Defcon 15: Exploiting Authentication Systems


[Zac Franken] gave a good talk on authentication systems. (Card readers, biometric systems, etc). After a good introduction to various access control systems, he demoed an excellent exploit tool. Rather than focus on the access mechanism, he exploited the lack of reader installation security. Most card readers are secured by a plastic cover and a pair of screws. Inside, the reader wires are vulnerable. [Zac] put together the equivalent of a keyboard sniffer for the reader wiring. With this little device in place, he was able to collect access codes and use them to exploit the reader authentication system.

The operation goes like this: Install the sniffer. Let it collect some codes. On return, [Zac] is able to use his own card to become a pseudo authenticated card owner, restrict and allow access to other cards. That’s it. No sneaking up behind people to read their cards, just a few minutes with a screwdriver.

He’s not releasing the design, simply because measures to prevent this type of intercept/control mechanism would be extremely costly.

34 thoughts on “Defcon 15: Exploiting Authentication Systems

  1. is it just me, or in this case isn’t “measures to prevent this type of intercept/control mechanism” just more physical security on the reader? …say, a padlock?

    Also, wouldn’t the schematics for his particular device be proprietary to the reader he’s installing it in?

  2. Au Contraire, mon frere. A padlock can be busted. half the stuff hosted on this site has been so far. a Screwdriver and a hammer… :p

    To your ‘real’ question, though. I’d think so, the only way I see this being adaptable is if this guy collects schemata on individual card readers, detects similarities, and… well, that’s just silly.
    I gues he can makie multiple types… I guess…

  3. ok, this kinda ticks me off.. This is a hardare hacking forum.. Not a place for someone to dangle a project infront of our eyes and say “TeeHeeHee Look what i can do!” Then refuse to show us how you did it.. or even prove for a fact that you did anything at all. Because off the record.. Last week.. I hacked into a communications sat., sent a message to mars… and the aliens got my message and transmitted one back.. I would show ya how to do it so you could be cool like me and talk to the aliens.. but I feel that the security measures requried to prevent such actions would be too costly, so i guess your out of luck.

  4. By ‘install the sniffer’ I assume it is physically wired to the leads from the authentication system. If so, this could be countered by measuring the capacitance of the system when idle. If it changes, than the system will simply shut down or activate an alarm.

    also, a lot of these systems have alarms attached to the covers. At my high school, the fire alarm panels had alarms to detect tampering.

  5. Surely this can be countered by a decent security protocol between the reader and the destination computer. Encrypt everything, make it jibberish to anyone but the receiver.

    The way I look at every system security is, assume its running over the internet, so encrypt and protect.

  6. It seems like simple physical security should prevent this type of exploit. The ruse requires users to unknowingly swipe in on a compromised reader in order for information to be harvested. All you need is a tampering indicator — be it high tech like earljr’s suggestion or just a cut padlock.

    I guess no one does that, though. One could surreptitiously crack open any of the card swipe boxes around here — but adding a security sticker would really be enough to solve that problem in many cases.

  7. I haven’t seen the talk in question. My current job has me designing building access controls.

    The protocol between most prox card readers and their controllers is not encrypted or authenticated. It’s trivial to sniff and replay.

    Suitable hardware would be a PIC16F84 with two digital I/O’s. It’s an open collector bus.

    The protocol design basically *requires* that the reader and cabling be physically secure. The readers are generally made with this in mind – they’re difficult to remove from walls and can have tamper switches installed. However, since you’re dealing with builders and not security experts here, they’re usually not installed in a secure fashion.

    It is something of a big deal because this standard is very widespread. As mentioned, it would be extremely costly to replace.

    – anon

  8. This only sniffs, but does not decrypt the string sent by the card. For instance, HID sends information in a certain bit pattern Weigand format. Usually, there is some logic controller installed in the entry/exit station that controls entry/exit. This controller also talks back to a central server. So unless he is able to make his own HID cards and replicate a card, he can just enter/exit. Most systems do not allow remote disabling of other cards by simple swiping another card. He built a sniffer.. that’s it. Once again, the designation of cards as valid, void, lost, stolen, etc is controlled by a central server. The communication between the reader and the server are usually secure. Plus, if anti-passback is installed and he tries to use this on a car parking lot garage, then he may not be able to get out with a card. He would first have to enter with a car and the card, then exit. That’s the usual logic. He’d then have to be so nefarious as to avoid the usual cameras that just took a snapshot and performed some sort of LPR on his license plate.

  9. @ brian:

    You’re forgetting that he now has a chip under his control sitting on the wire. He can pretty much do whatever he wants. If he wants to block a specific card, he just needs to figure out what the code for that card is, and tell his chip that if it sees that code, don’t pass it through. It won’t actually read as denied…it just won’t read at all.

  10. The Achilles heel of all security systems is the people involved. Lazy installers, customers who don’t bother to check up on the quality of the work and ask the right questions, and security personnel who are interested only in alarm conditions, never the occasional glitch or system trouble. Every system that I have ever seen is set up to meet the bare minimum requirements and operated by people who decided that the next great career move from McDonald’s was a security job. It is easy to circumvent almost every system if you are familiar with typical installation practices and know the basic rules. Card access is especially vulnerable, and I’m more surprised that zac’s method even got notice at a major hacking conference, when card readers are rf based and no-tamper wireless sniffing methods are far easier to implement.

  11. @urza

    I get what your saying. This method is annoying at best until the maintenance folks get there and notice it has been toyed with. Most are covered with a CCTV system. If someone has physical access to your computer, that doesn’t make the software less secure necessarily. They have physical access. Given enough time and physical access, you can hack a lot of things. I’d be more impressed with a wireless no-tamper device mentioned above.

  12. This is a workable Hack – especially with the major Multipurpose Reader Manufacturer out there day, these days, the Readers actually DO just send a “Weigand” style code on off to the Controller mounted in some locked Closet someplace. The format and the code is irrelivant.

    Installing the Sniffer on a Reader that is in a location not on CCTV would be easy. Some readers, like HID’s more popular models just need the cover removed and the wiring is visible right there.

    After the Hacker ‘sniffed’ a few codes, he would install a converter peice in that same reader that would convert his Prox Card to the known card that was sniffed, and assuming the Card had access to the Portal, so would our Hacker. The Converter piece could be programmed to pass all codes un-modified on to the controller as to not rise any eyebrows. The Hacker could then even take it steps farther to deny access to any code for a time frame AFTER his card was read allowing time for a get away. Possibilities are endless I suppose.

    You can bet I will be requiring the wiring of each and every Tamper alarm on each and every reader I can from this point forward. Thanks for the Tip!

  13. I know it’s a bit messy to deal with when you need access to the reader, but a little hot glue in the holes would go a long way in preventing most screwdrivers from opening that thing up. Possibly a wax paper disc put in just before the screw itself would keep the hot glue out of the head, and it would be easy enough to drill out the hot glue without damaging the screw then.

  14. This is not only perfectly workable and dead simple, one could get very creative with it. In addition to replacing your pet card with a real code for personal access, you could occasionally randomize the real codes passed through. Imagine the delicious chaos this would cause :-) Most techs will not suspect this kind of thing and if it’s done with a little subtlety they will just think the system is hosed and erect workarounds, which you could then exploit.

  15. In many of the buildings that I have been in where there where proximity card readers the ones most vulnerable to this type of attack are located in the gaze of CCTV, the ones that are on the outside of the building have always amused me though. Why are they not put on the secure side of the glass? The “wireless” signal should be able to penetrate the glass, if not secure “tamper resistant” hoods could be installed. The ones that emit dye that are used to cover some dormitory fire alarms to prevent prank pulls.

  16. I was at the talk (and am a friend of Zac’s). The device is installed into the wiring, and performs a MITM (man in the middle) attack on the reader. Since the reader is intercepting all communications, it can play back any arbitrary data it wants, or prevent any data from being transmitted. Filtering outgoing data is trivial, and that is how it prevents certain cards from working.

    The problem is common with backwards compatible devices: older devices are not all retired at the same time, so often the first workable communications protocol becomes the standard, even after it is obsolete.

    I expect Zac to expand the functionality greatly in his next release ;)

  17. I got this working with two continium transfunctioners and a pair of Paris hiltons jocky’s.

    its not different than a putting a data logger inline with a keyboard, this guys deserves a medal.

    I agree with “whoever said it” that encryption is the key between the reader and the auth…

    after reading this I took my inline keyboard datalogger, from way back, ps2 style… and put it inline with a barcode scanner here at work…
    took the string of numbers it captured, went into MS Word, typed in those numbers, selected the bar code font, printed it out. put it under the scanner and vola…

    again, not much of a hack, just common sense, I am sure there are some wiz bang systems out there that could really use some hacking, but as we all know anything communication that is not encrypted is open to everyone.

  18. Most of the time you will not even need to go through this. When I worked for a candy and soda vending company nobody every asked any questions. I was able to go to a few angel games… go into huge data centers… go into plants that are cutting air plane wings.. you name it.. All you need is a button up t shirt and a box on a dolly.

  19. Hi,

    This is true and possible, although it requires a lot of hands-on with the vendors device and reverse -engg, to understand what encryption is used in order to decrypt the RF signals which contains the Access codes and then to find the rest of the details.

    a good explanation can be found by searching for RFID – Security.

    Thanks.

    Nitin Kushwaha
    India
    CHFI.CEH

  20. Unless you know the model number of the alarm, there is not much you can do. If you can find the model number, order a new remote.. if you don’t want the alarm anymore, have it taken out.

Leave a Reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.