Are We Really Safe?
HACKING ACCESS CONTROL SYSTEMS
Dennis Maldonado
 Security Consultant @ KLC Consulting
 Twitter: @DennisMald
 Houston Locksport Co-founder
http://www.meetup.com/Houston-Locksport/
Agenda
 Physical Access Control System
 Linear Commercial Access Control Systems
 Attacks
 Local
 Remote
 Demo/Tools
 Device Enumeration Techniques
 Recommendations
Physical Access Control Systems
Physical Access Control
What do they do?
Limiting access to physical location/resource
 Secure areas using:
 Doors
 Gates
 Elevator floors
 Barrier Arms
 Access control systems
 Keypad Entry (Entry/Directory codes)
 Telephone entry
 Radio receivers for remotes
 Proximity cards (RFID)
 Swipe cards
 Sensors
Physical Access Control
How do they work?
Where are they used?
 Use cases:
 Gated Communities
 Parking Garages
 Office Buildings
 Apartments
 Hotels/Motels
 Commercial Buildings
 Recreational Facilities
 Medical Facilities
Doorking
Chamberlain
Sentex
LiftMaster
Nortek Security & Control/Linear Controllers
Linear Commercial Access Control
Nortek Security & Control/Linear Controllers
AE1000Plus
AE2000Plus
AM3Plus
Linear Controller
 Commercial Telephone Entry System
 Utilizes a telephone line
 Supports thousands of users
 Networked with other controllers
 Can be configured/controlled through a PC
 Serial Connection
Linear – TCP/IP Kit
 AM-SEK Kit (Serial-to-TCP)
 Converts Serial to Ethernet
 Allows Management over TCP/IP network
 Allows for remote management (over the internet)
Linear – Typical Installation
[Diagram: Management PC (192.168.0.40) connected by Ethernet cable to a Router/Switch (192.168.0.0/24); AE1000Plus Controller attached by serial cable, then Ethernet cable, to the same Router/Switch]
Software - AccessBase2000
 Add/remove users
 Entry codes
 Directory codes
 Cards
 Transmitters
 Manually toggle relays
 View log reports
 Communicates through serial
 Requires a password to authenticate
PC to Controller Communication
 Request
 5AA5000A1105010008000000CB97
 Response
 Acknowledged: 5AA50004110C4625
 Not Acknowledged: 5AA50005110D024C23
 Invalid Checksum: 5AA50005110D017EB8
 No response (not authenticated)
[Diagram: the PC sends 5AA5000A11013635343332319A71 and the controller answers 5AA50005110D024C23]
Packet structure (example packet: 5AA5000A11013635343332319A71; the string is hex encoded)
 Packet Header
 Minimum Data Length
 Maximum Data Length
 Net Node
 Command { Password = 01, Poll Status = 02, Poll Log = 03, Command = 04, Time = 05, Put Flash = 06, … }
 Data (Hex)
 Checksum
Attacks
LOCAL AND REMOTE ATTACKS
So how do we target these controllers?
 Physical Access
 Local Programming
 Serial port inside the controller
Local Attacks
AE-500 – Default Password
 Hold 0 and 2 on the keypad
 Type the default password: 123456#
 Input the commands to add a new entry code
 31#9999#9999#99#
 Type in your new code (9999)
 Access Granted!
[Diagram: the key sequence 123456#31#9999#9999#99# annotated with the steps Enter Programming Mode, Enter Entry Code, Confirm New Entry Code, Exit Programming Mode, and the New Entry Code]
Master Key
 Same key for all AE1000plus, AM3plus controllers
 Purchase them from a supplier or on eBay
 Or just pick the lock
 Full access to the device
Physical Access
 Manual Relay Latch buttons
 Toggle Relay
 Lock their state
 Programming buttons
 Program device locally
 Erase Memory
 Active Phone Line
 Serial connection to the controller
Tamper Monitoring?
 Magnetic tamper switch inside enclosure
 No active alerts
 Can be bypassed by placing a magnet on the outside of the enclosure
So how do we target these controllers?
 Physical Access
 Local Programming
 Serial port inside the controller
 Internal Network Access
 IP of Serial to TCP device
 TCP Port 4660
 External Network Access
 IP of Serial to TCP device
 TCP Port 4660 open to the internet
[Diagram: "Bad Guy" exchanging 5AA5000A11013635343332319A71 / 5AA50005110D024C23 with the serial-to-TCP device, reached internally at 192.168.0.32:4660 or from the internet at 74.12.x.x:4660]
Remote Attacks
Demo
Brute-force attack
 No rate limiting
 No password lockout
 Small key space
 Exactly 6 characters
 Numeric only
 Scriptable
Demo
No Password Necessary
 Authentication not enforced!
 Send unauthenticated commands
 Any commands will execute
 May not get any confirmation data
[Diagram: Hacker – raw connection – AE1000Plus Controller]
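As an added example (not the ACAT tool, and not Linear's own code), the following Python decodes the frame layout from the packet slide and watches a captured port-4660 exchange for the two behaviours described in the brute-force and "No Password Necessary" slides: repeated password guesses, and requests sent before any password was acknowledged. It assumes the 2-byte field after the header counts the bytes that follow, and that reply code 0x0C means acknowledged while 0x0D with data 02 or 01 means not acknowledged or invalid checksum, both inferred from the labelled sample packets; the checksum algorithm is not on the slides, so the checksum is extracted but not verified.

```python
"""Decoder and traffic monitor for the Linear AccessBase2000 frames shown on
the slides (serial over TCP port 4660).  Added example, not the ACAT tool or
vendor code.  Length-field and reply-code meanings are inferred from the
labelled sample packets (assumption); the checksum is extracted, not verified."""
from dataclasses import dataclass

HEADER = b"\x5a\xa5"  # fixed, hard-coded packet header
COMMANDS = {0x01: "Password", 0x02: "Poll Status", 0x03: "Poll Log",
            0x04: "Command", 0x05: "Time", 0x06: "Put Flash"}
REPLY_ACK = 0x0C      # 5AA50004110C4625 is labelled "Acknowledged"
REPLY_NAK = 0x0D      # data 02 = not acknowledged, data 01 = invalid checksum
GUESS_THRESHOLD = 3   # assumption; the controller itself never locks out


@dataclass
class Frame:
    net_node: int   # controller address relative to the other controllers
    command: int
    data: bytes     # ASCII characters for the password command
    checksum: int

    @property
    def command_name(self) -> str:
        return COMMANDS.get(self.command, f"unknown(0x{self.command:02X})")


def parse_frame(hex_str: str) -> Frame:
    """Header, 2-byte count of the bytes that follow, net node, command, data, checksum."""
    raw = bytes.fromhex(hex_str)
    if raw[:2] != HEADER:
        raise ValueError("bad packet header")
    length = int.from_bytes(raw[2:4], "big")
    body = raw[4:]
    if len(body) != length or length < 4:
        raise ValueError("length field does not match frame")
    return Frame(body[0], body[1], body[2:-2], int.from_bytes(body[-2:], "big"))


def monitor(capture):
    """Walk ("req"|"rsp", hex) pairs and report every password guess and its
    outcome, any request sent before a password was acknowledged (the slides
    show these still execute), and a brute-force flag past the threshold."""
    events, authenticated, guesses = [], False, 0
    for direction, hex_str in capture:
        f = parse_frame(hex_str)
        if direction == "req":
            if f.command == 0x01:
                guesses += 1
                events.append(("password_attempt", f.data.decode("ascii", "replace")))
            elif not authenticated:
                events.append(("unauthenticated_request", f.command))
        elif f.command == REPLY_ACK:
            authenticated = True
            events.append(("acknowledged", None))
        elif f.command == REPLY_NAK:
            events.append(("invalid_checksum" if f.data == b"\x01" else "not_acknowledged", None))
    if guesses >= GUESS_THRESHOLD:
        events.append(("bruteforce_suspected", guesses))
    return events


# Constructed capture assembled from the packets printed on the slides.
CAPTURE = [
    ("req", "5AA5000A11013635343332319A71"),  # password "654321"
    ("rsp", "5AA50005110D024C23"),            # not acknowledged
    ("req", "5AA5000A11013635343332319A71"),
    ("rsp", "5AA50005110D024C23"),
    ("req", "5AA5000A11013635343332319A71"),
    ("rsp", "5AA50005110D017EB8"),            # invalid checksum
    ("req", "5AA5000A1105010000080000E88D"),  # relay trigger, never authenticated
]
```

Running `monitor(CAPTURE)` yields three password attempts, the two reply outcomes, an unauthenticated request and a brute-force flag; feeding real traffic captured from the serial-to-TCP device at port 4660 gives a defender the visibility the controller's own logs do not.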
Open Doors Remotely
 Send one simple command
 5AA5000A1105010000080000E88D
 Triggers a relay for 2 seconds thus opening a door or gate
 Great for movie style scenes
[Diagram: Hacker sends 5AA5000A1105010000080000E88D over a raw connection to the AE1000Plus Controller; Door 1: Access Granted]
Lock Doors Open/Closed
 Keeps Doors/Gates open or closed
 Will not respond to user input (RFID cards, remotes, etc.)
 Persists until manually unlocked or rebooted
Delete Logs From The Controller
 Controller keeps logs of events
 Downloading logs deletes them from the controller
 Hide evidence of entry or tampering
Change the Password
 Upload configuration settings
 Change password without needing the previous password
 Normal functionality remains
 Upload other configuration changes
Denial of Service
 Fake database update disables the controller until someone authenticates to it or it is rebooted
 Overwrite device firmware
 Lock relays to prevent access
ACAT – Access Control Attack Tool
Demo
Locating Controllers
Device Enumeration Techniques
 Scan the network
 Look for any COM port redirectors
 Default port = TCP 4660
 Send broadcast packet to UDP 55954
 Devices will respond
 Send a password request string to port 4660
 5AA5000A11013635343332319A71
 5AA50004110C4625
 5AA50005110D024C23
[Diagram: UDP broadcast and broadcast response; the client then sends 5AA5000A11013635343332319A71 and receives 5AA50005110D024C23]
Demo
Recommendations
 Always change the default password
 Change physical locks
 Use a direct serial connection
 If networked, utilize authentication
 Resist opening the controller to the internet
Final Thoughts
 Other vendors
 Ongoing research
 Tool – More work is needed
 Tool located on https://github.com/linuz/Access-Control-Attack-Tool
 It’s currently just a prototype
 Continue updating it/take it out of “PoC mode”
 Working on an Nmap script
 Slides uploaded to SlideShare: www.slideshare.net/DennisMaldonado5
Questions?
 If you have any questions, you can:
 Twitter: @DennisMald
 Find me here at DEFCON23
 Email me at: dmaldonado@klcconsulting.net


Editor's Notes

  • #2 Thank everyone for the opportunity to speak!
  • #3 Passion for physical security and combining it with electronic aspects
  • #4 Physical Access Control System What they are Use cases Vendors Talk about a specific vendor of access control, the architecture, and how it communicates Attacks, local and remote Demo and tools Device enumeration Recommendations TALK ABOUT DEMO
  • #6 Control a variety of devices
  • #7 Selectively permit access to a protected resource or area. Authenticate users in a variety of ways. Some solutions utilize only some of these methods SHOW EXAMPLE: Use transmitters to open Doors 2-4
  • #8 Talk about the use cases I have seen while going through pictures on the next few slides Not limited to
  • #9 DKS (Doorking) Model 1834, 1835, 1837
  • #10 Elite EL2000, Elite Icon 26
  • #11 Owned by Chamberlain – Sentex Infinity S, Infinity M, Infinity L
  • #12 Owned by Chamberlain - EL1SS, EL2000
  • #13 Linear AE1000, AE1000plus, AE2000plus, AM3plus controllers Finally talk about what we will be focusing on Linear 1000plus, 2000plus, AM3plus are all the same 2000plus offers a bigger screen and more buttons AM3plus headless, no interface for users. Used for certain access situations (RFID only for example) or expansion of an existing system
  • #14 Condominiums downtown (note the use of a keypad and RFID reader)
  • #15 Gated communities
  • #16 Commercial buildings
  • #17 Elevator access on the left On the right, room with locked controllers for access control, networked together
  • #18 Access control controller (AM3plus) found in a bathroom. HERE IS ANOTHER ONE I FOUND
  • #19 Access control controller (AM3plus) found in a bathroom.
  • #22 Smarter access control system
  • #23 Controllers are the ae1000,2000,am3plus Active phone line used for calling users or potentially managing the device in certain configurations AM-SEK used to allow these devices to be managed on a conventional TCP/IP network or potentially remotely over the internet. The managing computer will create a virtual serial port which will then connect to this serial-to-tcp device The most common use case I have seen in the field Network scan
  • #25 Controller is connected to the serial-to-TCP interface, which is then connected to the network. From there a computer on the local network can manage the controller using special software to interface with it. Documentation encourages external internet access by forwarding ports to the serial-to-TCP/IP interface. No authentication required -- So now that we understand how [this] is set up, let's talk about how a computer interfaces with the Linear Controller
  • #26 Software used to connect to the controller Requires a password to authenticate. Talk about how to download
  • #27 Putting in the password. Password is exactly 6 characters, numeric only. Application attempts the password when connecting Application will not do anything unless the correct password is put in
  • #28 Example of managing users
  • #30 Packet Header is fixed, hard-coded. Minimum length of the data that will be sent. Maximum length of the data. Net Node, which is the address of the controller relative to the other controllers on the network. Command (1-16) such as pull log, push firmware, query status, etc. Data itself: the ASCII-encoded value of each character, converted to hex and sent over the virtual serial connection. Checksum, used to check the validity of the message; calculated from the NetNode, command, and data values.
  • #32 Find devices by scanning the network (nmap)
  • #33 So now that we talked about the remote attacks, let's assume that these devices are not networked or are the versions that do not support networking.
  • #34 AE-500 does not support a networked configuration and is programmed locally from the keypad. The AE-500 is used for much smaller installations. Default password, rarely ever changed from what I have seen in the field. Use the key combination with the default password to backdoor the controller in under 10 seconds
  • #36 Video of utilizing the default password on the keypad to create my own entry code Commentate video while playing
  • #37 At least all AE1000plus and AM3plus share the same key regardless of supplier Obtain the key from the vendor, a supplier, or purchase them off eBay (enclosures) You could also pick the lock if you are so inclined Physical access to the inside of the controller will give you full access
  • #38 Toggle relays to open doors or gates
  • #39 Manually re-program some controllers or completely reset the controllers Active phone line, find the phone number and use it to call the device. You may be able to program the device from the phone if you know the master password (default=123456) Serial connection to the controller for attacks (raspberry pi to make it networked/backdoored)
  • #40 Tamper switch used for monitoring when the enclosure is opened or closed No active alerts, need to download the logs and view the logs for any tamper events Can be rendered useless by placing a magnet at the right place
  • #41 Video of bypassing magnetic tamper switch Commentate video while playing
  • #42 So now that we talked about physical access, let's talk about targeting these devices via the network or internet
  • #43 Find devices by scanning the network (nmap)
  • #44 Let's get into the fun stuff
  • #45 Show the accessbase software and trying to log into it resulting in “Wrong Password” (Client password should be set to 123456 while controller should be set to 000051 or something else)
  • #46 A password is “required” to configure the device. There is no rate limit or password lockout so you can just keep sending guesses in a typical bruteforce fashion. The speed is limited by the speed of the virtual serial connection Exactly 1,000,000 combinations to test Testing full keyspace would take about 114 hours which is about 4.75 days
  • #47 Demo the brute force script. Finish talking BEFORE the attack is finished! Show the access base software, logging into it and triggering relays Demo downloading logs normally after bruteforcing password
  • #48 Authentication is “required” but not enforced. You can send serial commands through the virtual serial connection which will be executed by the controller. Does not require a password or prior authentication. Most commands will not return any data if the user has not authenticated recently; however, they will still execute. What can we do with this?
  • #49 Trigger the controller’s relays! Send one command and the specific relay will trigger for x number of seconds depending on configuration (2 by default). Just like if someone was granted access normally using an entry code or RFID card, for example. Logged as request to exit, so it would be hard to detect this was done illegitimately after the fact. Scenario: classic movie scenario where you have a team of jewelry thieves who enter the building after the hacker on the team, who is sitting in a van across the street, hacks into the access control network with his or her laptop and grants them access into the building
  • #50 Lock relay state to either open or closed. Effectively locks doors, gates, or whatever to an open or closed state, making them unresponsive to valid users. Keep a door open or keep it closed. Persists until manually unlocked or the controller is rebooted
  • #51 The controller logs most things including access denied, access granted, controller enclosure is opened (tamper switch) device rebooted, and more Every time the logs are downloaded from the controller into the application, the logs are deleted from the controller to save space. Initiate a log download, and the logs are deleted from the controller! Hides any evidence of entry or tampering with the controller
  • #52 Upload configuration without authentication which can be used to change the password without needing the previous password Controller continues to function normally Can upload other changes such as entry codes or transmitters (backdoor)
  • #53 Prevent people from using the controller Lock relays to prevent access to doors or gates Fake a database update which will effectively disable the controller until someone else authenticates to it or the device is rebooted Overwrite the devices firmware to brick the device
  • #54 Show entire tool in windows, including deleting logs
  • #56 UDP broadcast is animated
  • #57 Demo of DetectLinear tool
  • #58 Always change the default password Do not network these if you don’t have to (direct serial connection) If you have to network this, utilize authentication everywhere (including the serial-to-tcp device) Don’t open this to the internet Change the lock to something more secure
  • #59 Still working on my research. I do hope to cover more on this and other vendors as well. These issues are not limited to any one vendor. Need to finish the tool (make some fixes/updates). Working on more security research that focuses on joining the physical and electronic space.
  • #60 Q/A session