
Thank you, thank you. [inaudible] Welcome to the surprise talk, the last one on this track. This is my first talk in the US, my first talk in English, so please bear with me. The talk is named [inaudible]. My name is John [inaudible], and I work as a pentester for [inaudible] Net Security. Originally I'm an electronic engineer with a specialization in wireless systems and telecommunication, but it's much more fun to break stuff than to build stuff, therefore I do penetration testing instead of engineering. I have been doing penetration testing for 16 years, focusing on everything from internal testing, web apps, physical testing, social engineering and so on. A small disclaimer: most of the stuff in this presentation is not new, most of it is already known, but it's so stupid that everyone should know about it, therefore I'm giving this talk. Nothing of what I say represents my company; it is my own opinions and feelings.

PACS. Does anyone know what that acronym stands for? No one? Close: Proximity Access Control System. Most of you, I hope, have seen readers like this and have cards like this; if you haven't seen anything like this before, come out from under the rock you are hiding under. I made this sketch to try to explain how an access control system is built. Starting on the right you have the token, the badge. It communicates with the reader, HF at 13.56 MHz or LF at 125 kHz. When you hold your card against the reader, the RF signal charges a capacitor in the token, acting like a battery, giving power to the microcontroller, which again makes the communication between the reader and the token possible. The reader communicates, either wireless or wired, with protocols like Wiegand or OSDP, to the controller. The controller has the entire user database, and the controller is the one doing the authentication. The controller also communicates with the door and opens the door if the token is valid. The controller talks to a server which has the user interface, the user database and the configuration. The server, in many cases [inaudible], the software is [inaudible]. In many cases this is a standalone system, not connected to the local network, not connected to anything, except maybe the internet, because the vendor needs to have access via TeamViewer to do configuration. In some other cases you might have the same over here, but with the server and several clients with the application running on them, and the server and the clients might be joined to a domain. So if an adversary is able to compromise the domain, he has also compromised the entire access control system, which I have done in several penetration tests: we were able to dump the entire database and create our own cards.

I mentioned earlier that you have HF and LF tokens, high frequency and low frequency. This slide tries to explain the technology used and [inaudible]. MIFARE Classic tokens, MIFARE Classic cards, and HID iCLASS Elite are really easy to copy, to clone. MIFARE Ultralight and MIFARE DESFire EV1 are also considered possible to clone, but a bit harder. The green ones, EV2 and EV3, are considered quite secure; EV3 is what is recommended if you're going to have a MIFARE installation. And the low frequency cards, you have HID Prox, EM, AWID, Indala, ioProx, EM Marin, Viking and a bunch of others: they have no security. There are a few exceptions; someone has tried to make some password thing there, but no one is using it. So if you have any LF cards, it's really easy to clone them.

MIFARE Classic, a little bit more details on them. And Per, you asked us to have some kittens if there are some slides with just information someone might already know, so I included some ChatGPT-generated kittens. MIFARE Classic is an invention from the mid 90s; it's not so old, or maybe it's getting old. It was originally Philips, the Dutch company, who made MIFARE Classic. MIFARE was later moved over to the company NXP Semiconductors in 2006. It was a proprietary encryption; it should be really secure, or maybe not. In 2007 to 2008 Karsten Nohl, a really famous security researcher from the Netherlands, [broke] the cipher algorithm. In 2011 there was an update with backwards compatibility; that was cracked in 2015. In 2015 NXP also recommended that no one should use MIFARE Classic afterwards. The picture you can see here I took during a penetration test last year. That was a system installed last year using MIFARE Classic, which in 2015 was recommended never to be used anymore; use more secure cards like for example DESFire EV3. This installation also uses only the UID on the card, which I will come back to later.

More details on MIFARE Classic. The data on those cards is divided into sectors and blocks; block [0] has the hard-coded UID, [inaudible], and every sector has its own encryption keys: two keys, one A key and one B key, both of them six bytes long. If one of these keys is known, there are attacks, the nested attack and the hardnested attack, to get all the keys. [Laughter] In many installations only one sector is used, and the unprotected sectors have the default key of all F's. No one uses default keys as passwords anymore, right? Anyone? Good to hear.

In 2014 I worked for a company in Norway. I got my access card to the office, and I had an ACR122 reader; if anyone has a reader like that, it's a really good reader. I cracked the keys on the card. I hadn't done any work with RFID before, I just wanted to try it out. I cracked the keys, put those keys into my Android phone with the app MIFARE Classic Tool, just to show my colleagues how easy it is to copy the cards. Maybe we should talk to the people who own the building and maybe make them change the system or something. But a couple of weeks later I was doing an internal penetration test for a customer of mine, and during lunch I saw that he had this card hanging around his neck, and we started to talk about access control, and I was just curious: can I just try to read your card to see what kind of technology is used? And to my surprise I was able to dump his card, and I didn't understand why until I saw that I had accidentally chosen the dictionary with the keys from where I worked. So it turned out that I was able to dump his card, from a totally different company, a totally different building, using the keys from my office. So I started to do some research, talked to people I knew, found some people who had the same access control system, we tried to dump those cards too, and we found all cards were using the same keys; all the systems had the same A key. I talked to the vendor, and they use default keys for all installations: the system is hard-coded with them and it was impossible to keep track of different keys for all customers, therefore they use the default keys. Now in 2024 I still see these keys used on new systems, and the funny thing is that if you take that key and decode it as ASCII, it is the name of the vendor. On YouTube I had the name of the vendor, in the real [version] on YouTube; I removed it here. I do have a vendor name here; the only reason I have the vendor here is that this is a screenshot taken from the Proxmark default dictionary. Salto is a company who makes access control systems, of course, and they are used in offices, hotels, all over. They have two different systems, for hotels and for regular office buildings, but they use the same keys on everything. So if you stay at a hotel having a system from Salto, you can take the keys from that system and you can use the same keys at the office building. This is the A key and that's the B key, found in the default dictionary, so it's really easy to dump. And in Norway at least, I've seen this one used in access control systems. It's interesting: the customer buys an access control system, [but there is no] documentation [of] encryption key management. For [storing the keys there are] for example databases for secure storage, password managers; it could be as simple as [Bitwarden], for saving the keys for different companies. You should never use default keys, and you should never use the keys of other customers.

On the 25th of July Per sent me this article in Ars Technica about default keys. There was an article about Secure Boot using default keys on many, many, many models from the large vendors of laptops and computers, Lenovo, HP and so on, and in this article there was a guy who was interviewed who tried to make a metaphor, comparing [Music] [inaudible]. It fits quite well with this presentation: imagine all the people in an apartment building having the same front door lock and key; if anyone loses the key it could be [inaudible]. And if things are even worse, other buildings have the same lock and keys. [That is the situation] for the access control systems.

So, story time. As I'm doing penetration testing, I'm doing a lot of physical penetration testing, so here's a story about one physical pentest I did a while back for a large power company in Scandinavia. It was a physical penetration test, and the goal was getting physical access to the headquarters, to prove that we could access the network, show access to sensitive areas, and place a dummy bomb at a central location: everything from proving that we had network access to showing that we could blow up the building. I'll skip all the recon and the social engineering part, but basically we were able to tailgate into a temporary office building next to the headquarters. It was some barracks that were temporarily installed there. We found two access cards just lying around on a desk, very shiny and new, and it turned out that they didn't work, because the employees hadn't started yet; when we tested the cards in front of the readers they only blinked red, so they didn't have access. But we found out these cards were using MIFARE Classic EV1, and several of the sectors had the encryption key FFFF..., never mind how many F's, the default key as mentioned before. Using that I cracked all the other keys on the card. The data on the card looked like this, ASCII decoded: one string for one card and one string for another card. [inaudible] The [first part] turned out to be the site ID and [the rest the user ID], [inaudible] to the vendor. From that [inaudible], the old magnetic cards, magnetic cards, [inaudible] the system is used in many, many places. [inaudible] As mentioned before, what happens if we take the user IDs and try to increment them and decrement them and see if we get any other valid cards? I tried to change the ID to something else and swipe the card; it didn't work. [I thought] about what if we actually have a valid ID, [but with a] CRC at the end, a valid [inaudible], a CRC of mine. I hammered away with CyberChef and different methods trying to find [the CRC]. I didn't have the patience; it shouldn't be that difficult, we can't sit all day in the car trying to find what CRC method is used. So I'm a big fan of KISS, like keep it simple, stupid. I changed the ID, started to check from zero and incremented, and on the second try I got a green light on the reader. The card was valid, but I was asked for a PIN. So we used some hours on this; we were able to make valid cards, but that company used PIN all day, which not many use. This is valuable information: if [they require a] PIN, instead of copying the card and walking in with that, we just tailgated in instead and got access to very critical areas in that building. But it was an interesting case and I learned a lot from it. More about MIFARE Classic [inaudible].
MIFARE Ultralight: the older ones have password [protection]. Using a Flipper Zero, if [you present it to the] readers, [you can capture] the password [and] dump [the card]. [inaudible]

MIFARE Classic, and I mentioned Salto: here in the US this summer I had a road trip from New York to LA. I stayed at [a number of] hotels across the US, all of them MIFARE Classic, and I was able to crack and dump the cards using my Flipper and Proxmark with dictionaries and [inaudible]. [This is a] hotel in Vegas; it takes just seconds to copy the card and emulate it on the door.

Another thing: I'm doing a lot of physical testing, and I'm not very eager to do other things like copying the cards, because in many cases it's much easier to just attack the doors physically, like for example this. That's a hotel in Norway. So why bother with all the technology when you can just use a simple shim to open the door?

So, back to encrypted data. I mentioned earlier that some systems only use the UID. When only the UID is used, there is no encrypted data, both on Classic and DESFire, and of course LF cards. The UID can be read super fast, and with equipment like a large antenna you can read it from like a meter, maybe more if you have really specialized equipment. There is a large number of vendors and a large number of installations that use only the UID. There are a lot of vendors that support everything else: support encryption, support secure [sectors]. [But the installers use] the UID: they don't have to manage those keys, just use the UID. This is a screenshot from the application of a large vendor of access control systems in Scandinavia: the default types of cards that you can use. Nothing here mentions encrypted sectors: here CSN, card serial number; HID Prox, that's only the ID, 125 kHz card; Prox digits; EM, only UID; DESFire CSN. Yes, and most installations I [see] from that vendor have only the UID.
[Another story:] an international research organization. Again we had a physical penetration test; the goal was to get in and get access to most areas. We went in at the end of the day when someone was going out; we just went in and started to [look through] all the available spaces in the building. We found an office cabinet [Music] [inaudible] cabinet. [In the cabinet there was a card] for the son of the janitor, because apparently he had some summer job or something there. I copied that card, together with some other ones, and started to go around the building, but you need a PIN at night, so we were not able to get into any areas. But we came back the day after; I only had one card with me, one blank card. [inaudible] Sitting restless in cars is boring in mid-winter in Norway. I took my Flipper, emulating the card, walking by the security guard. [Music]

Why? Why is so much crap still used? [inaudible] badges.
In many cases I think the security requirements are not specified well enough in the request for proposal. There is much focus on the price, and the customers trust the sellers, stupid as they are; they trust the sales person: "This is a secure system." I asked an installation company why they still use these cards, why they still use these old protocols, why they still use only the UID, and his answer was: "We just install it and make it work. We don't know anything about the protocols." That's scary.

So, can you upgrade an access control system? If it's old enough you have to replace all the readers, the controllers, the server, everything; it will be [expensive], depending on the size of the company of course. If it's relatively new, the hardware in many cases [supports] new technologies, but as mentioned before, the people installing it use the old technologies because that's what they know. If it's relatively new it is possible to only replace the badges, or recode the badges, and do some configuration changes on the system. The badges are often quite expensive; that shouldn't be, because they are really cheap to produce, but the providers take a lot for them. Anyway, I found a video on YouTube from HID, the large American manufacturer of access control systems, showing how they could reprogram, no, how they could upgrade the firmware on a reader. In this process he had, I think, five different cards containing the firmware for the reader. He had to set the reader in a special upgrade mode, and it took like five minutes to upgrade one reader: place one card on the reader, reboot the reader, when it started to blink the correct sequence of colors, replace it, put on a new card. It's like installing a game with floppy disks in '95. Five minutes plus for one reader. Actually, it is possible to upgrade some of the readers using a mobile [phone], if [inaudible]; it takes time [and] software.

The cards are in many cases [easy] to clone, [so] use PIN all day in all places. That's the point from all the slides I had before. Roles: in most cases not all cards have the same access, of course. How can that be misused? For example, in many cases you have a master card with access [everywhere], for example for the janitors, things like that. In many places, some places, I have seen key boxes like this; I guess you have seen them too. How easy is it to open a box like this? Anyone tried? I was able to teach my daughter in 5 minutes; she was 11 years old, and she used 5 minutes to learn how to open boxes like this. And inside these boxes you can find access cards with the master role, without PIN, because in an emergency you don't want to use the PIN, because it takes more time. So that's kind of scary. Guest cards: they can be upgraded in many cases. For example, if you remember back when I was talking about going from an invalid to a valid card, we just changed the ID. So if you have a guest card you can try to increment [the ID].
PIN codes. What do you think is the most used PIN code? In this place, one [digit]? What digit is that? What about that: 258. We were doing another penetration test; this [picture] was taken outside, and we thought it was kind of funny. Later we were able to get inside, getting cards from drawers in there, and we tried those cards on internal doors with [that] PIN. It turned out that PIN code [was used on] all cards for employees at that facility. More about PIN codes: one large vendor, I asked them how they store the PIN codes in the database. They are encrypted, but they wouldn't say how; not allowed to say how. This is a dump from the database. Is this encrypted? Encrypted, encoded [inaudible] data [inaudible] on that, because of course [inaudible] data [inaudible] run [inaudible] system [inaudible]. I found that PIN code encrypted in the database. In another part of the disk we found an exported CSV with all card numbers and PINs, [inaudible] PIN [inaudible] 5000 users.

Replay attacks on access systems. Remember the sketch I had: the cards, the reader, the controller. Between the reader and the controller there is [a cable and a protocol], and for many of those it is possible to replay: RS-485, OSDP, [inaudible]. The reader communicates with the controller and the controller opens the door if the card is valid, as I mentioned earlier. But what if you are able to connect something here, and when the card is swiped you are able to record that data, and afterwards you can replay it, because it is not encrypted? So, but how do you get access to that cable? Here are some card readers that I have seen on some tests. This is one from Solid, [inaudible], and on the bottom you have this tubular key. Is anyone into lock picking? Is it hard to open locks like this? It's possible to open them with just a piece of paper or a big pen. This one is easier: you can [un]screw [it] [inaudible] when [inaudible] inside [inaudible] other places.

ESPKey, anyone heard about that? That's a device based on the ESP32 which you can connect and do the replay attack. Red Team Tools, by Deviant Ollam and Babak, guys you might know from DEF CON; they sell this at their store. It is also open source, so it's possible to build it yourself; it's quite complicated, but you can. [A] short demo [of how it] works: [inaudible] card, connect [the ESP]Key, replay, [and the reader goes] green. [inaudible] The [ESP]Key connects via Wi-Fi, and my phone often gets screwed up because it doesn't have internet access; it gets confused because it's connected to a Wi-Fi but doesn't have internet access. So I didn't like that, so I just made my own project to simplify everything. This is the entire schematic. It has the code name BLE-Key at the moment, because instead of Wi-Fi it connects via Bluetooth Low Energy, and it has really few parts: just one ESP32, a DC-DC converter, some resistors, some transistors, a prototype board, that's it. If anyone wants to help me finish the code, please shout out; the hardware design is finished, the code needs some tuning, I'm no coder. At the moment it looks like this.

If you want to do research on RFID and access control systems, there are some tools that you need. Proxmark3, I guess many of you have heard about that; this is a Proxmark with the BlueShark Bluetooth module on top, with a battery. Everyone that does RFID needs a Proxmark. If you have an Android phone you can install the application MIFARE Classic Tool, which is also very, very handy to have.
Some China stuff. This is a really cheap Chinese card cloner; I think it costs like 10-15 dollars. It also has options to crack encrypted cards, but then you need to connect the PC to it and you need to install some shady Chinese software, so I never tried that, but it's really easy to use to copy the ID on all sorts of cards. Chameleon Ultra is really good. If you need some tips on what equipment you need, just shout out. Of course everyone knows this: how many have a Flipper here? That's good to see, and for the rest of you, buy one, it's fun. A couple of links to where you can buy some stuff: Lab401 is really good, especially if you live in Europe; Red Team Tools; yes, [inaudible].

Did you think it was bad until now? Let's make it a bit worse. Your access control system, you will never expose that on the internet, will you? Do you think anyone will? During the making of this presentation I just thought it would be fun to check out Shodan to see if I found some access control systems there. Actually, I found three different vendors; in Norway I found several access control systems, from those three vendors only, exposed to the internet. Vendor number one: Salto. You can see it in the banner information, is it blurry? Yes: Salto, Salto. And here is an RDP session for a Salto server, and there is also some web interface [inaudible] Salto access control system. Another one: Lenel, which I talked about earlier, several in the US, with access to the management interface, which might have a default password, I don't know, and some of them are running the database which I mentioned earlier, with a default password, so maybe some of the ones you can find on Shodan have a default password, I don't know. One more vendor, that is ASSA ABLOY: many, many in Norway and Sweden have the admin interface exposed, and for ASSA ABLOY, when you first log on to an installation, the default username is master and you have to change the password on the first logon, but way too many change the password to master because it's easy: master/master. And since these are exposed to the internet, what could possibly go wrong? I actually found a way of brute forcing; I made a tool for password spraying against these ASSA ABLOY boxes. Yes, I will not say much more about that. So that's it. [Applause]

Any questions? Questions for John?

So, I think you mentioned [identifying the] reader [from] Google Maps, Google Street [View]; you may identify the vendor, the system, from that. What [inaudible] is used by that type, for example a phone, and also to see if it's [inaudible]?

If I have a picture, you can easily find out if it's communicating over HF or LF, using for example this field detector. This will have two LEDs: one will blink if it's 13.56 MHz and one will blink if it's 125 kHz. It has two antennas tuned to the two different frequencies, so you can easily identify that. Really handy to have. There are some open source projects, [and] also, [someone] here at [inaudible] has his business card with this field detector built in.

Well, we have to cut off there; this was the last talk [inaudible]. Thank you all for coming. John is also speaking at [inaudible] Village, something?

No, but I will be there. I will be at the Red Team Village, the Red Team Village, so you can also find me there and talk.

Again, applause for John.
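Editor's added example, not code from the talk or from the speaker. It works through two points made above: the reader-to-controller data is a plain bit string that can be recorded and replayed (the Wiegand/OSDP replay section), and a neighbouring card can be produced by incrementing the card number rather than guessing a checksum, as in the power-company story. It assumes the standard 26-bit Wiegand H10301 layout (leading even parity over the first 12 data bits, 8-bit facility code, 16-bit card number, trailing odd parity over the last 12 data bits); the actual card layout in the talk was not disclosed and may differ, and all sample values are constructed.

```python
"""26-bit Wiegand (H10301) frames: decode, parity-check, re-encode, and
enumerate neighbouring card numbers.  Editor's example; the layout below is
an assumption (standard H10301), not the card format from the talk.

Bit layout, index 0 first on the wire:
  bit 0        even parity over bits 1..12
  bits 1..8    facility code (8 bits)
  bits 9..24   card number (16 bits)
  bit 25       odd parity over bits 13..24
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Card:
    facility: int  # 0..255
    number: int    # 0..65535


def _ones(bits: str) -> int:
    """Count the '1' characters in a bit string."""
    return bits.count("1")


def encode_h10301(card: Card) -> str:
    """Return the 26-bit frame for a card as a string of '0'/'1'."""
    if not 0 <= card.facility <= 0xFF or not 0 <= card.number <= 0xFFFF:
        raise ValueError("facility code or card number out of range")
    data = f"{card.facility:08b}{card.number:016b}"  # 24 data bits
    even = _ones(data[:12]) % 2          # bits 0..12 end up with an even count of 1s
    odd = 1 - (_ones(data[12:]) % 2)     # bits 13..25 end up with an odd count of 1s
    return f"{even}{data}{odd}"


def decode_h10301(frame: str) -> Card:
    """Parse a 26-bit frame; raise ValueError if length or parity is wrong."""
    if len(frame) != 26 or set(frame) - {"0", "1"}:
        raise ValueError("expected 26 bits of '0'/'1'")
    if _ones(frame[:13]) % 2 != 0:
        raise ValueError("leading even-parity check failed")
    if _ones(frame[13:]) % 2 != 1:
        raise ValueError("trailing odd-parity check failed")
    data = frame[1:25]
    return Card(facility=int(data[:8], 2), number=int(data[8:], 2))


def is_valid_frame(frame: str) -> bool:
    """True if the frame has the right length and both parity bits check out."""
    try:
        decode_h10301(frame)
        return True
    except ValueError:
        return False


def flip_bit(frame: str, index: int) -> str:
    """Flip one bit of a frame: what a naive 'just change the ID' edit does."""
    bit = "1" if frame[index] == "0" else "0"
    return frame[:index] + bit + frame[index + 1:]


def neighbour_frames(frame: str, span: int = 3) -> list[str]:
    """Valid frames for card numbers number-span .. number+span on the same
    facility code, excluding the captured card.  Each one is re-encoded so the
    parity bits are recomputed; editing data bits in the captured frame without
    doing that is exactly what makes the reader reject the card."""
    card = decode_h10301(frame)
    out: list[str] = []
    for delta in range(-span, span + 1):
        n = card.number + delta
        if delta != 0 and 0 <= n <= 0xFFFF:
            out.append(encode_h10301(Card(card.facility, n)))
    return out


if __name__ == "__main__":
    # Constructed sample: a frame as a tap on the reader's D0/D1 lines would record it.
    captured = encode_h10301(Card(facility=42, number=1337))
    print(captured, decode_h10301(captured))
    # Changing the low bit of the card number without fixing parity -> rejected.
    print(is_valid_frame(flip_bit(captured, 24)))
    # Properly re-encoded neighbours all pass the parity check.
    print([decode_h10301(f).number for f in neighbour_frames(captured, 2)])
```

The recorded frame is what an in-line device such as the ESPKey replays verbatim; `neighbour_frames` is the "start at zero and increment" idea applied to a format whose check bits are known, which is why a re-encoded neighbour is accepted while a single flipped bit is not. On a format with an unknown CRC the same enumeration still works if you leave the check bytes alone and only step the ID field, which is what the story describes.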