
Let's Get Physical: Physical Access Controls Security

BSides Lisbon · 2019 · 35:24 · 274 views · Published 2019-12
About this talk
Luis Catarino and Pedro Rodrigues demonstrate multiple vulnerabilities in biometric access control and time-attendance devices, including unauthenticated protocol manipulation, buffer overflows in management software, and insecure firmware update mechanisms. The research reveals how these devices—often exposed to the internet against basic security practices—can be remotely compromised to unlock doors, exfiltrate biometric data, and achieve code execution on management servers.

Hi everyone, so, let's get physical. First of all, this is not an original title, and there have been some talks with this title before, but it was too good not to use; it felt too good for this presentation. So I'll start by introducing us: my name is Luis Catarino, I work at adamant sec; this here is Pedro Rodrigues, he is a security engineer at fire fetch, and together we comprise a team of very curious individuals that have met and done some very fun projects in the past. Some of them we can talk about, some of them we can't. But since this talk was so big,

we brought projects so broad, so proud, sorry, it was a very broad research and we wanted to share it with the community, and hopefully we can get you guys as curious as we were about these devices, and hopefully start also to do some research. Reading the standard disclaimer, yeah, we have to put it here. And now I'll pass the word to Pedro. Hello everyone. Before we start, let me just go through the basics of authentication. Basically you could authenticate yourself with the device, any kind of authentication, through three ways: something you know, that's like a password or a PIN or something like that; something that you have, a keycard or a cellphone or something on that matter;

something you are, that's something that you cannot change, like your fingerprint, your iris, your eyes, your face, something that you are born with. Obviously passwords are easy to change; key cards sometimes have a cost but are fairly easy, and it's cents on the key card; fingerprints and eyeballs and something like that, it's easy if you do a transplant, the transplant itself could not be, maybe it's not that easy, but it's easy. On that note, biometric devices: everyone is starting to deploy them. It's great for time attendance, because when you need to place your finger on the device you need to have that finger; you cannot borrow someone's finger to bypass it. That's

great because your boss now knows that effectively you went to the office at that time, and obviously you can't forget your finger at home. I usually lose my cards, and people who know me know that I misplace everything. It's easy, it's getting cheaper by the day and nobody's really loved them. So in the recent months, more specifically about one month, one month and a half ago, if you go to Exploit-DB you see two exploits for prime access control and face entry; they are basically time attendance and access control devices. They both have RCE vulnerabilities in them, and you can also see a BBC news story about the BioStar leaks. It

basically was an Elasticsearch instance exposed to the web, and that was leaked through that. I don't know why they have databases of fingerprints and time attendance, but you know, leaks happen. Let's spoil them, okay? So it's kind of cool: these devices, you deploy them, you make them work, oh yeah, I see, I cannot bypass this authentication or this control because you need to have physical existence before the device. So it was cool to find something on other devices that we could exploit, more or less like the Watch Dogs game, Watch Dogs 2 from Ubisoft, where Marcus, the main character, went through the city with the cellphone opening doors and bypassing

all these controls. So, you know, let's try to do something like that. Okay, how do you start? Catarino called me: hey, look, we have a new device here, what do we start looking at? Cool, this is really a standalone device that you can place, and it has a weird protocol and stuff, let's look this up. So we started looking at these devices we were deploying, and before we knew it, this happened: just an Enter, and now the door is open, notification, easy, just went through. So how did we manage to do this? We looked at Wireshark, because it was a janky protocol, and we took the payload and replayed it, and it opened the door. It was easy;

there is no nonce or something like that, and probably not an SSL or TLS encrypted connection, so we configured port mirroring, or a spanning port if you want, and started to listen to every payload that was sent to the device. The architecture was the following: there is a management software where you control the devices, all your devices, from your office. You can ask them to open, or upload a new fingerprint or access code, and you can manage all through that; actually most of your implementations need that. When we started we made small requests: get me the device information, open the door, get the current logs. Starting from scratch in Wireshark, the payloads were actually very

simple. You can see here it starts with a five and has a small number of bytes. It is wrongly recognized by Wireshark; it stated that it's "I I psi CTL", hello, well, something like that protocol. Don't know, don't care really, but since it was small, man, we could take the challenge. We are not experts in reversing, but you know, something like this: I don't see any passwords or something that resembled it, because we set a password and it's not being sent here. So let's dig deeper. Since we have control of the network we started making those small requests: open the door by force, negative I-states, whatever that is, device type, record information, something small to understand how the protocol

works. As you can see here, they all start the same with a five byte, then it has a small number; for instance, for get record info you have four bytes with numerical one below, and on the open door force you have all zeros. And we didn't understand how this was going to affect our research, but we started changing all these parameters to see how the device responds, so we could come up with this: we know that there is a preamble, and no data, but it's very small, one, two; it's like a sequence number, not a huge number, but yet it has four bytes. The interesting thing was that some devices responded when we did a replay attack;

when we changed the number it stopped responding, but if we nop'd out the sequence every device started to respond, so we just set all zeros on payloads and went with it, because we did not know what this thing was. There is one byte for an instruction, open door or get device records or something like that; it's basically the command. Then there was what we assumed was the length, two bytes for the length, because it was the remainder of the data, so we mapped it, we thought maybe this is length. But there are two bytes that aren't length, so we marked them as unknown data and we started the process of figuring out what those two bytes were.

Luckily, the vendor provides an SDK. This SDK is for you to deploy your own implementations; for instance, there is a product from telly max here in Portugal that uses the SDK to implement their own software and control all these devices. Since we have an SDK and we didn't know how these packets were being made, we started to look for this. This is the SDK: it has four files, one .docx that I didn't understand, I'm not going to say the next four, and three files: a DLL, a header file and a .exe file; it's a testing program with which you can interact with every device and get all records from that.

Basically they just say okay, this is vulnerable, but just use it: so you don't need to provide any password to interact with each device or the test program. We started reversing, but there weren't any exported functions that resembled a checksum or CRC; we know it's a CRC-16 now because it's two bytes, but we didn't find any exported function. So maybe it's a function that is being called, not exported, but going through the flow of all the communications is kind of tedious, so we are lazy and we just looked for the function that has the most cross-references to it, and guess what, we actually found it. This is the assembly, the start of the function, and

we looked at the bottom and we saw an array. CRC has polynomials that are used to make that array; it's a standard CRC from our point of view, but we started looking and we didn't understand these bytes. It seemed different from what we are used to, so we just started reversing and mapping a lot to our implementation of the protocol. Later on, my friend that's at fire fetch told me: yeah, you are looking at the wrong CRC-16; there are multiple standards, you are looking at the wrong standard. I just wasted 8 hours of my life, thank you. Now, since we have the CRC, we have all the requirements to make a payload, so we

just repeated the same payloads and started to look at the responses. The responses were quite easy to parse because they follow almost the same structure of the protocol, and it was easy, since we have access to the device, to map out what the bytes are: the name, the password, the card ID, RFID, and even fingerprints. The fingerprint is not a BMP or PNG file, it's actually an Aiden vowel matrix, so let's fortune that. But you can extract passwords, and you can even set your own password without knowing the previous password. So the protocol is so open that you just send an instruction and it accepts it, no matter what you are:

the boss, if you have access to port 5010 TCP. I see the SDK adds some security in some fields; when we call the DLL we saw some sanity checks that are going to truncate our payloads, and something more or less like that. So we said okay, we can implement the protocol properly, so we made our own implementation of the protocol so you can interface with it without any constraints. We aim to look for vulnerabilities in the device and in the manager, not on the SDK. So we started building, and basically at this point we have the structure: we were able to communicate with the devices themselves and retrieve information, change information; we had

control of the devices without any authentication. What we didn't have was access to the server, the other way; that part would be very interesting, and if the devices are designed like this and implemented like this, it probably won't be that hard. So, damn, we wanted to see if we could find some problems with the manager, and yeah, after some, I don't know, I think it was the first fuzzing test, we were trying to communicate through the devices at the same time, so probably some random payload caused this access violation. So okay, we have a buffer overflow. But yeah, we're talking about some software that has a lot of

years in the market and the vendor is, yeah, well-known, so it will probably have ASLR, canaries, it will have some protection, right? Yeah, at this point we saw that it didn't have any type of protection. And we were talking about a 32-bit executable, so it was easier for us, and I simply admit that if it were 64-bit it would take us some more time, but fortunately they gave us a hand. And yeah, basically, okay, now we know that there is a buffer overflow, we can replicate it, and at this point I will not bother with the details, but basically, yeah, we basically

rewrite the EIP register on the CPU when you exploit the buffer overflow. We found the jmp ESP instruction in the executable file, so we were able to jump to the point of the stack, and we were able to place some malicious payload and hopefully it goes as we wanted and gives us some output. It would be good for us, so basically we have our solution in there: someone runs the cross-checks application that is the manager of the devices, they search for new devices, and below we can see that, yeah, we have remote code execution, we can get access to the

server that is hosting the manager. Okay, so we have control in two directions; we're good to go, right? We're gonna stop here? I didn't want to, so we kept going. One more note: this application needs to be run at the highest privilege on the system because it uses raw sockets and some more obscure stuff, so when you are executing it you need elevated privileges. And as we were testing we left Wireshark open because we wanted to see everything on the network, and we actually came across this: a plain old HTTP connection. You know, it's not unusual to see this, but here it came to our attention that it was trying to get an upgrade. So it could be nothing, because

it could have a PGP check later on, like apt or something like that, so okay, maybe we should look at it but not get our hopes up too much. When you try to upgrade, if there is no update available you'll see "on your version", like on the screen. But since we are controlling the network, we redirected the traffic to us, to a simple Python HTTP server, and we started to tamper with the requests. We actually showed that we change the message to "nothing to show": we just received the request with the version that it was advertising, and we increment it by one and we say okay, there is nothing to show, but here is the manifest of all new

files and updates. Since you are running with high privileges, we can upload just a simple backdoor, and everything will run with high privileges on the device; you just need to send a file with the same name as you write on the manifest of the upgrade and you get a shell. But if you can poison the DNS or redirect traffic, you can also try to overtake the server with this vector. Okay, this is pretty much broken, of course, and we didn't know why someone would deploy this to the network, but we kept going. We started to talk to each other and look at all the public resources, and we actually found something interesting: the vendor actually recommends that these

devices are exposed to the Internet so you can allow inter-site communication. Why anyone would do this without a VPN or something like that, I don't know, I really do not know, but okay, if they recommend this, probably someone on the internet will expose this, right? So basically that's our open source intelligence gathering. You can see it, yeah, ranging from 1 to 2,163 IPs we got a total of 1,078 unique devices, and we stopped. Basically later on we'll talk about the disclosure; we were asked what was the exposure of this vulnerability, and we wanted to be able to reply, so we thought yeah, we have more than 1,000

unique devices, so we're good to go, and we sent a test payload to show them, so that they would be able to confirm that the devices are there. It's now on the beta version, and hopefully it will be on Shodan soon; you will be able to search for the ports, six zero one zero, four ten, and find devices. So yeah, but until now we would be thinking yeah, they're probably small clients, right, and all small companies are implementing this. And we went to their website to see if they would share some of the clients that are using this solution, so you can see on the bottom we

did some warnings before this talk; we coordinated a responsible disclosure, of course; hopefully most of them are now not implementing this solution. But yeah, basically this is the point where, yeah, so remember, there was a time that people exposed printers to be able to print anywhere in the world. What if you can upgrade the software version to a vector or a firmware that will perform malicious actions on your network? You basically start getting into the network itself of all these clients, and since this is an application that has PII, personally identifiable information, that could be a leak, a major leak here. And this is not a small

vendor, as you can see. This is actually very dangerous for people to deploy on their networks, and you know you are liable for what you store on your devices. To back me up on this: yes, there is an upgrade function that you can call and you can upload an evil firmware, and basically you have control: you can make an upload to have a SOCKS proxy, an extension of the current protocol to proxy your requests inside the network, or you can make a firmware that will pwn the manager itself and you get a reverse shell with the highest privileges on your attack machine. These are some useful exported functions that you can call with the DLL: you can force

unlock (this call will not log anything on the log file, so it will never have happened in the eyes of the sysadmin); you can download all records, all attendance records; you can erase all records, of course; you can get network information, installed personnel; you can leave a message to someone when they place their finger, you can pop a message saying "you have just been pwned"; or you can get admin credentials, because there is no verification of any kind, there is no security whatsoever. Okay, so we were trying to release the tool today, I'm not sure we'll be able to, but yeah, we've been working on it until five minutes before we entered this room. We're

also releasing this tool as the implementation of the protocol; it is able to communicate with the devices themselves and it also has the buffer overflow proof of concept in there, but we're also releasing it as a standalone file for Exploit-DB; hopefully it will be published, yeah, today. So now to the future: yeah, hopefully we'll be able to see the exposure, have a better understanding of the exposure to the Internet. Well, it is possible, you know, it is possible to upload some malicious firmware to the device, a vector to the device, and basically attack all of the devices that are exposed. So we wanted to do some more, but we didn't have the time. It makes some

sense to create, if someone wants to take that initiative, the protocol decoder for Wireshark, some firmware analysis; we wanted to disassemble the device and do some more research on it, but not in time. But yeah, there's still a lot of work to do in the devices, in the firmware itself. So to the disclosure: we of course contacted CNCS, the CERT in Portugal, and they met with us here in Lisbon, and that was between February and March, but basically we told them what was going on, we asked them how they wanted to proceed. They agreed to coordinate with us: we would contact the vendor directly and they

would be aware of any communications. In the meantime they would also contact the major ISPs here in Portugal to get them to advise the companies, as many companies as possible, so they will disable or at least segregate the devices. And in the meantime the vendor didn't reply to any of our emails. We know that there was another researcher that basically didn't coordinate with other entities; he was fortunate to have a reply from them, and he published some of the same vulnerabilities, not all: the buffer overflow and some other ones and the upgrade, but that part is in full disclosure right now. But for us,

we still don't have a reply, and yet they published on their website, we saw that a few weeks ago, that they're promising to have peer-to-peer double encryption for all device communications. So this is only a small part of the documents: basically they have military-grade security, at least they're telling us they have it. We don't know, we haven't talked to them. And yeah, we downloaded the latest update of the cross-checks and everything worked, every exploit works the same, for the upgrade to the devices themselves. They say that they have an upgrade, but you have to send an email to the server to be able to receive it, and we don't have,

we don't have that upgrade, so at least cross-checks is in the same point by now. So of course, seriously, yeah, the CRC was a big lesson to us, and thank you again [name unclear]. But yeah, basically I think the lesson here, the main lesson, is do not expose devices, and this is transmissible to every IoT device right now, right? But don't expose them, don't trust them, segregate them as much as you can, and again, question them. And for the people that are here that have the time and have the will to do some more research in this, yeah, there's a lot to discover, a lot to contribute, and hopefully a few years

from now we'll have secure devices. We wanted to thank also BSides Lisbon for letting us do this presentation, we'd like to thank [name unclear] for the vendor link, we wanted to thank Sharon for the implementation of the protocol, and of course CNCS: yes, they were very quick to respond, they coordinated everything with us, they're a very efficient team, and yeah, we were basically very, very lucky to have them on our side, because we were a bit worried to get arrested or something like it. So some more thanks, and just to end, thanks to [name unclear] for the document review, a big thank you. And I told you that we wanted to

leave this in writing: there has been a CVE disclosed for some parts of this research also, and yeah, we basically saw in the meantime that we were able to get the comms protocol, so we lost a lot of time, but yeah, it was not less fun. So thank you, and questions?

Thank you Luis, and, fellow questions, anyone? No questions? I have to make time because the coffee break is not ready, so you still have time, yeah, they don't have the food ready. So if you want to ask some simple questions... you guys know any jokes? Yes, a joke or a question? I'll ask a quick question, okay: how hard was it to find the Control Manager software, was it easy to find? It's free on the vendor's website, turn off, but you love them, they have two versions, another one and the new one, they all work the same and they all have two simple devotee soon, except for Ian, Ian, it's on a PI basis,

but it's from telly max, it's not an official application. Okie dokes, thanks. Okay, can I ask a question? Of course. How long have you been working on this, and what fuzzer did you use to test the software? Okay, so how long we spent, yeah, we talked about it, yeah, we spent a lot of time in this research, especially in the beginning; I don't know, 30 years ago, a lot of days, a lot of days, some weekends, yeah. I don't really have the idea of how much time we spent, because it was really fun, but it was a lot, it was a lot. And as for the second question, it was what, yeah, what fuzzer? Yeah, we

basically didn't need any fuzzer, any fuzzing program, because basically if you send enough A's you'll be able to get every result, so no need for that. It was not that hard, we don't deserve the credit. [Music] So in terms of the devices, in the firmware, did you open one of the devices? Do you know what type of storage it has, is it like eMMC, is it a flash? Not yet, not yet, yeah; basically the one we had access to, where we had complete access to it, was implemented in our office. So what is the cost of one of those devices, anywhere? Did you like, stationary, but very, and when I asked

telly max for the implementation of the protocol, they asked me for 300 euros; it was quite expensive, so that delayed us a little bit. We should make a hardware lab and get sponsors to buy the devices; I tried, but no one was answering. This conference, okay, okay, more questions? Really? Okay, let's say that if you want to go more into this, this is now fully open to the web: you can access the application, you can look for the disclosure on the sites that we show here, and you can see all the process that we took to understand this protocol, if you want to understand the market. Okay, so thank you. [Applause]
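The speakers describe the frame layout they recovered (preamble, four-byte sequence that devices accept as all zeros, one-byte command, two-byte length, and a two-byte CRC-16 whose variant cost them eight hours) and list a Wireshark decoder as future work. The following is an added example, not the speakers' tool or the vendor's SDK: a small dissector that splits a frame into those fields, flags the all-zero sequence, and reports which common CRC-16 variants reproduce the trailer. Offsets, little-endian byte order, the 0x05 preamble and the command codes are assumptions; the real values are not on this page.

```python
"""Added example (not the talk's tool): dissector for the frame layout the speakers
describe.  Assumed layout, as the talk gives sizes but not offsets or byte order:
  preamble 1B | sequence 4B | command 1B | length 2B (LE) | data | CRC-16 2B"""
import struct

# Rocksoft-model parameters (poly, init, reflect-in, reflect-out, xor-out); the
# talk's lesson is that several CRC-16 "standards" look alike in a table dump.
CRC16_VARIANTS = {
    "CRC-16/ARC":         (0x8005, 0x0000, True,  True,  0x0000),
    "CRC-16/MODBUS":      (0x8005, 0xFFFF, True,  True,  0x0000),
    "CRC-16/KERMIT":      (0x1021, 0x0000, True,  True,  0x0000),
    "CRC-16/XMODEM":      (0x1021, 0x0000, False, False, 0x0000),
    "CRC-16/CCITT-FALSE": (0x1021, 0xFFFF, False, False, 0x0000),
}
HEADER = struct.Struct("<B4sBH")  # preamble, sequence, command, length
PREAMBLE = 0x05                   # placeholder: the talk only says "starts with a five"

def _reflect(value, width):
    out = 0
    for i in range(width):
        if value & (1 << i):
            out |= 1 << (width - 1 - i)
    return out

def crc16(data, poly, init, refin, refout, xorout):
    """Bit-by-bit CRC-16 following the Rocksoft parameter model."""
    crc = init
    for byte in data:
        if refin:
            byte = _reflect(byte, 8)
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ poly) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    if refout:
        crc = _reflect(crc, 16)
    return crc ^ xorout

def crc16_named(data, name):
    return crc16(data, *CRC16_VARIANTS[name])

def identify_crc(body, trailer):
    """(variant, byte order) pairs whose CRC over body equals the 2-byte trailer."""
    hits = []
    for name in CRC16_VARIANTS:
        value = crc16_named(body, name)
        for fmt, order in (("<H", "little"), (">H", "big")):
            if struct.pack(fmt, value) == trailer:
                hits.append((name, order))
    return hits

def parse_frame(frame):
    """Split a frame into fields and report which CRC variant its trailer matches."""
    if len(frame) < HEADER.size + 2:
        raise ValueError("frame too short for header and CRC")
    preamble, seq, cmd, length = HEADER.unpack_from(frame)
    end = HEADER.size + length
    if end + 2 > len(frame):
        raise ValueError("length field runs past the end of the frame")
    body, trailer = frame[:end], frame[end:end + 2]
    return {
        "preamble": preamble, "sequence": seq, "command": cmd,
        "data": frame[HEADER.size:end],
        "crc_candidates": identify_crc(body, trailer),
        # devices accepted an all-zero sequence, so flag it when reviewing captures
        "zero_sequence": seq == b"\x00" * 4,
        "trailing_bytes": len(frame) - (end + 2),
    }

def make_sample_frame(cmd, data, variant, sequence=b"\x00" * 4):
    """Constructed test vector (not captured traffic); command codes are placeholders."""
    body = HEADER.pack(PREAMBLE, sequence, cmd, len(data)) + data
    return body + struct.pack("<H", crc16_named(body, variant))
```

Run `crc16_named(b"123456789", name)` against the published check values of each variant first; a decoder that matches the wrong one will still "verify" nothing, which is exactly the trap described in the talk.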