Here’s A Spy Movie-Grade Access Card Sniffing Implant

Some of our devices look like they’re straight out of hacker movies. For instance, how about a small board you plant behind an RFID reader, collecting access card data and then replaying it when you next walk up to the door? [Jakub Kramarz] brings us perhaps the best design on the DIY market, called The Tick – simple, flexible, cheap, tiny, and fully open-source.

Take off the reader, tap into the relevant wires and power pins (up to 25V input), and just leave the board there. It can do BLE or WiFi – over WiFi, you get a nice web UI showing you the data collected so far, and letting you send arbitrary data. It can do Wiegand like quite a few open-source projects, but it can also do arbitrary clock+data protocols, plus you can just wire it up quickly, and it will figure out the encoding.
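The reason a board like this can read and replay what it taps is that the reader-to-controller wire carries the credential as a short, fixed, unauthenticated bit string. The decoder below is an added example (not code from The Tick project or its author) that parses the common 26-bit Wiegand frame, checks its two parity bits, and then makes the door decision two ways: against a list of enrolled cards, and with the "any card with our facility code gets in" shortcut that one commenter describes further down. The sample frame, facility code 42 and card number 1234 are constructed values, not captures.

```python
"""Wiegand 26-bit decoder with parity validation and an access decision.

Added example, not part of The Tick project. The frame layout is the
widely used 26-bit format (often called H10301):
  bit 0        even parity over bits 1..12
  bits 1..8    8-bit facility code
  bits 9..24   16-bit card number
  bit 25       odd parity over bits 13..24
Nothing in the frame is random or time-dependent, which is why the same
26 bits open the door every time they are presented.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Credential:
    facility_code: int
    card_number: int


def decode_wiegand26(bits: str) -> Credential:
    """Parse a 26-character '0'/'1' string; raise ValueError on a bad frame."""
    if len(bits) != 26 or set(bits) - {"0", "1"}:
        raise ValueError("expected 26 binary digits")
    b = [int(c) for c in bits]
    # Leading even-parity bit: bits 0..12 must contain an even number of ones.
    if sum(b[0:13]) % 2 != 0:
        raise ValueError("even parity check failed")
    # Trailing odd-parity bit: bits 13..25 must contain an odd number of ones.
    if sum(b[13:26]) % 2 != 1:
        raise ValueError("odd parity check failed")
    return Credential(facility_code=int(bits[1:9], 2),
                      card_number=int(bits[9:25], 2))


def frame_is_valid(bits: str) -> bool:
    """True if the frame has the right length and both parity bits check out."""
    try:
        decode_wiegand26(bits)
        return True
    except ValueError:
        return False


def authorize(cred: Credential, enrolled: set[Credential],
              site_facility_code: int, facility_code_only: bool = False) -> bool:
    """Door decision. With facility_code_only=True this reproduces the
    misconfiguration described in the comments: any card carrying the
    site's facility code is admitted whether or not it was ever enrolled."""
    if facility_code_only:
        return cred.facility_code == site_facility_code
    return cred in enrolled


# Constructed sample frame: facility code 42 (00101010), card 1234 (0x04D2).
# Even parity over bits 1..12 needs a 1; odd parity over bits 13..24 needs a 0.
SAMPLE_FRAME = "10010101000000100110100100"
# Same frame with its leading parity bit flipped, as a line glitch would do.
CORRUPTED_FRAME = "00010101000000100110100100"

SITE_FACILITY_CODE = 42
ENROLLED = {Credential(42, 1234)}


def demo() -> dict:
    """Decode the sample and show both decision policies for an unenrolled
    card that happens to carry the site's facility code."""
    card = decode_wiegand26(SAMPLE_FRAME)
    stranger = Credential(42, 9999)  # constructed: right facility code, never enrolled
    return {
        "decoded": card,
        "corrupted_frame_accepted": frame_is_valid(CORRUPTED_FRAME),
        "enrolled_card_admitted": authorize(card, ENROLLED, SITE_FACILITY_CODE),
        "stranger_admitted_strict": authorize(stranger, ENROLLED, SITE_FACILITY_CODE),
        "stranger_admitted_fc_only": authorize(stranger, ENROLLED, SITE_FACILITY_CODE,
                                               facility_code_only=True),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The parity bits are the only integrity check the frame carries, and they only catch line noise; a controller that accepts the frame has no way to tell a card from anything else driving the same two wires. The `facility_code_only` branch is worth auditing for on a real controller, since a door that admits a whole facility code looks perfectly healthy in day-to-day use.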

We could imagine such a board inside a Cyberpunk DnD rulebook or used in Mr Robot as a plot point, except that this one is real and you can use it today for red teaming and security purposes. Not to say all applications would be NSA-catalog-adjacent pentesting – you could use such a bug to reverse-engineer your own garage door opener, for one.

17 thoughts on “Here’s A Spy Movie-Grade Access Card Sniffing Implant”

  1. Simple replay attacks don’t work on any modern ‘real’ access card system any more, which use a credential and key exchange and crypto processor in the card.

    So, using one of these, how long would it take to crack the crypto on, say, a middle-of-the-road HID iClass card?

    (asking for a friend…)

    1. Sometimes you don’t really have to try that hard.

      We once had a brand new intern who was tasked with documenting all of the computer hardware currently present in a building just down the street from our main facility. Off he went, by himself, badge in hand to a location he’d not been to before.

      Upon his return, we were puzzled by some of the assets recorded on his list as they were a brand that we didn’t buy.

      Later in the day, one of our regular employees noticed a police presence around the next suite over from ours in the same building where the intern had dutifully walked around earlier and recorded the brand, model, and serial number of the computer equipment. This other suite housed a secure logistics operation of some sort.

      Upon conversing with the police, our guy found out that some unknown person had, earlier that day, been observed walking around in their facility taking notes.

      Upon putting two and two together, and getting the intern’s account of his morning’s activities, our guy brought the intern’s badge to the other company’s main door and effortlessly scanned in. He then proceeded to do the same with his own badge as well as one of our other employees’ badges.

      That’s what happens, I guess, when you configure your access control system to open the door in the presence of any badge.

      I don’t really remember who the intern was at this point, but I’ll bet after his conversation with the local constabulary, he remembers us.

      (Nothing happened to the kid as his only mistake was not reading the suite number. It was a fairly short conversation, since our guy demonstrated that any old badge of the correct type opened the door. I’m sure eyes were opened at the logistics company.)

      1. Many years ago, I was attending a demonstration of a new OS given by a certain company whose name might be the opposite of ‘macro’ and ‘hard’.

        In the next room, they had several server racks behind a large glass window, clearly designed to wow business clients.

        These were protected by a single door and a badge reader.

        One of my coworkers walked up to the door and used his badge, which caused the reader to happily admit him access to the racks. No, we were not employees of said company – our employer was just one of many customers of theirs.

        1. Long ago, deep in a forgotten forest, an ancient witch bestowed upon me a gift—a rod, carved from the heart of a fallen thunderstrike oak, humming with unseen power.

          “This will open any door bound by lightning’s touch,” she whispered before vanishing into the mist.

          I thought it nonsense—until I found myself before a towering steel door, its badge reader glowing like an unblinking eye. With nothing to lose, I tapped the rod against it. A spark danced, the light blinked green, and the door slid open with a silent bow.

          One by one, barriers fell before me. Server rooms, vaults, entire fortresses of glass and steel—all yielded to the witch’s gift. No alarms rang, no guards stirred.

          I walked through the world as if it had never learned to say no to me.

          1. Often enough it was like this in the late 80s – early 00’s. People were sold on cheap access to security systems used by the military!11!, it must be better!, right? Only without the same protocols and trying to underpay on implementation yields predictable results.

            Ever been in a secure location when an unaffiliated employee accidentally wanders in from a utility access they were working inside? It was actually that bad. You may have heard of a group of notorious military penetration testers, their stories were enabled by this kind of thing, when base administrators made the same mistakes a decade earlier.

      2. I’ve worked with access control and I’ve seen this happen. You don’t need to “program” anything, it’s a simple misconfiguration, at least sometimes, maybe a stray checkbox. And you may not notice it because, hey, you grant people access and they get in, so what’s the problem? Until you try to turn somebody’s access off, which is when you find out. IIRC it’s not just any old card, but a compatible one (obviously) with the right facility code: anybody who seems to be associated with your facility can access certain doors, no questions asked.

    2. 125 kHz HID Proxcards are still in wide use – hell, my current employer uses them. I’m fully aware of what they’re using, given that I have my badge stored on my FZ, and the FZ works to let me into the office (got to keep the dolphin happy! ;) ).

      This device appears to be aimed at these common access controls.

    3. Most environments I’ve ever tested in recent years still use good ol’ fashioned Wiegand, totally unencrypted. The protocol does not have any notion of nonces or replay protection. There are newer, encrypted protocols and most modern badge readers even support them, but they are almost never configured because the cert configuration / management is a pain in the ass.

    4. Project author here. In the photos you can see the implant attached to a quite modern HID iCLASS SE reader, supporting HID SEOS credentials thanks to its embedded iCLASS SE Processor. The reader does establish a cryptographically secure channel with the card, performs cryptographically strong authentication and decrypts the cryptographically secure credential from the modern card, and then proceeds to send it unencrypted over the wires using the Wiegand protocol. To mitigate, you can buy an OSDP backpack and replace half of your EACS system to support OSDP, or switch to the new Signo line.

  2. The keys you are asking about are between card and reader. This goes between reader and door controller where the data is plain text. Similar devices have been on the market for some time and are relatively inexpensive.

    1. Definitely not the case here. HID Global states the encryption is end-to-end, from the card to the remote (and secure) server. The reader passes encrypted data, and does not perform the authentication itself.

    2. I’d say there are already 4 or 5 similar public projects, and the first one was released almost 20 years ago. The difference? Most will go into magic smoke when connected to a 24V long-range reader, unless connected through additional DC-DC converter.

  3. I wonder how many projects are called “The Tick”. We built one at my last company that was designed to allow us to spin a shaft until the index on the encoder kicked. Then it would count ticks and display where the shaft was in its rotation.

  4. Between the blog title, the color of the stains on the hot plate, the color of the PCBs, and the name of the device, I thought this post was about a device that was implanted under someone’s skin to perform espionage. I’m glad I was wrong because implanting those boards would be painful.
