“Under-door” style attacks are when an attacker slides a tool through the gap underneath a door, hooks the interior handle from below, and opens the door by pulling the handle downward. This kind of attack works on the sort of doors and locks commonly found in hotels, where turning the handle from the inside always results in an open door. [Michal Jirků] found himself in a hotel room with a particularly large gap underneath the door, and decided to quickly design and print a door guard to protect against just such an attack.
It’s a simple object, and twenty minutes of printing and a little double-sided tape is all it takes to deploy. Because an attacker performs an under-door attack with a sizable mechanical disadvantage, it doesn’t take much to frustrate the attempt, and that’s exactly what the object does. Physical security in hotels is especially important, after all, and crooks have been known to exploit known flaws like the face-palmingly bad Onity key card lock exploit.
If you’re having trouble picturing how it all works, this video demonstrates an under-door attack in action, so you can see how blocking the space by the handle would easily prevent the tool from getting where it needs to go.
Many in the community are skeptical about the security of commercial smart home devices, and for good reason. It’s not like you have to look far to find examples of poorly implemented systems, or products that are abandoned by their manufacturers and left without critical security updates. But the design flaw in this video doorbell really drives home how little thought some companies give to their customer’s security.
As explained by [Savvas], and demonstrated in the video after the break, all you need to do if you want to get into a home equipped with one of these vulnerable door bells is pop the unit off the wall and hit it with 12 volts DC.
Incredibly, the terminals that connect to the electronic lock inside the house are completely accessible on the back of the unit. They even labeled them, on the off-chance the robber forgets which wire is which. It’s not even as though the thing is held on with some kind of weird security screws, it’s just a garden variety Phillips.
In the video, [Savvas] even shows he used a little gadget attached to a QuickCharge USB battery bank to get a portable 12 VDC source suitable for tripping these locks. Which, interestingly enough, is based on a trick he read about in the Hackaday comments. Something to consider while penning your next comment on these storied pages.
[Savvas] says he’s reached out to the company to get their side of the story, but so far, hasn’t received a response. We aren’t surprised, this is a fundamental flaw in the product’s execution. Clearly they wanted to make an easy to install device that doesn’t require any additional electronics in the house, and this is the inevitable end result of that oversimplification. All the more reason to roll your own smart doorbell.
Continue reading “Pop Open Your Neighbor’s Front Door With 12 Volts”
Join us on Wednesday, June 3 at noon Pacific for the Physical Security Hack Chat with Deviant Ollam!
You can throw as many resources as possible into securing your systems — patch every vulnerability religiously, train all your users, monitor their traffic, eliminate every conceivable side-channel attack, or even totally air-gap your system — but it all amounts to exactly zero if somebody leaves a door propped open. Or if you’ve put a $5 padlock on a critical gate. Or if your RFID access control system is easily hacked. Ignore details like that and you’re just inviting trouble in.
Once the black-hats are on the inside, their job becomes orders of magnitude easier. Nothing beats hands-on access to a system when it comes to compromising it, and even if the attacker isn’t directly interfacing with your system, having him or her on the inside makes social engineering attacks that much simpler. System security starts with physical security, and physical security starts with understanding how to keep the doors locked.
To help us dig into that, Deviant Ollam will stop by the Hack Chat. Deviant works as a physical security consultant and he’s a fixture on the security con circuit and denizen of many lockpicking villages. He’s well-versed in what it takes to keep hardware safe from unauthorized visits or to keep it from disappearing entirely. From CCTV systems to elevator hacks to just about every possible way to defeat a locked door, Deviant has quite a bag of physical security tricks, and he’ll share his insights on keeping stuff safe in a dangerous world.
Our Hack Chats are live community events in the Hackaday.io Hack Chat group messaging. This week we’ll be sitting down on Wednesday, June 3 at 12:00 PM Pacific time. If time zones have you down, we have a handy time zone converter.
Click that speech bubble to the right, and you’ll be taken directly to the Hack Chat group on Hackaday.io. You don’t have to wait until Wednesday; join whenever you want and you can see what the community is talking about.
Anyone in the know about IoT security is likely to steer clear of a physical security product that’s got some sort of wireless control. The list of exploits for such devices is a long, sad statement on security as an afterthought, if at all. So it’s understandable if you think a Bluetooth-enabled lock is best attacked via its wireless stack.
As it turns out, the Master 5440D Bluetooth Key Safe can be defeated in a few minutes with just a screwdriver. The key safe is the type a realtor or AirBnB host would use to allow access to a property’s keys. [Bosnianbill] embarked on an inspection of the $120 unit, looking for weaknesses. When physical attacks with a hammer and spoofing the solenoids with a magnet didn’t pay off, he decided to strip off the resilient skin that Master so thoughtfully provided to prevent the box from marring the finish of a door or gate. The denuded device thus revealed its awful secret: two Phillips screws, each securing a locking shackle to the cover. Once those are loose, a little prying with a screwdriver is all that’s need to get the keys to the kingdom.
In a follow-up video posted later, [Bill] took a closer look at another key safe and found that Master had made an anemic effort to fix this vulnerability with a squirt of epoxy in each screw head. It’s weak, at best, since a tap with a hammer compresses the gunk enough to get a grip on the screw.
We really thought [Bosnianbill]’s attack would be electronic, like that time [Dave Jones] cracked a safe with an oscilloscope. Who’d have thought a screwdriver would be the best way past the wireless stack?
Continue reading “Fail Of The Week: Padlock Purports To Provide Protection, Proves Pathetic”
“A TURNIP CURES ELVIS” begins the opening credits, an intriguing beginning to a smart and still timely film that was released around 25 years ago. If you’ve never seen the movie, I’m about to spoil the hell out of it.
Sneakers features the title characters, hackers who work the 1992 gig economy as freelance penetration testers. They work for Martin Bishop, a hippie hacker Obi Wan who works San Francisco’s gray market, doing good deeds and helping banks improve their security.
While there is a fair amount of cheese in Sneakers, a lot of the problems the characters face — physical security and cryptography come to mind — remain the problems of today. Securing our digital business? Check. Surveillance? Check? Gray operators? Absolutely. At the same time, the movie does a good job of exploring different categories of hacker. The various characters seem to offer glimpses of people I see all the time at the hackerspace. Bigger than life, certainly, but they are in a Hollywood movie, after all.
Finally, the movie is just smart. Those opening credits offer a preview: the anagrams that begin the movie (“A TURNIP KILLS ELVIS” translates to Universal Pictures) are not just some art director’s conceit for the opening credits. The anagrams end up being important later on in the film, where there is a key clue hidden but if you think about it, shuffling letters on your Scrabble tray could be taken as a metaphor for hacker thinking — taking the same information as everyone else but looking at it in a different way.
Continue reading “Sneakers: A Love-Fest”
It doesn’t matter how many bits your password has, how proven your encryption is, or how many TrueCrypt volumes are on your computer. If someone wants data off your device, they can get it if they have physical access to your device. This is the ‘evil maid’ security scenario, named after hotel maids on the payroll of a three-letter agency. If someone has physical access to a laptop – even for an hour or two – the data on that laptop can be considered compromised. Until now, there has been no counter to this Evil Maid scenario, and for good reason. Preventing access to data even when it is in the possession of an Evil Maid is a very, very hard problem.
Today, Design Shift has released ORWL (as in George Orwell), the first computer designed with physical security in mind. This tiny disc of a computer is designed to defeat an Evil Maid through some very clever engineering on top of encryption tools we already use.
Continue reading “The First Evil Maid-Proof Computer”
The Massachusetts Bay Transit Authority (MBTA) has dropped its federal case against three MIT researchers, “the subway hackers”. This happened in October and now the EFF brings news that the students will be working with the MBTA to improve their system. The overall goal is to raise security while keeping expenses minimal.
This whole mess started in August when a gag order was issued against the students’ presentation at Defcon. It’s a shame no one ever saw it because it covers a lot of interesting ground. A PDF of the banned slides is still online. They performed several attacks against both the subway’s fare system and physical security. Our favorites by far were using GNU Radio to sniff the RFID card’s transaction and bruteforcing Mifare Classic with an FPGA.