
Locks on the Wire

BSides Canberra 2023 · 32:19 · 249 views · Published 2024-01

Speaker: Eldar Marcussen

Style: Talk
About this talk
With the increased use of smart office technology there are more avenues to leverage software vulnerabilities to remotely control access to carparks, buildings, rooms, lockers, etc. In this talk we will explore a few solutions and some of the issues with these solutions and how they can be (ab)used.

Eldar Marcussen

Eldar is an accomplished practitioner in the security research and penetration testing space. He is a long time bug hunter with a large number of published advisories, exploits and conference presentations at leading security conferences all over the world. In addition to finding vulnerabilities he develops and maintains several open source projects aimed at web application security and penetration testing. His tools and research are featured in most security oriented Linux distros and industry leading books.

Transcript [en]

Thank you. Yes, so I'm here today to talk about locks on the wire, with the word "locks" I guess being sort of liberally applied. I'm me; you might know me from previous BSides Canberra hits such as "Oh my God, there's a fire" and "The Power of Slash". Disclaimer before we start: we're really just talking about network-based attacks on the functionality of these things, so not the typical red team or pen testing approach, although you might use it alongside those. You might say, well, how do I get network-based access to a lock? A few ways that you could do that: publicly accessible network points, such as in the lobby, that happen to be bridged onto the right network; Wi-Fi tends to extend outside of the building; perhaps you are doing a red team and you've dropped an implant; you might be able to pull a Power over Ethernet device off the wall; and a lot of these things have 4G, 5G, whatever mobile backup, so you might even find them through war dialing. I should probably also put on there that there is quite often an option where the vendor will have an internet-managed tunnel implementation, but those tend to be very vendor specific.

So with that out of the way, let's talk about locks on the wire, and what better way to talk about locks and networks than through a modern love story, or perhaps I should say a modern take on a love story. Some of you might have heard of this love story before: there's two big families, Montague and Capulet, they have children, Romeo and Juliet, and I suppose since it's a modern love story and we don't really want to emphasize gender stereotypes in infosec, we'll just say Romeo might be a she/her and Juliet will be a they/them, and that way we're not pandering to the... yeah. All right, so being a modern love story, they of course met on Roblox dating, quite quickly hit it off and moved into, you know, sharing memes, and perhaps the memes were a little one-sided. So Romeo feels that perhaps she needs to really show her love, and what better way to do that than to hand over an NFT of a jacket. The only question is, how do you give someone an NFT of a jacket? Turns out that Juliet's family is having a major masquerade ball, and so what better opportunity than to use the cover of the masquerade ball to gift the NFT. So Romeo comes up with a plan: she's going to get car park access, and then from the car park into the building. I'm going to find Juliet's locker in the building, because of course he has a locker, sorry, they have a locker, and then plant the NFT, something should happen, and then of course Juliet will fall in love. Seems like a sane plan for any person, which of course brings us to the interesting part, what we will call the NFT not-a-heist.

Act One: gain access to the car park, or garage in this case. There's a garage controller on the wall, and perhaps I'm sort of breaking my first rule of "this is network access", but it comes full circle, trust me. Right there is the device that operates the garage door and the boom gates, and if you open that gray box you'll find, of course, enterprise-grade hardware: it's a Raspberry Pi with a relay shield. The other things that are in that box: there's an SD card inside the Raspberry Pi, there's Ethernet for network-based stuff, and USB power to keep it going. So of course as an enterprising hacker we might pull the SD card and have a look on there, and of course we have OpenVPN config, Slack tokens, Google Cloud, or application source code. Wi-Fi was disabled, but it did have a standardized Wi-Fi password which you would have easily been able to access, and of course the red team here goes, well, in addition to this you could just add some extra code and use this as an implant on the network, which, you know, with Wi-Fi access clearly extending just outside the door of the garage, is probably quite handy. But we're talking about the locks, not the red team, so let's look at the application source code here.

Everybody loves a bit of TypeScript, or JavaScript compiled to TypeScript. The bit in this wall of text that we care about is that there's a POST operation for open, and it takes a query parameter, relay number, that contains a number. This in turn calls a function called handleOpenGate, and it checks if the relay number is one or two, because there were two relays on that relay shield, and then basically just triggers the relay with the number. There is no... there is no anything other than a POST request with a query string. So when we run this basic curl command to the host on the right port with /access/open and relay number equals one, we're able to take this boom gate from a closed position to an open position, and of course the hero of our story is in the car park. All right, so the first step of the plan is a success; now we need to get into the actual building.

So let's talk about intercoms, you know, handy little things that sit on the wall, often publicly accessible. This might be the intercom installed in this imaginary building: it has Power over Ethernet, it can do video calls, it can do phone calls, and it can unlock the door through PIN codes. It can do other stuff too, but let's stick with this for now. How do you find one of these on the network? Well, they respond to UDP broadcast, and they'll hand back information such as the IP address, the serial number, what type of device it is, what version of software it's running. You can also do some other stuff through this interface, but also if you just go to the IP you'll see that they have a handy web interface, but it is of course protected by username and password, so you can't do anything with it, of course. So we put the web interface aside and let's have a look at the network traffic in general. Everything in this talk can be done with Wireshark or dnSpy, it's not super difficult, and we see that the broadcast device identifier protocol is running on UDP broadcast port 802, and it sends a HIP 1.0 request, call on echo; it's a sort of HTTP-like protocol but it's not. And the response, as we can see, is the stuff that we saw on the screen: so the serial number, the MAC address (I don't think we saw the MAC address, but it's there), software version, variant name, the ports where the web server runs, etc.

I also observed that there's a very similar protocol running on port 804 that contains a bit more information; it discusses things like the video information, SIP, you can see if a door is configured, and it also has some encrypted packets. I have no idea what those do, so if someone's looking for a research project, I'm sure there's some interesting stuff there. But one packet I did notice, which is this concept of remote config: so when you go in and you find something on broadcast, you might need to reconfigure it, because perhaps the IP address or whatever isn't set up correctly, and so you can send this packet that does a request X config. So anything that's a request is a client-side request, it's not the device responding, and it has some stuff like the DHCP enabled, IP address, or net mask, so that you can remotely configure the device. In order to send this packet you have to enter an admin password in the UI, and then I noticed that there is a very interesting line there which says "auth", and I thought, well, that's sort of interesting: you have to enter a password and there's an auth header, I wonder what that could be. So let's go dig through the source code.

I call it "texam", because I guess that's sort of what it is, and we see there's a function here called sendConfig. I don't know if you can read this at the back; it's not really all that interesting, but the function sendConfig has a bunch of headers it adds: request, sequence, MAC address, DHCP enabled, IP address, net mask, default gateway. That sounds exactly like the packet that we saw, and then at the bottom here there's a bit of a base64 hashy thing that seems somewhat related as well, and then the last line is to add that base64 string back into the message. So if we take the time to read this we see that the first thing it does is it hashes the password as a SHA-1, just raw SHA-1, converts that to a base64 string, then it adds that string plus a challenge token, which incidentally is always an empty string (I think they wanted this to be a little bit more advanced but never got around to it), and then the entirety of the message, which is the packet, as a single string, and then it computes a new SHA-1 that is the concatenation of the base64 of the hash of the password plus the message. As it happens to be, we have the whole message and we have the auth checksum challenge, so if you put this together you can brute-force the password.

So let's see how that would work. Right, so we take this packet here and then we put that into our cracker. Why are you not showing on screen? Just restart that, close window, start it again. All right, there we go, and then we can type in some words. So we know from reading the documentation that the default password for this device is 2N, so a two-character default admin password, that's very secure, can't brute-force those things. Let's try a few others: admin, password, and let's try to crack it. That didn't work. Now I happen to know what the password is; I mean, you could brute-force this or you could certainly run a much larger word list than my four words here, and we can see that the password has been cracked as "demo demo". There is a little bit more to it than this when you're doing it: you've got to realize that the auth header gets added after it sums up the message, so basically when you're brute-forcing you only take the first couple of lines; any line that occurs including "auth" or after "auth", you discard. But this should eventually make it onto my GitHub so you can do that. Right, so now that we know what the admin password is, we can go ahead and log in. All right, great news, you are now within the network, and I should mention that if you're standing outside the building, yes, you can pull that device off and you can just sort of plug in; because it's broadcast, it works.

All right, but getting into the intercom doesn't get us into the building, so why did we take this detour? Well, that takes us to the next act, which is where we talk about door controllers. So similarly to the garage controller, there's another gray box here; this one's bigger and fancier and more corporate. This is an Integrity U door controller. They have this nice interface where you can just manage the Integrity system with GET requests, because then you can just make a static HTML page as the control panel. So from their documentation, because I didn't get the chance to actually mess with the Integrity door controllers (apparently those things are not welcome targets for pentests), you can lock a door with a URL like that: it basically addresses the door number D1 on controller 3 with the action lock, so that locks the door. Similarly you can do other things like disarm the alarm, turn off the master ction indicator, bunch of stuff. Their API documentation is, I would say, deliberately very lacking, and if you want to get the SOAP files or the Postman files to actually see what all of it does, there's a whole bunch of NDAs and legal stuff, and so sharing any information that you have from Integrity, yeah, you might want to be cautious with it. But of course I am not a lawyer, and even if I was, I'm not your lawyer, so take that as you wish.

But once we're logged into the intercom, you can poke around in some services, and we'll see here that we have a HTTP command setting; there's a URL configured with the icon of a door, and a username and a password, but we can't see what that password is, except if you just look at either the developer toolbar or you go into Burp and you see the API JSON response that loads the content into the page, you'll see that the plaintext password is right there. You could also export the config for the device and crack the raw SHA-1 hash that it has stored for the passwords; all passwords on the devices appear to be SHA-1 in the config when you just export that. So now that we have this password, well, let's go back and think about this. So we have a door lock that we can control through GET requests, but the documentation only describes the lock action; it doesn't describe any other actions, probably to make it really hard for people to understand how to unlock the door. You might think that, hey, I'll just change lock to unlock and do a curl request, but I did do some reverse engineering of some of the other tools. So they have a few public Android apps, so you take a look at the APKs and you'll see that they generally would probably use the command toggle or open rather than unlock, but like I said, I didn't get a chance to test this on a real Integrity system, and you'd also need to know what controller and what address the door that you want to unlock is. So this is kind of not good; I mean, it could work in a pinch. Luckily there's a much simpler solution: you add a user and you just set door access true and then a badge number, and then Romeo, she can just wander through that door. Easy.

All right, so now we're on stage three, we've got to get into the locker, which takes us to Act Four: smart lockers. I guess most modern buildings with hot desking and, you know, hybrid workforce or whatever, these things will either be in your office or they'll probably be on the way into an office soon. These systems are made up of many parts: there's the individual locks inside the locker, which is exhibit one, I guess you would call it; there's some hardware plates, whatever; then there's item number four, which is the lock controller that tends to sit underneath all of the lockers, so you can just, like, unscrew the kickboard and get to it. It speaks to the lock, I'm assuming something like I2C, don't really know, and it speaks serial, RS-485 if I remember correctly, to the item that's circled, which is the main controller. So this controller sits on the network and it has daisy chains of the other controllers, up to 256 locks per controller, and then you need another controller, so usually there's quite a few of these controllers around the building. You can probably do a whole bunch of other attacks like serial or I2C direct communications to the lock, but I again looked at TCP stuff. How do you find this? Well, guess what, they respond to UDP broadcast just like everything else, and like everything else the discovery tool has a bunch of other interesting information, like configure the IP, reboot the device. I didn't look at those; probably again a whole bunch of other stuff that you can do that's super interesting. I think each one of these devices could probably have been their own one-hour talk, but I did what I did in the time I had, so here we are.

So again I looked at the TCP protocol between the management software for the lockers, which is either like a .NET thick client or a web-based client; you'd see this on the wire and it looks suspiciously like some sort of plaintext protocol, which is always great, and it's all sort of readable; there doesn't appear to be anything really suggesting encryption; there's no usernames and passwords except this little bit at the start which has authentication, but it's just a bunch of hex codes. So how do you actually know what this thing does? Well, we go into dnSpy, we load up the scanners and whatever, we find the bit of reference code for the GR OA packet, because that was the first packet we saw; we see that it generates a new authentication A request. As with anything else in .NET, in dnSpy you just follow down: you analyze, find reference, analyze, find reference, you work your way down. We find something called GNetWriter, so this is something that communicates over the network through a G writer communication; it takes some arguments which are a server, a port, authentication, password. Well, that's pretty handy. Let's analyze a bit further and see where this thing gets called from. Well, it turns out there's something called an IG7 communication. Unfortunately they have so many different device frameworks and communications, but however we ended up here, and we see that it has a wrapper that takes a communication channel, presumably that's the TCP socket to IP port, and a three-letter thing called GAT. Okay, so let's go back to this and we go, okay, well, it appears that the password is GAT, but we've got to dig a bit further.

And I'll spare you all of the endless screenshots of code, but we'll summarize it instead. This is how the protocol works: we send a request authentication A; the server responds with an auth A result containing a random A and a string of hex; we decrypt this using AES ECB and the password GAT (again, strong passwords, hard to break); that decrypts into this hex string, and it's essentially just a bunch of random bytes; the first eight are filled in, the remaining eight are zeros. Then what the client does is it fills up those remaining eight, it encrypts it back with AES with the password GAT, and then sends this as the auth B request with the hexadecimal of the encrypted string, and then you get the result state zero, which means you are now authenticated to the device. You can add master keys, unlock any locker, do whatever you want; this is essentially the only auth. There is one other thing I'm noting, that is that the final filled-in full 16-byte random byte value is set as the session key, but I never observed the session key being used for anything else; presumably it is used to sign things like a firmware update, but yeah, all you really need is this bit.

So again, do a demo. I have the protocol here and we can see we get the random A input, and again it's off screen, just launch it again. And so if we take the encrypted string, we decrypt it, we get a bunch of zeros; we'll just do one two three four, we'll encrypt those. Of course I had the wrong number of bytes; we'll encrypt those again, and I don't even know if the protocol verifies that the first eight bytes are the same bytes that it set; chances are you can just send it a pre-computed string and then that becomes the session string. But the one thing we can see here, if we look now, so this was the first random B we got back from the server; we decoded it, we changed it to 1122, but if I instead take the final result from the pcap, you'll see that when I decrypt this the first 8 bytes stay the same but the remaining 8 bytes are different. So even if you didn't know what this was, I suppose you could just grab the second value, decrypt it, and reuse the existing session key.

Right, so now that we can authenticate to the locker controller, we can send the generic get locker info command, that will give us the inventory of all the lockers available on that controller. In this case we found that locker number 700 is the one that we're interested in; we query its state and we can see a bunch of values, essentially says that it's locked and it's this type of model and some dates. We clear the auth list, we set a locker action to toggle the locker state, it changes state, and then we action that and now that locker is open. Great, we only have a few more steps in our process. So the first thing we've got to do is we've got to plant the NFT in the locker and then we've got to lock the locker so that it's a secret and a prize, right. Luckily for us, toggling the state of the locker from locked to open, we can just replay and toggle it back to locked, so that's nice and simple. Now there's that bonus stage; we don't really know what's going to happen with Romeo and Juliet, but instead I'll talk about Gantner some more, because they don't just do lockers, they also do doors and other stuff.

So I dug through some of the other DLLs and we found that there's a door controller communication, very similar; rather than a communications channel, in this case it explicitly calls out the TCP client, and we can see that the password again is GAT. However, I don't know if you have sharp eyes, you'll see that there is a chance that instead of the password being GAT, it defaults to dc7 1,200, I don't know why, but I think it tries that one first, and if that doesn't work it falls back to GAT, and if that doesn't work it does something else. I didn't have any doors to test this on, so I don't have any pcaps, but I guess we can show one of the reasons why this is so interesting: well, you can do stuff like update the firmware. From the functions we can see, sort of at the top of this we have an update firmware request, and then as we look sort of further down on the door controller communication there's a whole bunch of, like, fire control for allowing fire egress on the doors, which is why it might be a really bad idea to just go throwing packets at this in the real world; you don't want to turn your building into a death trap, so use this with caution.

Right, and of course while we were busy talking about doors, love has happened, and I realize I'm running a little ahead of time here, but maybe we can all have a bit of a longer lunch. So, conclusion: security solutions continue to have bad security; I think that's something we're seeing more and more recently. IoT security, which is I guess what these things are, they tend to be another 20 years behind your VPN endpoints and firewalls, and particularly, as far as I've seen in this space, they tend to rely quite heavily on secrecy and/or litigation to keep this information from becoming public, hence staying secure. And that is actually it. Any questions from the audience?

[Applause]

Host: A round of applause for Eldar. Are there any questions in the audience? We have Josh and Antonette, they'll run the mic out if anyone has any questions, plenty of time. It's a bit hard to see, so wave your hand around. There's one all the way at the back there in the yellow shirt. Good, Antonette's running.

Audience member: Hey, thanks Eldar. Did you have to deal with the vendors, and were there any issues with them, threat of litigation?

Eldar Marcussen: So the simple answer to that is I've dealt with one of the vendors, they were okay; the other ones, I guess you can consider 0-day.

Host: Any other questions? Wave like crazy. Okay, that's probably really good. Another round of applause for Eldar.