
So my name is Kev Breen. I'm a cyber threat researcher at Immersive. I've been in the sector for a while, and over the last couple of years I've really got interested in hardware reverse engineering. Attacking hardware systems and access control systems became a thing that really interested me a little while ago, and that's what we're here to talk to you about today.
>> Yeah. Hello everyone. My name is Finn McCarthy. I also work at Immersive as a sort of cyber threat researcher. I often say, to the upset of my girlfriends, that the love of my life is reverse engineering. And that picture there is where I won BattleBots at BSides Bristol. So, you know, I'm undefeated. [laughter] [snorts]
>> So I said we're going to talk about access control systems and we're going to get into some exploits and some attacks. But before we do that, a little bit of a primer. Most people are familiar with this side of the access control system: the card reader, the thing that sits on the door of the hotel room or the office building. This is what most people are interacting with. These are proximity based, so RFID or NFC depending on what it is. Loads of different vendors, loads of different protocols; there's a lot going on with these things, and this is the thing most people are going to be most familiar with when we talk about access control systems. Almost all of them can be card cloned or compromised in some way; there are very few that survive that. So again, we're not going to dwell too much on this, but it's important to understand how the access control systems work, because we're going to compromise some of that a little bit later on.

Most of these systems, some of the older systems, work on the UID. That is just the hardcoded thing that's on the card; that's the thing you're cloning. That's very true on some of the older systems, so stuff that runs on 125 kHz. For more modern systems, like the MIFARE side, they don't just use the UID, they use other data that's on the card as well. Some of those have crypto, some of them don't. Some of it's broken, some of it isn't. It's just a very, very confusing world. And this is where I started. When I first got into access control systems, it was all about the classic card clone. That was the thing I was interested in; that was the sexy side of access control systems. But that's not where I wanted to be. There's a lot of research by a lot of clever people already done in that area.
All the tools already exist. So the only thing you can really do in there is things like building red teaming tools to make it easier to do those kinds of attacks, or breaking crypto for systems that haven't been broken, but that's not where I wanted to be. I wanted to look at something that wasn't as obvious. So if we take a peek behind the door, this is kind of what an access control system looks like. On the bottom row there are the door readers; that's the bit you're most used to interacting with. Those card readers control the doors, and the doors then each have a door controller, an ACU. And this is the thing that I was really interested in understanding. We know how we can attack the wireless protocol from the actual cards themselves. What about the stuff between the door and the reader? Well, again, that one's pretty broken as well, especially if it's talking something like Wiegand or OSDP. Those things are well understood and there's plenty of hardware out there as well, like the, the name's gone, the RF key something, that you can put in line that'll intercept the Wiegand code, and there are lots of things in that space as well. So I didn't really want to focus any research there, but the door controller to the server was where it was most interesting for me. This is a piece of hardware running a microcontroller that's talking to some Windows stuff. And that doesn't have as much research in it as stuff like the classic card cloning does.

When it comes to how these are actually installed in buildings, this is what it looks like. Like I said, each one of those squares controls a single door, sometimes two doors, sometimes four doors. They take up a lot of space because of regulation, especially in the US and the UK: these things have to operate independently. In the event of a fire or a power cut, you can't have all the doors failing to open and locking everybody in, so they still have to run on things like battery backup. So these things take up a lot of space. If you're in a big office building, a big hotel, a big airport, where you've got hundreds of doors, you're going to have hundreds of these things around, and each one, like I said, controls a door. So, okay, how are those things all connected together then? Why does that door have an RJ45 on it? There are two ways these door controllers are connected back to the central systems. They can run something over RS485, so that's twisted wire, but more commonly they're just plugged in over Ethernet. I've spoken to a number of people who do installations and they say that what they tend to do is install these things using the existing network that's there. Some good installers will do things like separate subnets and VLANs. Most installers would just plug it in and yolo the system into play. So that now had me a little bit interested; this is the research area I wanted to get into.

So I started with some cheap stuff that you could buy on Amazon, like Chinese door controllers, but there's no authentication. There's nothing on those. Just open it and lock the door. So I wanted something that was a little bit more commercial. I always wanted to do something like this.
There's no sound, but for those of you not familiar, this is Ethan Hunt breaking out of a prison, or into a prison. It's very unclear which way he's going. Down in the van, the trusty hacker is just unlocking all the doors for him, just watching on the CCTV. Just point, unlock this door for me, and away you go. I'm going to leave all the fighting to Ben. I'm the guy in the van. [clears throat] And then we go through, punch some people, and it's like, no, open all of the doors. This is a trope we see across a lot of films, a lot of Hollywood. I thought, how true is that really? Because that's not card cloning. That's not them cloning cards. That's actually just sitting outside, not in the network, remoting in and unlocking all the doors. That's what I wanted to do. And like I said, the cheap Chinese stuff isn't commercial; it's not really going to be installed in prisons and airports and hotels.

So what does... I was actually at BSides in '23. Ian Parks was running a presentation on... oops. [laughter] He was running a presentation called Access Uncontrolled. In that presentation he was attacking the fire system, so the emergency exit buttons, the fire exit buttons, with some social engineering, and how you can use those to gain access to buildings.
And on the demo he had, there was a small little green and yellow box in the middle. So I took a picture of it, zoomed in, and it was Paxton. I was like, great, this is something that's commercial. Didn't know anything about the company, just knew that this was used in commercial buildings. So jumped onto their website. Sure enough: access control systems, remote administration, hundreds of doors, all the things I wanted. A Windows server running the operating system, the server controller, lots of ACUs, lots of doors, lots of readers, that kind of stuff. Also, I don't know how well you can see that, but this is installed in hospitals. There's a prison in the US that has this system in it. Man United are also on the list. So after this, you absolutely cannot use any of these attacks to watch Man United for free. That's not a thing you should be doing.

And then we found them on eBay. Normally these things are very expensive, especially if you want them installed, but I just jumped onto eBay and found a full setup for around £500, I think. The guy wanted me to drive and pick it up. I said, "No." He said, "I'll ship it to you." I said, "Great." [snorts] And a couple of weeks later, that thing arrived at my home and we were ready to go. So, like I said, I'd always had this interest, and I was really interested in the hardware and the attack surface, but I don't like doing things on my own. So I went to Ben, who I worked with, and went, "Oi, I could really do with some help, please."
>> Yeah, of course. I always say yes, obviously. If you want to go to the next slide. So we spent a little bit of time reverse engineering the Paxton project, and what we want to talk about right now is the different vulnerabilities that we found across the suite of tools that they have, and also show how the design decisions can actually be replicated across many different access control systems as well. So you can take a lot of what we're talking about here in terms of the approach we took for reverse engineering and actually look at other products, which we'll talk about a little bit later. As you can see, there are already three languages that we'll talk about here. We've got a VBA client, and we've got a C# server which calls into some C DLLs. As soon as you see that, alarm bells should be going off, because the security of each language is a bit different. How are they managing the communication from one language to another? All of these sorts of things start to bring questions into your mind. I don't know if anyone's actually reverse engineered VBA before, but it's absolutely horrible to look at. C# is quite nice because you can get the source code back nice and easy, and then C is obviously again a bit more difficult because you're looking at either decompiled C or assembly, but we'll talk a little bit about all of that later.

But let's first talk a little bit about the process that we went through. This is just an example of the logging that this tool does. As you can see, it's incredibly verbose, which is great if you're a defender and maybe you want to set up some detections or parse some stuff, but it's also really good if you're an attacker, because it's literally telling you, as you can see, "socket connection". It's telling you exactly where the function is that is performing a particular action. So you can run the program up to a certain point, check the logs, okay, what functions have run. You don't even have to do any tracing; it's basically just tracing for you. And that actually helps with identifying where you want to start looking for particular issues inside the system. And you can see here, I don't know if you can actually see my... yeah, you can see my mouse. There is this thing called bin.b64 and then there's this base64 encoded string. We're going to talk a lot about that in a second, but as you can see, just from literally looking at this, there's already quite a lot of information that you can glean, and it's just a very small screenshot of some logs of the process running.

So one of the vulnerabilities that we got was essentially an auth bypass. We can just start connecting to the server, sending off commands, doing... what did you call him? It's not Ethan Smith.
>> Ethan Hunt.
>> Ethan Hunt. Yeah, there you go. You can just start opening the doors for Ethan Hunt to move through these prisons or to go watch Man United. And this vulnerability I think came back at a preliminary 9.8, so it's quite high up in CVSS, and it's over the network. So let's talk a little bit about the actual process of reverse engineering it. Everyone thinks reverse engineering is all about just opening up a binary in Ghidra and spending hours bashing your head until you see something that might be interesting, but actually it's a lot about holistically taking a look at something and understanding, okay, what is it actually doing normally? So run the program, check the logs out, for example those verbose logs. What is it doing in Wireshark? What does the authentication protocol look like? So if I launched Net2 on a PC and had Wireshark up, what sort of communication is occurring?
What sort of ports are being opened up that I can actually connect to and start sending data to a privileged process? As you can see, there are quite a few ports that this service opens. So all of these things, without even doing any reverse engineering into assembly language, we're actually beginning to understand what this tool is. So we first just actually tried to log in, set up a user (we had actually bought the system, so we could just set up users willy-nilly) and looked at the communication protocol. As you can see, there is what looks to be a sort of header here and then PD94. Does anyone know what PD94 in base64 is? It's the beginning of an XML blob, which is lovely for us because that's plain text, and it's always much easier when things are plain text. If I go to the actual... can you see that? Beautiful. If I go to the VM, I'm just going to start it on localhost, and then I'm going to get rid of CyberChef for now, and then I'm just going to launch Net2 Access and show you. It takes a little while to launch; it's a bit of a slow program.
>> Yeah. So, while Ben's looking at that, one of the things we spotted really early on is that a lot of this traffic is happening before we even authenticate. Without even opening the client, just looking at the localhost traffic, we could see there's a lot of interactivity always going on. Now, the way that Net2 is architected is that you can have a single server and run everything from that server. You can install it onto a Windows 7 or Windows 10 machine and have everything running locally, or you can install this headless on a server somewhere and then have lots of clients connect to it. So this thing is both talking to itself on localhost, but it's also got all these ports exposed so that the remote clients can connect in, and they talk the exact same way.
>> Exactly. Just trying to showcase the sort of process that we go through. And as you can see here... oh, thank you. I did not see how small it was. No one shouted out. Come on. So, as you can see again here, we've got this bin.b64. That's something that interested us. We were like, "Oh, this string's interesting. Let's actually take a look at that." If it's just base64, is that the crypto that they have? No. Okay. So the bin.b64 obviously means something. There's something that happens in that process before, but in the traffic after that string is sent, there is then a login. The login actually occurs, and then you can start sending these sort of functions. So our idea was: this is obviously an authentication process, let's identify what that actually looks like. Cool. And just to show you the interesting XML that we were decoding, you can see here "socket initialize". This timestamp is very important, so please write that down. Then you've got the auth request, which you can see is that bin.b64. Then here's a state key. Then there's a function call to get server initialized, which Kev will talk a little bit about later. And there you go, auth connection fully set up. The reason I'm showing you this before we go into a bit more about the reverse engineering is that it's important to look at how a program works without trying to break it at the beginning
because then you can start to identify where there are potentially weak points. And we've identified here that bin.b64 is a bit weird, and there's another function there. So this is what decompiled VBA looks like. It's pretty horrible, if you've ever actually done it. I haven't spent a lot of time in VBA; it doesn't really feel like the decompiling software actually gives you all of the code back. So what I much prefer to do is do it in a debugger or Ghidra. But with a VBA compiled binary, you're actually reverse engineering the engine behind VBA, not just the VBA code itself. So, as you can see, these double underscore functions are all private functions that shouldn't really be looked at. But what's interesting is, while we were going through the process and setting breakpoints at certain points when network connections are made and all that sort of stuff, we saw this "Zat MSM". Now, we found online there was this person. Is it Damian?
>> Darren. Darren's in the house.
>> Is he here?
>> He's in the building somewhere.
>> Oh, he just didn't want to come see us. [laughter] Fair enough. But originally there was actually just this word, "elephant", in that exact casing, and that ended up being the seed to a particular crypto. And as you can see, after Daniel went to Paxton and said this isn't good enough, what they did is they updated the seed to a new, much more secure one.
>> It's worse than that. They didn't change anything. So when we got the new version, we knew it was this elephant string, but it didn't work. So we opened it up, jumped straight to the exact same offset, and it was right there. It hadn't been redesigned or recompiled. It was literally just this single...
>> Same length string, everything.
>> Same string, just replaced. So it's like, yeah, this was working, then we updated and it broke, and it's like, oh, just jump to the offset.
>> Didn't even have to bindiff or anything; it's just straight to that offset. There's the new seed. And then, like I said, I hope people wrote down the timestamp earlier, but here it is again. And you can see here __vbaStrCat. So we can probably take from that name that we're concatenating these and then going through some sort of crypto again. And then we go back to the VBA, which is really upsetting. As you can see, it's quite complex. I've never written VBA code properly, so this looks quite complex to me. It looks a bit spaghetti; it looks a bit odd. I don't know what Asc and Mid is. So again we went back to the debugger and decompiler, and within a few lines of Python... and I am going to do that, don't you worry Kev. If I get it right, there we go, yay AI. So essentially it ended up being just a few lines of code, right? And I think that hopefully this is a lesson to everyone here that you should never really roll your own crypto, because you're definitely not going to be cleverer than the people that spend their whole lives at GCHQ developing these sort of systems that keep us all secure. I'm not really sure what the design process they had in mind was, but essentially it was: take a byte, XOR it against this hex value, 0x17, if it was the first character in this string; if not, we go against this one plus whatever index in the array we are. And then we just reverse it and do the same thing, and then just do a nice AND with 0xFF. So it's not really crypto. It's security through obscurity. If I base64 decoded that string and it was just gobbledygook, I'd be like, ah, okay, fair enough. But when you actually look at it, you realize all you're doing is sending it through some static keys and then reversing it and doing the same thing. So the design decision there was a little bit interesting.
>> You say that. So we'd been working on this for days, weeks at this point, and we knew we had to break
this crypto, and Ben, crypto expert that he is, was focused on this. It was late at night, 10, 11 o'clock, and I get a message from Ben: I've broken it, I finally got it. Amazing. Super happy.
>> I'm in.
>> So, send me the code you've got. He sends it over, and it wasn't this relatively nice Python. You see, what Ben had done is he'd taken each line of the assembly and written it as Python. So every single step; it was like 140 lines of individual operations in Python.
>> They didn't have to know any of [laughter]
>> Yeah. My Python is basically C, which is basically assembly. But Kev beautified it and then put it up on our repo, which you'll see later. So thank you for that. But the point is that we just went through the process of understanding: right, there's the hardcoded key, there's a timestamp which is specific to the time when you are connecting to the server, concatenate them, it goes through this little process, base64 encodes it, and sends it off. And we were like, come on, let's connect, and we got it, just through that sort of reverse engineering from the typical debugger and trying to identify early on where potential weak points are, because the program is quite large. It's evidently grown organically over time; they've just added new functionality. But what can we do now? We can unlock doors, lock doors, lockdown mode, add or remove credentials. Basically anything, right? We kind of own the server now that we've broken their crypto.
>> And just before Ben plays a demo: when you first log in, you log in with a password. You don't actually need that password. The way that entire crypto phase works is that that string, the elephant or that zap me string, plus the timestamp, that's all you need. So that password that's there doesn't actually serve much of a purpose in the actual crypto.
>> Useless. But we'll just play. This is our home lab with Paxton. This is going to unlock up here. Boom. Did you see that? I hope you did. So that's the remote opening of a door, which is really cool. And like I was saying, we want to talk about this particular problem more holistically than just Paxton access control, because we've actually noticed that this particular type of implementation of crypto and stuff is rife amongst access control systems, and we think that maybe it's because they're very difficult and expensive to update. If you bought them 10 years ago, you're not really going to spend loads of money every year updating and getting new systems in place. So we're hazarding a guess that probably quite a few of the commercial ones have similar issues to this. So yeah, get out of my way. Cool. Over to Kev.
>> Cool. So at this point we've got full control over the software remotely. Like Ben said, we can do a lot of interesting things in regards to the access control system itself. And then, if you remember earlier,
one of the XML payloads that was sent was get server config, and that was a thing that was really interesting for the next bit. We've got control of the system, but what more can we do? This is what the server config replies with, and again this is all with that hardcoded key. I don't need passwords. I don't need credentials. I've got the hardcoded key and a timestamp that comes from the server when I ask it very nicely to give it to me. So we look at this, and again this is just pure XML as it comes through. But there's a connection string that is a sequence of hex, and there's also a SQL TCP port which is also a string of hex. Not our luck; we can't just hex decode that. But actually we don't need to worry too much about it. Again, you can definitely tell that this thing grew organically. Net2 is well over a decade or two decades old. It's been around for a while; this is why it's got its roots in VB. And like Ben was saying, these things need to interoperate with each other. They were actually using a really horrible X seed library to do AES encryption. So whilst they're rolling their own, they're also using AES encryption, but it's from a weird library that doesn't really implement it in a nice, sane kind of way. But again, hardcoded keys all through the code. So we found this, it's AES encrypted, and with that we can really easily decrypt it, and what we get is this connection string.

For those of you not familiar with MSSQL, this is everything we need to connect to that box. It gives us a database. It gives us a UID, so we can see we're running as net2 service. And then that password, which is a UUID4, is not hardcoded. That is not the same on every installation; every installation does have its own password. But as we've seen with the auth bypass, we can just get straight to this connection string. MSSQL is listening on 0.0.0.0 because third-party integrations, those remote clients, SDK users, all use this to connect in. It can be disabled; you can put it into secure mode, which disables it, but that is not the default design. So by default this is listening on the port out of the gate. We also have an sa account, so whilst it says it's net2 service, this is the sa account. With this we've got access to all the underlying data. So we can do all the things we could do with the access control software itself. We can dump all the data, all the logs, all the card details. We can add our own cards, like we were talking about with card cloning. If you've got your own blank card, you can just read the UID, the details, go here and add your own card. Now, at any point, you can just walk up, tap your own card, and it will let you in the door. And the way the system works is the commands get queued up in the SQL server and then sent out to the ACU, which means we can actually use the SQL server to queue up things like unlock all the doors or lock all the doors. So we've got full access again to the entire system.
>> Just before we go on to that, I was just going to say, one of the demos that we had: there's a few of us that have researched this particular product, and someone actually used a Tesco Express card to unlock the door to get through.
>> It's a little bit worse than that. xp_cmdshell. Anybody familiar with xp_cmdshell? I can see a few hands. This is remote code execution built into MSSQL server. So by
design, if you are an sa account and xp_cmdshell is enabled, you can run system commands over SQL, which is...
>> When we found that, it felt like a sort of CTF. [laughter] [snorts]
>> So that's what we're going to do in this demo. Again, that same demo. If I... wow, that failed hard. See if I can pause correctly this time. Using that same auth bypass that we ran before, we ran the attack, and you can see here we're printing out those credentials. So we know the IP address of the server; that's an easy thing to nmap or broadcast for. Now we've got the credentials. I'm doing this the lazy way; I'm just opening up Metasploit. Wow, so hard to press the play button.
>> I think it's the space.
>> So now I can just take those credentials, throw them into whatever tooling I like, or into Metasploit. Show my options, there you can see. And with this one I'm just going to run the whoami command. Run that, and there we go. So it's as simple as that: full remote code execution over the network directly onto the server itself. So we've now compromised the authentication, we've compromised the server, we've got the MSSQL stuff. But these are all attacks against the server that's running. That server might not always be on, and these things may get patched in the future. They may also just change the hardcoded key and an offset. And I can't freely download it. So, okay, we've done this; is there anything else we can look at? Again, wanting to get into the hardware attacking side of stuff, I wanted to switch my focus and start looking directly at the ACU, the controller that sits behind the door, behind the reader. As we saw before, these things have to operate independently. They have to be able to operate without the server there. In the event of power loss or fire alarms or the server going offline, you can't be locking people in and not letting them out. So the way this works is once you've got a set of configured cards, a set of configured credentials and users, you push those to the ACU. And I was like, great, can I do that? Can I just talk directly to this ACU? Turns out yes, you can. So we went through that same flow that we saw earlier. First thing to do, jump into Wireshark, run this as if we were a normal user. So add some credentials, add some details, set some times, and then push those to the ACU. This one ran a load of stuff over UDP. So looking at when we configure this,
when we install it, uh you can actually done run a UDP broadcast and then every access control unit will respond with all of its details. Its serial number and its MAC address. Those will be important later on. its IP address, the gateway, the firmware version, the interface mode, and this TCP port. All of that just a single UDP broadcast onto network, and they all respond. That's fun. So now I can find them. Um, now I can start thinking about attacking them. Now there's no authentication on the UDP side. That being said, there is this thing called commissioning mode. So the idea is you put them into commissioning mode, which is how they come. you deployed them across your building and
then you go back and you set them out of commissioning mode. This is not something that a lot of installers remember to do. Uh it's also the commissioning mode is just an IP lock. So it's just only the server IP address is allowed to talk to these ACUs. It's a UDP packet. Those of you not familiar with the difference between UDP and TCP, uh UDP doesn't care about the IP address. It does know sync handshake. So you can just trivally spoof any IP address. Uh it's also a UDP broadcast to put them in and out of commissioning mode. So yes, there is commissioning mode, but we can really easily turn off with a 6 by UDP
broadcast. Uh TFTP uh for the firmware. So if you want to update the firmware, you just push that over TFTP. Uh there is no signing. There's no checks. Uh not even a maybe there's a check some, I don't remember. Uh but really easy. We can just like write our own firmware and push that up if we wanted to. Again, no orth uh on any of that stuff. Um but then there was that TCP port that was hidden there. So, okay, let's switch over then. Let's look at the TCP side. That's where the actual data is going. The UDP is just for configuration. Um the default is uh 10001. If it's not on the default, you can just
run the broadcast and it will give you the port that it's configured to run on. There's a keep-alive. So if the server is on, it's talking to all of the ACUs and it's constantly running a ping-pong, ping-pong kind of keep-alive. More of that base64 traffic. This one was not XML. This one was more binary underneath, and replay attacks didn't work. So there's definitely some kind of crypto or something going on here. So again, jump into our server logs, find the comms channel, and here we can see, we just Ctrl-F for the IP address of the ACU, and here we can see there's three
interesting things that are happening. We've got send message, create encrypted message, and my favourite, request encryption key. So let's have a look at the flow. This one I had a much easier time with than Finn did, because I'm not in VB, I'm in .NET. This was obfuscated with a commercial off-the-shelf obfuscator. So we just download the deobfuscator, run it through that, and we get nice clean code again. So, thanks for making me waste 10 minutes. So, looking through the code, we can see there's a really easy flow. This is well-documented code. So if there's no key set in memory, then it goes and requests a key. It uses that key to
derive a traffic encryption key and then encrypts the packet with that derived key. So this is the request key. Literally anybody on the network can just go, "Hey ACU, please give me the crypto key that you use to sign all of your packets," and the ACU goes, "Here you go, have the crypto key." Like, great, thanks. Then it encrypts the packet. So it takes that key and then encrypts the packet. It's like, all right, this now gets a little more uncomfortable. We can see this is referencing another DLL. It's not .NET. And I hate this stuff. So, Finn. >> Yeah, absolutely. So we kind of got to the third round of
encryption now. So, the same system, but three different implementations of encryption. It's interesting, but if everyone gets their notebooks out, we're going to just go over each line individually. >> I tell you what, let's not bother with that. It's a DLL. Let's just call the DLL. We don't have to worry about reversing any of this encryption. It's just a DLL file. Now, when we told Paxton this, like, it's just a DLL, I can just call it, they tried to patch this by making other things check the DLL file, but it's still just a DLL file. I can just call this however I like. So that's what we did. We implemented it
in the code so that instead of having to figure out all the crypto, we just give it the DLL file. So if they ever change those horrible, horrible rounds of randomness, you can just import the function and away we go. And again, now we can talk directly to each of the individual controllers. We can do all the things we could do before. We can control the doors. We can lock them, unlock them. Lockdown mode is really fun. So you can just say, "Hey, put all of your doors into lockdown mode. Nobody in, nobody out." The only way you can do anything is with the physical fire exit doors; the
door access request sensors. Those are all disabled as well. So it's literally just lock them all in. Going back to my prison scenario, what we can do with all of these attacks is exactly what you saw there. We can lock all the doors that the guards are in and unlock all the doors that the prisoners are behind. So, yeah, lots of fun. >> We wouldn't do that, by the way. [laughter] >> So this is a quick demo of that. Again, we're not talking to the server here. So, there's my broadcast: hey ACUs, tell me where you are. Give me your MAC address and your serial number. Those are the things that I send. Derive
that encryption key. Ask it really nicely to give it to me. It gives it to me. And then the door unlocks. Nice and simple. There is that other issue though, that these things are single-threaded on the network stack. So if the server's talking to it, you can't interrupt and break that. Except you kind of can. Remember, this thing talks over two protocols. So we've got the TCP, where all the fun stuff happens, and you've got the UDP port for configuration, no auth. So all we have to do is just send a payload that says, "Hey, reconfigure yourself," and just set a random gateway, which does a soft reset. The server will take about 15
seconds to reconnect. So now all I have to do is just reconnect to the ACU quicker than the server does. So, really simple race condition. Now I can just, at will, disconnect them all from the server and then take control over all of them. That's how we do it; moving on for time. Cool. This one's also kind of fun. So we saw earlier MSSQL is how this thing operates. So if you're using any third-party clients, then a lot of the way they work is they'll use an embedded SDK user account that has full permissions. So you connect over MSSQL, that's why it's listening on all the ports, and you can do all the things that
you can do in the normal software from any client that you want to write yourself. It's got those same permissions. It's an SDK user account. So you'd think something like API tokens, or you provision an account. No, this thing comes hardcoded. So there are a number of hardcoded credentials for the SDK user, and we've got the SA account, so we can just go in and have a look at them. Also, this software is available to download without registration or any of that stuff. So anybody in the world can just go download the software, install it in a VM, unpack it, and then just recover those accounts. That SDK account has all the permissions. So there we
go. I've got 5 minutes left. So, a couple of shoutouts. So, these people here. >> We weren't the only ones doing this at the same time. Through some fellow colleagues, we found out that other people had arrived at very similar research or were looking at the same things. So it shows that if a random group of people are looking at this for fun, the likelihood is that people who want to use this for actual evil also find this as well. I think it's important to talk about the disclosure process. You know, Paxton was actually very good to us. We've heard some horror stories with
this particular company, but, you know, when we disclosed it we gave them the original 90 days. They were like, we need more time, and then we were like, fair enough. So we kind of consulted a little bit about how to update and become a little bit more secure. But obviously, as we were saying earlier, you know, it's evident that this tool has just grown over time and it's just been sort of patched together by different things, and the biggest evidence of that is the three different encryption implementations. So yeah, where do we go from here? Paxton just released, well, when I say just released, recently released Net10, which is their new
system, completely different architecture actually, so very interesting. Kerry systems. We don't want to put all of the names of places up there, but a lot of them are going to be, you know, similarly architected. The law that we have in our minds is that we have the same design team go from Paxton to Kerry to whatever, and then they just sort of implement everything in the same way. But yeah, so if you do end up having a look at any access controls, please add us on LinkedIn, you know, chat to us about it. I want to see, you know, people having a look at this stuff. >> So, the git repo will be live probably
next week. We'll share all of the PoC code. So, all those attacks, all the CVEs. We will not be sharing all of the hardcoded keys. So, the elephant and zap mill strings, they'll be in there. We're not including the DLL just because it's not ours and there's some weird restrictions on that. It's a paid-for DLL. >> But there are ways that people can go and find those things, but we'll release all of the code for all those things. I think we've run right up to the end, but any questions? Got two minutes for questions? >> Question at the front. >> This man here. >> Somebody's running at you with a
microphone.
>> I've heard of this up-and-coming encryption protocol called TLS. Are there any access control systems that do use proper, normal encryption? >> What, use TLS? [laughter] >> So, we've been talking about direct access. There is an API. The API does use TLS. It uses self-signed certificates and stuff, but like, that is there. We do have some other findings in that, like there's no rate limiting or any of that stuff. Net10, their new architecture, that is an entirely web-based application rather than a thick client. Don't all rush to get Net10 just yet;
there are a number of issues in the Net10 setup as well. Again, credit to Paxton: over the last 12 months they have been a lot more open about working with security researchers, and I know a few people in the audience have been reporting vulnerabilities to them and they are patching them. They're not incredibly fast and efficient, but they are patching them. The final thing I'll say, specifically about a lot of access control systems, is you don't operate directly with them. They will sell to installers and installers then come and install it for you. So whilst Paxton have patched everything we've talked about, or have mitigations for
everything we've talked about, it's actually up to your office space or your installer to actually go and patch those things. And for things like the card cloning attacks, I think Warren, I don't know if he's here or not, there's a nice downgrade attack that you can run on that, that they cannot fix. The only way to fix that is by looking at replacing all of the hardware in place as well. So, yeah, it's like Finn was saying, these things are big and bulky and expensive. You can't just pull them all out and put new systems in. But yes, some of these things do use TLS, but
they still have some design flaws and implementation issues as well. >> Any other questions? Oh, one there. >> What underlying technologies do the cards used on the system you're investigating support? And what do you think is kind of the top tier, and what's easily clonable and breakable? >> So these ones, Paxton, is 125 kHz, so basically just based on the UID, so really easy to clone. Net10, their new version, does some better stuff. I can't remember all the details on that, but again there's some stuff you can do to attack those systems as well. When it comes to
like any specific thing, there are some things like HID and MIFARE, not MIFARE Classic, but some things where the crypto isn't broken on them. But there's things like prox, and prox and PIN, two-factor, no backtracking and all that kind of stuff. So, I've just been shown the end and I have to stop talking, otherwise I will just keep going. Thank you everybody. We'll be in the ocean. [applause]