
Hacking Access Control Systems

8,615 views

Presentation:
https://www.youtube.com/watch?v=-cZ7eDV2n5Y

Access control systems are everywhere. They are used to protect everything from residential communities to commercial offices. People depend on these to work properly, but what if I had complete control over your access control solution just by using my phone? Or perhaps I input a secret keypad combination that unlocks your front door? You may not be as secure as you think.

The world relies on access control systems to ensure that secured areas are only accessible to authorized users. Usually, a keypad is the only thing stopping an unauthorized person from accessing the private space behind it. There are many types of access control systems from stand-alone keypads to telephony access control. In this talk, Dennis will be going over how and where access control systems are used. Dennis will walk through and demonstrate the tips and tricks used in bypassing common access control systems. This presentation will include attack methods of all nature including physical attacks, wireless, telephony, network, and more.

Published in: Technology

Slide 1. Are We Really Safe? HACKING ACCESS CONTROL SYSTEMS

Slide 2. Dennis Maldonado
 Security Consultant @ KLC Consulting
 Twitter: @DennisMald
 Houston Locksport Co-founder: http://www.meetup.com/Houston-Locksport/

Slide 3. Agenda
 Physical Access Control System
 Linear Commercial Access Control Systems
 Attacks
   Local
   Remote
 Demo/Tools
 Device Enumeration Techniques
 Recommendations

Slide 4. Physical Access Control Systems

Slide 5. Physical Access Control – What do they do?
Limiting access to a physical location/resource
 Secure areas using:
   Doors
   Gates
   Elevator floors
   Barrier Arms

Slide 6. Physical Access Control – How do they work?
 Access control systems:
   Keypad Entry (Entry/Directory codes)
   Telephone entry
   Radio receivers for remotes
   Proximity cards (RFID)
   Swipe cards
   Sensors

Slide 7. Where are they used?
 Use cases:
   Gated Communities
   Parking Garages
   Office Buildings
   Apartments
   Hotels/Motels
   Commercial Buildings
   Recreational Facilities
   Medical Facilities

Slide 8. Doorking

Slide 9. Chamberlain

Slide 10. Sentex

Slide 11. LiftMaster

Slide 12. Nortek Security & Control/Linear Controllers

Slide 13. Linear Commercial Access Control

Slide 14. Nortek Security & Control/Linear Controllers: AE1000Plus, AE2000Plus, AM3Plus

Slide 15. Linear Controller
 Commercial Telephone Entry System
 Utilizes a telephone line
 Supports thousands of users
 Networked with other controllers
 Can be configured/controlled through a PC
 Serial Connection

Slide 16. Linear – TCP/IP Kit
 AM-SEK Kit (Serial-to-TCP)
 Converts Serial to Ethernet
 Allows Management over TCP/IP network
 Allows for remote management (over the internet)

Slide 17. Linear – Typical Installation
[Diagram: Management PC (192.168.0.40) and AE1000Plus Controller connected through a Router/Switch on 192.168.0.0/24; Ethernet Cable on the PC and switch side, Serial Cable at the controller]

Slide 18. Software - AccessBase2000
 Add/remove users
 Entry codes
 Directory codes
 Cards
 Transmitters
 Manually toggle relays
 View log reports
 Communicates through serial
 Requires a password to authenticate

Slide 19. PC to Controller Communication
 Request: 5AA5000A1105010008000000CB97
 Response:
   Acknowledged: 5AA50004110C4625
   Not Acknowledged: 5AA50005110D024C23
   Invalid Checksum: 5AA50005110D017EB8
   No response (not authenticated)
[Diagram: PC sends 5AA5000A11013635343332319A71, controller replies 5AA50005110D024C23]

Slide 20. Packet breakdown
[Diagram: 5AA5000A11013635343332319A71 annotated with its fields: Packet Header, Minimum Data Length, Maximum Data Length, Net Node, Command, Data (Hex), Checksum]
 Command byte values: Password = 01, Poll Status = 02, Poll Log = 03, Command = 04, Time = 05, Put Flash = 06, …
 String is Hex Encoded
Slide 21. Attacks: LOCAL AND REMOTE ATTACKS

Slide 22. So how do we target these controllers?
 Physical Access
 Local Programming
 Serial port inside the controller

Slide 23. Local Attacks

Slide 24. AE-500 – Default Password
 Hold 0 and 2 on the keypad
 Type the default password: 123456#
 Input the commands to add a new entry code: 31#9999#9999#99#
 Type in your new code (9999)
 Access Granted!

Slide 25. 123456#31#9999#9999#99#
[Diagram: the keypad sequence annotated with the labels Enter Programming Mode, Enter Entry Code, Confirm New Entry Code, Exit Programming Mode, New Entry Code]

Slide 26. Master Key
 Same key for all AE1000plus, AM3plus controllers
 Purchase them from a supplier or on eBay
 Or just pick the lock
 Full access to the device

Slide 27. Physical Access
 Manual Relay Latch buttons
   Toggle Relay
   Lock their state

Slide 28. Physical Access
 Manual Relay Latch buttons
   Toggle Relay
   Lock their state
 Programming buttons
   Program device locally
   Erase Memory
 Active Phone Line
 Serial connection to the controller

Slide 29. Tamper Monitoring?
 Magnetic tamper switch inside enclosure
 No active alerts
 Can be bypassed by placing a magnet on the outside of the enclosure

Slide 30. So how do we target these controllers?
 Physical Access
 Local Programming
 Serial port inside the controller

Slide 31. So how do we target these controllers?
 Physical Access
 Local Programming
 Serial port inside the controller
 Internal Network Access
   IP of Serial to TCP device
   TCP Port 4660
 External Network Access
   IP of Serial to TCP device
   TCP Port 4660 open to the internet
[Diagram: Bad Guy exchanging 5AA5000A11013635343332319A71 / 5AA50005110D024C23 with the controller at 192.168.0.32:4660 (internal) and 74.12.x.x:4660 (external)]

Slide 32. Remote Attacks

Slide 33. Demo

Slide 34. Brute-force attack
 No rate limiting
 No password lockout
 Small key space
   Exactly 6 characters
   Numeric only
 Scriptable

Slide 35. Demo

Slide 36. No Password Necessary
 Authentication not enforced!
 Send unauthenticated commands
 Any commands will execute
 May not get any confirmation data
[Diagram: Hacker – Raw Connection – AE1000Plus Controller]
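The frames printed on slides 19 and 20, together with the two weaknesses just described (unlimited password guesses on slide 34, commands executing without a password on slide 36), are enough to write a passive monitor for the controller's TCP 4660 traffic. The Python below is an added example written for this page; it is neither the speaker's ACAT tool nor vendor code. It assumes the frame layout recovered from the slide packets (header 5AA5, a big-endian length counting every byte after itself, a node byte, a command byte, data, two checksum bytes), carries the checksum as opaque bytes because the slides do not give its algorithm, and runs over a constructed capture in which the only real frames are the ones printed on the slides; the host addresses other than the slide-17 management PC are made up.

```python
from collections import defaultdict

# Frame layout recovered from the slide-19/20 packets (an assumption, not a
# vendor specification):  5A A5 | LL LL | NN | CC | data... | KK KK
# LL LL = big-endian count of all bytes after itself; KK KK = checksum, whose
# algorithm is not on the slides, so it is kept as opaque bytes, never verified.
HEADER = b"\x5a\xa5"
PASSWORD_CMD = 0x01
ACK_CMD, NAK_CMD = 0x0C, 0x0D            # reply command bytes, slide 19
# Request command byte -> name, slide 20.  Slides 19 and 37 show relay
# requests carrying 0x05, which this table calls "Time"; the monitor reports
# byte and table name together and does not try to resolve that.
COMMANDS = {0x01: "Password", 0x02: "Poll Status", 0x03: "Poll Log",
            0x04: "Command", 0x05: "Time", 0x06: "Put Flash"}


def parse_frame(hexstr):
    """Parse one hex-encoded frame; ValueError when it is malformed."""
    raw = bytes.fromhex(hexstr)
    if len(raw) < 8 or raw[:2] != HEADER:
        raise ValueError("bad header or truncated frame")
    length = int.from_bytes(raw[2:4], "big")
    if length != len(raw) - 4:
        raise ValueError("length field %d but %d bytes follow" % (length, len(raw) - 4))
    return {"node": raw[4], "command": raw[5], "data": raw[6:-2], "checksum": raw[-2:]}


def describe(frame):
    """Summary for an alert; password digits are never copied into it."""
    cmd = frame["command"]
    if cmd == PASSWORD_CMD:
        text = frame["data"].decode("ascii", "replace")
        shape = "numeric" if text.isdigit() else "non-numeric"   # slide 34: 6 numeric chars
        return "Password (%d chars, %s)" % (len(text), shape)
    return "cmd 0x%02X/%s data=%s" % (cmd, COMMANDS.get(cmd, "unknown"), frame["data"].hex())


def analyse(capture, max_attempts=5, window=60.0):
    """capture: (timestamp, host, direction, hexframe) tuples, host being the
    PC-side address and direction "req" (to controller) or "resp" (from it).
    Alerts on more than max_attempts Password frames from one host within
    `window` seconds (slide 34) and on any other request from a host whose
    Password frame was never acknowledged (slide 36)."""
    alerts, authenticated, awaiting_reply = [], set(), set()
    attempts = defaultdict(list)             # host -> recent Password timestamps
    for ts, host, direction, hexframe in capture:
        try:
            frame = parse_frame(hexframe)
        except ValueError as exc:
            alerts.append("%s malformed frame: %s" % (host, exc))
            continue
        if direction == "resp":
            if host in awaiting_reply:
                awaiting_reply.discard(host)
                if frame["command"] == ACK_CMD:
                    authenticated.add(host)
            continue
        if frame["command"] == PASSWORD_CMD:
            attempts[host] = [t for t in attempts[host] if ts - t <= window] + [ts]
            awaiting_reply.add(host)
            if len(attempts[host]) == max_attempts + 1:
                alerts.append("%s brute force: %d password frames in %.0fs"
                              % (host, len(attempts[host]), window))
        elif host not in authenticated:
            alerts.append("%s unauthenticated %s" % (host, describe(frame)))
    return alerts


# Constructed capture: 192.168.0.40 is the management PC from slide 17,
# 192.168.0.77 a made-up second host.  Frames are the ones printed on slides
# 19, 37 and 44; the Password frame is simply repeated for the guessing run,
# since the monitor only counts Password frames and reads the reply.
PW, ACK, NAK = "5AA5000A11013635343332319A71", "5AA50004110C4625", "5AA50005110D024C23"
SAMPLE_CAPTURE = (
    [(0.0, "192.168.0.40", "req", PW), (0.1, "192.168.0.40", "resp", ACK),
     (1.0, "192.168.0.40", "req", "5AA5000A1105010008000000CB97"),
     (5.0, "192.168.0.77", "req", "5AA5000A1105010000080000E88D")]
    + [(10.0 + i + d, "192.168.0.77", kind, f)
       for i in range(6) for d, kind, f in ((0.0, "req", PW), (0.1, "resp", NAK))]
    + [(20.0, "192.168.0.77", "req", "5AA5000A1105010000080000E88D"),
       (21.0, "192.168.0.77", "req", "5AA50009110C4625")]      # length field lies
)


def run_sample():
    return analyse(SAMPLE_CAPTURE)


if __name__ == "__main__":
    print("\n".join(run_sample()))
```

On the constructed capture the monitor raises four alerts: the second host's first relay-style request before any password exchange, the sixth Password frame inside the window, the same request again after the guessing run, and the final frame whose length field does not match its size. Because the controller answers every guess, the ACK/NAK pair is the only signal of whether a host ever authenticated, which is why the monitor tracks replies per host instead of trusting the request stream alone.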
Slide 37. Open Doors Remotely
 Send one simple command: 5AA5000A1105010000080000E88D
 Triggers a relay for 2 seconds, thus opening a door or gate
 Great for movie style scenes
[Diagram: Hacker sends 5AA5000A1105010000080000E88D over a Raw Connection to the AE1000Plus Controller; Door 1: Access Granted]

Slide 38. Lock Doors Open/Closed
 Keeps Doors/Gates open or closed
 Will not respond to user input (RFID cards, remotes, etc)
 Persist until manually unlocked or rebooted

Slide 39. Delete Logs From The Controller
 Controller keeps logs of events
 Downloading logs deletes them from the controller
 Hide evidence of entry or tampering

Slide 40. Change the Password
 Upload configuration settings
 Change password without needing the previous password
 Normal functionality remains
 Upload other configuration changes

Slide 41. Denial of Service
 Fake database update will disable controller connected to or rebooted
 Overwrite device firmware
 Lock relays to prevent access

Slide 42. ACAT – Access Control Attack Tool: Demo

Slide 43. Locating Controllers

Slide 44. Device Enumeration Techniques
 Scan the network
 Look for any COM port redirectors
 Default port = TCP 4660
 Send broadcast packet to UDP 55954
 Devices will respond
 Send a password request string to port 4660
   5AA5000A11013635343332319A71
   5AA50004110C4625
   5AA50005110D024C23
[Diagram: UDP Broadcast, Broadcast Response, Client Response, showing the exchange 5AA5000A11013635343332319A71 / 5AA50005110D024C23]

Slide 45. Demo

Slide 46. Recommendations
 Always change the default password
 Change physical locks
 Use a direct serial connection
 If networked, utilize authentication
 Resist opening the controller to the internet
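"If networked, utilize authentication" is the recommendation that addresses slides 34 and 36 directly, and it is worth seeing what it means on the controller side. The simulation below is an added example written for this page, not vendor firmware or the speaker's tool: `VulnerableController` reproduces the behaviour the slides describe (a Password frame is checked, everything else runs regardless, guesses are never throttled), and `HardenedController` gates every other command on an accepted password for that specific connection, counts failures and locks the connection out. It simplifies a frame to (command byte, data bytes), ignores the checksum, uses the command numbers from slide 20, and the password, connection names and lockout values are constructed.

```python
import hmac

PASSWORD_CMD = 0x01                     # command byte from slide 20
ACK, NAK = "ACK", "NAK"


class VulnerableController:
    """Behaviour described on slides 34 and 36: a Password frame gets ACK/NAK,
    but every other command runs whether or not one was ever accepted, and
    guesses are never throttled."""

    def __init__(self, password):
        self.password = password
        self.executed = []              # (command, data) pairs that ran

    def handle(self, conn, command, data):
        if command == PASSWORD_CMD:
            return ACK if data == self.password else NAK
        self.executed.append((command, data))   # no authentication check at all
        return ACK


class HardenedController:
    """Same interface with authentication enforced per connection, a failure
    counter and a lockout: one concrete reading of slide 46's advice."""
    MAX_FAILURES = 5                    # constructed policy values
    LOCKOUT_SECONDS = 300.0

    def __init__(self, password, clock):
        self.password = password
        self.clock = clock               # callable returning seconds; injected so time is controllable
        self.sessions = {}               # conn -> {"auth", "failures", "locked_until"}
        self.executed = []

    def _session(self, conn):
        return self.sessions.setdefault(conn, {"auth": False, "failures": 0, "locked_until": 0.0})

    def handle(self, conn, command, data):
        s, now = self._session(conn), self.clock()
        if now < s["locked_until"]:
            return NAK                   # locked out: the guess is not even compared
        if command == PASSWORD_CMD:
            if hmac.compare_digest(data, self.password):
                s["auth"], s["failures"] = True, 0
                return ACK
            s["failures"] += 1
            if s["failures"] >= self.MAX_FAILURES:
                s["locked_until"] = now + self.LOCKOUT_SECONDS
            return NAK
        if not s["auth"]:
            return NAK                   # closes slide 36: nothing runs unauthenticated
        self.executed.append((command, data))
        return ACK


class FakeClock:
    """Manually advanced clock so the lockout can be exercised offline."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


def run_scenario():
    """Drive both controllers through the same sequence; returns the replies."""
    clock = FakeClock()
    secret = b"135790"                   # constructed 6-digit password (slide 34's key space)
    vuln, hard = VulnerableController(secret), HardenedController(secret, clock)
    out = {}
    # A connection that never authenticates sends a command (byte 0x04 from slide 20).
    out["vuln_unauth_cmd"] = vuln.handle("conn-A", 0x04, b"\x01")     # ACK: executed blind
    out["hard_unauth_cmd"] = hard.handle("conn-A", 0x04, b"\x01")     # NAK
    # Five wrong guesses, then the right password while still locked out.
    for _ in range(HardenedController.MAX_FAILURES):
        hard.handle("conn-A", PASSWORD_CMD, b"000000")
    out["hard_locked_correct_pw"] = hard.handle("conn-A", PASSWORD_CMD, secret)   # NAK
    clock.now += HardenedController.LOCKOUT_SECONDS
    out["hard_after_lockout_pw"] = hard.handle("conn-A", PASSWORD_CMD, secret)    # ACK
    out["hard_auth_cmd"] = hard.handle("conn-A", 0x04, b"\x01")                  # ACK
    out["hard_other_conn_cmd"] = hard.handle("conn-B", 0x04, b"\x01")            # NAK: per connection
    out["executed"] = (len(vuln.executed), len(hard.executed))                   # (1, 1)
    return out


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(key, value)
```

The two points the scenario makes are that authentication state has to belong to the connection that proved the password (a second connection to the same controller starts unauthenticated), and that the lockout has to be checked before the password is compared, so a guessing run gains nothing from continuing once it trips. The password comparison uses a constant-time compare; with a six-digit numeric space the lockout is what actually limits guessing, not the comparison.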
Slide 47. Final Thoughts
 Other vendors
 Ongoing research
 Tool – More work is needed
   Tool located on https://github.com/linuz/Access-Control-Attack-Tool
   It’s currently just a prototype
   Continue updating it/take it out of “PoC mode”
   Working on an Nmap script
 Slides uploaded to SlideShare: www.slideshare.net/DennisMaldonado5

Slide 48. Questions?
 If you have any questions, you can:
   Twitter: @DennisMald
   Find me here at DEFCON23
   Email me at: dmaldonado@klcconsulting.net
