
How did I get into your office? - Disobey 2020 presentation

How to get into buildings without social engineering? Different vulnerabilities and tricks that can be used to bypass access controls, without social engineering.



  1. Get inside! Without social engineering. Antti.Virtanen@Solita.fi, Twitter: @Anakondantti, 2020
  2. Our focus today
     • Bypassing the access control or lock
     • Without social engineering prowess
     • (Preferably) without damaging the lock / door
     • (Preferably) without leaving any evidence
     • Mitigations and risk management
     • Not covered:
       • Bypassing alarm systems
       • Traditional lock picking
     • Buildings and companies. Some things are ”unpatched”.
  3. Trick 0: Bypass the lock (latch attack)
     • My childhood adventures...
     • Abloy lock, year 1990: unpickable for a 12 year old?
     • Ice cream: 1 mk. Access granted: priceless :)
     • Why did they remove the security patch?
  4. Who am I now?
     • Security chief at Solita 2019 -
     • Hacker at Team ROT
     • Red-teaming hobbyist, not pro!
     • Still bad at social engineering.
     • Twitter: @Anakondantti
  5. Legal disclaimer
  6. Don’t get into trouble
     • Never ”pentest” access controls without a permission!
     • Even with the permission, agree on the rules
     • If you break something, who will pay for it?
     • If you copy the keys, what happens?
     • Can you ever talk about it, NDA?
     • Physical access without a permission = quickly a police matter.
  7. Attack!
  8. Preparations
     • Recon
       • Around the building, all backdoors etc.
       • Model and type of access control system
       • Who has access to different parts of the building?
       • Where are the valuable assets?
       • The alarm system? When does it automatically switch on?
       • Are some employees prone to ask for ID cards and some never ask? (tailgating)
     • Get proper tools and software
       • Proxmark, Keysy, Chameleon
       • Magnets, screwdrivers etc.
  9. Let’s get physical!
  10. Trick 1, the oldest trick: Just walk in?
     • I did this accidentally last autumn.
     • Tailgating is not the only game plan.
     • Follow the dress code, don’t look nervous.
     • You don’t need props.
     • Props = not an accident or honest mistake.
     • (Photo: Prisma shopping center 2019. Probably nothing interesting there.)
  11. Trick 2: Bypass the door
     • Just go around the door.
     • This might be enough (big objects can’t be stolen).
     • I did this a lot when I was a kid.
  12. Trick 3: Bypass the lock
     • Hook, film, wire... 10-50 USD
     • Reach the door handle inside
     • The doors are rarely airtight
     • Leaves no trace
     • (Photo: My finger can fit here… :))
  13. Trick 4: Lock tampering (privesc)
     • Force the bolt on the lock to stay unlocked.
     • The door will close and it looks like it’s locked.
     • Authorized access leads to unauthorized access.
     • Done this for fun, but others use it for profit too...
     • (Image: Excerpt from a notice, 2019)
  14. Trick 5: Obscure path leads to profit
     • I got inside a restricted hospital area through a path like this...
     • (extremely stimulating!)
  15. Digital access control, part 1: Technology
  16. It works roughly like this
     1. Reader -> Tag: “Who are you?”
     2. Tag -> Reader: “I’m 123456XYZ”
     3. Reader -> Server: “Can 123456XYZ get in?”
     4. Server -> Reader: “Yes”
     5. Control box -> Lock: Open sesame!
     (Diagram: door, reader, tag, lock, server, control box)
  17. It’s 2020 … that communication surely is...
     • Encrypted
     • Authenticated
     • Signed with a master key
     • After all, it’s 2020. We use HTTPS and all. Right?
  18. Reality: That communication...
     • Is often not encrypted!
     • Is often not authenticated
       • The tag talks to the hacker’s reader as well
     • Is often not signed
     • (Google “Wiegand”. It was a great idea, decades ago.)
  19. How difficult is it to copy / read a tag?
     • Depends. Some can’t be copied!
     • You need to get close to a tag.
     • Reading takes seconds, leaves no traces anywhere.
     • (Photo: No magic inside)
  20. Zero hacker magic required!
     • Phone, 0 eur: distance 1-2 cm, Mifare Classic
     • Keysy, 50 eur: distance 1-2 cm, 125 kHz legacy tags
     • Cloner, 15 eur: distance 1-2 cm, 125 kHz legacy tags
     • Cloning-as-a-service: very trustworthy :)
  21. Professional tools
     • Proxmark, 380 eur: distance 1-8 cm, multi-standard, multi-frequency. Not a duplicator! Real hacking :)
     • Long-range antenna, 100-200 eur: distance 10 cm - 1 m!
     • Rebadge Enterprise, 3500 eur: ”autopwn” for police etc.
  22. Your office is safe?
     • Tampere, bus card: DESFire, safe
     • Tampere, Ratina center: DESFire, safe
     • Your office? Don’t count on it!
     • How to check?
       • Ask
       • This tag says “Indala”. Google “Indala tag cloning”.
       • Check with Proxmark.
       • Reverse image search for the tag or reader if there are no labels.
  23. That was Trick 6: Copy an access tag
     • No need to panic :)
     • The biggest risk: You don’t know what is possible.
     • Demo: video (thank you Jarkko Vesiluoma)
  24. Bonus variations
     • You can also attack the reader.
     • Or the communication between the server and the reader.
     • Capture tags as they are used... https://hacker-gadgets.com/product/esp-rfid-tool/
       • Wiegand protocol sniffer, 30 USD
       • Requires physical access to the building
       • Requires skills
  25. Trick 7: Exit sensors
     • The door opens automatically when somebody goes out.
     • How does the sensor know that?
     • Not very prevalent in Finland, but possible.
     • The sensor will trigger from a heat change.
     • Slip in some smoke, suitable sprays, heat bags...
     • The door is not airtight.
     • (Photo: Exit sensor door in a Finnish building)
  26. Digital access control, part 2: Process
  27. Lobby in a big office building (multiple organisations)
     • The lobby/info desk has access keys and may be able to program them
     • They hand out keys to different companies and visitors
     • They will not destroy (usually) the key tags, but will redistribute them with updated access permissions for the next user.
     • They have a master key.
     • What could possibly go wrong?
     • (apart from obvious social engineering plays)
  28. Trick 8: Steal from the lobby
     • The master key is often in a simple drawer, rarely in a safe.
     • The access tags are often within reach
     • You don’t need to touch them to copy the tags
     • The access tags are returned off-hours to a simple box, unsupervised.
     • Get in when doors are open, visit the lobby after 17.00 -> Profit.
  29. Trick 9: Evil visitor
     • Get a tag as a visitor to organisation A. Copy the access tag (go to a toilet and use Keysy)
     • Return the tag at the end of the day.
     • Come back later…
       • the lobby has updated the permissions
       • you can get access to other parts of the building.
     • Or don’t return the tag? It might still work and you could wander around unsupervised...
  30. Trick 10: Illogical area permissions
     • The access control software is door-oriented, not area-oriented.
     • Complex topology leads to mistakes.
     • The software could check these things, but it often doesn’t.
     • (Apparently graph coloring algorithms are too fancy?)
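One way to catch the door-versus-area mismatch that Trick 10 describes, as an added example (not code from the talk): treat each door rule as a directed edge from the reader side into the secured side, with free exit the other way, then compare what each tag group can actually reach from outside with what the administrator intended. The building layout, groups, door rules and the wrongly mounted reader below are all constructed.

```python
"""Area-reachability audit for door-oriented access rules.
Added example, not code from the talk; layout, groups and rules are constructed."""
from collections import deque

# A door rule is (reader_side, secured_side, groups): entering secured_side from
# reader_side needs a tag in `groups`; leaving secured_side is free (handle or push
# bar), which is how a single reader per door is normally mounted.
DOORS = [
    ("outside", "lobby", {"staff", "visitor", "cleaning"}),
    ("lobby", "office", {"staff", "visitor", "cleaning"}),
    ("lobby", "meeting_room", {"staff"}),      # visitors should use this room, nobody granted it
    ("lobby", "server_room", {"staff"}),
    ("office", "server_room", {"staff", "cleaning"}),  # second door added later: cleaning by mistake
    ("lab", "office", {"staff"}),               # reader mounted on the lab side: office -> lab is free
]
INTENDED = {  # what the administrator believes each group may reach
    "staff": {"outside", "lobby", "meeting_room", "office", "server_room", "lab"},
    "visitor": {"outside", "lobby", "meeting_room", "office"},
    "cleaning": {"outside", "lobby", "office"},
}

def reachable(group, doors=DOORS, start="outside"):
    """Breadth-first search over areas: follow every door the group can open plus
    every free exit, regardless of what the door list 'looks like' per door."""
    edges = {}
    for reader_side, secured_side, groups in doors:
        edges.setdefault(secured_side, set()).add(reader_side)  # free exit direction
        if group in groups:
            edges.setdefault(reader_side, set()).add(secured_side)
    seen, queue = {start}, deque([start])
    while queue:
        for nxt in edges.get(queue.popleft(), ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def audit(intended=INTENDED, doors=DOORS):
    """Per group: areas reachable but not intended (over-grant) and intended areas that
    cannot be reached from outside (a missing rule, which invites propped doors)."""
    report = {}
    for group, areas in intended.items():
        r = reachable(group, doors)
        report[group] = {"over_grant": r - areas, "unreachable": areas - r}
    return report

if __name__ == "__main__":
    for group, findings in audit().items():
        print(group, findings)
```

With the constructed layout the audit reports that cleaning can walk into the server room (and on into the lab) through the office, visitors reach the lab through the misplaced reader, and nobody can open the meeting room for visitors.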
  31. Digital access control, part 3: Installation issues
  32. Trick 11: Wank the door handle (Special thanks to Tapio Vuorinen)
     • Video
     • Rough handling may break the lock or the door handle!
     • Why did that even work?
  33. Trick 12: Power the motor
     • Access the wiring between the lock and the control box
     • Apply voltage to the motor, bypassing the reader completely
     • This should not happen if everything is installed properly.
  34. Variation: cut the power
     • Will the lock fail open? Or fail closed?
     • For safety reasons, people need to be able to get out if power is lost.
     • If there is no mechanical backup, the lock will almost certainly fail open
     • -> a fail-open lock will open if you cut the power somehow.
  35. Trick 13: Control box on the wrong side (2019)
     • This really, really surprised me!
     • Encryption, heavy locks or doors can’t help...
     • Do they check this in audits? Did you check?
     • (Diagram: the locked office / the public space; door, reader, lock, control box. Lifting the panel: 10 seconds. Screwdriver: 1 euro. My face: priceless :))
  36. Mitigations
  37. Mitigations
     • PIN codes: a copied key is not enough
     • Proper implementation (control box placed properly etc.)
     • Proper standards (MIFARE DESFire, encryption)
     • Tamper-resistant stuff ($$$)
     • Proper doors, windows etc.
     • Alarm system (separate from access control if vulnerable to key replays)
     • Check, don’t assume!
     • Proper administrative controls
  38. Risk management
  39. Risk management and audits (Thank you Heikki Stark & Nixu for the awesome sticker :))
     • Security costs money. Some of the mitigations are not free.
     • Do you know the risks? I didn’t.
     • Who made the trade-off? Did you or the owner of the building?
     • I can’t tell you what is an acceptable risk to you.
     • Most security audits are not thorough
       • Katakri or other auditors don’t care about copied tags.
       • They don’t check the control box locations and such.
  40. Thank you. Let’s be careful out there :)