I saw this type of thing demonstrated 4 years ago… not much of a design there to release.

Posted at 9:29 pm on Aug 4th, 2007 by Dr. Pretorious

is it just me, or in this case isn’t “measures to prevent this type of intercept/control mechanism” just more physical security on the reader? …say, a padlock?

Also, wouldn’t the schematics for his particular device be proprietary to the reader he’s installing it in?

Posted at 12:16 am on Aug 5th, 2007 by bobdole

Au Contraire, mon frere. A padlock can be busted. half the stuff hosted on this site has been so far. a Screwdriver and a hammer… :p

To your ‘real’ question, though. I’d think so, the only way I see this being adaptable is if this guy collects schemata on individual card readers, detects similarities, and… well, that’s just silly.
I gues he can makie multiple types… I guess…

Posted at 1:22 am on Aug 5th, 2007 by Nox13last

ok, this kinda ticks me off.. This is a hardare hacking forum.. Not a place for someone to dangle a project infront of our eyes and say “TeeHeeHee Look what i can do!” Then refuse to show us how you did it.. or even prove for a fact that you did anything at all. Because off the record.. Last week.. I hacked into a communications sat., sent a message to mars… and the aliens got my message and transmitted one back.. I would show ya how to do it so you could be cool like me and talk to the aliens.. but I feel that the security measures requried to prevent such actions would be too costly, so i guess your out of luck.

Posted at 1:55 am on Aug 5th, 2007 by Ravious

the pictures looks to me like two quartz crystals back to back in a piece of heatshrink ;)

that could make a decent key!

Posted at 2:13 am on Aug 5th, 2007 by ex-parrot

By ‘install the sniffer’ I assume it is physically wired to the leads from the authentication system. If so, this could be countered by measuring the capacitance of the system when idle. If it changes, than the system will simply shut down or activate an alarm.

also, a lot of these systems have alarms attached to the covers. At my high school, the fire alarm panels had alarms to detect tampering.

Posted at 2:21 am on Aug 5th, 2007 by EarlJr

Surely this can be countered by a decent security protocol between the reader and the destination computer. Encrypt everything, make it jibberish to anyone but the receiver.

The way I look at every system security is, assume its running over the internet, so encrypt and protect.

Posted at 5:29 am on Aug 5th, 2007 by Chris

It seems like simple physical security should prevent this type of exploit. The ruse requires users to unknowingly swipe in on a compromised reader in order for information to be harvested. All you need is a tampering indicator — be it high tech like earljr’s suggestion or just a cut padlock.

I guess no one does that, though. One could surreptitiously crack open any of the card swipe boxes around here — but adding a security sticker would really be enough to solve that problem in many cases.

Posted at 5:31 am on Aug 5th, 2007 by jimmy

I haven’t seen the talk in question. My current job has me designing building access controls.

The protocol between most prox card readers and their controllers is not encrypted or authenticated. It’s trivial to sniff and replay.

Suitable hardware would be a PIC16F84 with two digital I/O’s. It’s an open collector bus.

The protocol design basically *requires* that the reader and cabling be physically secure. The readers are generally made with this in mind – they’re difficult to remove from walls and can have tamper switches installed. However, since you’re dealing with builders and not security experts here, they’re usually not installed in a secure fashion.

It is something of a big deal because this standard is very widespread. As mentioned, it would be extremely costly to replace.

- anon

Posted at 5:57 am on Aug 5th, 2007 by Anonymous Coward

Actually, its two rj plugs. Not crystals.

Posted at 8:05 am on Aug 5th, 2007 by SPongy

This only sniffs, but does not decrypt the string sent by the card. For instance, HID sends information in a certain bit pattern Weigand format. Usually, there is some logic controller installed in the entry/exit station that controls entry/exit. This controller also talks back to a central server. So unless he is able to make his own HID cards and replicate a card, he can just enter/exit. Most systems do not allow remote disabling of other cards by simple swiping another card. He built a sniffer.. that’s it. Once again, the designation of cards as valid, void, lost, stolen, etc is controlled by a central server. The communication between the reader and the server are usually secure. Plus, if anti-passback is installed and he tries to use this on a car parking lot garage, then he may not be able to get out with a card. He would first have to enter with a car and the card, then exit. That’s the usual logic. He’d then have to be so nefarious as to avoid the usual cameras that just took a snapshot and performed some sort of LPR on his license plate.

Posted at 9:46 am on Aug 5th, 2007 by Brian

Waaa, I’m ticked off.
this isn’t the kind of hack that _I_ like.

Laughing out loud.

Posted at 9:58 am on Aug 5th, 2007 by strider_mt2k

@ brian:

You’re forgetting that he now has a chip under his control sitting on the wire. He can pretty much do whatever he wants. If he wants to block a specific card, he just needs to figure out what the code for that card is, and tell his chip that if it sees that code, don’t pass it through. It won’t actually read as denied…it just won’t read at all.

Posted at 2:38 pm on Aug 5th, 2007 by Urza

The Achilles heel of all security systems is the people involved. Lazy installers, customers who don’t bother to check up on the quality of the work and ask the right questions, and security personnel who are interested only in alarm conditions, never the occasional glitch or system trouble. Every system that I have ever seen is set up to meet the bare minimum requirements and operated by people who decided that the next great career move from McDonald’s was a security job. It is easy to circumvent almost every system if you are familiar with typical installation practices and know the basic rules. Card access is especially vulnerable, and I’m more surprised that zac’s method even got notice at a major hacking conference, when card readers are rf based and no-tamper wireless sniffing methods are far easier to implement.

Posted at 2:48 pm on Aug 5th, 2007 by Anonymous

oh, and nice ring btw.

Posted at 6:16 pm on Aug 5th, 2007 by strider_mt2k

@urza

I get what your saying. This method is annoying at best until the maintenance folks get there and notice it has been toyed with. Most are covered with a CCTV system. If someone has physical access to your computer, that doesn’t make the software less secure necessarily. They have physical access. Given enough time and physical access, you can hack a lot of things. I’d be more impressed with a wireless no-tamper device mentioned above.

Posted at 8:14 pm on Aug 5th, 2007 by Brian Wilkins

This is a workable Hack – especially with the major Multipurpose Reader Manufacturer out there day, these days, the Readers actually DO just send a “Weigand” style code on off to the Controller mounted in some locked Closet someplace. The format and the code is irrelivant.

Installing the Sniffer on a Reader that is in a location not on CCTV would be easy. Some readers, like HID’s more popular models just need the cover removed and the wiring is visible right there.

After the Hacker ’sniffed’ a few codes, he would install a converter peice in that same reader that would convert his Prox Card to the known card that was sniffed, and assuming the Card had access to the Portal, so would our Hacker. The Converter piece could be programmed to pass all codes un-modified on to the controller as to not rise any eyebrows. The Hacker could then even take it steps farther to deny access to any code for a time frame AFTER his card was read allowing time for a get away. Possibilities are endless I suppose.

You can bet I will be requiring the wiring of each and every Tamper alarm on each and every reader I can from this point forward. Thanks for the Tip!

Posted at 1:18 pm on Aug 6th, 2007 by Card_Access_is_Me

I know it’s a bit messy to deal with when you need access to the reader, but a little hot glue in the holes would go a long way in preventing most screwdrivers from opening that thing up. Possibly a wax paper disc put in just before the screw itself would keep the hot glue out of the head, and it would be easy enough to drill out the hot glue without damaging the screw then.

Posted at 1:29 pm on Aug 6th, 2007 by Danno

This is not only perfectly workable and dead simple, one could get very creative with it. In addition to replacing your pet card with a real code for personal access, you could occasionally randomize the real codes passed through. Imagine the delicious chaos this would cause :-) Most techs will not suspect this kind of thing and if it’s done with a little subtlety they will just think the system is hosed and erect workarounds, which you could then exploit.

Posted at 2:34 pm on Aug 6th, 2007 by localroger

Most are installed with Tamper Proof Screws. IF you can get back into the reader to loosen those screws after you hot glue them, then so can the Hack.

Posted at 3:04 pm on Aug 6th, 2007 by Card_Access_is_Me

In many of the buildings that I have been in where there where proximity card readers the ones most vulnerable to this type of attack are located in the gaze of CCTV, the ones that are on the outside of the building have always amused me though. Why are they not put on the secure side of the glass? The “wireless” signal should be able to penetrate the glass, if not secure “tamper resistant” hoods could be installed. The ones that emit dye that are used to cover some dormitory fire alarms to prevent prank pulls.

Posted at 5:00 pm on Aug 6th, 2007 by convictus

I was at the talk (and am a friend of Zac’s). The device is installed into the wiring, and performs a MITM (man in the middle) attack on the reader. Since the reader is intercepting all communications, it can play back any arbitrary data it wants, or prevent any data from being transmitted. Filtering outgoing data is trivial, and that is how it prevents certain cards from working.

The problem is common with backwards compatible devices: older devices are not all retired at the same time, so often the first workable communications protocol becomes the standard, even after it is obsolete.

I expect Zac to expand the functionality greatly in his next release ;)

Posted at 2:10 am on Aug 9th, 2007 by Defcon G00N

I got this working with two continium transfunctioners and a pair of Paris hiltons jocky’s.

its not different than a putting a data logger inline with a keyboard, this guys deserves a medal.

I agree with “whoever said it” that encryption is the key between the reader and the auth…

after reading this I took my inline keyboard datalogger, from way back, ps2 style… and put it inline with a barcode scanner here at work…
took the string of numbers it captured, went into MS Word, typed in those numbers, selected the bar code font, printed it out. put it under the scanner and vola…

again, not much of a hack, just common sense, I am sure there are some wiz bang systems out there that could really use some hacking, but as we all know anything communication that is not encrypted is open to everyone.

Posted at 11:00 pm on Aug 14th, 2007 by Dr. Evil

what locks can protect your safety? it is here.

Posted at 3:00 am on Aug 16th, 2007 by steven

Do you know what locks is the most safety?

this is here. http://www.sncalarmlock.com

Posted at 3:10 am on Aug 16th, 2007 by steven

SNC ALARMLOCK LLC

Posted at 3:12 am on Aug 16th, 2007 by steven

our website is www dot snc alarmlock dot com

Posted at 3:15 am on Aug 16th, 2007 by steven

I cant able to open the given link, can you please help?

Posted at 5:29 am on Aug 16th, 2007 by Lehua

Yes! but do you have any guesses?

Posted at 5:37 am on Aug 16th, 2007 by Christopher

Most of the time you will not even need to go through this. When I worked for a candy and soda vending company nobody every asked any questions. I was able to go to a few angel games… go into huge data centers… go into plants that are cutting air plane wings.. you name it.. All you need is a button up t shirt and a box on a dolly.

Posted at 2:26 pm on Aug 30th, 2007 by Jay

Hi,

This is true and possible, although it requires a lot of hands-on with the vendors device and reverse -engg, to understand what encryption is used in order to decrypt the RF signals which contains the Access codes and then to find the rest of the details.

a good explanation can be found by searching for RFID – Security.

Thanks.

Nitin Kushwaha
India
CHFI.CEH

Posted at 3:13 pm on Oct 7th, 2007 by Nitin Kushwaha

How can I buy one of this

Posted at 11:50 pm on Nov 20th, 2007 by alex

Locks only keep honest people honest.

/old adage
/locksmith & electronic security tech

Posted at 11:36 am on Oct 6th, 2008 by Brian