Wow, so many. So that thing over there, is it translating everything I say? Does it do naughty words at all? No, no, I shouldn't. Okay. Welcome. Oh, okay. So, wow, there are a lot of people. This is a lot bigger than the first 101 track over there next to track four. It's made me kind of nervous, but it's okay, I'll take it.

So, okay, I'm Dennis. Some of you know me, most of you don't, so let's just jump right into it. Are We Really Safe? Hacking Access Control Systems. So I'm going to talk a lot about access control systems that matter to you guys. You've seen it, you see it up here, you've seen these in your apartment, your gated communities, everywhere. So let's just dive right in. First, actually, I'm Dennis. I'm a security consultant at KLC Consulting. We do, you know, security stuff, right? My job is to hack things. This is one of those things, so you'll hear a lot about what I've done in the past year with my research on this. You can hit me up on Twitter. I love to use the Twitter, especially here at DEF CON. I'm also, for those who are interested, co-founder of Houston Locksport. We're a lock-picking club. Hey, there you go, right. My other co-founders are here with me, Dead and J. Gore. We just drink beers and pick locks. I was told I was going to get heckled, and I'm getting heckled. So I'm also rebooting HAHA, if people are interested, the Houston Area Hackers Anonymous, similar to AHA, Austin Hackers Anonymous. I'll be rebooting that, so if you're interested and you're in the Houston area, come talk to me.

All right, so the quick agenda, just real quick.
I'll be talking about what physical access control is. Then I'll talk about a specific vendor that I've been doing research on, and the reason why I'll be talking mainly about this one vendor is just because of time and money, right? This thing cost $1,700 and I don't have enough money to buy every single one out there, so I focused on one for now. And then, after we talk about how they work and kind of the architecture of them, we'll talk about attacks, local and remote. I'll demo some things. I've got a tool that I might release. And then of course some device enumeration and some recommendations, because I had to.

So let's get started: physical access control systems. So first, what are they? They are systems with the purpose of limiting access to a specific physical resource, right? They're outside many things that you guys have seen; that can be commercial buildings, shared office spaces, so on and so forth. They secure areas by hooking up with doors, whether it be an electronic door magnet or door strike or anything. They also use gates for apartment communities, elevator floors, and barrier arms for, like, parking spaces, right?
How do they work? You have many different ways of authenticating to an access control system. A lot of you guys who do live in gated communities or such have a little key fob like this where you press a button and it opens a door. Or maybe it's an RFID reader, or you can go up to this keypad over here and press the button, or, you know, whatever you need to do. And so real quick, I'll talk about what this demo is, because I kind of forgot to talk about that. So here I have a Linear access controller. It's set up just like how it really would be in a large apartment complex, except there's only one, not 20 of them. What you see is picture frames with lights underneath, 1, 2, 3, 4. Every time you see a picture frame light up, that means door 2 in this case, or door 3, has opened. So imagine that. Unfortunately, you'll never see door 1 open. During my experimentation I kind of blew up, literally exploded, relay 1 that controls door 1, so it's never going to work. Just warning you guys.

Okay, so moving on. You've got swipe cards, you've got all these things that you can use to authenticate to these. Where are they used? Again, like I said earlier, they're used in gated communities, parking garages, office buildings, you know, all that stuff. And it's even used in commercial facilities. You know, walking downtown Austin I would see it, you know, guarding some, I don't know what it was, a post office or something. So they're pretty much everywhere; you can walk up to them. Here's just a bunch of different vendors I've seen. So there's DoorKing. You guys may recognize some of these: Chamberlain, Sentex, LiftMaster. I'll go back, since it's kind of too fast, right: LiftMaster and Linear. Of course, now they're calling themselves Nortek Security & Control, but all the boxes still have the word Linear on them, so we'll talk about this one more in a bit. Here's some pictures that I took walking around. You've got a bunch of these mounted outside buildings. You can use your RFID card or keypad.
Whatever you want to do. You've got some outside apartments or outside offices, right, more commercial buildings. This one, I think, was in a nursing home. You have some next to elevators, because they can control elevators; they can authenticate whether someone can be in an elevator and on specific floors. And what you see on the right, you see three gray boxes. Those are also access control systems, much like this one here, but they're headless. They don't have keypads or screens or anything. They're used for expanding on an existing installation, or just installations that only require, for example, RFID readers and don't require a keypad or anything. So that's what those are used for. Here's what they look like inside: same thing, same components as the one I have here on the table, just without a keyboard, without a big display. This one's actually pretty funny, because you see this one's kind of mounted on the wall. You'll never guess where I found this one, right? So I don't know, I just wanted to use a bathroom and I was very curious what was inside that gray box. So it may or may not have already been opened, and so I took a peek and voilà, you know, access control. It was protecting the doors for that building. That was pretty funny.

Okay, so let's talk about Linear access control. I showed you this picture earlier. Linear, the vendor, also known as Nortek Security & Control. They have a few different models of commercial access control systems: the AE-1000, the AE-2000 and the AM3Plus. The AM3Plus is that toilet one I just showed you. But they're all pretty much the same. They all do the same thing, they interface the same way. The only difference is that the 1000 and 2000 have a bigger screen, right?
You see it's much bigger, bigger screen. That's the only difference. The AM3, like I said, doesn't have a keyboard or anything, but they all do the same thing, so anything we talk about is going to apply to all of those.

So let's go a little deeper into those. So this is a Linear controller. It's pretty fancy. It's got a lot of cool features. It's great for big installations because it can be networked. It utilizes a telephone line, so someone can go up there, press the specific directory code, it calls someone else and they press nine to let you in. We've all done that. It also supports thousands of users, so it's great for any big installation. It can be networked with other controllers. So, you know, these can only control four doors at a time; if you want more doors you add more to the network of controllers. And the best part is they can be configured and controlled through a PC. It can be networked, so, you know, apartment management in a different state can manage all those small communities
they have all over the United States. So this is a kit. So these things are rarely installed just by themselves, because they're pretty expensive. Who would want to do it just for their home, right? So they're usually installed in big installations, and to do that they use this kit, the TCP/IP kit, which is just a device that pretty much turns the serial connection into an IP connection, a TCP connection, and that'll allow the management of the community to actually manage it from a computer, whether it be on the network locally or remotely online. So, in that example, a management company in a different state.

So let's talk a little bit about the architecture and how that works. So the controller here, the AE-1000Plus, interfaces through serial and connects through a serial cable to the serial-to-TCP device, and that pretty much converts the connection into a TCP connection, which is then plugged into a conventional network, a switch or anything like that, and then the management PC anywhere can connect to it. Yeah, it's pretty much as simple as that. This is a typical installation I've seen. And now, to refer to that controller, you're just referring to a specific IP and port, in this case an address ending in .32 and port 4660, which is the default. So here is pretty much the same diagram, except this actually came from the documentation. You have the controller, you have the serial-to-TCP converter connected to a network, you've got a computer, and of course the documentation actually does encourage that you hook that up to a DMZ or, you know, an internet device, so that you can actually control this from the internet. So that's pretty cool. Well, pretty cool for some people. So how does the computer communicate with the controller?
They use software called AccessBase2000, developed by the same guys, made just for this. It's pretty thorough software. It allows the management to add and remove users, like entry codes, or any transmitters like this, you know, anything like that. You can even control the controller: you can manually toggle the relays, so you can open the doors remotely, you can lock them so you can keep them closed, you can even view log reports. This controller stores logs every time someone accesses a door it controls, or anything like that, or even opens the door right here on the controller. It logs all of this, so that's pretty cool. It's a pretty thorough log. It does communicate through serial, like I said, but again, when you have that TCP converter, like most installations do, then it's a TCP connection in your eyes. And it does require a password to authenticate.

So here's the screen. I hope you guys can see that, it's kind of small, but what you see here is you do need to type in a password to authenticate and use the software with the controller. But it's pretty interesting, because the password is just six characters, exactly, no less, no more, exactly six, and numbers only. So you can imagine the key space: one million passwords exactly. That's it. So that may be a problem. We'll look into that in the attacks. So first, how does it actually communicate? How does the software communicate with the controller?
So first, when someone's using the software on the computer, you have the software sending a string, a hex-encoded string, over this connection to the controller, whether it be a string to open a door or request the logs or anything like that, and the controller will respond back with another string. And the string is consistent: whether it acknowledged the command and performed the command, or it could be not acknowledged, meaning the command was a bad command. Let's say you tried to open relay five and that doesn't exist. You'll get, you know, not acknowledged. Or invalid checksum; this does utilize a checksum to, you know, just ensure data integrity. So if the message is wrong, you get a bad connection or something, it'll spit back invalid checksum. Or it'll actually give no response if you're not authenticated, if you didn't, prior, you know, put in the correct password first. You won't get a response at all. So if you get no response, you're probably not authenticated.

So let's break down that little message real quick, just so you guys have a background. So this is hex encoded, and it's sent to the controller in hex, so every two characters is one byte. So the first two bytes are going to be the packet header. That's fixed, that's hard coded. The packet header is always going to be 5A A5. The next two bytes are a minimum data length. You'll see highlighted in yellow is the data, and so when you send a command, the minimum length of that data can be zero. The maximum data length is the next byte, and that could be, in this case, 0A, and for those who know hex, that's 10 in decimal. So the length of the data can be 10. Then you have the net node, and so what that is, is that's just the identification number of the controller relative to any other controllers on a network. So it's 11 in this case; if there was another controller here, that might be another number. There's an algorithm for computing that. Then you have the command, and the command can be different. In this case,
this whole string is a password command. It's submitting, it's trying to say, hey, is this the password? So that's 01. There's a bunch of other commands, like pulling the logs, pulling status, you know, doing a flash firmware update. So there's a bunch of different commands from 01 to 0F, right, which is 16, or 15, one of those numbers. And then the next, in this case, it's five bytes, actually six bytes, excuse me, this is the actual data. So like I said, this is a password request. So what I'm doing is I'm saying, hey, is 123456 the password? And the data there you see, 36 35, that is 123456 hex encoded and then reversed; for some reason it wants to reverse the data, and then sends it through. So that translates to 123456. The last two bytes are a checksum. Like I said, it ensures data integrity and makes sure the message is what it's supposed to be. And that checksum is calculated over everything from the beginning of the net node to the end of the data. So it calculates a checksum from that, and if it's correct, you know, all systems go.

All right, so we've talked about how this works. You guys now have a good understanding. Where am I on time? I'm good on time. Let's talk about attacks. So first, how can we target these controllers? Well, they're meant to be walked up to. They have number pads, they have displays, you walk up to them at a gate or building, and so you have physical access. What can you do with physical access? Well, maybe we can do local programming, because some of these things can be programmed locally if you don't want to do it through a computer. If you have a much smaller installation, or maybe an older version that doesn't support computer management, you can do local programming.
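The frame layout the talk just walked through, written out as an added Python example. This is not the speaker's tool and not Linear's or AccessBase2000's code; it only follows the description given in the talk: a fixed 5A A5 header, two length bytes (read here as minimum and maximum data length, 00 and 0A), the net node byte, the command byte (01 for the password check), up to ten data bytes holding the ASCII digits byte-reversed, and a two-byte trailer computed over net node through data. The talk does not say which checksum algorithm is used, so the trailer below is a placeholder 16-bit additive sum and is labelled as an assumption; the common-code list is a constructed sample. The candidate generator at the bottom walks the one-million six-digit key space the talk brute-forces, common codes first and then sequentially.

```python
"""Build and parse frames in the layout described in the talk for the
AccessBase2000 <-> Linear controller link.  Added illustration only: not the
speaker's ACAT tool and not vendor code.  The checksum is an ASSUMED
placeholder (16-bit additive sum); the talk does not give the real one."""

HEADER = bytes.fromhex("5AA5")   # fixed two-byte packet header from the talk
MAX_DATA = 0x0A                  # "maximum data length ... 0a" (10 bytes)
CMD_PASSWORD = 0x01              # command 01 = "is this the password?"


def checksum(body: bytes) -> bytes:
    """ASSUMPTION: 16-bit big-endian sum over net node..data.  The talk only
    states that the checksum covers that span, not how it is computed."""
    return (sum(body) & 0xFFFF).to_bytes(2, "big")


def encode_data(text: str) -> bytes:
    """ASCII-encode and then byte-reverse, as the talk shows for '123456'
    becoming 36 35 34 33 32 31."""
    return text.encode("ascii")[::-1]


def build_frame(net_node: int, command: int, data: bytes, min_len: int = 0) -> bytes:
    """header | min_len | max_len | net_node | command | data | checksum."""
    if not 0 <= len(data) <= MAX_DATA:
        raise ValueError(f"data must be 0..{MAX_DATA} bytes")
    body = bytes([net_node, command]) + data
    return HEADER + bytes([min_len, MAX_DATA]) + body + checksum(body)


def parse_frame(frame: bytes) -> dict:
    """Split a frame into its fields and verify the trailer.  Raises
    ValueError for a bad header, an oversized payload or a bad checksum."""
    if len(frame) < 8 or frame[:2] != HEADER:
        raise ValueError("bad header or truncated frame")
    min_len, max_len = frame[2], frame[3]
    body, trailer = frame[4:-2], frame[-2:]
    if checksum(body) != trailer:
        raise ValueError("invalid checksum")
    net_node, command, data = body[0], body[1], body[2:]
    if not min_len <= len(data) <= max_len:
        raise ValueError("data length outside declared bounds")
    return {
        "net_node": net_node,
        "command": command,
        "data": data,
        "text": data[::-1].decode("ascii", "replace"),  # undo the byte reversal
    }


def frame_is_valid(frame: bytes) -> bool:
    try:
        parse_frame(frame)
        return True
    except ValueError:
        return False


def password_frame(net_node: int, pin: str) -> bytes:
    """The password check from the talk: exactly six digits, nothing else."""
    if len(pin) != 6 or not pin.isdigit():
        raise ValueError("controller passwords are exactly six digits")
    return build_frame(net_node, CMD_PASSWORD, encode_data(pin))


# Constructed sample of "common codes" to try before sequential guessing.
COMMON_CODES = ("123456", "000000", "111111", "654321")


def candidate_pins(common=COMMON_CODES):
    """Yield every six-digit code once: common codes first, then 000000..999999."""
    seen = set()
    for code in common:
        if code not in seen:
            seen.add(code)
            yield code
    for n in range(1_000_000):
        code = f"{n:06d}"
        if code not in seen:
            yield code


def first_candidates(n: int) -> list:
    out = []
    for code in candidate_pins():
        if len(out) == n:
            break
        out.append(code)
    return out


def key_space_size() -> int:
    return sum(1 for _ in candidate_pins())


if __name__ == "__main__":
    frame = password_frame(0x11, "123456")
    print(frame.hex(), parse_frame(frame))
```

With net node 11 and the password 123456 the builder produces 5aa5 000a 11 01 363534333231 followed by the assumed two-byte trailer; swap `checksum` for the real routine once it is known and nothing else changes. The candidate generator is the piece that makes the talk's point about the key space concrete: with six decimal digits, no lockout and no rate limiting, the whole space is exactly one million frames.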
There's also a serial interface inside these devices, if you do want to configure it through a computer. So, since we have physical access, let's talk about local attacks first. So, default password. So first, this is a 1000 right here on this desk. There is an AE-500; what that is, it's pretty much similar to these, it's just much smaller. It only supports two doors instead of four. It doesn't allow for computer configuration, no serial interface or anything like that, because it's meant for much smaller installations. It's a lot cheaper. It's meant for, you know, one or two doors, or a gate inside a really high-end home. So you have those. Those have a default password. Those can always be programmed locally from the keypad, because you can't control it from a computer. So to get to that part where you can start typing the password, you hold zero and two, and that'll pop up a password prompt. And in the documentation, all this documentation is available online, the default password is 123456. And right, who changes that, right? When you're paying a contractor to install this, the lowest-bid contractor, they're most likely not going to care about the password. So they're going to leave it like that, you're not going to notice, and the default password to manage these devices is 123456, regardless of what your entry code is. So try 123456 and see what happens. Pound is just the enter button. You press pound and see if it works. Once you're in, because trust me, you're going to get in, input the following commands. You have 31 pound, 9999 pound, we have all that string, and I'll talk about what that is in the next slide. And what that does is that inputs your own back door; it inputs your own entry code into the system. So now when you walk up to the device, you type in your new entry code, 9999 in this case, and access is granted. So let's talk about what we just did. So, hold on. We've got
we've got more. 123456 pound: we've just entered the default password, we're in. 31 pound: that enters the entry code entry mode, right? That's where you enter a new entry code and program it. Then 9999 pound is our entry code. You can do whatever you want, 123456; 9999 is better because no one has that, right? Then you do it again, 9999, just to confirm it, because it wants you to do it twice. And then 99 pound exits programming mode, going back to normal functionality. Then you just type in your entry code and you're in. Oops, I forgot I did that. So, boom, that's the summary. So I'm going to show you how quick it is to do that. So all that I just talked about, you'll see how quick it is. So there you go, and access granted, and that's where the applause should come in. But you see that was done in less than 10 seconds. So I can literally, if I find one of these devices, quickly do my thing, walk off, and now I have full access to whatever that's controlling, forever, because there's no way that I found where you can actually list the entry codes. You just have to, you know, if you're suspicious about it, just, you know, erase everything and start over. So it's a really cool hidden back door.

So what else can we do? Master key. Hmm, this is going to be interesting. So I bought this, well, my company bought this for me for research, and of course it came with a key, right? It turns out, when I found this out, I was flabbergasted, to say the least: same key for every device. This 1000Plus you see here, most of you, some of you, have probably seen it; this is one of the most common ones I've seen in the United States. When you see this, the key that it came with, right here,
I'm holding it in my hand, works for this, but also works for all of my other apartments that I may or may not have tried it on. It works, so I confirmed that it works for every 1000 where no one has changed the lock, and I've never seen someone change the lock. It also works for the AM3Plus, the one that I saw in... I didn't try it on the toilet one, but the same model that was on the toilet, it works for that too. It might work for the AE-500, never tried it, but, you know, why wouldn't it, right? So this same key works for all of them, and you can purchase them on eBay if you're lucky enough. I haven't found one, but if you're lucky enough you might find one on eBay. You could pay $1,700 and buy this whole thing and get the key, or, if you're lucky, the AM3Plus, the smaller one, find the enclosure alone, just that. It should come with the key. It's a hundred bucks and now you've got access. But please don't buy the key, you don't need it. Of course, you can just pick the lock. It's a fairly simple lock. Anyone who's decent at lockpicking can try to pick it. And of course it gives you full access to the device. So let's talk about that. But first, you know, for those who are into making keys, that may or may not be the exact bitting code. So, you know, the PowerPoints will be online.

Physical access. So what does physical access get you? Well, if you are able to open this device, whether by picking the lock or having the master key or it's just left open, in this device, in this specific AE-1000, there is a relay latch button. So relays are how the doors are controlled; when a relay is triggered, the door is open. And if something is wrong, like if the software is not working, whatever, maintenance can come up, open it, and press the button to manually open the gate, just to leave it open so people aren't locked out. So guess what: there's buttons in there to open all the doors.
So let me show you real quick. Test. That's awesome. So if I were to open this, and I don't have an entry code or anything, all I have to do is open it and, boom, I'm in. And that's it. And if I were mean and I locked this up, everything stays open, because those buttons stay locked open until I either press them again or reboot the device. So that's a cool way of entering, if you want to enter with the key. Let's turn this off. Leave that open for now. So like I said, you can lock their state, so you can leave the gate open and, you know, finally have that cool house party you guys always wanted but didn't want to break the lease for. Okay, by the way, I mentioned relay 1 exploded, literally. If you can see, there's a bunch of soot around the capacitors next to relay 1. That's, yeah, that was pretty fun. I had to fan out the house for that.

What else does physical access get you? Programming buttons. You get to program the controller. There's programming buttons right there in this one, and in other versions they're located somewhere else. You can program the device, or if you just want to, you know, be a dick, you can erase the memory. So, you know, have fun with that. There's an active phone line, for those, you know, who maybe want to steal the phone line, find out the phone number and put it back, and maybe you can call it and mess with it or do some pen testing, if you want to steal the phone line. And there's also a serial connection, so you can just connect directly to the controller, and all the remote attacks we're going to talk about work either remotely on a network or over a direct serial connection. So you'll figure out soon why you would like a serial connection.
So, oh, the last thing is, I just want to mention there's a tamper monitor switch. There's a little magnet on the corner right there that will detect when the case is open or closed. So in the logs that I talk about, you'll see tamper switch open, tamper switch closed. So that's so people know, you know, if someone's messing with the device. The problem is there's no active alerts, right? You can, you know, connect to the controller, go through a bunch of these buttons, and then you can actually view a log of someone opening and closing it, but nothing's active. There's no red alert, there's no email notifications. You'll never know it happened until much later, when you decide to download the logs and look. So really, tamper monitoring, there's also a problem: it's a magnet, right? So for those who are doing the Defuse the Bomb competition right next door, that way, you can just use a magnet to bypass this tamper switch. So let me show you how to do that. Let's play. How do I press play? Where is it? Here we go. So I'm opening the controller and you'll see the screen, it pops up tamper switch open and then tamper switch closed, I closed it. And so what I'm going to do is I'm going to grab my big powerful magnet. It's pretty powerful, so I have to wear gloves. Put it right there where it is, be careful not to, you know, put it in the wrong place, and I open it. And when I open it, you'll see absolutely nothing logged. You'll see the two existing log entries from earlier, but nothing new. So tamper switch completely avoided. Thank you. Oh, yeah, okay. We're going to need more of that. Not being sarcastic.

Okay. So we've talked about physical access. So what's next? The fun stuff, right: remote access. Remote access can be done, depending on the configuration, of course, through an internal network.
So let's say you're at the leasing office looking for a new apartment, and the leasing agent is busy with someone else and you plug into the network port behind their desk. So that's, you know, an example of internal access. Or the guest Wi-Fi network is not segregated properly. Then you also have external access. Some people do have it remotely available on the internet, so that would work too. Everything works over IP, and usually the default port 4660. It can be changed, but usually, who does that?

So let's talk about remote attacks. So first, let me show you the software. Let's see if this works. Hopefully I've sacrificed to the demo gods. So, okay, so you have the software here. It's pretty nifty. So how you connect is you press this little button and you connect, but you see here we're getting the message "wrong password." I hope you can see that. So we're getting wrong password. So we don't have the password to authenticate. So, as we mentioned earlier, how can we fix that? Brute force attack. So this is fun, because, like I told you guys earlier, six characters exactly, numbers only. Tiny key space. So that's one million passwords. There's no rate limiting, so you're only limited by the connection speed, and there's no password lockouts. You can guess as much as you want. And this is scriptable. Since, you know, the backbone is all serial, you can just script all this. You don't have to touch the application. So let me show you that. Let's go. So we don't have the password here, but I did write a nice little Python script that may or may not get released that'll do just that. So what you're seeing now is it's brute forcing. It's guessing the common codes, and if it doesn't find it, it will iterate through 1, 2, 3, 4 and so on. And what you're seeing is it guessing more than once on the same pattern.
That's because I'm having it, if it doesn't get a proper response, whether it's valid or invalid, just keep guessing until it gets a proper response. Serial is kind of, you know, not very reliable. So that's why. And there you go: Mastercode 000051. It guessed it, it found it, and we're done. So let's go try that. Let's go to setup. Here's how you type in the password, 1-2-3-4-5-1, boom. There you go, I'm connected, no error. Let's show you what I can do with that: trigger. There you go. All three doors are open, all four doors are open. I'll quickly show you, also, if I just download the logs. Let's go to, how do I go to logs again? I forgot. There you go. And just so you guys see, these are all the logs that were just downloaded. You know, certain people have that: granted access, locked open, and so on and so forth. I just wanted to show you guys. Okay, we'll go back.

Brute force attack, so that's cool. What's next? Hmm. So we have the password now, but did we really need it? Apparently not. So the normal way, you know, you have to authenticate first. You submit the right password first before you send any commands, right? So what I found out is, when I send this device a command without sending it a password first, I wouldn't get a response, but it turns out it'll just run the command anyway. It won't tell me it did it, but it'll just execute it. So I won't get a response, but it'll still work. So most commands work that way. So what can we do with that? Open doors remotely. We can send a simple command to open a door. That's an example of the command that actually opens a specific relay. We send it over and it processes that command and executes whatever it's supposed to do. Doesn't send me a response, but it still does it, right?
So it's still good. And it's great for movie-style scenes, because, you know, let's say you have the four museum robbers, whatever, and the hacker in the van. So when the hacker is ready, the hacker presses something on the computer, hacks into this, opens the door, the techno music starts, and everyone goes and steals the Declaration of Independence. So it's great for scenes like that, kind of red team engagements. So that's what we can do there. We could also, what we can do is we can lock doors open and closed. You can send the command to lock the relays, just like if I was pressing that button, and that'll keep the doors or gates either open, if I want to, you know, have that house party, or closed if I want to prevent everyone from ever getting in. And so, once the relay is locked in a specific state, it will not respond to any, you know, key fobs or any actual, you know, legitimate access after that until I unlock it or the device reboots. It persists. Yeah, it persists until it's rebooted.

Another thing to do is those fancy logs. You can just delete all of them. All those logs are stored on the controller, and because the controller has limited space, whenever they're downloaded using the AccessBase2000 software, they're deleted from the controller. So what do we do? We initiate a download for those logs with our Python script. We don't get the logs. We don't care, because they've all just been deleted and we've hidden all the evidence of us doing anything. So another thing to do is, if you do want to use the AccessBase2000 software, because it does have some cool functionality, you can change the password. Turns out you can submit a database update and it'll just, like, okay, and it'll change everything, including the password, back to default, or to whatever we want. And now we can get in with the default password. So you can pretty much upload anything. You can upload directory codes, transmitters, any backdoor you want, right?
So pretty much that. And then the last thing I'd like to talk about is a denial of service, which, you know, if you want to be a dick about it, you can fake a database update. And when you send it the database update, you don't tell it that you're finished. You just send it the request and go home, and this device will just keep flashing "database update in progress." And when a database update is in progress, it locks itself and nothing will happen. No transmitter will work, no entry code, nothing. And the only way to fix that is to stop the database update. There's a command to stop it, or you can just reboot the device. Another thing you could do is you can overwrite the device firmware, if you want to break it, again, you know, be a dick. Yeah, you can just break the device and make it completely useless to everyone. Or, like we talked about earlier, you can lock the relays and keep the doors shut or something like that, so that no one can get in.

So, all those attacks we've talked about. What I've done is I've developed a pretty simple-to-use tool to demonstrate these attacks. So what I call it, I really couldn't find a good name for it, so I called it Access Control Attack Tool, because I do want to expand on more access control systems, not just this one. But it is pretty neat that I can say, hey, you guys can go download ACAT off the internet. So let's show off this tool. Let's see if the demo gods have been nice. So I have this Python script. It works on Windows, it works on Linux as well, though some things don't work. You can either point it at a serial connection, COM1 through whatever, or an IP address. So let's do that. Let's maximize. Okay, so here's my tool. Pretty simple. It's as point-and-click as you can get on the command line. You just type whatever you want.
You have a bunch of options here. And so let's just try trigger relay. So what this does is this will trigger the relay for two seconds by default, or whatever it's configured to be. And so if I want to open one, well, let's open all of them: one, two, three, four. There you go. And so this Python script just opened all four doors, and no password was sent, nothing was sent. It was completely unauthenticated. It's just, I walked up to my laptop with the script, plugged into the network, found it, and sent it these packets. So relays are now open. Another thing you can do is lock them open. So, three, four. So now all four are locked open. Trust me, one is locked. So now those will stay locked until I unlock them or, you know, reboot the device. So let's unlock those real quick: four, one, two, three, four. Now they work again. Another thing you can do is lock them closed. Oops, wrong. There you go. Lock them closed. So let's lock two closed. So two is now locked closed, and if I were to try to use the normal transmitter, nothing happens. No one can get in with relay two, or any of the relays. So now let's unlock them again. Lock two. It's unlocked and, come on, there you go. It works again. So that's a cool thing.

So let's show, okay, so this is the one that sometimes doesn't work, but we'll hope it works: deleting the log. So everything we just did, whether it was the Python script or this transmitter that I'm holding, or even opening and closing that enclosure, is being logged in the internal memory. So when I download that, I'll get all those logs. So what I'm going to do is I'm going to initiate a download, and what that's going to do is it's going to download the logs, never get them, but they're going to be deleted from the controller. So I've initiated that process. It's working on it. It's trying to see if it's getting any feedback back, and then, once it's done, logs have been deleted. So let's exit here and let's see if that worked.
So I'm going to go here, connect. There you go, connected. And this button is used to download logs. It'll show a dialog box with the number I'm downloading; if it shows zero, then the demo worked. So let's do it. Six. So... it worked. But what I did notice is when this device has been rebooted (and I did reboot it earlier, before the demo started), there are six log entries of it starting up that never get deleted for some reason. So just take my word for it that it worked, and maybe we're going to pull out for that too. But yeah, so if you did look at the log, it's kind of a mess now; you wouldn't see any of this "access granted" stuff.

So let's connect back to my script. Here you go, so we're connected back. The next thing you can do is, let's do "upload default configuration". So we're connecting to this with the password of 000051. I'm being attacked, am I? No? Okay, I guess we're good. So we're connecting with the password that we brute-forced earlier. So let's go back to the default password. Okay, while they're doing that... so what I just did is I uploaded the default password to the device. So let's see if that works. So ideally, if I connect with the existing password, it should fail. Wrong password. There you go. So now let's go back to using the default password: one two three four five six. And I'm connected. There you go. So just upload the default password; who needs to brute force?

You guys are so kind. I'm really scared. Hey, how's it going? Excuse me. Okay. Have fun. So wow, are you giving me your computer? That's awesome. I'm right here; I am not moving from this spot. Here, press... so you want, really? Just press that button. I assure you something happened. Everybody clear the room. You all know how this works. How is he doing as a new speaker? Are you hungover? Nope, you will be. What is this? Oh no. I went up. Oh, you give me that, of course. Come on, this has got to be better than that.
Okay. After you drink that I'll be back with something better. Oh no. All right: to DEF CON, to new speakers. You still want that next one? Come at me, bro. Thank you very much. Thanks. Oof, I'm not used to that. I don't do a lot of shots, so it's burning my insides. Speaking of burning my insides: denial of service. Thank you very much. No, I'm gonna ride this out.

Okay, so the last thing I want to show that this tool can do is denial of service. So you have the normal functionality. Is that lighting up? No? Yes? No? Okay, I think something just broke right now, but this one still lights up. So normal people are coming up, you know, going in the gate, going home, wanting to watch munch baba, whatever, except... I... denial of service. The controller has been DoS'd. So I'll take your word for it. But what you should see on this screen is it should show "database update in progress". No, not working. Let's try it again. Oof, okay. DoS no longer works. Let's try this. I think my controller got drunk. Okay, what this will do is it'll flash "database update in progress" and it would stop working, and then all I have to do is, in the same script, you can stop it and then everything's back to normal. So that's pretty much the extent of my tool. I'm gonna give it one more try, trust me, one more. Yep, still doesn't work. Okay, so trust me, it works. And it's really getting hot in here, isn't it? Okay, I'm a new drinker. I'm hung... is it normal that I'm hungry?

So now that we've talked about attacking these controllers, and I'm good on time, let's talk about locating these. So how do we find these? Device enumeration techniques. So one thing you can do is you can scan for these devices on a network if they're hooked up in the typical installation. Scan for them; look for any COM port redirectors, because that's what they are. They're usually on the default port 4660. There's a specific one that's branded Linear that comes with this.
Of course, theoretically any one would work. So you can scan the network for the default port 4660. Another thing you can do is you can send a UDP broadcast to UDP port 55954, and if any device is on the network, it'll respond. So if you look at that little graphic there: an attacker can send a UDP broadcast to the network with that specific UDP port, and any devices will respond back to the network with that broadcast packet and respond back to the person who initiated that broadcast. And so that's how you can identify any of those devices on the network.

Another thing, and then once you've found it, you can send it a password request string. So regardless of whether you've authenticated to it or not, you will get a response back saying whether the password you tried to guess is valid or invalid. So you can send this device a password request string, and if it's a Linear box, it will respond back whether it's a valid or invalid password. So that's again the same thing that you saw earlier. That's how it works: you send it something, it responds back.

So let's demo yet another tool, a third tool that I wrote just for that. So what this will do is it will send a broadcast packet through UDP and listen for any responses, and it'll find them. If it finds any response, it'll take that a step further and send a password request to the IP address it found and check if it's an actual Linear controller. So let's do that. So it did find a device. There, let's scroll up, and now it's going to check to make sure it actually is Linear. And there you go: Linear access controller. It actually detected it is Linear; it's a hundred percent confirmed that it's Linear. And if you see that asterisk, it also, by the way, confirmed that it's using the default password of 123456. So that's what that tool does, and that may also get released.

So cool, we talked about all the fun stuff. Now...
We have to go to this stuff: recommendations. So I'm not really going to talk about, you know, how the specific vendor can fix these issues. I'll just talk about how you, as apartment management for example, can kind of remediate some of the issues.

So some of the obvious ones: always change the default password. Don't use 123456; use something different. I would love to say use a more complex password, but that just doesn't exist for these devices.

One other thing... it's really fighting back, I tell you. I'm a new drinker and I can't burp for some reason. So okay, change physical locks. The master key here works, so change the lock. You have the ability to change it. I see a screwdriver there, so I imagine you can remove it and put a new core in there. So change that lock. You don't want the apartment manager next door having the same access to your apartment as he does to his apartment, or her apartment. So change locks.

Another thing you can do to fix, you know, kind of remediate these remote attacks is use a direct serial connection instead of having this on the network. If you had a direct serial connection, these vulnerabilities aren't fixed, but you're at least not exposed on a TCP/IP network. So doing that, you know, would just make it a little harder, or pretty a lot harder, for an attacker to attack these controllers.

If you do network these devices, utilize authentication. These COM port redirectors, the serial-to-TCP devices, do allow for authentication. No one ever uses it. It's not pretty intuitive to use, but learn how to use it and utilize that authentication so that not just anyone can connect to the IP address of the device. And another thing is, of course, resist the urge to connect this to the internet. Like, don't have it online. Just don't forward the port. And, you know, just like anything, keep it off the internet unless it really needs to be.

So, final thoughts. So I didn't write this talk to, you know, crap all over one vendor.
I just... you know, this is the one I had the time and money to invest research in. But I just wanted to open the door and open people's eyes to the fact that if all these issues exist on one vendor, they most likely exist on other vendors. So just because you have a Sentex or a Chamberlain doesn't mean you're secure. You could have the exact same issues, maybe just in different ways. So, you know, be cautious out there.

Hopefully I'll do some more research on this. So I do plan on doing more research on this device and more research on others, whenever I can, you know, get my hands on those things. So that's ongoing.

The tool: so these are prototype tools, or more work is needed. You can tell one has already failed. But the tool is already uploaded. It is located on GitHub. It's open source; whatever license, I'll put some open source Creative Commons, whatever license, on it. And it's called Access Control Attack Tool. I do intend on furthering it to do a lot more with this and a lot more with other controllers as well. So feel free to mess with it, feel free to download it. I need to completely overhaul it to make it more idiomatic, right? So if you guys want to help me with that, that'll be great. So it's, you know, it's up there already. I do want to work on an Nmap script to do what my Python script does: I want it to detect the device on the network, and that'll be great for actual red team assessments if, you know, the client is using any of these. Maybe even a Metasploit module too, if you guys want.

And last but not least, the slides are on SlideShare, so you can download the full version of these slides. They're available. I don't think you'll have to download it from SlideShare to view the videos, but it's all there.
So that's all I have. Any questions?

In the physical location? So you mean you see it, right? Okay, so most of the time, unless they're configured properly, you won't be able to tell where it is. Now, if people, you know, upload "hey, this device is named this" into the firmware, then you might be able to find it that way. But that's sometimes not the case. Another thing you can do is: these COM port redirectors, there's a specific UDP packet that you could send to it, and what that'll do is, if you can see this device somewhere, if you send it that UDP packet, it'll actually beep so you can locate it. So you can always... I didn't want to talk about it because I don't want to spend too much time, but that's one way you can find it. Other than that you're pretty much screwed from there.

So I have... okay, yes, one more question, because I have only one minute; then you can talk to me later. So... oh, RTFM: read the freaking manual. I was hooking up a little test light, a little red light, to this and I didn't read the manual. So I found out that the relay was rated for 30 volts, not 120. So that happens.

So anyways, that's all I got. I'm out of time. Any questions, you can hit me up on Twitter at any time, email me, or find me right here at DEF CON. Thank you. Thank you very much.
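A defender-side check built on the enumeration details given in the talk (UDP discovery broadcasts to port 55954, and the COM port redirector listening on TCP port 4660) and on its "don't put it on the internet" recommendation. This is an added example, not the speaker's ACAT tool or any vendor code: it runs a small detection pass over a flow log and flags discovery broadcasts from hosts that are not the management workstation, redirector sessions from non-management hosts, and redirector sessions from outside the internal network. The log format, the sample lines, the management-host allow-list and the internal subnet are constructed assumptions that a site would replace with its own.

```python
"""Detection pass over a flow log for the enumeration patterns described in
the talk: UDP discovery broadcasts to port 55954 and TCP sessions to the
COM port redirector on port 4660.

Added example; it is not the speaker's ACAT tool or any vendor code. The
flow-log format, the sample lines, the management-host allow-list and the
internal subnet are constructed assumptions a site would replace with its own.
"""
import ipaddress
from dataclasses import dataclass
from typing import List

REDIRECTOR_TCP_PORT = 4660    # default COM port redirector port named in the talk
DISCOVERY_UDP_PORT = 55954    # UDP port the controller answers discovery broadcasts on

# Hypothetical site policy (assumption): only the management workstation
# may talk to the redirector, and everything in 10.0.0.0/8 is "internal".
MANAGEMENT_HOSTS = {"10.0.5.10"}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed flow log: timestamp proto src_ip src_port dst_ip dst_port.
# 203.0.113.9 is a documentation address standing in for an internet host.
SAMPLE_FLOWS = """\
2015-08-07T10:00:01 UDP 10.0.5.10 49152 10.0.5.255 55954
2015-08-07T10:00:05 TCP 10.0.5.10 50001 10.0.5.42 4660
2015-08-07T10:02:13 UDP 10.0.7.33 40000 255.255.255.255 55954
2015-08-07T10:02:14 TCP 10.0.7.33 40001 10.0.5.42 4660
2015-08-07T10:05:00 TCP 203.0.113.9 33333 10.0.5.42 4660
2015-08-07T10:06:00 TCP 10.0.7.33 40002 10.0.5.42 443
"""


@dataclass
class Alert:
    severity: str
    src: str
    dst: str
    reason: str


def is_internal(ip: str) -> bool:
    """True if the address falls inside one of the site's internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flow(line: str):
    """Split one constructed flow-log line into typed fields."""
    ts, proto, src, sport, dst, dport = line.split()
    return ts, proto.upper(), src, int(sport), dst, int(dport)


def analyze(log_text: str) -> List[Alert]:
    """Return one Alert per flow that matches an enumeration or exposure pattern."""
    alerts: List[Alert] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, proto, src, _sport, dst, dport = parse_flow(line)
        if proto == "UDP" and dport == DISCOVERY_UDP_PORT:
            # The discovery broadcast is expected only from management hosts.
            if src not in MANAGEMENT_HOSTS:
                alerts.append(Alert("medium", src, dst,
                                    "controller discovery broadcast from non-management host"))
        elif proto == "TCP" and dport == REDIRECTOR_TCP_PORT:
            if not is_internal(src):
                # The talk's "keep it off the internet" recommendation, as a check.
                alerts.append(Alert("high", src, dst,
                                    "COM port redirector reached from outside the internal network"))
            elif src not in MANAGEMENT_HOSTS:
                alerts.append(Alert("high", src, dst,
                                    "COM port redirector session from non-management host"))
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_FLOWS):
        print(f"[{a.severity}] {a.src} -> {a.dst}: {a.reason}")
```

On the constructed sample the first two lines (the management workstation discovering and then talking to the controller) produce nothing, while the three flows from 10.0.7.33 and 203.0.113.9 each produce an alert; the HTTPS flow on port 443 is ignored. The internal-range list is what makes the "reached from outside" check deterministic; it is deliberately not derived from the address itself, since a site's notion of "internal" is policy, not a property of the IP.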