
July 2016 Presentation Proximity Based Attacks

BSides Peru · 34:39 · 67 views · Published 2016-07
About this talk
Proximity Based Attacks - July 2016 Presentation. Local security professional Kevin Gennuso will be presenting his talk called "The Problem with Prox".

Abstract: Access control and payment systems that use RFID/NFC communication are often deployed with little to no thought with regards to IT security threats. We'll discuss the issues found on these systems, how to exploit them, and how to protect them.

https://www.linkedin.com/in/kgennuso @kevvyg
Transcript [en]

Hi, I'm Jonesy. If you haven't met me before, I run the group now. Sitting in a sec: if you're not here for Steel City InfoSec, you're in the wrong place; there's the door. We have Kevin Gennuso. I think it's going to be a great talk tonight about some of his experience with proximity cards and, you know, RFID-type technology. He has a lot of experience in this area, and we have a bunch of fun things up here too, if you'd like to take a look after the talk. I brought a bunch of hardware, you know, things that you can use to play with this, and next month will be a hands-on lab; we'll be using this hardware. Kind of the plan is to set up a couple of stations and we can use the hardware and actually see how this stuff works, you know, read some cards, play some cards. I'm working on getting an actual access controller and reader, so I'd have the whole setup there. So that'll be really interesting; I'm looking forward to that, it's going to be fun.

One thing that I do want to mention: I wanted to give a big shout-out to our sponsor for this quarter, which is Arista. If you guys have never heard of Arista before, I don't know where you've been. They're doing some really cool things in network switching. I personally have used them for tap aggregation; they have the 7150s, which I've used for tap aggregation. We use that to kind of feed a lot of our security tools and it works really well. So if you guys have any needs in that area, let me know, I can hook you up with those guys. But big shout-out to them for helping us out with hosting and sponsoring us. That's pretty much all I've got, so I'm going to hand it over to Kevin Gennuso and his talk on The Problem with Prox.

Thanks for coming out. Hopefully this is interesting information. In the past, I've had some really good

success, I guess, with explaining this issue to a couple of different organizations and actually seeing changes be made to their infrastructure to accommodate some of these vulnerabilities. So we'll get right to it. The structure is like this: tell you who I am, background to the problem, some of the threats that these access control systems kind of face, and then some mitigations, and we'll do a Q&A. So my name's Kevin Gennuso. I am the Advanced Persistent Pittsburgher; I use that joke too much. I've worked in the city for the last twenty-something years, 18 of that doing cybersecurity, kind of purple team. I've been on the red and the blue side of life and I enjoy working in both very much, and I'll talk your ear off about this stuff, so don't get me started.

So the background, why are we doing this? So 125 megahertz, that should say kilohertz, sorry, 125 kilohertz prox card credentials are used in about eighty percent of all deployments for this type of, you know, keyless entry, right, just walking up and tapping a badge to the reader. Nearly a hundred percent of these use a back-end protocol called Wiegand that has its own very interesting security vulnerabilities, and we'll talk about it. This is not new in any way; this research, everything I'm going to be telling you here, is pretty well known to the world, right. The first that I can find presented at DEF CON was in 2009, so nothing new here. It's almost an annual topic at Black Hat, BSides, ShmooCon, DerbyCon. I saw a talk last year about BLEKey that was done by some guys at Accuvant; we have one sitting right there, and we'll talk more about what that thing can do. So I guess one of the other things is the attack technology has really, really improved. Stuff to play around with these frequencies and to read and write cards has become pocket-sized, you know, even quarter-sized. So the technology is taking off so much, and it seems like the industry that is selling this stuff really isn't keeping up; they're really not saying anything to their customers about any of this.

And I know that because last year I had an opportunity to speak at the (ISC)² Security Congress in Anaheim, which is merged with a conference called ASIS, which I didn't know anything about going into it, but it turns out it's the largest physical security conference in the US. So, you know, over here is a guy with a really awesome turnstile, this guy's got a bulletproof door, this guy's got a police baton that can really beat a dude. That's what that conference is about, and this prox technology was everywhere. And I went up to some of the vendors; I actually started taking a list, just going to walk through the convention floor, okay, who supports prox? And I ended up with like 14 or 15 vendors before I just gave up, and it's everywhere. It's just everywhere. And so I went to a couple of guys there, a couple of booths, and I was like, give me your technical person, let me talk to the technical person who knows this stuff. And it was always, always like some kind of dodgy answer: well, you could increase the bit length of your cards. Yeah, okay, but if I can still read those cards because it's unencrypted, what's the point, right? So there's a real disconnect between the people who are the users and the system owners on the security of these systems compared to how IT people kind of see these things.

So the heart of it is the legacy HID Prox II and other contactless cards are unencrypted. So, you know, hold the card up to a reader and the card is going to give up the ghost. What's interesting about that is the physical security guys will say, well, we disabled the card. No, you didn't; you disabled access using that card. The card doesn't know it's dead, right. So if you have a card that's no longer valid on a system, it's still going to give up some sort of information. So these types of cards are susceptible to brute forcing because of the first thing, right: if I can read a card that was once active and I can sequentially increment and go up and up and up, or down and down and down, maybe I'll get a valid card, right. There's also very sensitive information printed on these cards. I'll show you one of the screenshots, but there's actually a good chunk of information about that credential printed right at the bottom, and usually there's like three additional digits, sometimes four, right before that, and that's your credential. That's what allows you in, and of course you can read those three digits if it's unencrypted. Again, dozens of companies still support this thing and sell it as a secure solution, and I don't see a lot of upselling from these organizations saying, hey, look, what you're using is really bad, what we sold you four years ago is horrible, right. Nobody wants to say that. So that's kind of where we are.

The other interesting side, aside from just the actual wireless piece of this, is the backend. So the Wiegand protocol doesn't support authentication. It's very closed; it was never really thought of as a system where you need authentication. It's like a bus protocol almost, where certain signals are sent from the access controllers that say to, you know, some door lock: unlock for five seconds and then re-lock. So because that protocol has no authentication, if you can somehow send direct signals over the Wiegand backend, you kind of don't even need any of these cards or encryption, you know, readers, any of it. So the embedded devices, these access controllers, are what's actually doing the signaling. They are like the interface between the TCP/IP network and the Wiegand backend, and these things are typically Linux boxes, embedded Linux boxes. They're usually installed with the defaults; vendors either don't know to change them or they've always just done it that way, right. They are forgotten in patch management; they're computers, but people generally overlook them as devices that they need to worry about patching or checking for default credentials, this kind of thing. A lot of obscurity by the vendors: you can't go to HID and say let me look at the source code for your access control boards. It's just not going to happen. So it's unfortunate, especially for what these things are doing: they're guarding physical access to things like banks, hospitals, you name it. This is deployed out everywhere. I'm sure you all... who has prox technology in their environment in the room? Right, so lots of places. Okay, so we'll talk first about the cloning threats, and

we'll just go down the list. I'm not saying this is a comprehensive list, but it's a pretty good one. So number one is your cheap Chinese cloner: twenty bucks on eBay, and it even comes with some blanks. That's handheld, clones a single card at a time, no storage capabilities; power goes off, and so does the last credential you grabbed. Limited read distance; we're talking a few centimeters max with this thing. That's what it looks like, twenty bucks, you know, a very simple device, right. But with this I'm making ten copies of my badge, or of any badge that I happen to come across. Yeah, it's only cloning and that's it, but still, I would say that making ten copies of a key to your house would be bad, okay.

Then we have the RFIDler. I actually brought mine. This was a hundred bucks at DEF CON two years ago. A slick little board; it's open source, designed so that the actual hardware you can make yourself, and the firmware that runs on it is also open source. It's going after the Prox II stuff; it can also do a little bit higher up in the frequency range, so it can do things like MIFARE cards, which are used for things like transit systems. Chicago has it; I haven't tested the ConnectCard that Pittsburgh uses. I have a sneaking suspicion, based on what's printed on the card, that I can clone my ConnectCard. A hundred bucks, USB-controlled and powered, which is cool. So it has a few different modes where you can read, write, or emulate. So if you want to go into emulate mode and you've captured a credential and you've stored it in memory here, you can just connect a USB battery to it and walk around, and you now have that card repeating over and over and over again to any reader it's pointed at. Native storage is two credentials, but that can be increased with some updates. Limited read distance again; this stuff is pretty low power, so you have to be pretty close to be able to actually use it. But one cool thing is there is a scripted brute force attack. So like I mentioned, if you find a dead card you might be able to increment and get a valid card; there are actually scripts to do this with this thing, so pretty, pretty powerful.

This is output from what you see on an RFIDler. So I set the tag to HID Prox to turn it into a reader, and there it is pulling credentials from a card. Now the part that's red is the three-digit facility code. If you remember, I said that there's the information that's printed on the card and then information that's secret. The stuff that's revealed is the information that's printed on the card; that's the card number, right. And these come in batches from HID, big batches, sequentially numbered, okay. So if you get one, you're probably going to be able to get another one lower or higher. And then that facility code is essentially the Wiegand password that says this is our domain, right, this is our Wiegand implementation. And so whenever you actually, you know, talk to the door controller, you're saying here is our facility code and here's my card number. That goes to a back-end system that says does this person have access to this particular door, yes or no; a signal is sent to the door controller; there you go. That's how the whole thing works. And yeah, I just got that three-digit password because it's unencrypted. And the thing about that three-digit facility code is that it's a very difficult thing to change once it's exposed. Now you're talking about going to your entire access control system and changing that everywhere, okay, a very painful thing to change, so you really don't want it exposed in the first place.

Okay, this is a video of me using the RFIDler. The reason this video was produced was because I gave this presentation to our loss prevention team minus this video, and they said, you know what, the slide deck really doesn't do it; we need a wow factor. So, wow, I just opened up a door with a computer, okay. And after seeing this, we have now made the move to encrypted cards, and it actually did drive change. But they literally asked for a wow factor because the PowerPoint didn't do that. So there you go.

Proxmark 3. I've got one, thanks to John. A little more capable, this device: 125 kilohertz plus the high frequency stuff, which includes MIFARE cards. About 200 bucks pre-built; if you want to do it yourself, you can get it cheaper. Again with the limited read distance; a small little thing, the size of a deck of cards, right, so not going to get a whole lot out of it, but it does allow you to do cloning very quickly. It can output to USB storage; you can do the scripted brute force attacks. The interface is probably the easiest of all these things to use, just as far as moving around the different types of cards, setting replays and reads and writes. Great device, very cool.

There's a slide, so that, you know, I'm just talking about the brute force attack a little bit. You start at a known good place; doesn't matter if the card was good or bad, lost, whatever it is, and then go up and down that numeric sequence to try to gain initial access, or maybe gain elevated access. So maybe you already have a valid badge, but you figure that maybe the CEO has some badges that are way earlier than yours, and maybe that will get you into some more interesting doors. Another trick would be on the inside: I've seen places where they just have these badges sitting out, you know, in a stack, getting ready to make new ones for visitors or something like that. Just get a peek at one real quick and start going backwards. Now, limited read distance, right, you keep hearing this, but it kind of depends on how you approach your target, right. Social engineering is always a thing, and so what if you were walking around and just happened to have a clipboard? Don't you look so authoritative with a clipboard, asking questions? Clipboard, yeah. So somebody came up with the clipboard with an RFIDler in the bottom, or a Proxmark or whatever, right. You could go ask them anything and they're going to tell you; you have a clipboard. And so, get the exact spelling of that name... you also get that badge, get it off your back. Okay, write that down, yes, two N's, yeah, okay. Pretty slick way, I thought, of trying to social engineer somebody into actually giving you their credential for a short period of time, enough time to actually clone the thing.

Okay, BLEKey. That is BLEKey, a miniature little buddy with storage, powered by battery, and the way this thing works is you actually have to connect it to a reader, so you have to have that physical access to remove a reader; not terribly difficult to open one of those things up. And this connects to the Wiegand backend, and so it can actually read signals that are sent from the door controller to the doors, and it can also grab credentials, and it can also transmit those, up to a thousand credentials, over Bluetooth. So if I have one of these planted somewhere in a reader, I can just walk up to it, suck down the credentials, walk away, go make my thousand cards, or send it over to one of these little buggers and transmit any of those credentials. Again, this was built by the Accuvant guys. 1500, that's it.

The Tastic RFID Thief. This is the one, this is the big daddy, okay. This is the original design; this came out three years ago, four years ago, and somebody actually brought one to BSides Pittsburgh a couple of years back, I remember. And the original design used an Arduino, and you can very easily substitute the Arduino with the BLEKey and increase the functionality of this thing; you'd be able to transmit, store thousands of credentials. It uses a modified reader, which is what's so cool about it. So if you go to a parking garage downtown or something like that, you see people presenting their cards; those readers can go about three feet, okay, much larger range for collecting the same stuff, right. It's battery-powered; I'll show you a picture of it when you see the battery setup. It's ancillary, but you could essentially build your briefcase-of-doom type scenario. The batteries last about an hour, and so the way I've seen it described is you go do the cell phone dance in a busy place for an hour, and the cell phone dance is just talking on your cell phone the whole time, walking around, people walking past you within three feet, you've got credentials. There's not a whole lot to it. So right here, that's the actual reader. That's what comes inside the device; everything on the left is the upgrades, the mods to be able to do the trick. Really the power is that giant antenna; that's what you're getting there. Beyond three feet you're not going to be able to energize the circuit inside the prox card and actually get a read back, so this is about the maximum that you can go with this technology, but in close range it's a pretty effective attack. It reads it in and saves off to memory, or displays it on the LCD screen if you do that. The whole build-out, all the schematics, everything to build one of these, is on the Internet. Hard to find the readers, because

everybody's gobbling up the spare readers, okay. So, sounds horrible, but wait, there's more. So we'll talk about some of the other vulnerabilities, patch management, this kind of stuff. So, everyone's favorite: default credentials. We've never seen this before in the industry, where somebody would use a default credential. I mean, it's just insane: root/blank, root/root, admin/admin, vendor/vendor. These tend to be full-access accounts to the miniature little Linux instance that's running on these things. Any time you've got root on a computer on the network, that's a really good place to be, so it's unfortunate for one of those endpoints to be your security system that's trying to keep people out. They're very rarely changed by the vendor. If you've got a vendor who installs, you know how they install this stuff; there's a very good chance that they do it the same way every implementation. And again, making changes to these particular accounts after the fact is a very impactful thing, because what happens is you have the central system that's constantly communicating with all these door controllers, access control panels, and saying, hey, let me update your credential cache because there's a cache on each one, let me make sure I have your logs, and it's actually logging in as root to perform these functions from the central server. So if you change that root password after the fact, and you've got an implementation of 500, 1000, who knows how many endpoints, it's going to be very difficult to change that password because you have to change it everywhere all at once, much like the facility code on the Wiegand side. So it really stinks to try to fix this after the fact.

And man, they love unencrypted protocols on these things. My goodness, isn't Telnet the greatest? I'll show you a really funny screenshot coming up. But if it has a web-based interface, it's of course over HTTP and probably doesn't require authentication to access that management page. You know the type of traffic that's flowing over these unencrypted protocols: authentication traffic, management traffic, centralized synchronization. All those credentials that you're using throughout the environment, they're getting pushed around over unencrypted protocols to a convenient central server. And then you've got some UI flaws with the management interface, right, super duper. So in 2012, this guy, I'm trying to say his last name but I can't; I've seen him in a couple of talks at Black Hat and DEF CON, a really great presenter; I suggest you look him up on YouTube because it's really good stuff. He presented that he found a vulnerability in the web management interface of one of these HID controllers and then provided a proof-of-concept Python script that allowed you to, with an IP address, you just type in the IP address and it uses the default credentials for these devices to unlock and lock the door, okay. Simple Python script, right. Again, with my guys with the wow factor, they just didn't believe me. So I took his script and changed it a little bit so that it didn't lock the door, it just unlocked it, that's all it did. And then I took one of those guys and said, okay, you've got to come see this. Messed around with my corporate laptop, ran the sesame script, click, the door unlocks, and he gets no alert. He calls down to the security desk: okay, did you see that door go? We mean, who's the last person? Imagine, no, I did that like 10 minutes ago, who else? He could not believe that there was a Python script that unlocked that door, and he got zero indication, no alert whatsoever. That door would not lock again until I sent the command to lock. So crazy. Whatever it is, faults aren't reported to the central server; I don't know why. There's what the management interface looks like. The particular devices, if you're interested, if you have HID VertX access control systems in your environment, the models you need to worry about are the V1000, the V2400; those three models in particular are known to be vulnerable to that particular attack. So just FYI, if you're scanning your network and you come across one of these babies...

And then you've got ye olde custom protocol, because it's always a good idea to do that. So this was just discovered a couple of months ago by Trend Micro. They found that they could have full control, full control over one of these devices, same devices, using a single UDP packet. Full control, okay. The reason for that is they have a daemon that runs; it's called discoveryd, and if you query it in the right way, this daemon comes back and says, hey, I'm this version of controller, I'm this model, this is my IP address, this is the name you have given me. And that service runs as root, as it should, and it has a command injection vulnerability. So literally you do what the normal query should look like, give it three extra characters, and then give it your Linux command, where you go, you can now create entries in /etc/passwd, you can, I mean, whatever you want to do with full control on the box, right. One UDP packet.

I know. So who is even thinking about patching? Is it on anyone's radar? It's an atypical upgrade cycle, right. These are not systems where, you know, you might have a policy that says hey, every five years we throw away our laptops and get new ones because they're old and terrible, right. It doesn't work like that with these systems; these things will stay in the wall until they break, and that's when they get replaced. There was one organization where we were finding stuff that had been out there since the 90s and never looked at, and it broke horribly when we ran a vulnerability scan against them, you know, just a vulnerability scan; dead. So the patches make sense to Linux admins, right; to the IT people, patching these things makes sense. It doesn't really make sense to the guy that installs closed-circuit TV cameras, and that's really the primary... these are installer guys, right. They're putting cable down and they're turning the devices on, making sure everything talks, and that's it. They're not thinking about hardening it from an IT perspective, certainly.

Okay, this is my favorite slide and it's difficult to read, but this is the actual security bulletin for that UDP vulnerability, okay, from the vendor. And if you look at line two, they're telling the admin to open a command window, log in to the controller via Telnet using the root account, okay. That's the vendor telling you how to patch their system, okay, over FTP and Telnet, and then you can overwrite the... right, like, you then upload the new property, or the patched version. That's right. So not only are you logging in as root, you clearly have FTP access to modify the... that's right, yes, that's right. You're transferring those brand-new un-vulnerable binaries over there, and now who knows if it's vulnerable, because you just did it over clear text. Super duper, guys. Again with the security guy, security-like, not what he knows, this stuff; nobody knows if this stuff is floating around out there, or what the real... I mean, you know, they say kinetic impact. This is real-world Internet of Things before Internet of Things was ever Internet of Things, right. These systems have been deployed for years and years and years, and if you get to it, then you can affect physical change in an environment; you can unlock the doors of an environment. That stupid UDP thing will respond to a broadcast packet, so you send that, whatever evil command you want to send, you can send it to one IP address and it will do everything on that subnet, okay. Like, just awful, awful.

There's never an in-house expert for these systems. Your loss prevention person might know how to add users, subtract them from the system, this kind of stuff, the inner workings of the actual access control software, but they don't know anything about what's actually going on on the backend. And as it turns out, it doesn't seem like the vendors do a whole lot either. And this is a big one: the physical security teams really aren't too interested in having their stuff poked and prodded. I've gotten a lot of feedback from these guys, and I understand, like, I'm messing with something that is in your domain and you have a very closed mindset for your domain, but it does cross that IT boundary and it's worth auditing like any other IT system. And then it's kind of broken into for a little bit. The Wiegand thing is rough because, you know, the readers and access control systems are only there to actually do the logic. If I know what a proper Wiegand signal looks like to unlock the door with a credential, if I have physical access I can actually just send that signal and bypass the entire everything. Now you're talking about getting access to physical cable and that kind of stuff, so not necessarily something that's just going to happen, but again, if you're in a high-security environment you might want to think about where those access control panels are placed, where the readers are placed, anything that might be able to send a signal over those

wires, because that traffic can be sniffed, replayed, and you will never get detected by the centralized system because you're communicating very low, you know, at the wrong layer.

Mitigations. Let's talk about something happy for a change, okay: how we protect ourselves. RFID shields are a way of doing it; now, you get marginal performance, you really have to find the right device out there. Protection-wise, I think John has some information on that that we'll talk about for August, and not after this, but it's something, so for some situations it's a good solution. A better solution is to move towards the encrypted stuff, and the thing about that, though, is, in the typical deployment, like we've seen through this entire presentation, the vendor tends to install their stuff with the defaults, right. So an encrypted card solution is fantastic, a great idea, but not if they ship with the default master encryption keys, right, which is what they tend to do, and those have been leaked, and the process for cloning encrypted cards is out there, right. So if you're going to make this move, do it right from the start and make sure that the vendor is going to change those keys for you. And they will change them for you; it's not something that's completely out of left field, they certainly offer the service, but you just have to tell them to do it, and know to tell them to do it, which is unfortunate.

Another way, if you're using the crappy stuff, you know, at least you have visual confirmation on everybody who walks in the door: you've got a crappy card, but you hit that button and up comes the person's picture on a guard's screen or something like that. That works too. Having somebody do verification like that is a great way to mitigate. Or if you have the readers that actually do the badge plus the PIN, so it doesn't matter if you have the badge, you actually still need to know the PIN to get in the door. That's not a bad way to do it. And tamper resistance on readers, which all of these readers actually come with; you have to turn it on, it's not there by default. It's like everything wrong is there by default, but everything right you have to do something. The tamper resistance will actually fire an alert off to your centralized system and say, hey, this reader has been compromised, and you can choose to take action like shut off the reader, that kind of stuff. And at the end of the day, embedded access control devices, like any embedded anything running an operating system: it's a computer. Call it what it is, it's a computer; treat it like a computer, patch it. All right, I'm done, so... thank you so much.
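The talk makes two points a defender can act on in the controller's own event stream: a sequential brute force walks card numbers up or down from a known credential, and the central system raised no alert for events it should have cared about. The example below is an added illustration, not code from the talk or from any vendor. It parses a constructed access-controller log (the line format, the reader names and the card numbers are all assumptions; real controllers log differently) and flags a reader that sees a run of consecutive card numbers within a short time, reporting whether the run ended in a granted read, which is exactly the "dead card, increment until something opens" pattern described above.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed log format (an assumption; real controllers differ):
# <ISO timestamp> reader=<name> facility=<n> card=<n> result=GRANTED|DENIED
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) reader=(?P<reader>\S+) "
    r"facility=(?P<facility>\d+) card=(?P<card>\d+) result=(?P<result>GRANTED|DENIED)$"
)

# Constructed sample: normal daytime traffic, then a night-time walk of
# consecutive card numbers on the loading dock that ends in a GRANTED read.
SAMPLE_LOG = """\
2016-07-14T08:00:01 reader=lobby-east facility=123 card=40510 result=GRANTED
2016-07-14T08:00:09 reader=lobby-east facility=123 card=41877 result=GRANTED
2016-07-14T22:15:00 reader=dock-door facility=123 card=40512 result=DENIED
2016-07-14T22:15:02 reader=dock-door heartbeat
2016-07-14T22:15:04 reader=dock-door facility=123 card=40513 result=DENIED
2016-07-14T22:15:08 reader=dock-door facility=123 card=40514 result=DENIED
2016-07-14T22:15:12 reader=dock-door facility=123 card=40515 result=DENIED
2016-07-14T22:15:16 reader=dock-door facility=123 card=40516 result=GRANTED
2016-07-14T22:40:00 reader=lobby-east facility=123 card=40510 result=GRANTED
2016-07-14T22:40:30 reader=lobby-east facility=123 card=40511 result=DENIED
"""


@dataclass(frozen=True)
class BadgeEvent:
    ts: datetime
    reader: str
    facility: int
    card: int
    result: str


@dataclass(frozen=True)
class ProbeAlert:
    reader: str
    facility: int
    first_card: int
    last_card: int
    attempts: int
    granted: bool  # True if the walk eventually hit a valid credential


def parse_event(line: str) -> Optional[BadgeEvent]:
    """Parse one log line; return None for lines that are not badge reads (heartbeats, noise)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return BadgeEvent(
        ts=datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S"),
        reader=m["reader"],
        facility=int(m["facility"]),
        card=int(m["card"]),
        result=m["result"],
    )


def parse_log(text: str) -> List[BadgeEvent]:
    return [ev for ev in (parse_event(line) for line in text.splitlines()) if ev is not None]


def detect_sequential_probing(events: List[BadgeEvent], min_run: int = 4,
                              max_gap: timedelta = timedelta(seconds=60)) -> List[ProbeAlert]:
    """Flag, per reader, runs of >= min_run reads whose card numbers step by exactly 1
    in one direction, share a facility code, and arrive within max_gap of each other."""
    alerts: List[ProbeAlert] = []
    by_reader: Dict[str, List[BadgeEvent]] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        by_reader.setdefault(ev.reader, []).append(ev)

    def flush(run: List[BadgeEvent]) -> None:
        if len(run) >= min_run:
            alerts.append(ProbeAlert(run[0].reader, run[0].facility, run[0].card, run[-1].card,
                                     len(run), any(e.result == "GRANTED" for e in run)))

    for evs in by_reader.values():
        run, direction = [evs[0]], 0  # direction: +1 walking up, -1 walking down, 0 unknown
        for prev, cur in zip(evs, evs[1:]):
            step = cur.card - prev.card
            same_walk = (abs(step) == 1 and cur.facility == prev.facility
                         and cur.ts - prev.ts <= max_gap
                         and (direction == 0 or step == direction))
            if same_walk:
                run.append(cur)
                direction = step
            else:
                flush(run)
                run, direction = [cur], 0
        flush(run)
    return alerts


if __name__ == "__main__":
    for a in detect_sequential_probing(parse_log(SAMPLE_LOG)):
        print(f"{a.reader}: facility {a.facility}, cards {a.first_card}..{a.last_card}, "
              f"{a.attempts} reads, valid card hit: {a.granted}")
```

Two legitimate badges a few seconds apart do not trip this (their numbers are not adjacent), and a single neighbouring pair stays under `min_run`, so the rule keys on the thing the attack cannot avoid: a monotonic walk through the number space on one reader. Feeding the controller's denied-read events into whatever already watches the central server is the cheap version of the alerting the talk says was missing.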