DEF CON 23 - Dennis Maldonado - Are We Really Safe? - Bypassing Access Control Systems

Captions
Wow, so many. So, uh, that thing over there, is it translating everything I say? Does it do naughty words at all? No, I shouldn't. Okay. Welcome. So, wow, there are a lot of people. This is a lot bigger than the first one on Track 1 up over there next to Track 4. It's made me kind of nervous, but it's okay. So I'm Dennis. Some of you know me, most of you don't, so let's just jump right into it: Are We Really Safe? Hacking access control systems. I'm going to talk a lot about access control systems that matter to you guys. You've seen them, you see one up here, you've seen these in your apartment, in your gated communities, everywhere. So let's dive right in. First, actually, I'm Dennis. I'm a security consultant at KLC Consulting. We do security stuff; my job is to hack things, and this is one of those things, so you'll hear a lot about what I've done in the past year with my research on this. You can hit me up on Twitter; I love to use Twitter, especially here at DEF CON. For those who are interested, I'm also co-founder of Houston Locksport, a lock-picking club. Hey, there you go. My other co-founders, [inaudible] and Jake, are here with me, and we just drink beers and pick locks. I was going to heckle and I'm getting heckled. I'm also rebooting HAHA, for people who are interested, the Houston Area Hackers Anonymous, similar to AHA, Austin Hackers Anonymous. I'll be rebooting that, so if you're interested and you're in the Houston area, come talk to me. All right, so the quick agenda, real quick: I'll be talking about what physical access control is and what an access control system is, then I'll talk about a specific vendor that I've been doing research on. The reason I'll be talking mainly about this one vendor is just because of time and money, right? This thing cost $1,700 and I don't have enough money to buy every single one out there, so I focused on one for now. And then, after we
talk about how they work and kind of the architecture of them, we'll talk about attacks, local and remote. I'll demo some things. I've got a tool that I might release, and then of course some device enumeration and some recommendations, because I had to. So let's get started: physical access control systems. First, what are they? They are systems with the purpose of limiting access to a specific physical resource. There are many things you've seen that can be: commercial buildings, shared office spaces, so on and so forth. They secure areas by hooking up with doors, whether it be an electronic lock or a magnet or a door strike or anything. They also use gates for apartment communities, elevator floors, and barrier arms for parking spaces. How do they work? You have many different ways of authenticating to an access control system. A lot of you who live in gated communities have a little key fob like this, where you press a button and it opens a door; or maybe it's an RFID reader; or you can go up to this keypad over here and press the buttons, or whatever you need to do. Real quick, I'll talk about what this demo is, because I kind of forgot to talk about that. Here I have a Linear access controller. It's set up just like it really would be in a large apartment complex, except there's only one, not twenty of them. What you see is picture frames with lights underneath, one, two, three, four. Every time you see a picture frame light up, that means door 2, in this case, or door 3 has opened. So imagine that. Unfortunately you'll never see door 1 open: during my experimentation I kind of blew up, literally exploded, relay 1, which controls door 1, so it's never going to work. Just warning you guys. Okay, moving on. You've got swipe cards; you've got all these things that you can use to authenticate to these. Where are they used? Again, like I said earlier, they're used in gated communities, parking garages, office buildings, all that stuff, and it's
even used in commercial facilities. Walking downtown Austin I would see it guarding some, I don't want to know what it was, a post office or something. So they're pretty much everywhere; you can walk up to them. Here's just a bunch of different vendors I've seen: there's DoorKing, you may recognize some of these, Chamberlain, Sentex, LiftMaster, I'll go back since that was kind of too fast, LiftMaster, and Linear of course. Now they're calling themselves Nortek Security & Control, but all the boxes still have the word Linear on them, so we'll talk about this one more in a bit. Here are some pictures I took walking around. You've got a bunch of these mounted outside buildings; you can use your RFID card or keypad, whatever you want to do. You've got some outside apartments or outside offices, more commercial buildings. This one I think was in a nursing home. You have some next to elevators, because they can control elevators; you can authenticate whether someone can be in an elevator and on specific floors. What you see on the right is three grey boxes: those are also access control systems, much like this one here, but they're headless. They don't have keypads or screens or anything. They're used for expanding an existing installation, or for installations that only require, for example, RFID readers and don't require a keypad. Here's what they look like inside: same thing, same components as the one I have here on the table, just without a keyboard and without a big display. This one's actually pretty funny, because you see this one's kind of mounted on the wall. You'll never guess where I found this one. I just wanted to use the bathroom and I was very curious what was inside that grey box, so it may or may not have already been opened, and I took a peek and voila, access control. It was protecting the doors for that building. That was pretty funny. Okay, so let's
talk about Linear access control. I showed you this picture earlier. Linear, the vendor, also known as Nortek Security & Control, have a few different models of commercial access control systems: the AE-1000, AE-2000 and AM3+. The AM3+ is that toilet one I just showed you, but they're all pretty much the same. They all do the same thing, they interface the same way; the only difference is that the 1000 and 2000 have a bigger screen. You see it's much bigger; a bigger screen, that's the only difference. The AM3+, like I said, doesn't have a keyboard or anything, but they all do the same thing, so anything we talk about is going to apply to all of them. Let's go a little deeper into those. This is a Linear controller. It's pretty fancy; it's got a lot of cool features. It's great for big installations because it can be networked. It utilizes a telephone line, so someone can go up there, press a specific directory code, it calls someone else and they press 9 to let you in. We've evolved from that. It also supports thousands of users, so it's great for any big installation. It can be networked with other controllers: these can only control 4 doors at a time, so if you want more doors you add more controllers to the network. And the best part is that it can be configured and controlled through a PC, and it can be networked, so apartment management in a different state can manage all those small communities they have all over the United States. So this is a kit. These things are rarely installed just by themselves, because they're pretty expensive; who would want to do it just for their home? So they're usually installed in big installations, and to do that they use this kit, the TCP/IP kit, which is just a device that pretty much turns the serial connection into an IP connection, a TCP connection, and that'll allow the management of the community to actually manage it from a computer, whether it
be on the network locally or remotely online, as in that example of a management company in a different state. Let's talk a little bit about the architecture and how that works. The controller here, the AE-1000 Plus, interfaces through serial and connects through a serial cable to the serial-to-TCP device, and that converts the connection into a TCP connection, which is then plugged into a conventional network, a switch or anything like that, and then a management PC anywhere can connect to it. It's pretty simple. This is a typical installation I've seen, and now to refer to that controller you're just referring to a specific IP and port, in this case the IP on the slide and port 4660, which is the default. Here is pretty much the same diagram, except this actually came from the documentation: you have the controller, you have the serial-to-TCP converter connected to a network, you've got a computer, and of course the documentation actually does encourage that you hook that up to a DMZ or an Internet-facing device so that you can control this from the Internet. So that's pretty cool. Well, pretty cool for some people. How does the computer communicate with the controller? They use software called AccessBase 2000, developed by the same guys, made just for this. It's pretty thorough software. It allows the management to add and remove users, like entry codes or transmitters like this, anything like that. You can even control the controller: you can manually toggle the relays, so you can open doors remotely, you can lock them so you can keep them closed. You can even view log reports. This controller stores logs every time someone accesses a door it controls, or even opens the door right here on the controller; it logs all of this, so that's pretty thorough logging. It does communicate through serial, like I said, but again, when you have that TCP converter, like most installations
do, then it's a TCP connection in your eyes, and it does require a password to authenticate. Here's the screen. I hope you can see it, it's kind of small, but what you see here is you need to type in a password to authenticate and use the software with the controller. It's pretty interesting, because the password is exactly six characters, no less, no more, exactly 6, and numbers only. So you can imagine the key space: 1 million passwords exactly. That's it. So maybe a problem; we'll look into that in the attacks. First, how does it communicate? How does the software actually communicate with the controller? When someone's using the software on the computer, you have the software sending a hex-encoded string over this connection to the controller, whether it be a string to open a door or request the logs or anything like that, and the controller will respond back with another string. The string is consistent: it could be acknowledged, meaning it performed the command, or it could be not acknowledged, meaning the command was a bad command. Let's say you tried to open relay 5, and that doesn't exist; you'll get not acknowledged. Or invalid checksum: this does utilize a checksum to ensure data integrity, so if the message is wrong, if you get a bad connection or something, it'll spit back a bad checksum. Or it will actually give no response if you're not authenticated: if you didn't put in the correct password first, you won't get a response at all, so if you get no response, you're probably not authenticated. Let's break down the message real quick, just so you guys have a background. This is hex encoded and it's sent to the controller in hex, so every 2 characters is one byte. The first two bytes are the packet header; that's fixed, that's hard-coded. The packet header is always going to be 5a a5. The next two bytes are a minimum
data length; what you'll see highlighted in yellow is the data. When you send a command, the minimum length of that data can be 0. The maximum data length is the next byte, and that in this case could be 0a, and for those who know hex that's 10 in decimal, so the length of the data can be 10. Then you have the net node, and what that is is just the identification number of the controller relative to any other controllers on the network. It's 11 in this case; if there was another controller here, that might be another number. There's an algorithm for computing that. Then you have the command, and the command can be different. In this case this whole string is a password command; it's submitting, it's trying to say, hey, is this the password? So that's 0 1. There are a bunch of other commands, like polling the logs, polling status, doing a flash firmware update, so there are a bunch of different commands from 01 to 0F, which is 16 or 15, one of those numbers. Then the next, in this case, 5 bytes, actually 6 bytes, excuse me, this is the actual data. Like I said, this is a password request, so what I'm doing is saying, hey, is 1 2 3 4 5 6 the password? And the data there, you see 36 35, that is 1 2 3 4 5 6 hex encoded and then reversed, for some reason; it wants to reverse the data and then send it through. So that translates to 1 2 3 4 5 6. The last 2 bytes are a checksum. Like I said, it ensures data integrity and makes sure it's the message it's supposed to be, and that checksum is calculated from everything from the beginning of the net node to the end of the data. It calculates a checksum from that, and if it's correct, all systems go. All right, so we've talked about how this works; you guys have a good understanding. Where am I on time? I'm good on time. Let's talk about attacks. First, how can we target these controllers? Well, they're meant to be walked up to. They have
number pads, they have displays. You walk up to them at a gate or building, and so you have physical access. What can you do with physical access? Well, maybe we can do local programming, because some of these things can be programmed locally if you don't want to do it through a computer, if you have a much smaller installation or maybe an older version that doesn't support computer management. There's also a serial interface inside these devices if you do want to configure it through a computer. Since we have physical access, let's talk about local attacks first. Default password. This is an AE-1000 right here on the desk. There is an AE-500; what that is, it's pretty much similar to these, it's just much smaller. It only supports 2 doors instead of 4. It doesn't allow for computer configuration, no serial interface or anything like that, because it's meant for much smaller installations; it's a lot cheaper. It's meant for one or two doors or a gate at a really high-end home. Those have a default password. Those can always be programmed locally from the keypad, because you can't control them from a computer. To get to the part where you can start typing the password, you hold 0 and 2, and that will pop up a password prompt. In the documentation, and all this documentation is available online, the default password is 1 2 3 4 5 6. And who changes that, right? When you're paying a contractor to install this, the lowest-bid contractor, they're most likely not going to care about the password, so they're going to leave it like that. You're not going to notice. And the default password to manage these devices is 1 2 3 4 5 6 regardless of what your entry code is. So try 1 2 3 4 5 6 and see what happens. Pound is just the enter button; you press pound and see if it works. Once you're in, because trust me, you're going to get in, put in the following commands. You have
31 pound, 9999 pound, you have all that string, and I'll talk about what that is in the next slide. What that does is input your own back door: it inputs your own entry code into the system. So now when you walk up to the device you type in your new entry code, 9 9 9 9 in this case, and access granted. Let's talk about what we just did. Hold on, we've got more. 1 2 3 4 5 6 pound, we just typed the default password; we're in. 31 pound enters the entry code entry mode, right, that's where you enter a new entry code and program it. Then 9 9 9 9 pound is our entry code. You can do whatever you want, 1 2 3 4 5 6 or 9 9 9 9, but 9 9 9 9 is better because no one has that. Then you do it again, 9 9 9 9, just to confirm it, because it wants you to do it twice. And then 9 9 pound exits programming mode, going back to normal functionality. Then you just type in your entry code and you're in. Oops, I forgot I did that. So boom, that's the summary. I'm going to show you how quick it is to do that, all that I just talked about. You'll see how quick it is. There you go, access granted, and that's where the applause should come in, but... you see that was done in less than ten seconds. So if I find one of these devices, I can literally quickly do my thing, walk off, and now I have full access to whatever that's controlling, forever, because there's no way that I found where you can actually list the entry codes. If you're suspicious about it, you just have to erase everything and start over. So it's a really cool hidden back door. What else can we do? Master key. Hmm, this is going to be interesting. So I bought this, well, my company bought this for me for research, and of course it came with a key. It turns out, when I found this out I was flabbergasted, to say the least: same key for every device. This AE-1000 Plus you see here, most of you, some of you, have probably seen it; this is one of the most common ones I've
seen in the United States. When you see this, the key that it came with, right here, I'm holding it in my hand, works for this, but also works for all of my other apartments that I may or may not have tried it on. It works. So I confirmed that it works for every AE-1000 where no one has changed the lock, and I've never seen someone change the lock. It also works with the AM3+, the one that I saw in... I didn't try it on the toilet, but the same model that was on the toilet; it works for that too. It might work on the AE-500. I never tried it, but why wouldn't it, right? So the same key works for all of them, and you can purchase them on eBay if you're lucky enough. I haven't found one, but if you're lucky enough you might find one on eBay. You could pay $1,700 and buy this whole thing and get the key, or, if you're lucky, the AM3+, the smaller one, find the enclosure alone, just for that; it should come with the key. It's a hundred bucks and now you've got access. But please don't buy the key; you don't need it. Of course you can just pick the lock. It's a fairly simple lock; anyone who's decent at lock picking can pick it, and of course it gives you full access to the device. Let's talk about that, but first, for those who are into making keys, that may or may not be the exact bitting code. The PowerPoint will be online. Physical access. What does physical access get you? Well, if you are able to open this device, whether by picking the lock or having a master key or it's just left open, in this specific AE-1000 there is a relay latch button. Relays are how the doors are controlled; when a relay is triggered, the door is opened. If something is wrong, like if the software is not working, maintenance can come up, open it, and press the button to manually open a gate, just to leave it open so people aren't locked out. So guess what, there are buttons in there to open all the doors. Let me show you real quick. Awesome. So if
I were to open this, and I don't have an entry code or anything, all I have to do is open it and boom, I'm in, and that's it. And if I were mean and I locked this up, everything stays open, because those buttons stay locked open until I either press them again or reboot the device. So that's a cool way of entering if you want to enter with the key. Let's turn this off. There you go. Leave that open. So like I said, you can lock their state, so you can leave the gate open and finally have that cool house party you always wanted but didn't want to break the lease for. By the way, I mentioned relay 1 exploded, literally. If you can see, there's a bunch of soot around the capacitors next to relay 1. That was pretty fun; I had to fan out the house for that. What else does physical access get you? Programming buttons. You get to program the controller. There are programming buttons right there, and on other versions they're located somewhere else. You can program the device, or if you just want to be a dick, you can erase the memory, so have fun with that. There's an active phone line, for those who maybe want to steal the phone line, find out the phone number and put it back, and maybe you can call it and mess with it, or do some pen testing. And there's also a serial connection, so you can just connect directly to the controller, and all the remote attacks we're going to talk about work either remotely on a network or over a direct serial connection. You'll figure out soon why you would like the serial connection. So the last thing is, I just want to mention there's a tamper monitor switch. There's a little magnet on the corner right there that will detect when the case is opened or closed, so in the logs that I talked about you'll see tamper switch open, tamper switch closed. That's so people know if someone's messing with the device. The problem is there are no active alerts, right?
You can connect to the controller, go to a bunch of these buttons, and then you can actually view a log of someone opening and closing it, but nothing's active. There's no red alert, there are no email notifications. You'll never know it happened until much later, when you decide to download the logs and look at it. So really, tamper monitoring, there's also a problem: it's a magnet, right? For those who are doing the defuse-a-bomb competition right next door, that way, you can just use a magnet to bypass this tamper switch. Let me show you how to do that. Let's play. Probably press play. Where is it? Here we go. I'm opening the controller and you'll see the screen: it pops up tamper switch open, and then tamper switch closed when I close it. What I'm going to do is grab my big powerful magnet. It's pretty powerful, so I have to wear gloves. Put it right there where it is, be careful not to put it in the wrong place, and I open it, and when I open it you'll see absolutely nothing in the logs. You'll see the two existing log entries from earlier, but nothing new. So, tamper switch completely avoided. Thank you. Okay, we need more of that, not being sarcastic. So we've talked about physical access. What's next? The fun stuff, right: remote access. Remote access can be done, depending on the configuration of course, through an internal network. Let's say you're at the leasing office looking for a new apartment, and the leasing agent is busy with someone else, and you plug into the network port behind their desk. That's an example of internal access. Or the guest Wi-Fi network is not segregated properly. Then you also have external access: some people do have it remotely available on the Internet, so that would work too. Everything works over IP, and usually the default port is 4660. It can be changed, but usually who does that? So let's talk about remote attacks. First let me show you the software. Let's see if this works; hopefully I've
sacrificed to the demo gods. Okay, so you have the software here. It's pretty nifty. The way you connect is you press this little button and you connect, but you see here we get a message, wrong password, I hope you can see that. We're getting wrong password, so we don't have the password to authenticate. As we mentioned earlier, how can we fix that? Brute-force attack. This is fun, because like I told you guys earlier, six characters exactly, numbers only, tiny key space, so that's 1 million passwords. There's no rate limiting, so you're only limited by the connection speed, and there are no password lockouts; you can guess as much as you want. And this is scriptable: since the backbone is all serial, you can just script all this; you don't have to touch the application. So let me show you that. We don't have the password here, but I did write a nice little Python script that may or may not get released that'll do just that. What you're seeing now is it's brute-forcing. It's guessing the common codes, and if it doesn't find it, it will iterate through one, two, three, four, and so on. What you're seeing is it guessing more than once on the same password; that's because I'm having it, if it doesn't get a proper response, whether it's valid or invalid, just keep guessing until it gets a proper response. Serial is not very reliable, so that's why. And there you go, master code 0 0 0 0 5 1. It guessed it, it found it, and we're done. Let's go try that. Let's go to setup; here's how you type in the password. There you go, I'm connected, no error. Let me show you what I can do with that. Trigger: there you go, all three doors are open, all four doors are open. I'll quickly show you also here, if I just download the logs, let's go to... how do I go to logs again? I forgot. There you go. And just so you guys see, these are all the logs that I just downloaded. You
know, certain people I've granted access, locked open, and so on and so forth. I just want to show you guys. Okay, we'll go back. Brute-force attack, so that's cool. What's next? So we have the password now, but did we really need it? Apparently not. Normally you have to authenticate first; you submit the right password before you send any commands, right? What I found out is, when I send this device a command without sending in a password first, I wouldn't get a response, but it turns out it'll just run the command anyway. It won't tell me it did it; it'll just execute it. So I won't get a response, but it'll still work, and most commands work that way. What can we do with that? Open doors remotely. We can send a simple command to open a door. That's an example of the command that actually opens a specific relay. We send it over, it processes that command and executes whatever it's supposed to do. It doesn't send me a response, but it still does it, right? So it's still good, and it's great for movie-style scenes, because let's say you have the four museum robbers, whatever, and the hacker in the van, so that when the hacker is ready, the hacker presses a key on the computer, hacks into this, opens the doors, the techno music starts and everyone goes and steals the Declaration of Independence. It's great for scenes like that, kind of like red team engagements. So that's what we can do there. We can also lock doors open and closed. You can send the command to lock the relays, just like if I were pressing that button, and that'll keep the doors or gates either open, if I want to have that house party, or closed, if I want to prevent everyone from ever getting in. Once the relay is locked in a specific state, it will not respond to any key fobs or any actual legitimate access after that, until I unlock it or the device reboots. It
persists. It persists until it's rebooted. Another thing to do: those fancy logs, you can just delete all of them. All those logs are stored on the controller, and because the controller has limited space, whenever they're downloaded using the AccessBase 2000 software, they're deleted from the controller. So what do we do? We initiate a download for those logs with our Python script. We don't get the logs; we don't care, because they've all just been deleted, and we've hidden all the evidence of us doing anything. Another thing: if you do want to use the AccessBase 2000 software, because it does have some cool functionality, you can change the password. It turns out you can submit a database update, and it'll just say okay, and it'll change everything, including the password, back to default or to whatever we want, and now we can get in with the default password. You can pretty much upload anything: you can upload directory codes, transmitters, any back door you want. And then the last thing I'd like to talk about is a denial of service, which, if you want to be a dick about it, you can do by faking a database update. When you send it the database update, you don't tell it that you're finished; you just send it the request and go home, and this device will just keep flashing database update in progress. When a database update is in progress it locks itself and nothing will happen: no transmitter will work, no entry code, nothing. The only way to fix it is to stop the database update (there's a command to stop it) or you can just reboot the device. Another thing you could do is overwrite the device firmware if you want to brick it. Again, to be a dick, you can just break the device and make it completely useless to everyone. Or, like we talked about earlier, you can lock the relays and keep the doors shut so that no one can get in. So for all those attacks we've talked about, what I've done is
I've developed a pretty simple tool to demonstrate these attacks. I really couldn't find a good name for it, so I call it the Access Control Attack Tool, because I do want to expand to more access control systems, not just this one. But it is pretty neat that I can say, hey, you guys can go download ACAT off the Internet. Let's show off this tool. Let's see if the demo gods have been nice. I have this Python script. It works on Windows; it works on Linux as well, though some things don't work. You can either refer to the controller through a serial connection, COM1 through whatever, or an IP address. Let's do that. Let's maximize. Okay, so here's my tool. Pretty simple; it's as point-and-click as you can get in the command line. You just type whatever you want; you have a bunch of options here. Let's just try a relay. What this does is trigger the relay for two seconds by default, or whatever it's configured to be. I'll open one; well, let's open all of them. 1, 2, 3, 4, there you go. So this Python script just opened all 4 doors, and no password was sent. Nothing was sent; it was completely unauthenticated. I just walked up to my laptop with the script, plugged into the network, found it, and sent it these packets, and the relays are now open. Another thing you can do is lock them open. 3, 4. So now all four are locked open; trust me, one is locked. Those will stay locked until I unlock them or reboot the device. Let's unlock those real quick: 4, 1, 2, 3, 4. Now they work again. Another thing to do is lock them closed. Oops, wrong one. There you go, lock them closed. Let's lock two closed. So two is now locked closed, and if I were to try to use the normal transmitter, nothing happens; no one can get in with relay 2, or any of the relays. Let's unlock them again. Two is unlocked, and there you go, it works again. So that's a cool thing. Let's show... okay, so this is the one that
sometimes doesn't work but we'll hope it works deleting the lock so everything we just did either was Python script or this transmitter that I'm holding or even opening and closing that enclosure it's being logged in the internal memory so when I download that I'll get all that all those logs so what I'm going to do is I'm going to initiate a download and what that's going to do is it's going to download the logs never get them but they're going to be deleted from the controller so I've initiated that process it's working on it it's trying to see if it's getting any feedback back and then once it's done locks have been deleted so let's exit here and let's see if that works so I'm going to go to here connect there you go connected and this button is used to download logs it'll show a dialog box with the number I'm downloading if it shows zero then the demo were so let's do it six so it worked but what I did notice is when this device has been rebooted and I did reboot it earlier before the demo started there are six log entries of it starting up that never get deleted for some reason so just take my word for it that it worked and we're going to applaud for that too yeah so if you did look at the log it's kind of a mess now you wouldn't see any of this access granted stuff so let's uh let's connect back to my script so there you go so we're connected back the next thing you can do is let's do upload default converge so we're connecting to this with default with the password of zero zero zero zero five one I'm being attacked am i no okay I guess we're good so we're connecting with the password that we boot for us earlier so let's go back to the default password okay while they're doing that I'm so what I just did is I uploaded a default password to the device so let's see if that works so ideally if I connect with the existing password it should fail wrong password there you go so now let's go back to using default password one two three four five six and I'm 
connected there you go so just upload the full password who needs to boot force you guys are so kind I'm going to scare this hey hey how's it going oops excuse me okay have fun so Wow are you giving me your computer that's awesome I'm right here I'm not moving from this fun press so you want really I know just just press tempo I assure you something happened Shh everybody clear the room you all know how this works how is he doing as a new speaker are you are you hungover nope you will be what is this oh no no oh you giving me that question mother there's got to be better than that - okay after you drink that I'll be back with something better oh hi - to DEFCON 2 newspapers you still want that next one come at me bro thank you very much thanks poof I'm not used to that I don't do a lot of shots so it's burning my insides speaking of burning my insides Donna last service thank you very much no I'm gonna I'm gonna ride this out okay so the last thing I want to show that this tool can do denial service so you have the normal functionality is that letting up no yes no okay I think something just broke right now but this one still lights up so normal people coming up you know going in the gate going home wanting to watch Spongebob or whatever except I you denial-of-service patroller has been done so I'll take your word for it but what you should see on this screen is this should show database update in progress no no not working mm-hmm that's right again ooh okay boss no longer works let's try this for one thing my controller got drunk okay what this will do is this a flash database update in progress and it would stop working and then all I have to do is in the same script you can stop it and then everything's back to normal so that's pretty much the extent of my tool I'm going to give it one more try trust me one more yep still doesn't work okay so trust me it works and it's really getting hot in here okay I'm a new drinker I'm hung is it normal that I'm hungry so now 
that we've talked about attacking these controllers and I'm good on time let's talk about locating these so how do we find these device Nemer a ssin technique so one thing you can do is you can scan for these devices on a network if they're hooked up the typical installation scan for them look for any comp or tree directors because that's what they are they're usually default port 4 6 6 0 there's a specific one that's branded linear that comes with this of course theoretically anyone would work so you can scan the network the fault port 4 6 0 other you can do is you can send a UDP broadcast to UDP port 5 5 9 5 4 and if any devices are on the network it'll respond so if you look at that little graphic there an attacker can send a UDP broadcast to the network with that specific unity port and any devices will respond back to the network with that broadcast packet and subscribe ack to the person who initiated that broadcast and so that's how you can identify any of those devices on the network another thing and then once you've found it you can send it a password request ring so regardless of if you've authenticated to it or not you will get a response back whether the password you try to guess is valid or invalid so you can send this device a password request ring and if it's a linear box it will respond back whether it's a valid or invalid password so that's again the same if you saw earlier that's how it works you send it something good response back so let's demo yet another tool that I uh that a third tool that I wrote just for that so what this will do is this will send a broadcast packet through UDP and listen for any responses and it'll find them if it finds any response it will take that step further and send a password request to that IP address it found and check if it's an actual linear controller so let's do that so it did find a device now let's scroll up and now it's going to check we'll make sure it actually is linear and there you go linear access 
controller actually detected it is linear it's a hundred percent confirmed at its linear and if you see that Asterix it also by the way confirmed that it's using the default password of one two three four five six so so that's what that tool does and that may also get released so cool we talked about all the fun stuff now we have to go to this stuff recommendations how so I mean I'm not really going to talk about you know how you know the specific vendor can fix these issues I'll just talk about how you as a apartment management for example can can kind of remediates some of the issues so some of the obvious being always change default password don't use one two three four five six use something different I would love to say use a more complex password but that just doesn't exist for these devices um another thing while it's really fighting back I tell you man ooh drinker uh and I can't burp for some reason so okay so change physical locks the met the master key here works so changed lock you have the ability to change it I see a screwdriver there so I imagine you can remove it and put a new core in there so change that lock you don't want the gut the apartment manager next door having act the same access to your apartment as he does his apartment or her apartment so change lungs another you can do to fix you know kind of remediate these remote attacks is use a direct serial connection instead of having this on a network if you had a direct serial connection these vulnerabilities aren't fixed but you are at least not exposed on a tcp/ip network so doing that you know just would make it a little harder or a lot harder for an attacker to attack these controllers if you do network these devices utilize authentication these comp or tree directors the serial to TCP devices do allow for authentication no one ever ins uses it it's not pretty intuitive to use but learn how to use it and utilize that authentication set not anyone can connect to the IP address of the device 
another thing is of course resist the urge connect this to the Internet like don't have it online just don't forward the port and you know just like anything keep it off the internet unless it really needs to be so final thoughts so I didn't I didn't write this talk to you no crap all over one vendor I just you know this is don't you know the one I had time and money to invest researching but I just wanted to open the door and open people's eyes to the fact that if all these issues exist on one vendor they're most likely exist on other vendors so just because you have a syntax or Chamberlayne doesn't mean you're not it doesn't mean you're secure it you could have the exact same issues maybe in just different ways so you know be cautious out there hopefully I'll do some more research on this so I do plan on doing more research on this device and more research on others whenever I can you know get my hands and those things so that's ongoing the tool so these are prototype tools they're more work as needed until one has already failed but a tool is already uploaded it is located on github it's open source I whatever license I'll put some open-source Creative Commons what a license to it I do it's called it a access control attack tool I do intend on furthering it to do a lot more with this and a lot more with other controllers as well so feel free to mess with it feel free to download it I need a completely overhaul it to make it more idiomatic right so if you guys wanna help me with that that'll be great so it's up there already I do want to work on an nmap script to do what my Python script does I want it to detect device on the network and that'll be great for actual Red Team assessments if you know the client is using any of these maybe even a Metasploit module to if you guys want and last but not least the slides are on SlideShare so you can download the full version of these slides they're available don't think you'll have to download it from SlideShare to view 
the videos but it's all there so so that's all I have any questions and the physical location so you mean you see it right and okay so most of the time unless they're configured properly you won't be able to tell where it is now if that device if people you know you know upload hey this device is named this into the firmware then you might be able to find it that way but that's sometimes not the case another thing you can do is these comp or tree directors there's a specific UDP packet that you could send to it and what that'll do is if you can see this device somewhere if you send it that UDP packet it'll actually beep so you can locate it so you can always I didn't want to talk about it because I want to spend too much time but that's that's one way you can find it other than that you're pretty much screwed from there so I have oh yes one more question because I have only one minute then you can talk to me later so Oh RTFM read the manual I I was hooking up one a little test light little red light to this and I didn't read the manual so I found out that the relay was rated for 30 volts not 120 so that message so anyways that's all I got I'm out of time you can any questions you can hit me up on Twitter at any time email me or find me right here at DEFCON thank you thank you very much
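A defender-side way to act on the enumeration and recommendation parts of the talk, as an added example that is not part of the talk or of the speaker's own tools: a small Python detector run over constructed flow-log lines. It flags UDP broadcasts to port 55954 (the discovery probe the talk describes), TCP connections to port 4660 from hosts outside a management allowlist (the "only known hosts may reach the serial-to-TCP device" recommendation), and bursts of TCP 4660 sessions from one source within a short window, which is what repeated password guessing against a device that answers valid/invalid without authentication would look like on the wire. The log format, the addresses, the management-host list, the threshold and the window are all assumptions made for this example.

```python
"""Network-side detection for the behaviours described in the talk.

Everything here (log format, addresses, hosts, threshold, window) is
constructed for the example and is not taken from the talk or the tool.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress
import re

DISCOVERY_UDP_PORT = 55954      # UDP broadcast discovery port named in the talk
CONTROLLER_TCP_PORT = 4660      # default TCP port of the serial-to-TCP device
BRUTE_FORCE_THRESHOLD = 5       # assumed: TCP sessions per source per window
BRUTE_FORCE_WINDOW_S = 60       # assumed: window length in seconds

# Constructed flow-log lines in a hypothetical key=value format.
# 10.0.5.50 plays the controller's serial-to-TCP device, 10.0.5.10 the
# management workstation, 10.0.5.77 an unknown host on the same LAN.
SAMPLE_LOG = """\
2015-09-09T10:00:01Z proto=TCP src=10.0.5.10 dst=10.0.5.50 dport=4660
2015-09-09T10:01:12Z proto=UDP src=10.0.5.77 dst=10.0.5.255 dport=55954
2015-09-09T10:01:13Z proto=UDP src=10.0.5.50 dst=10.0.5.77 dport=41000
2015-09-09T10:01:20Z proto=TCP src=10.0.5.77 dst=10.0.5.50 dport=4660
2015-09-09T10:01:21Z proto=TCP src=10.0.5.77 dst=10.0.5.50 dport=4660
2015-09-09T10:01:22Z proto=TCP src=10.0.5.77 dst=10.0.5.50 dport=4660
2015-09-09T10:01:23Z proto=TCP src=10.0.5.77 dst=10.0.5.50 dport=4660
2015-09-09T10:01:24Z proto=TCP src=10.0.5.77 dst=10.0.5.50 dport=4660
2015-09-09T10:05:00Z proto=TCP src=10.0.5.10 dst=10.0.5.50 dport=443
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) proto=(?P<proto>TCP|UDP) src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)


def parse_line(line):
    """Parse one constructed flow-log line into a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    rec["dport"] = int(rec["dport"])
    return rec


def is_broadcast(addr, network):
    """True for the subnet's directed broadcast or the limited broadcast."""
    ip = ipaddress.ip_address(addr)
    return ip == network.broadcast_address or ip == ipaddress.ip_address("255.255.255.255")


def analyze(log_text, management_hosts, local_network="10.0.5.0/24"):
    """Return (alert_kind, source_ip) tuples, one per distinct finding, in order."""
    net = ipaddress.ip_network(local_network)
    alerts, seen = [], set()
    tcp_times = defaultdict(list)       # per-source timestamps of port-4660 sessions

    def raise_once(kind, src):
        if (kind, src) not in seen:
            seen.add((kind, src))
            alerts.append((kind, src))

    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        src, dst, dport = rec["src"], rec["dst"], rec["dport"]

        # 1. Discovery probe: UDP broadcast to the discovery port.
        if rec["proto"] == "UDP" and dport == DISCOVERY_UDP_PORT and is_broadcast(dst, net):
            raise_once("discovery_broadcast", src)

        # 2. Controller access from outside the management allowlist.
        if rec["proto"] == "TCP" and dport == CONTROLLER_TCP_PORT:
            if src not in management_hosts:
                raise_once("unauthorized_controller_access", src)

            # 3. Burst of sessions from one source: sliding window per source.
            cutoff = rec["ts"] - timedelta(seconds=BRUTE_FORCE_WINDOW_S)
            tcp_times[src] = [t for t in tcp_times[src] if t >= cutoff] + [rec["ts"]]
            if len(tcp_times[src]) >= BRUTE_FORCE_THRESHOLD:
                raise_once("possible_password_guessing", src)

    return alerts


if __name__ == "__main__":
    for kind, src in analyze(SAMPLE_LOG, management_hosts={"10.0.5.10"}):
        print(f"{kind}: {src}")
```

The unicast reply on line three (the device answering the prober on an ephemeral port) is deliberately not alerted on: the broadcast itself is the signal, and the allowlist rule is what enforces the talk's recommendation that only known hosts should ever talk to port 4660. A real deployment would feed the same rules from firewall or NetFlow exports rather than the constructed text above.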
Info
Channel: DEFCONConference
Views: 93,179
Rating: 4.942029 out of 5
Keywords: physical security, Access Control, DEF CON (Conference Series), DEF CON 23, DC23, dc-23, Dennis Maldonado, access control systems, conference, security, security conference, DEFCON 23, hacker, hack, hacking, hacker conference, DEF CON 2015, Computer Security (Software Genre), security research
Id: -cZ7eDV2n5Y
Length: 46min 17sec (2777 seconds)
Published: Wed Sep 09 2015
Reddit Comments

One of my favorite talks of DC23.

2 points, u/thesle3p, Nov 17 2015

Are there any more talks of this nature!? I'm absolutely obsessed with things that are supposed to function as "security" but offer little resistance. I was following a story line where a guy named Logan Lamb was going to expose home alarm systems for what they are, but had to cancel due to "external pressure" as he put it, I think.

Please excuse my lack of knowledge, I'm just recently learning about this stuff. Fascinating.

1 point, u/Raka_, Feb 12 2016