How Threats Are Slipping In the Back Door - SANS ICS Security Summit 2017

All right, a lot of people back from lunch, a lot of people full of lunch. Hopefully you're not all too low-key from that, but we're gonna, we're going to snap up with some fun stuff here, I think. So yes, I am a physical side penetration tester. I'm also really loud, so feel free, if you're getting feedback or from screaming at you, just, you know, throw something at me, because I don't know how to be indoor voice.

You can see me at conferences in nice clothes, you can see me in meetings and such where I get all dressed up with a, you know, collar or suit, but the consultant side of my job is not the fun side of my... well, I mean, I like it. I like talking to you all, I like being up here, I like solving problems. I like being the problem a lot more, though. So the fun side of my job is bragging and stuff. Physical side, physical entry, covert entry, that's what my team and I do. This is us somewhere we completely shouldn't be, just, you know, blazing in there with cloned badges and popping the alarm system and so on and so forth.

My fiancee, in an interview she was given, she was like, "Oh, you know, my man, he's basically professionally dangerous," and my whole team just decided that was the moniker we love, so we just want to make that our marketing brochure, because we have a whole lobster vision and PPD and other such. But the covert entry side is what I love to do, and most of the people in this room, more than most of the rooms I show up at, most people here get this. A lot of times you'll see me at, you know, like the SANS nationals or like a Black Hat event or a very IT-focused event, and there the physical side just kind of doesn't even resonate with a lot of folk in that world. Here, you really grasp the technology is a hands-on thing, the network infrastructure is a hands-on thing. I used to be a sysadmin, right? Like, I lost all my keyboard-fu just about nowadays, but if I'm on a physical entry I can still get to the infrastructure and, like, throw console cables into stuff. I'm a dummy,
but I can do that, and that's going to get me... there's my rewriting, you know, single-user mode, firewall rules, whoo. Like, if I can get to your infrastructure, if I can touch it, that's the ballgame. So most of you get that, and you fortunately have to kind of kick that argument uphill really hard sometimes, but the idea that you can do everything right when you're standing up your equipment and then undermine it all with, like, a trip to Home Depot is something I love to share and I love to talk about.

Now, because I work with a lot of public firms and utility companies, and they really do, you know, like, well, forget about, like, someone getting into the IDB IT, and here it is, here is the infrastructure. This is a water company. I was like, "What is these ups them down ones? I press up a bunch of times? What's this arrow?" Like, "Don't do that." I was like, "Well, I won't, but, like, I didn't just... I just walked in here." Not to mention, you know, depending on your industry, there's just a lot of bad things in, like, back rooms that people shouldn't be able to just walk out the building with, and again, you'll see later in this presentation where this cart of chlorine gas was being stored.

So as you heard in the bio, right, I'm known as a lock picker. If you see me at conferences, many times, if you see videos of me online, it's me clicking through images like this, like, who has a lock on their door, and do you know what's in your locks? And that's fine, like, I understand that not everyone has taken a lock apart and you don't really know how the pins work. And has anyone in this room picked a lock? I always, always ask this. That's a respectable number of hands. Maybe you've learned from some of us at a hacker event, maybe you've learned from other people at different walks of life, but what goes on inside of a lock is not hard to understand. So I've always been up, you know, on stages talking about this and saying, well, you could open a lock with a key, but you can also use picks. But a while back someone asked
me, they're like, "Man, I wish I was as good a lock picker as you." And first of all, I'm not a tremendous lock picker, like, there's better people with picks in the world, but they were like, "But man, even if, you know, I wish that was my job, like, breaking into stuff with my lock picks." I was like, you know, as cool as this is, and I could teach any of you if you want to learn this later, like, I always have picks on me, I always have locks laying around, but the person who asked me that made me really think. I was like, I don't remember the last time I used my lock picks on a job. Covert entry in the real world isn't this. Like, yeah, you could pick a lot of locks and get into places you shouldn't be, and as fun as that is, and as cool and James Bondish as this looks, that's not what we really do on our covert entry exercises. That's not what we do on most client sites.

So I said, well, maybe I'll put together a presentation that's way lower, dumber level, but it's the actual stuff that we do all the time. So instead of picking, why not talk about bypassing? So that's the entire focus of this talk, and some of it's going to be really silly. Like, let's get stupid right away, right? Do you know how many hinges I've knocked out on jobs? Like, pop the hinge pins, just walk that door away from the frame on that side. They even make a special little, like, tool for it so you don't have to bang a nail and do your thumbs, like this little orange tool. I've used this a lot. If you can see the hinges, chances are that door is accessible to you. Like, this is the inside of a door. It's got all these locks down it. You see all these locks? That's funny. What you don't see are hinges. Hinges are on the outside of this door. Completely valid attack vector. We've used it all the time.

Now, something I believe in very strongly: I'm going to throw a lot of crazy stuff at you in this talk, but I believe in throwing solutions, like, as fast as I hit the attacks. Stupid easy solution to this problem: it's called a security hinge. Look at the little
peg and the little hole on that left side image. Completely innocuous, it doesn't interfere with how the door works, but if you swing this door shut, that little peg goes in the hole, and from the outside, if I'm out there banging your hinge pins out, the door is still wedged into the door jamb. I can't walk it away from the door.

What is on the right side, by the way, if you don't want to go buy new hinges for everything in your facility, you don't want to, like, rehang all your doors: those are called jamb pins. They're model JP 10 or JP 12, depending on the thread spacing. That's made by a company called Major Manufacturing, they make a lot of locksmithing supplies. What are jamb pins? Well, let's see, you have a regular hinge, right? Back these two screws out, replace them with jamb pins. Back these two screws out, replace them with nothing. You just made a security hinge without rehanging your door, and it's super fast, it's very cheap, it's super easy, and it completely, for all intents and purposes, that, like, hinge pin problem right there. You don't have to flip the door around or anything crazy. It's super simple.

Want to get even, like, sillier? Let's talk about another silly thing here. This is a photo from a long time ago when I first met a friend of mine named Keith. A lot of videos of me online are with this British guy named Keith. He's a good friend of ours, he's been all over the world with us talking about lock-picking, but when I first met him I was in DC. I was like, I've emailed him for a while, "Keith, you're gonna be in DC? You live in DC? Yeah, we'd love to have you come to this event." I was excited, because I was like, "Keith, you're an actual trained locksmith, like, in the industry." I've never been a locksmith. I'm certified as a safe technician with the GSA and all this, but I've never been, like, in the field fixing doors and breaking into stuff professionally before this job. So I said, "Keith, I would love to get a look at your, like, daily carry kit that you used." He's like, "Oh yeah, I still have
that," pulls out this little zipper pouch and dumps all this stuff out, and I was like, "Huh, all right, well, that's kind of anticlimactic. I guess you're servicing things in the field, you're not really, like, breaking into stuff." He's like, "Oh yeah, this is my entry kit. These are my top three entry tools right here." What? This is back when I was a lock picker. I wasn't a bypasser, I wasn't a covert entry guy, I was a kid. I was like, "What, you just, like, you're slipping latches? That really works, like on TV?" He's like, "Oh yeah, this thing in the middle is my favorite thing ever. I found it at a yard sale." And what is it? He didn't even know. I eventually figured this out by going through old catalogs, and it's called a traveler hook. It's used in the garment industry, of all things, but it's a trick, it's perfect.

But here we have a locked door. We're just going to traveler hook this. Let's do that again. This is the water security, possibly public infrastructure, completely locked door, door shut. Yeah, so what is going on there, right? Well, it's just as silly as it sounds, right? We're reaching in, we're reaching into the strike area, grabbing the latch, just hooking and pulling the latch. It's just like if you were to use, like, a slim jim tool. You can get me slim jim, you think of an automotive entry, but you can use chopped-down slim jims in regular door entry. You're just getting into the strike plate area, you're getting into the latch, hooking and pulling. It's actually a technique that used to be called loiding way back in the day, because when celluloid was a common medium around, you just, like, credit card in a door. Loiding, latch slipping, these are all latch-based attacks, and you think they shouldn't be possible, and even some doors, you know, they put a big old plate so you, like, can't get to the latch. That's so quick. Let's see about this with a little bit of piano wire here. Blow loop.

So what's happening here? Why is this going on? Well, the problem is not the plate, or the lack of a plate, or
I can reach the latch. You shouldn't be able to do this to a latch. A proper modern door should be dead latched. It should be anti-loiding or anti-thrust mechanism. They're all different terms that mean the following: the latch of your door is highlighted in yellow here. That's what actually holds the door shut. Like, I can lean on the door and it's not going to fall open. That's the job of the latch, and many people will remember when that's all doors ever had. Sometimes you still see doors like this, like an interior passage door, like a closet door, but as most of us know, like, this is what a door really looks like now, some variation of this theme, where you have the main latch and you also have an additional mechanism, an additional little plunger, or sometimes it's a button beneath the main latch. It's an additional mechanism that is the dead latch engaging mechanism, or the dead latch engagement plunger, sometimes it's called.

You might not know this, because when you see this, the door's open, so it's all sticking out. When the door is shut, do you know that little plunger is supposed to be held back? That's how this works. If the latch sticks out into the strike plate, into the doorframe, that little plunger is not supposed to stick out. It's supposed to be pressed in, and when it is, that latch is now dead. You can't slip, hook, grab, shove, loid. The latch is dead.

The problem with a lot of the stuff that's in that video, and many others that are super hilarious, is just door fitment. If you have the wrong strike hardware, if you have the wrong spacing, or the door's not hung clean. Here's something I've actually seen: people, they'll close the door and they'll say, "Hey, you didn't close it all the way," and I'm like, "Look, I'm dumb, but I'm not that dumb in how the door works." So they said no, and actually go up to it, they go, "Okay, see, now it's really closed." Now, I've seen people do this. They're pushing the door so hard that they're actually popping that button out. They are undermining the whole purpose of a
dead latch that we've had since the 80s.

Here is RFID card-enabled or heavy-duty lock. This is a piece of garbage, like, literally. Let's watch that again. That's a piece of plastic clamshell packaging that we pulled out of a trash can in the office. I just chopped it with my knife, shoved it in here, and this is the server room. Now look at the strike plate. Huge hole, and that strike plate's massive. Is this a regular off-the-rack metal, like, strike plate? Speak it up. No, it's not. What kind of strike? I said, what kind of... card access. It's electronic, right? It's an electronic strike. You've seen these. The solenoid buzzes or pops when you badge in. There are a lot of different models, and the problem you will get sometimes is that installers and integrators, when they're ordering parts, they'll literally be like, "Hey mommy, remember we got that job on Main Street? Order the 4950, that's the one with a real big hole that always works no matter what doors the client has." Like, no, man, you need the right one that fits, otherwise you're completely undermining your experience.

Another water facility, hopper Sargent lock, but again, here we are, door fitment. [Music] Yeah, so, like, again, five-dollar hook, and this really nice... I mean, it properly pay was a nice lock. I could have probably picked that in twenty, thirty minutes, like, if I just wanted to bang my head on that door, but in twenty, thirty seconds on the long side of, like, that's including taking it out of my pants, the hook, so, like, get it in, boom. Like, and I don't belong in here. You don't want me in here at all, but a five-dollar hook and no monitoring on that door gets me in here.

There's a lot of things you can do if I can find any little gap in the doors. I can usually leverage that in interesting ways. Here we have, this is not a latch, this is a crash bar. What happens here, though? Literally just reached through the gap and slapped the crash bar from the other side. That is a completely feasible attack. They have capacitive, sensitive, like, galvanic response crash
bars that use, like, a black pad on them. You just have to use a better, you know, conductive medium, so, like, a heavy copper rod, that will usually trigger it. But anytime you see, like, here's that weather stripping. Weather stripping is not a security device, and you can even kind of, like, stand to the side and look a little bit, you see the light coming through. This door, by the way, that you're seeing right here, which is right out to the street, that is where the chlorine tanks were being stored at this one facility. There's a photo of me later, like, show, I was like, could I change the levels of chlorine? Could I just wheel this out onto the street where my car is? Like, because I bent a piece of metal, slapped the crash bar, which is always going to be a uniform height because of code compliance, right? There was just nothing protecting me, because, again, weather stripping is an environmental seal. It didn't have any sort of astragal or plate running down the door. Keep that in mind.

It's really not hard, and you don't have to just make BS tools. Like, they make really nice tools that are very rugged if you want to do this proper. Like, here's Robert popping into a secured meeting room space, and that's just a factory-made tool. These are leaving government-grade tools that exist just for this purpose, and they're just for, you can feel exactly where you want to hit. Exit paddles, same thing. These are all exploitable, and you can even see the gap right there with the light.

Now, I don't know how the lighting is in the projector here, but usually we'll get somebody, in a few of those videos there's something else on the door. You can barely see it, it's further down the door. What else is going on in this door that some of, somebody's using, like, "Hey, well, wait a minute, you could have blah blah blah"? Can you see it? Yeah, I'm hearing it. It's a deadbolt, deadlock. Yeah, you can just about see there's a little thumb turn down there. Now, this is probably not going to be, like, a door you could deadbolt during the
day, it's an occupied structure, again, you're dealing with code compliance. But that one video at, like, 2:00 in the morning, but, like, "Aw, come on, I could have deadbolted that door and it was just laziness." Yeah, they could have done that, but let's keep in mind, even deadbolts usually are not double-sided with a key. Usually there's a thumb turn, again, code compliance. Well, this tool exists. You know, this tool is a thumb turn flipper. Stick it through the door, you go rude and use free to slap the door like this. These tools are out there, man, and they're in all of our kits, and we destroy worlds with these things, and it is not hard to understand.

This is just a completely different tack, the idea of exploiting gaps. It's a locked door. What happened there? They stuck something through the door, something very ephemeral. Let's look from the other side here. This is, yes, I heard somebody, a few people know what's up here. So in the hat we have Babak, he's our electronics expert. He just showed our buddy Ross this attack. We're in a development lab space that we use to build out some of our chips and gear, and Ross is like, "Aw, come here, I just learned this, guys, check it out." So it's a locked door, card reader door, and he's sticking something in a little bit of a gap, and you can even see through the glass what happens. Oh, door suddenly opened.

He's using a very sophisticated, very restricted government tool. If you have clearance, like, talk to your people. I think if you're TS or SCI you can order this tool. There's a special catalog, it comes with the instruction manual that is, it's like, eyes only, and it's a one-page manual. It says "hold it like this." And all you do is, you're just gassing off that butane, which boils off in the atmosphere. You're creating a cloud of super cold air, and we're tricking out what are called REX sensors, or request-to-exit sensors. This is a locked door, mag lock, electronic lock system, and you can see the sensor right there gets tricky.
What are we triggering it with? Temperature. Well, these sensors are designed to tell if a human being is exiting a facility. Many of you have these. If you badge in but don't have to badge out, many facilities, unless you have a push-to-exit button, you just kind of walk towards the door and the door is unlocked and you can egress. These sensors are designed usually just to detect a thermal differential. In fact, the cheapest one, the one at the bottom in the middle right there, that Honeywell, man, that is far and away percent of what we see in the field, that exact sensor or a rebrand of that sensor. All they're looking to do is, is something temperature different here? Because you don't want false negatives. You don't want someone with a bunch of boxes to, like, bang into the door and fall over, because that's going to be a bad user experience, and that vendor's going to get calls, and they're going to have to keep coming out and servicing it. They want to order the part that always picks up motion, it always is going to open the door.

There are better types of REX sensors. There are microwave-based, radar, RCR, range-controlled radar. They are much more difficult to fake out, but again, cost, reliability, usability. PIR, passive infrared, is what we see everywhere, and you can trick them out with a bunch of silly stuff.

If you ever attend a wonderful conference called DerbyCon, this is Dave Kennedy, former Marine, runs DerbyCon, he runs TrustedSec. He is a big e-cig guy. He likes, uh, bones his coils and does really big vape clouds. So he learned this trick, he's like, Nickerson, our buddy Chris Nickerson, taught him, he's like, "Hey, try blowing some of your big smoke through that door." Sure enough, took up a couple of big lungfuls here. When you can, listen for the solenoid flick. That's wonderful to me.

I think that's, so, I mean, I've done stuff like this, not with, I don't smoke, I drink too much. This was in Montana, really late at night. I was walking home with my fiancee. This is a bank. I just walked
out of the bar with, like, my whiskey was directed, but I heard the REX sensor. Oops. You know, it's funny too, I didn't even know if she filmed that, because it's only funny because I'm all dressed up, like, that's the only thing that makes that video cool. But I was like, "Hey honey, check this out," and she's like, "Oh, I know what that means, get my phone out, something's going to happen." So absolutely anything that I can get to that gap, or the bottom gap.

Let's talk about the bottom of a door. Most doors have a gap on the bottom or the top, right? How do you exploit this? You exploit this with the lever-style door handle that almost every door in a major commercial facility has. When is the last time you've seen a doorknob on anything? Like, a long time. You don't usually see that. Again, why? Code compliance. People with limited grip, limited tactile ability need to be able to operate doors. The lever-style handle set is what we see in all commercial, and those are cervezas.

What can you do with this? There was a little bit of footage that was being filmed for a special where I demonstrate what you can do with this. Here is what's called an under door attack. Well, I'm nowhere near the lock. I just kind of reach down, I grab something, I lean into it, and the door flies open. What did I do there? Let's just, this is on an actual job, doing it again. This is not, like, the sort of camera and that footed, this is not Hollywood hocus-pocus. This is Robert on a, you know, 2:00 in the morning, getting into some IDF closet, and again, he's nowhere near the lock, but he's going to be able to unlock this door and pop it open. Here we go. He thinks he's on it. He's a little more meticulous than I am, I'm kind of the bull in the china shop of the team. He leans on it, he's got a little bit of pressure with his head, that's using your head, Robert, and sure enough, that door just clicks right open.

What we're doing could not be simpler. We are sending a rod under the door with a string on it. You feel where you are, you feel where the
handle is and you yank you're just pulling the inside handle this tool exists for no other purpose than to reach on to the door and hit because if you imagine you're inside of a door you're inside of like a secured room usually if you just hit the handle and leave that unlocks the door you're not fumbling with like keys and like I'm gonna flip the thumb turn on this lock almost always again for code compliance if it's not a low occupancy structure hitting that door handle is going to egress or in your case ingress how do you prevent this there are products because you know the vertical gap you're just you're putting a big plate the bottom you can't like have the door dragging on the ground there are products called dynamic door bottoms though just a little plunger and you can see when the plunger hits the side of the wall it will drop this bottom down now this little animation is not really showing you a security product this is just an environmental seal for heating and cooling but that principle of the door closes the bottom drops that exists in other high-end products so a company called pemko PE mko I believe pemko which is a division of ASSA ABLOY who who owns like everybody now the pemko i think is i have a model number for you the pemko 530 is a semi mortise or external fit Door Bottom that is it's not just a little rubber seal I mean this is a heavy metal plate that interacts with a contoured floor plate when you close this door that plate drops and locks and there is no way to get under this door now is that something you want to put on every single door in your facility no that's overkill it's like a hundred dollar item pick your four or five most sensitive doors and completely annihilate my ability to swing it under door tool under there I would not say that's a bad allocation of fun here we have a commercial door within eighty-eight handle it's harder to prevent luck this is great room that we want to get into so instead of locked this is an over door 
attack. We to use 35 millimeter film, cheaper tool, with our a loop that we've already previously made, if you can find someone who's the filming Lynch anymore nowadays, but I don't that look, so you want to eBay to find yourself some 35 millimeter film, and you shove it into the crack. I'm going to turn the volume down and away through the rest of this video here. Weather stripping, you can try to. So if you can imagine what's going to happen, this is not a pull-down attack, this is a yank-it-up attack.

This person, this is someone named InfoSec Pope. He was in Utah, good guy, works at the 801 space, and he shows us people all the time, because remember, if you're looking at a door and you've got a handle on your side, you know where the handle is on the other side. You can just kind of measure with your arm, like, this is how much room I've got. He makes a little tick mark in the film, feeds it over the door, sticks a little bit extra so it bows out as a loop, and just yanks on it. He just walks it over and yanks on it, and you're pulling the handle up. Many people might not even realize it's possible to pull, you know, an internal handle up. It'll operate the door 90 times out of 10.

So this is obviously on this side of the door, it's a little not clear, but here's on the inside. You can see, we'll race it along it. It's almost comical, right? Like, you're just watching this loop. Imagine if you were working in the server room, you're just watching this, kind of, what's happening on that door? But he's great, I mean, he can do it perfectly. He's done it so many times, he knows exactly how to flip and pull, then yank, and there you go.

Really hard to prevent these kind of attacks if you're complying with code for a regular occupancy structure. If you're low occupancy, have legal so you can get a variance, a lot of times you can throw out a lot of these problems. If you can't, want some more really awesome cheap solutions? Get one of these. This is a blocking shroud. I saw this on a door once, only
after we couldn't get under there, like, trying to run under it, run it, and, like, "I know I'm on it, what? Robert, try this thing." Robert's down there cursing. Eventually I went out to the truck, came back with our borescope, which I use for safecracking, and I looked, I was like, "Awesome bitch, what the hell is that?" you know, and then we talked through it, like, half an hour, and got the damn thing open. I was, like, demanding the client, though, "Where did you get this thing? This made us kick our heads in for half an hour at the server room." He's like, "Oh, I found it in, like, a Grainger catalog or something." It's not a security product. It's, like, so in service areas you don't bash into door handles. It's just for that, it's for carts going by doors, and I think that's why they had it at the server room, because they had equipment carts, but it completely ruined my day.

Have you seen, maybe you've stayed in hotels where the door handles are mounted down? Who's seen this? It happens a lot, and I've asked hoteliers, I'm like, "Hey, I just, I gotta know, door handle, is that, like, the under door..." and, like, "Oh, you've heard about that? Big problem in hotels, under door attacks, as, like, room theft problems." I've seen hotels do this.

This was really cool, because, not that it's, so it's an effective solution, I could not imagine trying to negotiate film over the top or an under door tool, but again, like, I was staying in a hotel for a week, made friends with the staff, and I was like, "Hey, you got to tell me, obviously you're preventing, like, illegal entries, where did you get this product?" They're like, "Oh yeah, that, so, you know, if you have, like, closet doors and carpet in your bedroom, it's the little clips that you put in the floor." Four dollars at Home Depot, screwed into every one of their hotel room doors, completely stops anybody from feasibly executing this attack in a reasonable manner. I love that. I think that is, I love that more than the freaking Pemko 530 bottom. This is awesome, and it's cheap, and it's effective.

So there's a lot of different
ways that we can get in. There's a lot of different odd things that we do as covert entry teams. Not all of them are this dumb. There's some high-end stuff and high-speed things that, if you, you know, hang out in our classes, man, like, we'll do clamshell key copying with clay molds, and, you know, you're pouring liquid in. I teach safecracking. I've taught it at SANS before, I teach it elsewhere. I'm a GSA certified safe tech. I can teach anyone in this room to manipulate probably a Group 2 safe dial in about a day. It is not as hard as you think. So we love approaching the whole picture. We love the audiences that will listen to, like, the crazy stuff like this.

I got a couple more gems for you, right, I know we've still got some time here. My favorite thing to, like, laugh about these days, and it applies a lot to this room, is keyed-alike systems: manufacturers that ship everything keyed alike, and a lot of customers don't know. I'm standing next to, both Dennis and I are both standing next to a little, like, they're called telephony access control boxes. You see them on the front of a lot of buildings and apartments and such. Dennis is standing next to a Linear cabinet, I'm standing next to a DoorKing system. Both of those, the manufacturers have one key. There's the Linear A126 key for all Linear commercial-grade cabinets, every single Linear of, like, the higher end, the a 180 1200. You just, you know, open the cabinet, and then all the door relays, they have little momentary switches right there, just press all until the door opens. Like, there it is. He just buys, you can buy this right now online. This is not a restricted key.

DoorKing systems, the DoorKing, what, 12:16, completely every DoorKing install since 1992 has used this key, and it's everywhere, everywhere. If I show you, like, how to identify DoorKing boxes, there'll be three big silver buttons, the A, the Z, and the enter, like, you'll start seeing them on every building. I got these keys on me right now. I am literally calm, pretty sure I'm
carrying them. Yeah, there's the DoorKing key right there, there's the Linear key right there. What is there? I got another key right here. This is a really fun one. This is a 1284X key. Google 1284X and you start seeing a lot of a certain kind of vehicle: Ford. Ford's fleet key is the 1284X. It shows up in, you know, big vehicles, it shows up in their Expeditions and Excursions, it shows up a lot in Crown Vics. Maybe if a city gets a whole bunch of Ford vehicles and they want them all keyed alike, that happens a lot, it's probably the 1284X. This is a Home Depot copy. You can see there's no chip in this key, it's not a modern key. This will open, and start, and open the trunk and the glove box of probably about forty percent of the black and white rollers in this country. It's like, just, they're all the same. There are cities right now, big huge cities, where most of the taxis in the city have the same key as the police cruisers in that city. Keyed-alike systems are to variously crazy exploitable.

How does this relate to facilities, besides the front door, you know, to laughs anything? Many electromechanical key switches are all stock and keyed alike. If you've ever seen my buddy Howard and I talk about elevator systems, exploiting elevators, you can turn on and off a lot of security features in elevators. The key switches are manufacturer specific. Here you can actually see, this is an interesting install here, like, this is a mixed batch of keys. You can see the little graffiti inside the cabinet, right? So it says fire service phase 1 and 2 is EX515, that's Innovation fixtures, but clearly this is a Montgomery KONE elevator, because it's KONE A4 and KONE A1, and KONE... I have all these keys. I have them in this bag right here. We just have all the default keys for basically every elevator and mechanical key switch. Interestingly enough, Montgomery KONE elevators here in this building, but they use Innovation fixtures. Don't ask
me. No, I know that. And what's an example of this sort of thing, right? Like, you've been in buildings, I'm not saying... this is not footage from this hotel and that and Larry, but, like, buildings where you need keycard access to drive an elevator to a different floor. Here is a building like that. Here is a building where you can maybe place some low-level calls, but if you want to go to, like, the top nice floors, you can't get up to the executive levels and so forth. Okay, so I can't get up to 33, 32. Why? Well, there's a card reader there, but this is a notice Siri seven elevator, so that's the bgm 30 key, and I go card reader off, yay, and now that floor has latched its call, so I can turn the card reader back on and re-secure the panel and just go up to the executive level and bang around. Like, literally, that's what it is: card reader on/off. This is perhaps, if any of you take this away, man, for keyed-alike big building risks: this is the story of the FEO-K1. Ask me later, I won't get into the whole background of what happened to create this standard. It is a super standard fire key that many buildings will use for fire access. So they're all different keys and all different areas, but the FEO-K1 will take you to just a little red box on the wall, and then all the fire keys, all the important keys in the building, are inside this one box. This is walking around the building that happened to use the FEO-K1 standard. Call the elevator, pretend you're getting on the elevator, when in fact you reach up really quickly with your FEO-K1, swing open that fire box and take some stuff out of it. What does this then allow you to do? As we walk around, somebody walks around this building, we were totally okay here, but so we get into this machine room, which, it's a small building, small office, so they were also using it, you could barely see, as their security office, and then it's all their industrial controls for the elevator right there, including, this is actually the drop key storage inside the machine
room. But again, there's, like, a whole elevator hacking talk I've given, talking about what you can do if you're in the machine room or the motor room, what you can do at the elevator controller, and the fact that we were able to get around this building. Now, this was the fire service key for that building, like, if we wanted to throw the elevators on fire service. It was the alarm panel key to get into the alarm annunciators and turn on and off the alerts. The sprinkler valve lockout, we could have unlocked and changed the sprinkler valve flows and, you know, lock them on or off. All of this, including the elevator controls themselves in the controller panel, for a key that sells on eBay right now for about eight bucks. Keyed-alike systems are crazy, man. Electromechanical key switches are not as secure as you might think. And to wrap that to an even sillier electromechanical whole story: storefront building, late at night. Friends of ours, they said, "Oh man, you should see what we had happen the other night. We had an alert and we came in the next morning and everything looked fine. It looks like no one was there, nothing got touched, but we asked the neighbors across the street for some footage. This is what we saw." We saw a guy come up late at night. He's standing near this big roll-up door, he does something, and the freaking garage door comes up. And the guy, they said he looked around a little bit, kind of didn't want... I don't know if he got spooked or something. He was very polite, he rolled the door back down and walked away. So they immediately saw this, they ran around the alley and they said, "What the hell?" Today they looked at their things. I don't know if you can see what happened here. That is a Medeco lock, which is a nice lock. Medeco makes a lot of key switches and, you know, a lot of interesting industry. Here it wasn't installed correctly. The whole cylinder didn't have its mortise set screws on the side, they just had the rear bolt. Someone just took vice grips and
turned the whole cylinder to, like, open and, like, drove the door. And then they were really nice, man. It was San Francisco, they're still polite, the criminals, I guess, because he turned the door all the way over to close and drove the door shut again and then walked away. So that is unreal, the confluence of both the mechanical and the electronic world. We talked about the electronic side. This is not an electronic talk. If you want to learn more about that, I'm happy to have the cell you saw on the Hat. Babak, our director of research, Kizer, he's the guy who weaponizes, like, long-range readers. We'll take RFID credential readers that are, you see these in, like, parking garages, their long range is, you know, a couple feet, but he'll gut them, he'll weaponize them, put the power supply in there, put any peachie in there, Bluetooth module, and then that's, you know, we just call it the hunt pad. We'll just walk around client sites with that in our backpack. And here's Dennis, he's going to do a card grab on this guy on the bench. Dennis looks like he's on his phone, he's really just grabbing credentials. He'll realize, oh, I got a good badge read, he's going to get up and leave. So this is not Hollywood hocus-pocus. If you have questions about that sort of thing, cloning of credentials, replaying attacks: yes, prox can be killed. Yes, iCLASS can be killed. Yes, iCLASS SE is vulnerable. Even if you're using really high-end, like, super, your integrator sold you, like, iCLASS Seos or MIFARE DESFire NX, like, new, the latest stuff from NXP, we can put sniffers on the back side of the reader. That's our new thing we like to do a lot now. You install a little Wiegand sniffer on the protocol side, put the reader back on the wall, and then we can just sniff credentials as they're being sent down the wire in the clear and, like, we play those from our phones. Completely valid, like, line of attack, man, and it's easy to do. We do this in class. We will let you take readers off the wall and click them in, get the sniffers, we'll show
you how to decode the credentials. It is really fun to be that person at your facility who can do this and show people, "Oh yeah, you know, I really understand that we paid all this money for the system, but because we didn't put a tamper-resistant screw on the bottom of this reader, I was able to click in a little, you know, sniffer tool, and now I got everyone's badge and I just cloned myself to be any badge I want." If you like this kind of stuff, we are happy to talk to you about it more a different day. You can he'll... you're all SANS students, you're all here. Like, we are an odd duck in that we don't show up at a lot of the SANS events. This is not a logistic that SANS is used to running, but we do run these occasional physical penetration courses, and we're a small niche, but if this interests you, you can always ask us about that another time. Mostly, though, I'm not here to sell you on anything. I don't work for any of the names that I mentioned, like, major manufacturing, and I just liked those solutions. I like those jamb pins. I like simple fixes. And when you keep the physical side in mind and you understand that if someone physically can get to the infrastructure, that's the ballgame, physical attack is a data attack, that they are not two separate worlds, if you get that, you can protect it pretty easily. I love what I do because when I show people these really scary things, I'm not like, "Already, well, I hope you budgeted $50,000 to fix this." Like, this is me being like, "Yeah, well, see, this is striking here, you could probably reset this door by a quarter-inch." This was an article in the Locksmith Ledger years ago. You can see it was literally a strike plate that was misaligned, and the locksmith didn't even order a new one. He or she just unscrewed it, pop-riveted a piece of scrap metal and made it just a little bit narrower, and then the door was fine. They make products called, like, an adjustable strike, where you can just really jank, just kind of kludge, easy fix, man. But these are the
solutions. This is what correcting a problem in my world is like. It's not, "Oh my god, how are we going to provision budget to, like, completely re-engineer everything we did wrong here?" Your solution is usually a hardware store solution. It's not deploying a whole new security center and spending all this money. Your solution is send somebody to the store and fix this for eight bucks, and then guys like me can't get back in. [Music]
Channel: SANS Institute
Views: 39,536
Rating: 4.9484239 out of 5
Keywords: physical cybersecurity penetration, industrial control system penetration testing
Id: qg-zK2zv4ng
Length: 38min 28sec (2308 seconds)
Published: Sat Jul 29 2017