel without having to use flash cards. The only problem with this industry approach is a lot of people will install a multi-class reader, and these are good for cross grading a facility because they read PROX and iCLASS. The only downside is they read PROX. So if your card number and facility code gets known, you can make basically a downgraded version and the panel can't tell the difference between it. And it's just an unencrypted backdoor. It's not really the best solution.
John Miears:
And Legacy iCLASS is an older version of iCLASS that is broken. It's a lot harder to copy, but it can be done and it leaves you open to the same vulnerability.
John Miears:
We mentioned this before, but your card number is a facility code and a card number. It's like an area code and your phone number. Most buildings' facility codes are the same and only the card number changes. What this means, the contractor, the disgruntled employee, anyone who's ever had one of your badges, you can scan it, you can find out the facility code and then nine times out of 10, you can look at someone else's card and get their card number. This could be a security guard, someone in IT. It doesn't matter. It could be anybody.
John Miears:
Combining that with the Proxmark, now you're that person to the building and you have their access. Not all access control systems are set up to even look at a facility code, so you might not necessarily even have to do that. What this means, these different facility codes with the same card number all show up as the same user.
Andy Terrell:
Okay. So if you'd like us to take a look at your access control system and check out any vulnerabilities that may exist, hit us up at is3tech.com and we would be happy to consult with you on your current situation and look into upgrades or making it more secure for your facility and your employees.