“We don’t need no stinkin’ badges!”
Hacking electronic door access controllers
Shawn Merdinger, security researcher
DEFCON 18

Obligatory Speaker Slide
- Shawn Merdinger
- Former Cisco STAT, TippingPoint, non-profits
- Independent security researcher
- University of Florida, Health Science Center
- Founder of LinkedIn MedSec group
- Currently researching medical device security <groan>
- Past security research on VoIP phones
- Basic VxWorks debug stuff (see HDM’s talk)
- Quick rant: We need more women in security!

Outline
- EDAC technology: trends, landscape, vendors, architecture
- EDAC real-world analysis: S2 Security NetBox; research, exposure, vulnerabilities, attacks
- Countermeasures & recommendations
- Warning: stupid bugs ahead

Learning outcomes
- Awareness of security issues in EDAC systems
- Major players, vendors
- Pen-testing knowledge
- Research and testing methods
- Benefiting EFF via ethical hacking

Choice quotations
“When hackers put viruses on your home computer it's a nuisance; when they unlock doors at your facility it's a nightmare.”
  John L. Moss, S2 Security CEO, STAD, Volume 14, Issue 1, January 2004

Q: …about the security of buildings around town… what was your response?
ATTY GEN. RENO: “Let's do something about it.”
Q: Is this a good thing that has happened?
ATTY GEN. RENO: I think any time you expose vulnerabilities, it's a good thing.
  Department of Justice Weekly Media Briefing, 25 May 2000

EDAC Technology Overview
- Trend is towards IP from proprietary solutions
- Convergence of IP, video (cameras, DVR)
- Adding other building systems (HVAC, elevators, alarms)
- Cost savings, integration, increased capabilities (LDAP)
- Many controllers use embedded Linux
- Wide range of vendors in EDAC space. Vulns appearing.
  S2 Security, Honeywell, HID Global VertX, Ingersoll-Rand, Bosch Security, Reach Systems, Cisco Systems (Richards Zeta), Brivo, DSX Access, RS2 Technologies, Synergistics, Lenel, and many others…

EDAC Deployment
Often you’ll see:
- Managed by building facilities people
- Stuck in a closet and forgotten
- Long lifecycles of 5-10 years
- Distanced from IT Security: “Physical security is not your domain. It’s ours.”
- Patching, upgrades, maintenance. What? Huh?
- Policies regarding passwords, logging don’t apply
- 3rd party local service contractor adds doors, hardware configuration

Anyone really question the importance of EDAC Security? Really?
- Yale lab murder
- Clark access log

S2 Security NetBox
- Built by S2 Security
- 9000+ systems installed worldwide
- Schools, hospitals, businesses, LEA facilities, etc.
- Same box is sold under multiple brand names:
  - Built by S2 Security: NetBox
  - Distributed by Linear: eMerge 50 & 5000
  - Reseller branding: Sonitrol eAccess
S2 Security NetBox
S2 Security EDAC Architecture
Reading up on S2 Security
Preparation and information gathering:
- S2 Security docs, case studies, press releases
- Search engines (Google, Bing, etc.)
- Lexis-Nexis, ABI-Inform (tip: access these at college campus libraries)
Example: able to determine from tinyurl.com/s2mysql
- MySQL, Samba
- Lineo Linux distribution (same as Zaurus!)
- Processor is ARM Core IXP 425 chip @ 533 MHz
- Only 15 months from design to 1st customer shipping
- “S2 did not have much prior experience with open source”
- “MySQL is used to store everything from reports, user information, customized features, facility diagrams, and more”

S2 Security Marketing
- “Data security features built into the software and hardware assure that it is safe to deploy systems across any network, even the public Internet”
- “Remote locations are easily handled”
- “S2 NetBox can operate for years without maintenance of any kind”

NetBox Components
- HTTP server
- MySQL / Postgres
- NmComm custom application
- FTP/Telnet
- Other features…

NetBox Component: HTTP Server
- GoAhead WebServer, TCP/80
- Poor choice: sixteen CVEs (CVE-2003-1568, CVE-2002-2431, CVE-2002-2430, CVE-2002-2429, CVE-2002-2428, etc.)
- No vendor response for several
- Typical example in CVE-2002-1951: “GoAhead… contacted on three different occasions during the last three months but supplied no meaningful response.”
“Data security is a challenge, and unfortunately, not everyone has risen to it.”
  John L. Moss, S2 Security CEO

NetBox Component: MySQL
- MySQL server listening on 3306
- Outdated SQL: version 2.X uses MySQL version 4.0; 3.X uses Postgres
- Just how old is MySQL 4.0? End of life? How about end of download…

NetBox Component: NmComm
- Service listening on TCP/7362
- Performs multicast discovery of nodes
- Custom daemon coded by S2 Security
- Patent issued 15 December 2009: “System and method to configure a network node”, http://tinyurl.com/s2patent
- Reads like an RFC (tip: grep for “must not” ;)
- “Ladies & Gentlemen, start your fuzzers!”

NetBox Component: FTP & Telnet
- Cleartext protocols for a security device?!?!
- Telnet to manage (as root – use diagnostics tools ;)
- FTP for DB backups
- Poor security-oriented documentation
“We see some vendors fitting their serial devices with Telnet adapters, which simply sit on the network transmitting unsecured serial data.”
  John L. Moss, S2 Security CEO

NetBox Components: Features!
- Lots of extras and license options: elevator, HVAC, temp, burglar, API, VoIP
- Increases complexity
- Expands attack surface: more devices, protocols

NetBox Components: Features!
- View building floorplans

S2 NetBox unauthenticated reset
- VU#571629
- Remote, unauthenticated factory reset via crafted URL

S2 NetBox Unauth Access: Backup DB
- CVE-2010-2466: unauthenticated attacker can download DB backups
- Nightly DB backup is a hardcoded cron job
- File name is “full_YYYYMMDD_HHMMSS.1.dar”
- Predictable time range and naming convention
- Attacker gets backup DB = game over
- Uncompress the .dar format: /var/db/s2/tmp/backup/all.dmp
- Entire system data in DB!

NetBox Unauth Access: Backup DB
- Extract admin MySQL_64bit hash
- Affects NetBox 2.X (MySQL) and 3.X (Postgres)
- Hash is trivial to crack
- CVE-2010-2468

NetBox Pwnage: Doors
- Open any door
- Right now, or schedule

NetBox Pwnage: Cameras
- Backup file contains IP camera info: name, IP address, admin username and password
- NetBox 2.X and 3.X systems vulnerable
- Attacker now owns IP cameras
“Most hackers don't care about watching your lobby. If they gain access to the network, they're going to go after financial data and trade secrets.”
  Justin Lott, Bosch security marketing

NetBox Pwnage: DVRs
- User/pass to DVRs in backup DB
- Poor setup guides for DVRs: recommends keeping default user/pass (On-Net Surveillance Systems Network Video Recorder document)

More HTTP directory grief…
- CVE-2010-2465
- Unauthenticated access to node logs and employee photographs

NetBox Remote Fingerprinting
Remote identification:
- MAC OUI registered to S2 Security
- Nmap service fingerprint submitted (nmap 5.20)
- /blank.html (props to SkipFish)
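Added example, not from the talk: a small log triage script for the defender side of the backup-DB slides and the fingerprinting slide above. It walks web server access logs for the predictable “full_YYYYMMDD_HHMMSS.1.dar” backup name (a burst of misses on such names points at someone walking the cron timestamp range) and for the /blank.html fingerprint path. The log lines are constructed and the /backups/ directory is a placeholder; the talk does not give the device's real backup URL.

```python
import re
from collections import defaultdict

# Backup naming convention from the talk: full_YYYYMMDD_HHMMSS.1.dar
BACKUP_RE = re.compile(r"/full_\d{8}_\d{6}\.1\.dar$")
FINGERPRINT_PATH = "/blank.html"  # path SkipFish flagged as a NetBox fingerprint
# Common Log Format: client ident user [time] "METHOD path PROTO" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3}) ')

def parse_line(line):
    # Returns (client, path, status) or None when the line is not CLF
    m = LOG_RE.match(line)
    return (m.group(1), m.group(2), int(m.group(3))) if m else None

def analyze(lines, guess_threshold=3):
    # Per client: successful backup downloads, misses on backup names, fingerprint hits
    stats = defaultdict(lambda: {"backup_ok": [], "backup_miss": 0, "fingerprint": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        client, path, status = rec
        s = stats[client]
        if BACKUP_RE.search(path):
            if status == 200:
                s["backup_ok"].append(path)
            else:  # misses on predictable names suggest walking the timestamp range
                s["backup_miss"] += 1
        elif path == FINGERPRINT_PATH:
            s["fingerprint"] += 1
    findings = {}
    for client, s in stats.items():
        alerts = []
        if s["backup_ok"]:
            alerts.append("backup archive downloaded: " + ", ".join(s["backup_ok"]))
        if s["backup_miss"] >= guess_threshold:
            alerts.append(f"{s['backup_miss']} misses on backup names (timestamp guessing)")
        if s["fingerprint"]:
            alerts.append("fingerprint probe of " + FINGERPRINT_PATH)
        if alerts:
            findings[client] = alerts
    return findings

# Constructed sample log; /backups/ is a placeholder directory, not the device's real path.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jul/2010:02:13:01 -0400] "GET /blank.html HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Jul/2010:02:13:05 -0400] "GET /backups/full_20100710_020000.1.dar HTTP/1.1" 404 0',
    '203.0.113.5 - - [10/Jul/2010:02:13:06 -0400] "GET /backups/full_20100710_020001.1.dar HTTP/1.1" 404 0',
    '203.0.113.5 - - [10/Jul/2010:02:13:07 -0400] "GET /backups/full_20100710_020002.1.dar HTTP/1.1" 404 0',
    '203.0.113.5 - - [10/Jul/2010:02:13:08 -0400] "GET /backups/full_20100710_020003.1.dar HTTP/1.1" 200 5242880',
    '192.0.2.10 - - [10/Jul/2010:08:00:00 -0400] "GET /index.html HTTP/1.1" 200 2048',
]
```

Calling analyze(SAMPLE_LOG) flags only 203.0.113.5, with one completed backup download, three misses on guessed names, and the /blank.html probe; 192.0.2.10 produces no alert.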
Enter Shodan
- Game changer
- NetBoxes “difficult to find, not on Internet, blah blah…”: “Behind a firewall, accessible only by VPN”, “Deep within the corporate network”
- Targeted searches, unique fingerprint
- 341 devices today. 150 in March 2010.

Recommendations: Vendor
Vendor:
- Conduct security evaluations on your products
- Provide secure deployment guides
- Tighten up 3rd party integration
Improve logging:
- More details: changes, auditing, debug levels
- Ability to send to log server
HTTP:
- Use a “better” HTTP daemon
- HTTPS by default
- Modify banners, reduce footprint, etc.
- FTP/Telnet to SCP/SSH

Recommendations: Customers
- Demand better security! From vendor, reseller, and service contractor
- Expect fixes and patches
- Manage your EDAC like any other IT system: patching, change management, security reviews
Technical:
- Isolate eMerge system components: VLANs, MAC auth, VPN, restrict IP, etc.

S2 Security CEO Letter
From John L. Moss to System Integrators

Offer: EDAC Evaluations for Vendors
- Recorded at CarolinaCon
- Get a “phase 1” product security evaluation
- Donate to a non-profit like EFF (and get a tax deduction)
- Will sign NDA (non-disclosure agreement)
- Eval the box, report & outbrief
- Add’l advice for product security response: /security page, email POC, PGP, vulnerability policy, etc.
- Introduction to CERT/CC, US-CERT
- Security conference support

So Far…
- Approached by 2 EDAC companies
- Talk… establish trust… NDA… gear shipped
- 1st company donated to EFF
- Won EFF’s Defcon Giveaway Contest: $2560 raised
Thank you! Questions?

Defcon 18 "Hacking Electronic Door Access Controllers"
