Hacking Access Control Systems
•Download as PPTX, PDF•
10 likes•11,436 views
Presentation: https://www.youtube.com/watch?v=-cZ7eDV2n5Y Access control systems are everywhere. They are used to protect everything from residential communities to commercial offices. People depend on these to work properly, but what if I had complete control over your access control solution just by using my phone? Or perhaps I input a secret keypad combination that unlocks your front door? You may not be as secure as you think. The world relies on access control systems to ensure that secured areas are only accessible to authorized users. Usually, a keypad is the only thing stopping an unauthorized person from accessing the private space behind it. There are many types of access control systems from stand-alone keypads to telephony access control. In this talk, Dennis will be going over how and where access control systems are used. Dennis will walk through and demonstrate the tips and tricks used in bypassing common access control systems. This presentation will include attack methods of all nature including physical attacks, wireless, telephony, network, and more.
Recommended
More Related Content
What's hot
What's hot (20)
Similar to Hacking Access Control Systems
Similar to Hacking Access Control Systems (20)
Recently uploaded
Recently uploaded (20)
Hacking Access Control Systems
- 1. Are We Really Safe? HACKING ACCESS CONTROL SYSTEMS
- 2. Dennis Maldonado Security Consultant @ KLC Consulting Twitter: @DennisMald Houston Locksport Co-founder http://www.meetup.com/Houston-Locksport/
- 3. Agenda Physical Access Control System Linear Commercial Access Control Systems Attacks Local Remote Demo/Tools Device Enumeration Techniques Recommendations
- 4. Physical Access Control Systems
- 5. Physical Access Control What do they do? Limiting access to physical location/resource Secure areas using: Doors Gates Elevators floors Barrier Arms
- 6. Access control systems Keypad Entry (Entry/Directory codes) Telephone entry Radio receivers for remotes Proximity cards (RFID) Swipe cards Sensors Physical Access Control How do they work?
- 7. Where are they used? Use cases: Gated Communities Parking Garages Office Buildings Apartments Hotels/Motels Commercial Buildings Recreational Facilities Medical Facilities
- 8. Doorking
- 9. Chamberlain
- 10. Sentex
- 11. LiftMaster
- 12. Nortek Security & Control/Linear Controllers
- 19. Linear Commercial Access Control
- 20. Nortek Security & Control/Linear Controllers AE1000Plus AE2000Plus AM3Plus
- 21. Linear Controller Commercial Telephone Entry System Utilizes a telephone line Supports thousands of users Networked with other controllers Can be configured/controlled through a PC Serial Connection
- 22. Linear – TCP/IP Kit AM-SEK Kit (Serial-to-TCP) Converts Serial to Ethernet Allows Management over TCP/IP network Allows for remote management (over the internet)
- 23. Linear – Typical Installation Serial Cable Ethernet Cable Management PC 192.168.0.40 AE1000Plus Controller Ethernet Cable Router/Switch 192.168.0.0/24
- 25. Software - AccessBase2000 Add/remove users Entry codes Directory codes Cards Transmitters Manually toggle relays View log reports Communicates through serial Requires a password to authenticate
- 28. PC to Controller Communication Request 5AA5000A1105010008000000CB97 Response Acknowledged:5AA50004110C462 5 Not Acknowledged: 5AA50005110D024C23 Invalid Checksum: 5AA50005110D017EB8 No response (not authenticated) 5AA5000A11013635343332319A71 5AA50005110D024C23
- 29. 5AA5000A11013635343332319A71 Packet Header Minimum Data Length Maximum Data Length Data (Hex) Checksum Net Node Command { Password = 01 Poll Status = 02 Poll Log = 03 Command = 04 Time = 05 Put Flash = 06 … } String is Hex Encoded
- 30. Attacks LOCAL AND REMOTE ATTACKS
- 31. So how do we target these controllers? Physical Access Local Programming Serial port inside the controller
- 32. Local Attacks
- 33. AE-500 – Default Password Hold 0 and 2 on the keypad Type the default password: 123456# Input the commands to add a new entry code 31#9999#9999#99# Type in your new code (9999) Access Granted!
- 34. 123456#31#9999#9999#99# Enter Programming Mode Enter Entry Code Confirm New Entry Code Exit Programming Mode New Entry Code
- 36. Master Key Same key for all AE1000plus, AM3plus controllers Purchase them from a supplier or on eBay Or just pick the lock Full access to the device
- 37. Physical Access Manual Relay Latch buttons Toggle Relay Lock their state
- 38. Physical Access Manual Relay Latch buttons Toggle Relay Lock their state Programming buttons Program device locally Erase Memory Active Phone Line Serial connection to the controller
- 39. Tamper Monitoring? Magnetic tamper switch inside enclosure No active alerts Can be bypassed by placing a magnet on the outside of the enclosure
- 41. So how do we target these controllers? Physical Access Local Programming Serial port inside the controller
- 42. So how do we target these controllers? Physical Access Local Programming Serial port inside the controller Internal Network Access IP of Serial to TCP device TCP Port 4660 External Network Access IP of Serial to TCP device TCP Port 4660 open to the internet 5AA5000A11013635343332319A71 5AA50005110D024C23 Bad Guy 5AA5000A11013635343332319A71 5AA50005110D024C23 192.168.0.32:4660 74.12.x.x:4660
- 43. Remote Attacks
- 44. Demo
- 45. Brute-force attack No rate limiting No password lockout Small key space Exactly 6 characters Numeric only Scriptable
- 46. Demo
- 47. No Password Necessary Authentication not enforced! Send unauthenticated commands Any commands will execute May not get any confirmation data Hacker Raw Connection AE1000Plus Controller
- 48. Open Doors Remotely Send one simple command 5AA5000A1105010000080000E88D Triggers a relay for 2 seconds thus opening a door or gate Great for movie style scenes 5AA5000A1105010000080000E88D Hacker Raw Connection AE1000Plus Controller Door 1 Access Granted
- 49. Lock Doors Open/Closed Keeps Doors/Gates open or closed Will not respond to user input (RFID cards, remotes, etc) Persist until manually unlocked or rebooted
- 50. Delete Logs From The Controller Controller keeps logs of events Downloading logs deletes them from the controller Hide evidence of entry or tampering
- 51. Change the Password Upload configuration settings Change password without needing the previous password Normal functionality remains Upload other configuration changes
- 52. Denial of Service Fake database update will disable controller connected to or rebooted Overwrite device firmware Lock relays to prevent access
- 53. ACAT – Access Control Attack Tool Demo
- 55. Device Enumeration Techniques Scan the network Look for any COM port redirectors Default port = TCP 4660 Send broadcast packet to UDP 55954 Devices will respond Send a password request string to port 4660 5AA5000A11013635343332319A71 5AA50004110C4625 5AA50005110D024C23 5AA5000A11013635343332319A71 5AA50005110D024C23 UDP Broadcast Broadcast Response Client Response
- 56. Demo
- 57. Recommendations Always change the default password Change physical locks Use a direct serial connection If networked, utilize authentication Resist opening the controller to the internet
- 58. Final Thoughts Other vendors Ongoing research Tool – More work is needed Tool located on https://github.com/linuz/Access-Control-Attack-Tool It’s currently just a prototype Continue updating it/take it out of “PoC mode” Working on an Nmap script Slides uploaded to SlideShare www.slideshare.net/DennisMaldonado5
- 59. Questions? If you have any questions, you can: Twitter: @DennisMald Find me here at DEFCON23 Email me at: dmaldonado@klcconsulting.net
Editor's Notes
- Thank everyone for the opportunity to speak!
- Passion for Physical security and combining with with electronic aspects
- Physical Access Control System What they are Use cases Vendors Talk about a specific vendor of access control, the architecture, and how it communicates Attacks, local and remote Demo and tools Device enumeration Recommendations TALK ABOUT DEMO
- Control a variety of devices
- Selectively permit access to a protected resource or area. Authenticate users in a variety of ways. Some solutions utilize only some of these methods SHOW EXAMPLE: Use transmitters to open Doors 2-4
- Talk about the use cases I have seen while going through pictures on the next few slides Not limited to
- DKS (Doorking) Model 1834, 1835, 1837
- Elite EL2000, Elite Icon 26
- Owned by Chamberlain – Sentex Infinity S, Infinity M, Infinity L
- Owned by Chamberlain - EL1SS, EL2000
- Linear AE1000, AE1000plus, AE2000plus, AM3plus controllers Finally talk about what we will be focusing on Linear 1000plus, 2000plus, AM3plus are all the same 2000plus offers a bigger screen and more buttons AM3plus headless, no interface for users. Used for certain access situations (RFID only for example) or expansion of an existing system
- Condominiums downtown (note the use of a keypad and RFID reader)
- Gated communities
- Commercial buildings
- Elevator access on the left On the right, room with locked controllers for access control, networked together
- Access control controller (AM3plus) found in a bathroom. HERE IS ANOTHER ONE I FOUND
- Access control controller (AM3plus) found in a bathroom.
- Linear AE1000, AE1000plus, AE2000plus, AM3plus controllers Finally talk about what we will be focusing on Linear 1000plus, 2000plus, AM3plus are all the same 2000plus offers a bigger screen and more buttons AM3plus headless, no interface for users. Used for certain access situations (RFID only for example) or expansion of an existing system
- Smarter access control system
- Controllers are the ae1000,2000,am3plus Active phone line used for calling users or potentially managing the device in certain configurations AM-SEK used to allow these devices to be managed on a conventional TCP/IP network or potentially remotely over the internet. The managing computer will create a virtual serial port which will then connect to this serial-to-tcp device The most common use case I have seen in the field Network scan
- Controllers are the ae1000,2000,am3plus Active phone line used for calling users or potentially managing the device in certain configurations AM-SEK used to allow these devices to be managed on a conventional TCP/IP network or potentially remotely over the internet. The managing computer will create a virtual serial port which will then connect to this serial-to-tcp device The most common use case I have seen in the field Network scan
- Controller is connected to the serial-to-tcp interface which is then connected to the network. From there a computer on the local network can manage the controller using special software to interface with it. Documentation encourages external internet access by forwarding ports to the serial-to-tcp/ip interface. No authentication required -- So now that we understand how [this] is set up, lets talk about how a computer interfaces with the Linear Controller
- Software used to connect to the controller Requires a password to authenticate. Talk about how to download
- Putting in the password. Password is exactly 6 characters, numeric only. Application attempts the password when connecting Application will not do anything unless the correct password is put in
- Example of managing users
- PacketHeader is fixed, hard-coded Mimimum length of the data that will be sent Maximum length of the data Net Node which is the address of the controller relative to the other controllers on the network Command (1-16) such as pull log, push firmware, query status, etc Data itself. The data is the ASCII encoded values of each character which is then converted to hex and sent over the virtual serial connection Check sum which is used to check the validity of the message. Calculated from the NetNode, command, and data values.
- Find devices by scanning the network (nmap)
- So now that we talked about the remote attacks, lets assume that these devices are not networked or are the versions that do not support networking.
- AE-500 does not support networked configuration and is programmed locally from the keypad. The AE-5000 is used for much smaller installations Default password, rarely ever changed from what I have seen in the field Use key combination with the default password to backdoor the controller in under 10 seconds
- PacketHeader is fixed, hard-coded Mimimum length of the data that will be sent Maximum length of the data Net Node which is the address of the controller relative to the other controllers on the network Command (1-16) such as pull log, push firmware, query status, etc Data itself. The data is the ASCII encoded values of each character which is then converted to hex and sent over the virtual serial connection Check sum which is used to check the validity of the message. Calculated from the NetNode, command, and data values.
- Video of utilizing the default password on the keypad to create my own entry code Commentate video while playing
- At least all AE1000plus and AM3plus share the same key regardless of supplier Obtain the key from the vendor, a supplier, or purchase them off eBay (enclosures) You could also pick the lock if you are so inclined Physical access to the inside of the controller will give you full access
- Toggle relays to open doors or gates
- Manually re-program some controllers or completely reset the controllers Active phone line, find the phone number and use it to call the device. You may be able to program the device from the phone if you know the master password (default=123456) Serial connection to the controller for attacks (raspberry pi to make it networked/backdoored)
- Tamper switch used for monitoring when the enclosure is opened or closed No active alerts, need to download the logs and view the logs for any tamper events Can be rendered useless by placing a magnet at the right place
- Video of bypassing magnetic tamper switch Commentate video while playing
- So now that we talked about physical access, lets talk about targeting these devices via the network or internet
- Find devices by scanning the network (nmap)
- Lets get into the fun stuff
- Show the accessbase software and trying to log into it resulting in “Wrong Password” (Client password should be set to 123456 while controller should be set to 000051 or something else)
- A password is “required” to configure the device. There is no rate limit or password lockout so you can just keep sending guesses in a typical bruteforce fashion. The speed is limited by the speed of the virtual serial connection Exactly 1,000,000 combinations to test Testing full keyspace would take about 114 hours which is about 4.75 days
- Demo the brute force script. Finish talking BEFORE the attack is finished! Show the access base software, logging into it and triggering relays Demo downloading logs normally after bruteforcing password
- Authentication is “required” but not enforced You can send serial commands through the virtual serial connection which will be executed by the controller Does not require a password or prior authentication Most commands will not return any data if the user has not authenticated recently, however, they will still execute. What can we do wit this?
- Trigger the controller’s relays! Send one command and the specific relay will trigger for x number of seconds depending on configuration (2 by default) Just like if someone was granted access normally using an entry code or RFID card for example Logged as request to exit so it would be hard to detect this was done illegitimately after the fact Scenario: Classic movie scenario where you have a team of jewelry thieves who enter the building after the hacker on the team who is setting in a van across the street hacks into the access control network with his or her laptop and grants them access into the building
- Lock relay state to either open or closed Effectively locks doors, gates, or whatever to open or closed state, making them unresponsive to valid user. Keep a door open or keep it closed Persists until manually unlocked or the controller is rebooted
- The controller logs most things including access denied, access granted, controller enclosure is opened (tamper switch) device rebooted, and more Every time the logs are downloaded from the controller into the application, the logs are deleted from the controller to save space. Initiate a log download, and the logs are deleted from the controller! Hides any evidence of entry or tampering with the controller
- Upload configuration without authentication which can be used to change the password without needing the previous password Controller continues to function normally Can upload other changes such as entry codes or transmitters (backdoor)
- Prevent people from using the controller Lock relays to prevent access to doors or gates Fake a database update which will effectively disable the controller until someone else authenticates to it or the device is rebooted Overwrite the devices firmware to brick the device
- Show entire tool in windows, including deleting logs
- UDP broadcast is animated
- Demo of DetectLinear tool
- Always change the default password Do not network these if you don’t have to (direct serial connection) If you have to network this, utilize authentication everywhere (including the serial-to-tcp device) Don’t open this to the internet Change the lock to something more secure
- Still working on my research. I do hope to cover more on this and other vendors as well. These issues are not limited to any one vendor Need to finish the tool (make some fixes/updates) Working on more security research on that focuses to joining the physical and electronic space.
- Q/A session