How did I get into your office? - Disobey 2020 presentation
Our focus today
• Bypassing the access control or lock
• Without social engineering prowess
• (Preferably) without damaging the lock / door
• (Preferably) without leaving any evidence
• Mitigations and risk management
• Not covered:
• Bypassing alarm systems.
• Traditional lock picking
• Buildings and companies. Some things are ”unpatched”.
Trick 0: Bypass the lock (latch attack)
My childhood adventures...
Abloy lock, year 1990
unpickable for a 12 year old?
Ice cream: 1 mk
Access granted: priceless :)
Why did they remove the security patch?
Who am I now?
• Security chief at Solita 2019 -
• Hacker at Team ROT
• Red-teaming hobbyist, not pro!
• Still bad at social engineering.
• Twitter: @Anakondantti
Don’t get into trouble
• Never "pentest" access controls without permission!
• Even with the permission, agree on the rules
• If you break something, who will pay for it?
• If you copy the keys, what happens?
• Can you ever talk about it, NDA?
• Physical access without permission quickly becomes a police matter.
• Around the building, all backdoors etc.
• Model and type of access control system
• Who has access to different parts of the building?
• Where are the valuable assets?
• The alarm system? When does it automatically switch on?
• Are some employees prone to ask for id cards and some never ask? (tailgating)
• Get proper tools and software
• Proxmark, Keysy, Chameleon
• Magnets, screwdrivers etc.
Trick 1, the oldest trick: Just walk in?
• I did this accidentally last autumn.
• Tailgating is not the only game plan.
• Follow the dress code, don’t look nervous.
• You don’t need props.
• Props = not an accident or honest mistake.
Prisma shopping center 2019,
Probably nothing interesting there.
Trick 2: Bypass the door
• Just go around the door.
• This might be enough
• big objects can’t be stolen.
• I did this a lot when I was a kid.
Trick 3: Bypass the lock
• Hook, film, wire... 10-50 USD
• Reach the door handle inside
• The doors are rarely airtight
• Leaves no trace
My finger can fit here... :)
Trick 4: Lock tampering (privesc)
• Force the bolt on the lock to stay unlocked.
• The door will close and it looks like it’s locked.
• Authorized access leads to unauthorized access.
• Done this for fun, but others use it for profit too...
Excerpt from a notice, 2019
Trick 5: Obscure path leads to profit
• I got inside a restricted hospital area through a path like this...
• (extremely stimulating!)
It works roughly like this
1. Reader -> Tag: “Who are you?”
2. Tag -> Reader: “I’m 123456XYZ”
3. Reader -> Server: “Can 123456XYZ get in?”
4. Server -> Reader: “Yes”
5. Control box -> Lock: Open sesame!
It’s 2020 …
that communication surely is...
• Signed with a master key
• After all, it’s 2020. We use HTTPS and all. Right?
Reality: That communication..
• Is often not encrypted!
• Is often not authenticated
• The tag talks to the hacker's reader as well
• Is often not signed
• (Google “Wiegand”. It was a great idea, decades ago.)
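An added example (not from the talk) of what the reader/control box side of the exchange above actually has to work with: a standard 26-bit Wiegand frame carries a facility code, a card number and two parity bits, and nothing else. The only check the receiving side can do locally is parity, which is why a copied tag cannot be told apart from the original at this layer. The frame value is constructed for the example.

```python
# Added example (not from the Disobey talk): decode a 26-bit Wiegand frame as a
# reader/control box sees it, to show that the only integrity check available is
# two parity bits. There is no key, nonce or signature field anywhere in the frame.
from dataclasses import dataclass


@dataclass
class Wiegand26:
    facility_code: int
    card_number: int
    parity_ok: bool


def decode_wiegand26(bits: str) -> Wiegand26:
    """Decode a standard 26-bit Wiegand frame.

    Layout: [even parity over the first 12 data bits][8-bit facility code]
            [16-bit card number][odd parity over the last 12 data bits]
    """
    if len(bits) != 26 or set(bits) - {"0", "1"}:
        raise ValueError("expected a 26-character string of 0/1")
    data = bits[1:25]
    # Leading bit: even parity over data bits 0..11 (facility code + top 4 card bits).
    even_ok = (bits[0].count("1") + data[:12].count("1")) % 2 == 0
    # Trailing bit: odd parity over data bits 12..23.
    odd_ok = (data[12:].count("1") + bits[25].count("1")) % 2 == 1
    return Wiegand26(
        facility_code=int(data[:8], 2),
        card_number=int(data[8:], 2),
        parity_ok=even_ok and odd_ok,
    )


def reader_would_accept(bits: str) -> bool:
    """What a plain Wiegand reader/controller can verify locally: parity only.

    Nothing in the frame ties it to one physical tag, which is why a cloned
    tag is indistinguishable from the original at this layer.
    """
    try:
        return decode_wiegand26(bits).parity_ok
    except ValueError:
        return False


# Constructed sample frame: facility code 42, card number 1234.
SAMPLE_FRAME = "10010101000000100110100100"

if __name__ == "__main__":
    print(decode_wiegand26(SAMPLE_FRAME))
```

The mitigation the talk points at (DESFire-class tags, and an authenticated reader-to-controller link such as OSDP with secure channel) adds exactly what this frame lacks: a cryptographic check between tag and reader and between reader and controller.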
How difficult is it to copy / read a tag?
• Depends. Some can’t be copied!
• You need to get close to a tag.
• Reading takes seconds, leaves no traces anywhere.
No magic inside
Zero hacker magic required!
• Phone + 0 eur
• Distance 1-2 cm
• Mifare Classic
• Keysy, 50 eur
• Distance 1-2 cm
• 125 kHz legacy tags
• Cloner, 15 eur
• Distance 1-2 cm
• 125 kHz legacy tags
• Very trustworthy :)
• Proxmark, 380 eur
• Distance 1-8 cm
• Multi-standard, multi-freq
• Not a duplicator! Real hacking :)
• 100-200 eur
• Long-range antenna
• Distance 10cm - 1m!
• Rebadge Enterprise,
• ”autopwn” for police etc.
Your office is safe?
• Tampere, bus card: DESFire, safe
• Tampere, Ratina center: DESFire, safe
• Your office? Don’t count on it!
• How to check?
• This tag says “Indala”. Google “Indala tag cloning”.
• Check with Proxmark.
• Reverse image search for tag or reader if no labels.
That was Trick 6: Copy an access tag
• No need to panic :)
• The biggest risk: You don’t know what is possible.
• Demo: video (thank you Jarkko Vesiluoma)
• You can also attack the reader.
• Or the communication between server and the reader.
• Capture tags as they are used...
• Wiegand protocol sniffer, 30 USD
• Requires physical access to building
• Requires skills
Trick 7: Exit sensors
• The door opens automatically when somebody goes out.
• How does the sensor know that?
• Not very prevalent in Finland, but possible.
• Sensor will trigger from heat change.
• Slip in some smoke, suitable sprays, heat bags...
• The door is not airtight.
Exit sensor door in a Finnish building
Lobby in a big office building
• The lobby/info desk has access keys and may be able to program them
• They hand out keys to different companies and visitors
• They will not destroy (usually) the key tags, but will redistribute them with updated access permissions for the next user.
• They have a master key.
• What could possibly go wrong?
• (apart from obvious social engineering plays)
Trick 8: Steal from the lobby
• The master key often is in a simple drawer, rarely in a safe.
• The access tags are often within reach
• You don’t need to touch them to copy the tags
• The access tags are returned off-hours to a simple box, unsupervised.
• Get in when doors are open, visit the lobby after 17.00 -> Profit.
Trick 9: Evil visitor
• Get a tag as a visitor to organisation A. Copy the access tag (go to a toilet and use Keysy)
• Return the tag at the end of the day.
• Come back later…
• the lobby has updated the permissions
• you can get access to other parts of the building.
• Or don’t return the tag? It might still work and you could wander around unsupervised..
Trick 10: Illogical area permissions
• The access control software is door-oriented, not area-oriented.
• Complex topology leads to mistakes.
• The software could check these things, but it often doesn’t.
• (Apparently graph coloring algorithms are too fancy?)
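The check the slide says the software could do but usually doesn't, as an added example (not the talk's or any vendor's code): model doors as reader-controlled entries between areas, assume exits are free (exit button/sensor), and compute which areas a credential can actually reach compared with the areas it was meant to have. The topology, door ids and credential are constructed for the example.

```python
# Added example (not from the Disobey talk): audit door-oriented permissions
# against the intended area permissions. Doors are modelled as directed,
# reader-controlled entries; exiting through any door is assumed to be free
# (exit button/sensor), so every door also gives a free reverse edge.
from collections import deque

# Constructed sample topology: (door_id, from_area, to_area).
DOORS = [
    ("d1", "outside", "lobby"),
    ("d2", "lobby", "corridor"),
    ("d3", "corridor", "office_A"),
    ("d4", "corridor", "server_room"),
    ("d5", "office_A", "server_room"),   # back door shared with office A
]


def reachable_areas(doors, allowed_doors, start="outside"):
    """BFS over the areas a credential can enter, starting from `start`."""
    edges = {}
    for door_id, src, dst in doors:
        if door_id in allowed_doors:
            edges.setdefault(src, set()).add(dst)  # controlled entry
        edges.setdefault(dst, set()).add(src)      # free exit back out
    seen, queue = {start}, deque([start])
    while queue:
        area = queue.popleft()
        for nxt in edges.get(area, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def audit_credential(doors, allowed_doors, intended_areas, start="outside"):
    """Return areas the credential can reach but is not supposed to enter."""
    return reachable_areas(doors, allowed_doors, start) - set(intended_areas) - {start}


# Constructed sample: tenant A's tag was granted d5 "because staff use the back
# door", but nobody checked where d5 leads.
TENANT_A_DOORS = {"d1", "d2", "d3", "d5"}
TENANT_A_AREAS = {"lobby", "corridor", "office_A"}

if __name__ == "__main__":
    print(audit_credential(DOORS, TENANT_A_DOORS, TENANT_A_AREAS))  # {'server_room'}
```

Running this over every credential group after each permission change is the kind of area-level consistency check that turns "complex topology leads to mistakes" into a finding before someone walks through the back door.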
Digital access control..
Part 3: installation issues
Trick 11: Wank the door handle
(Special thanks to Tapio Vuorinen)
• Rough handling may break the lock or the door handle!
• Why did that even work?
Trick 12: Power the motor
• Access the wiring between lock and the control box
• Apply voltage to the motor, bypassing the reader completely
• This should not happen if everything is installed properly.
Variation: cut the power
• Will the lock fail open? Or fail closed?
• For safety reasons, people need to be able to get out if power is lost.
• If there is no mechanical backup, the lock will almost certainly fail open
• -> A fail-open lock will open if you manage to cut the power.
The locked office
The public space
Trick 13: Control box on the wrong side (2019)
• This really really surprised me!
• Encryption, heavy locks or doors can’t help..
• Do they check this in audits? Did you check?
Lifting the panel: 10 seconds
Screwdriver: 1 euro
My face: priceless :)
Risk management and audits
(Thank you Heikki Stark & Nixu for the awesome sticker :) )
• Security costs money. Some of the mitigations are not free.
• Do you know the risks? I didn’t.
• Who made the trade-off? Did you or the owner of the building?
• I can’t tell you what is an acceptable risk to you.
• Most security audits are not thorough
• Katakri or other auditors don’t care about copied tags.
• They don’t check the control box locations and such.