Okay, everyone. Thank you for coming. Welcome. Uh, I'm calling this talk Ghosting the PACS-man: basics of physical access control and, uh, physical access control systems and beyond. This is a very fast and abridged but hopefully fun, comprehensive crash course, uh, into physical access control systems. This is not only going to talk about RFID. A lot of people like to focus on RFID, and that's just the very tip of the access control iceberg. And so we're going to be jumping around a lot. We're going to be talking about a lot of different things. I hope that it all makes sense. Uh, this is normally content that it takes me two days, two eight-hour days, to train folks on. Uh, I just spent the last few hours collapsing it all into 80 minutes or less. So fingers crossed. If there's any questions, uh, there will be time at the end. If not with me in front of the microphone, certainly with me standing right over there behind the table, so there won't be a problem. So without further ado, let's get started. Who am I? My name is Babak Javadi. I'm a lock picker, hardware hacker and covert entry instructor. I have been teaching methods of covert entry for over ten years. I'm the co-founder of The Open Organisation Of Lockpickers, otherwise known as TOOOL. Who knows about TOOOL? Yeah, that's right. It's pretty awesome, right? It's amazing to me how much that organization has grown over the years, and I continue to be, uh, thoroughly impressed by all of the people who, uh, continue to be so passionate about it. Uh, served as the director there for, uh, oh, for about 13 years and, uh, finally decided it was time to let other people dump in their passion in the project so I have some room for some other things. I'm also founder and director of research for The CORE Group. Uh, that is my consultancy. We specialize in penetration testing, reverse engineering and research, just like about every other company here. So not very exciting. Also co-founder of the Red Team Alliance.
We specialize in physical security training and certifications, and that's all I'll say about that. So let's jump right into it. Who has used an electronic door lock? Yes, that's right. When most people think of electronic door locks, this is what they think of. Let's see if... that's so easy. Yeah, that's one of the main reasons why we use access control, right? It's easy for everyone. It's easy for the user. You get to pull out your card, you just wave it, some magic happens and the door is open. It's great. From the administrative side, it's also pretty easy, right? If someone says, oh no, I lost my card, no problem. Credential revoked. Someone decides they want to do something against company policy. They get terminated. Credential revoked. Very, very easy, right? Uh, you want to do time-of-day access. You want to only let someone in during, you know, the hours of eight and five? No problem. Just punch that into the access control system. It's all taken care of. Very, very easy. But ultimately, anything electronic, there's some feedback, isn't there? Is that bothering anyone else? I want to make sure y'all are comfortable. Yeah? All right. I have to pick the right distance somewhere between like here, deeper. I got to eat the ice cream. Like, is this... all right, we're going to do our best. So anytime you have something electronic meeting physical, there has to be an interconnect, right? Where the electronic world meets the physical world, there has to be an interface of some kind. And when it comes to modern access control, that comes in usually one of three different ways. So first you have this. What is this? What are we looking at in these photos? Can anyone tell me? Electrified strike. That is correct. So this would take the place of the existing strike plate. And, uh, it's a little solenoid in there.
Whenever you apply a voltage to it, it allows the little strike thing to swivel out of the way and you can just pull the door open without even turning the handle. What's this? Mag lock. Yes, magnetic lock. Two-piece construction. You have an electromagnet in the giant boxy thing on the right. You have a steel plate in the boxy thing on the left. And when you apply power, they stick together really, really, really well. That's also very, very popular. Third kind is an electrified lock set. Uh, this is an example of an electrified lock set. So this does not use an electrified strike or a magnetic lock plate, but rather it has a solenoid hidden inside of the lock. And, uh, I used to have a photo of this, of a different lock. This was the official manufacturer's photo. Does this photo bother anyone else? No? Like, what bothers you about this photo, sir? What's that? Well, there's a lock. Okay. Yeah. No. Uh, red and black wires really, in general, should never be designed to, like, go right into each other. That just seems like bad design, but that is the official manufacturer's photo. But regardless of all of those things, in all of these cases, what's happening is you have a source of power, whether that be a transformer, AC or otherwise, and a backup battery perhaps if the crap has really hit the HVAC system, so to speak. And, uh, these are powering these, uh, secure, uh, entry and exit devices, whether they be maglocks or electrified strikes. The simplest form can sometimes be seen in your friendly neighborhood cheap discount jewelry store. If you have ever walked up to a store where the door is locked and you have to, like, knock on the glass or press a doorbell and someone, like, presses another button underneath the counter, that's not the access control that we're talking about today. What we're talking about is something a little bit more common in enterprise.
So this is a better example of what we're talking about in terms of physical access control systems today. What we're looking at is a door controller. What is a door controller, you may ask? A door controller is a fancy term for an embedded Linux device with some relays on it. That's about it. So this door controller is actually what's in charge of all the logic that takes place in an access control system. Every time you use the door, every time you open a door, every time you close a door, every time you present a card to the reader, there is a signal or a series of signals of some kind that is monitored by the door controller, and that's making decisions. The most common type of input into a door controller is what? Credentials, of course. So I'm going to go ahead, in parts of this talk, I'm going to insult your intelligence a little bit, not literally, but I like to use analogies. I like to use analogies because it demystifies how opaque some of this technology is. I want to really break it down into the simple, simple building blocks. So if this seems overly simplistic, I hope that you're not too bothered by it, but I do know that for a lot of folks, it helps kind of drive the point home. So we are going to, and I'm going to have trouble with this word, anthro... Someone help me out here. What these groups of people here just said, we're going to do that to the access control system. And here are our players. We have our RFID credential in the lower left there, his name is Alberto. And then we have our RFID reader as a security guard. That executive manager person over there, that's the door controller panel, and then of course our electrified strike is played by the door hardware. Pretty straightforward. So basic idea: the card reader is always going to be interrogating the credential, whatever that credential is. It's going to be saying, hi, who are you? Over and over and over again. The credential is going to identify itself.
It's going to supply a means of identification to the card reader. The card reader is going to interpret that response, convert it and sanitize it into a format that the door controller can understand, and send that information to the door controller. The door controller receives that response, processes some logic. It says, hey, I know who that person is. I know that card number. I'm going to go ahead and let that person in, and I'm going to fire the electrified strike and that's going to let them in. Pretty straightforward, right? That's the whole system in a nutshell. So credentials are one type of input that goes into an access control system. Of course, credentials, we're going to talk about them a little bit more in depth in a moment. They come in a couple of different formats. They can be something you have, something you know, or in the case of biometric systems, something you are, such as fingerprint, iris, facial, all that stuff. These are all different forms of inputs that go into the door controller. There is another really common type of input. We're going to get that out of the way first. It's this. Who can tell me what this is? This is a REX, otherwise known as a request-to-exit sensor. This is the most common use of this type of sensor. It is basically a fancy name for a motion sensor. And that also gets tied into the door controller. And there's a couple of different ways that a REX can be set up. The most common way, show of hands, whoever walked through a secure door, and as you approach the door, the door unlocks. Yep. So that's using a request-to-exit sensor. Here's the basic concept behind it. Here's a request-to-exit sensor right over here. So our credential, or user rather, comes along. The sensor says, hey, I see some motion. Someone's probably trying to leave. Let the door controller know. Door controller says, hey, there's motion on the secured side of the door. We're going to go ahead and let them out.
Fire the electric strike. They can exit. Easy peasy. Now here's the thing. This guy doesn't have a great vision plan. He can't see very well. So as a result, you can kind of trick him sometimes. And a lot of folks have probably seen this, but I want to show it to those who haven't, just again to drive the point home. Here's a couple of examples of how you can do that and how you can mess with that. So what did we just see happen? We were standing on the secured side of the door and our friendly neighborhood Dr. Tran himself used not a credential. What did he use instead to enter? Can of air. That's right. So he's turning that upside down, spraying it through the gap in the door. And magically the door opens. Here's another example. Research lab in Philly. I'm showing my colleague how this works and trying to teach him, building owner's standing behind us. And initially he's using it wrong. And so I have to correct him a little bit. And notice we're not interacting with the card reader on the right at all. We're just interacting with the gap in between to get into that particular lab. And he's going to go ahead and spray that, turn that upside down. And the door is open. Well, why does that work? That's really dumb. Like, this shouldn't be a thing, right? And it works, and it works all the time. You can do this in a couple of different ways and we're not going to go in depth into all of them. But basically the most common type of the sensor is called a PIR sensor. Anyone know what PIR stands for? Yes. That's right. Passive infrared. Infrared is really good at detecting a change in what? Heat. Right. So heat is a 2D heat map, right? So they're very good at detecting change in heat. Now the problem with that is if you folks in the audience have the sensor and I take one step back or one step forward, does that 2D heat map that you can see change in an appreciable way? No, not really. I got to do this, right?
So as a result, in order to prevent users from running smack into the door, they have to turn the sensitivity up really, really high so people can get in really, really easily, right? Because you don't want angry users. So as a result, they're very, very easy to manipulate. There's another type of sensor we're not going to get into really much. It's called RCR, range-controlled radar, also known as microwave. That detects change in distance. It's very good in this forward and backward direction. Not quite as good side to side. And so these RCR sensors are usually dual-technology sensors that incorporate both infrared and microwave. And you have to activate both in order for it to fire, usually. You'll see these all over the place. They'll be mounted above door frames, on the side of door frames. Sometimes you'll see them, like, in really, really high-up places. Like, take a look at where the sensor is here. It's all the way up top in this corner. And because you have this huge wide hallway, we don't actually have to be very close to it in order to trigger it. Now, you don't have to use canned air. Here's our colleague, Dave Kennedy. And what he's going to do is he's just going to use his fancy physical security compromise tool in his hand. What is that? Yeah, it's a vape. Pretty straightforward. And it's our favorite door. And he's just going to blow right through. It's not going to work the first time. So he's going to give it another shot. And on the second draw, that vape was just hot enough and warm enough to go ahead and activate that door. And we're in. Of course, if you don't vape, maybe you like whiskey, right? Here's my business partner, Deviant, out on a night on the town. And he's looking at this ATM lobby. And he's like, I don't feel like using my card. I'm just going to go ahead and do that. And the door will pop open.
And again, you can use a lot of different varieties of substances to do this, but this is just one type of input in an access control system. So there's a couple of things that we need to consider when looking at an access control system. We have our credentials, and they can come in a variety of different formats. We're going to talk about that. We have our readers. They can also come in a variety of different architectures and formats. We'll talk about that as well. We have our door hardware, whether they be maglock or electrified strike. We have our motion sensors and door contacts. We will talk about door contacts in a bit. We have our door controller, which all this is connected to, that makes the logical decision. And of course, we have our administrative software; that door controller has to know which users are allowed to get in and which users are not. All of this is one happy family, right? Kind of. So each one of these links speaks a different language, and that creates some really fun security situations, as we will find out. So when most people talk about RFID, what they're actually talking about is only that first link, right? When most people think of RFID, they're actually thinking of the whole system, right? They're like, oh, that whole thing is RFID. No. False. Only that very first link is RFID. Like I said, RFID is the very tip of the access control iceberg. So whether you have Prox, MIFARE, iCLASS, magstripe, whosawhatsit, biometric, doesn't matter. It's still all only talking about that first link. So let's talk about that first link. Let's learn a little bit of history of access control. Who's heard of Wiegand? Yeah. Who knew Wiegand was a person? Ah, a couple people. Impressive. So let's learn about John Richard Wiegand, a very badass OG German hacker born in 1912, immigrated to the U.S. to study choral conducting at Juilliard, right? Huge music nerd. And while he was there, you know, in order to reproduce music, he had to use what?
Speakers, right? So he became really interested in audio amplifiers and through that, electromagnetics. And he went through a couple of different really interesting jobs. He for a while made tape recorders for the U.S. government and stuff like that. And eventually, he became so interested in electromagnetics that he made some really interesting discoveries. He came up with something called Wiegand wire. Originally patented 1974. Very old technology. You can look up the patents yourself. It's really, really cool stuff. To put it bluntly, it is a little piece of wire with a soft inner core and a hard outer shell. Now, that may not make any sense. You might be thinking, Babak, metal is hard. What are you talking about? Soft metal. That doesn't make any sense. Well, what we're talking about is relatively speaking, right? So if you ever take a paperclip and you bend it back and forth, what happens to the material right before it breaks? Yeah, work hardening. It gets brittle, right? Its characteristics, its physical characteristics change. And you can twist wire and you can do interesting things to it, such that the outer shell, the outer layers of the wire, become more hard and more brittle than the inner layers. And when you do that to certain iron alloys, really interesting things happen. We don't have to get into the science really, really deeply. However, Wiegand wire is literally pieces of wire embedded in a plastic card, drum or encoder of some kind that passes by two permanent magnets with a sense coil in between. And as it passes in between, some really cool stuff happens inside the wire. Basically, the outer core, the outer surface of the wire, magnetizes first, then the inner core magnetizes. And as you pass the wire past the second magnet, the inner polarity, the magnetic polarity of the inner core, flips, and that flip is actually detected as an electromagnetic pulse by the sense coil. And that's actually how original systems worked.
This is an example of an original Wiegand card, okay? So the original access control cards, when modern access control was first invented, were not proximity. They were swipe cards, not mag stripe. We'll talk about that in a moment. And they literally had two rows of wires. The wires physically represented the zero bits and the one bits. So as you slid this card through the reader, they would pass over two different read heads and those wires would physically produce little blips on the line, right? So here we have 26 wires in the card, and as you slide that through the reader, there's a data zero and data one line. It's a five-volt signaling protocol, and every time a little wire passes by the sensor, one of those signal lines is shorted to ground for a very short amount of time and a signal is sent down the wire representing zero or one. This became very, very, very popular. So it was invented in '74. By the '80s it was considered leading edge, best of the best. And by the mid '90s this thing was everywhere. It was widespread. Everyone was using it. I mean everyone. To such an extent that by 1996, SIA, the Security Industry Association, adopted it as the official standard communication protocol for card readers and door controllers, and everyone began to use it to make things backwards compatible. So I want to show you an example of what Wiegand wire looks like, because it's not something you get to see very, very often. And we're going to place this here and let's see if we can get our camera working. We'll do, there we are, we'll do this and we will flip over to duplicate mode. All right. So what we have here is just a neat little demo tool that we've created. All right, this is an original Wiegand swipe card reader, and we have a Wiegand card.
Now for those of you that can't see, you'll notice that as I tilt it, you can actually see physically something embedded in the card, and what I'm going to do is I'm actually going to shine a flashlight through the bottom. You'll actually be able to see the physical zero bits and one bits. So you can actually see, as we move the flashlight, there's literally wires embedded in the card, and that's actually what's going to be detected by the reader as I swipe this through. So we're going to go ahead and try that. And that's it. And so this screen here is a little decoder. It's going to take those little blips of Wiegand data and it's going to try to decode it in a number of different human-readable formats. Now here's what's interesting. We're going to talk about this a little bit later in the presentation. Notice how there's 36 bits, but there's a number of different ways to decode them. There are different facility codes and card numbers, and these are all just different ways of decoding the same physical data. So in a little bit we're going to talk about bit formats and how it's kind of a nightmare when it comes to access control. And that's a very important thing to understand about Wiegand cards. So we'll go ahead and minimize that. And let's talk about another old technology, because context is really, really important. You might be thinking, man, we're in Wireless Village. Why are we talking about Wiegand? Because you got to know where you came from before you know where you're going, right? So let's take a look at a magnetic stripe card. One of these guys here, right? So we'll again switch back to our camera. Here's our mag stripe card. We'll go ahead and pop that into focus, increase our exposure so we can actually see what we're doing. All right. So, mag stripe, I like to think of it as a fancy barcode. Not literally, it's not quite the same encoding, but it is close. What I'm going to use is pretty cool stuff. It's really, really basic, actually.
This is magnetic developer, which is just a fancy way of saying really fast-evaporating solvent with really, really tiny particles of iron in it. And I'm going to drip this on the card, and you're going to again see the physical representation of that credential data encoded on the card. That is not my favorite example, but you can actually see on the left-hand side especially, you can see where that strip has been magnetized and where those iron particles are sticking. Again, these are all just different ways of physically encoding logical data, right? So, if you have a card number, say 1, 2, 3, 4, 5, 6, there are different ways that you can encode it, right? We can use Wiegand wire, we can use mag stripe, we could use a barcode, we could use a QR code, we could use a keypad. These are all just different ways of physically, oh man, sorry guys, these are all different ways of physically encoding the same data. And this is what we need to keep in mind when we talk about RFID and access control is, let's go back here, there we go. These are all just different ways of saving different types of data on a physical card. How many different ways are there to save data? A lot. This is a really, really awesome website that one of the Proxmark developers created, cardinfo.barkweb.com.au. And just to show you what it looks like briefly, I wonder if I can zoom in, let's see. There we go. So this is just 70, and this is not all-inclusive, this is just 70 different card formats. These are Wiegand bit formats. And if you look, there's a lot of these that are the same number of bits long, and they all represent different ways of encoding the same data, right? So for example, I just clicked on a random one, this is ATS Wiegand 32-bit. This is 32 bits of data, and they're saying when used with an ATS system, we're gonna use the first 12 bits as the site code or facility code, and then we have a card number, and then we have some parity bits as well.
And again, we are not going to be dealing with that a whole lot, but what's important to understand is these are the physical bits that are encoded on the card, and the card number is just how that particular vendor decides to decode that Wiegand information into something human-readable, right? Because a sysadmin or physical security person, they're not gonna be sitting there typing in 47, 50, however many ones and zeros for each user to encode their credential, right? They want to just encode card number 4256 or card, you know, 555137 and they want to be done with it. So these are just different ways of representing that raw data as something that we can more easily and colloquially understand as we use our access control system. So let's take a look at a modern credential, right? So that system became really, really popular, and they said, hey, this Wiegand stuff is awesome, but we have something new for you, right? So we've got this new awesome card reader, it's a prox reader, it's a whatever reader, and the best part about all this is you don't have to rip and replace your existing system. You can take it and it's backwards compatible. You can keep your same door controller, and all you have to do is replace your card readers and your cards and it just works. Isn't that wonderful? Yeah, it isn't, right? Saves you a lot of money, but it means that even today in 2019 we're still using a communication standard developed in 1974 for transporting credential data. How awesome does that sound? Yeah, really great. So let's see how things changed over time. So again, we're still just dealing with card numbers, we're still just dealing with different ways of physically encoding that credential data. Let's look inside of an RFID tag, right? What's inside of an RFID card? It's literally a chip and an antenna, and we are going to zoom in and focus here. All right.
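To make the bit-format point above concrete, here is an added example (not from the talk, the cardinfo site, or any vendor) that turns a D0/D1 pulse sequence into a bit string and then decodes the same 26 bits under the standard HID H10301 layout and under a constructed, hypothetical 12-bit/12-bit layout with the same parity scheme. The pulse capture, the sample card values and the second layout are assumptions made for the demo.

```python
"""Wiegand pulse stream -> bits -> several competing bit-format interpretations."""
from dataclasses import dataclass
from typing import Dict, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Field:
    name: str
    start: int    # index of the first bit, 0-based, in the order sent on the wire
    length: int


@dataclass(frozen=True)
class Parity:
    position: int  # index of the bit that carries the parity
    start: int     # first bit covered by the check
    length: int    # number of bits covered
    even: bool     # True for even parity, False for odd


@dataclass(frozen=True)
class BitFormat:
    name: str
    length: int
    fields: Tuple[Field, ...]
    parities: Tuple[Parity, ...]


# Standard HID 26-bit (H10301): even parity over bits 1-12, 8-bit facility
# code, 16-bit card number, odd parity over bits 13-24.
H10301 = BitFormat(
    "HID H10301 26-bit", 26,
    (Field("facility_code", 1, 8), Field("card_number", 9, 16)),
    (Parity(0, 1, 12, True), Parity(25, 13, 12, False)),
)

# Hypothetical (constructed for this demo) 26-bit layout: same parity scheme,
# but a 12-bit site code and a 12-bit card number. It stands in for the many
# vendor formats that reuse one bit length with different field boundaries.
ALT26 = BitFormat(
    "Hypothetical 12/12 26-bit", 26,
    (Field("site_code", 1, 12), Field("card_number", 13, 12)),
    (Parity(0, 1, 12, True), Parity(25, 13, 12, False)),
)

FORMATS = (H10301, ALT26)


def pulses_to_bits(pulses: Sequence[str]) -> str:
    """A brief low pulse on D0 is a 0 bit, on D1 a 1 bit, in arrival order."""
    table = {"D0": "0", "D1": "1"}
    try:
        return "".join(table[p] for p in pulses)
    except KeyError as exc:
        raise ValueError(f"unexpected line name {exc}") from None


def parity_bit(bits: str, p: Parity) -> str:
    """Value the parity bit must hold for the covered range under p's rule."""
    ones = bits[p.start:p.start + p.length].count("1")
    return str(ones % 2) if p.even else str((ones + 1) % 2)


def decode(bits: str, fmt: BitFormat) -> Optional[Dict[str, int]]:
    """Field values if the bit count and every parity check match, else None."""
    if len(bits) != fmt.length or set(bits) - {"0", "1"}:
        return None
    for p in fmt.parities:
        if bits[p.position] != parity_bit(bits, p):
            return None
    return {f.name: int(bits[f.start:f.start + f.length], 2) for f in fmt.fields}


def decode_all(bits: str) -> Dict[str, Dict[str, int]]:
    """Every known format that accepts these bits, keyed by format name."""
    return {fmt.name: r for fmt in FORMATS if (r := decode(bits, fmt)) is not None}


def encode(fmt: BitFormat, values: Dict[str, int]) -> str:
    """Wire-order bit string for fmt; parity bits are filled in last."""
    bits = ["0"] * fmt.length
    for f in fmt.fields:
        v = values[f.name]
        if not 0 <= v < (1 << f.length):
            raise ValueError(f"{f.name}={v} does not fit in {f.length} bits")
        bits[f.start:f.start + f.length] = format(v, f"0{f.length}b")
    data = "".join(bits)            # parity positions lie outside covered ranges
    for p in fmt.parities:
        bits[p.position] = parity_bit(data, p)
    return "".join(bits)


# Constructed sample card: facility code 42, card number 40000, enrolled as H10301.
SAMPLE_CARD = {"facility_code": 42, "card_number": 40000}
SAMPLE_WIRE = encode(H10301, SAMPLE_CARD)
# Constructed pulse capture: which line pulsed, in order, for that card.
SAMPLE_PULSES = ["D1" if b == "1" else "D0" for b in SAMPLE_WIRE]

if __name__ == "__main__":
    bits = pulses_to_bits(SAMPLE_PULSES)
    print(bits)
    for name, fields in decode_all(bits).items():
        print(f"{name}: {fields}")
```

One physical bit string yields facility code 42 / card 40000 under H10301 but site code 681 / card 3136 under the second layout, which is why an enrolment or log entry is meaningless without knowing the format the panel was told to apply.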
So here we are, these are two different credentials actually physically placed into the same piece of plastic. So we have a low frequency, uh, traditional Prox credential, that is actually the thicker antenna in the middle, and then we have a high frequency, uh, 13.56 megahertz credential. It happens to be iCLASS. That's actually the thinner antenna around the outside. Generally speaking, you're going to find that low frequency readers and cards are going to use more turns, more loops of wire, and the higher frequency uses a shorter piece of wire, so fewer turns of wire. So one of the easiest ways to tell if something is low frequency or high frequency is literally just to shine a flashlight through it and see if the antenna looks like it's low frequency or high frequency without even having to connect it to your Proxmark or anything like that. So when we talk about Prox, as I mentioned, we're talking about, uh, credential-to-reader communication. So there's different types of credential readers. They represent different types of technologies. Here in North America we have a couple of really, really popular low frequency and high frequency credentials. On the low frequency side we have Prox and Indala, uh, ioProx, EM and AWID. Those are less popular but they are still here in North America, and Europe, they have a lot of other credentials that they like to use. On the high frequency side we have some other, uh, common brand names, HID iCLASS and NXP MIFARE and stuff like that. And we already talked about this, right? What's happening here? Well, when we talk about cloning a credential, what we're doing is we basically learn the language that the card and the card reader are speaking. And so what we do is we pretend to be a card reader, right? So we go and we talk to the credential and we say the same thing that the card reader says, and say hi, who are you? The credential identifies itself and now we have that information.
And as long as we can produce it in the same way and reproduce that signal for the reader on demand, then the reader has no way to discriminate between an original and a clone, right? So we approach the reader, we present our credential, we can say the same thing. It's kind of like a replay attack, basically, right? That's what a clone is. A clone is a delayed replay attack, and everything works as you would expect it to. The most common type of tool that we use today to do this is the Proxmark 3. That's not this. This is the original Proxmark. It's gone through a couple of iterations, originally designed by a student named Jonathan Westhues back in 2006. Really 2004, and then he kept developing it. Made the Proxmark 2, made the Proxmark 3, open sourced it, and then people had this wonderful contraption to drag around with them. Here's mine with the hand-wound antenna that I had to make to make it work, and then eventually it was remixed a couple of different ways. If anyone saw Iceman's talk yesterday morning, he actually went really in depth into all the different hardware versions that have been out there, but we have the Proxmark 2 and they had some really good antennas, then there was the Proxmark 3 RDV3. Then now we have the current, in my opinion best, iteration, which is the Proxmark 3 RDV4. This is the same base hardware remixed to be more stable, more efficient in its use of physical space, so it's very compact. The antennas are really beautifully built into it and it's really just a delightful, wonderful package. So that was developed, code developed by Iceman and Proxgrind of the RFID Research Group. You can buy them at Hacker Warehouse. They're really awesome. So yes, you can use a Proxmark like this. You can use it in simulate mode. Here's one of my original Proxmark 3's, way back in the day, and I can do that and that's really, really great, but that's not very practical, is it?
So let's take a look at an example of what cloning a low frequency credential looks like, just so folks can see what I'm talking about. So what we have here is we're going to connect our Proxmark 3. We have some credentials, once I find the little plastic bag where the credentials are. Let's see. Here we are. All right, so we have our credential, and just to show you folks what we have here, this is a simulated access control system very similar to that more beautiful and larger one that you see in the case over there. So we have two card readers. We have a real, live, genuine door controller making all of our decisions with some credentials cached and programmed into it, and of course what demo is complete without very pretty, pretty lights, right? So we have those two. I mean, it looks pretty good, right? It's not bad. So let's take a look, and we have our Proxmark 3. We have our credential, right? We have our baggage handler that we're going to target, and at the moment this credential will go ahead and open that door. If you want to make a door controller go, or door rather, and card reader go green, you too can do that. We're running a CTF right now where you too can try your hand at cloning some credentials and seeing how many points you can accrue. So we have our Proxmark 3. We have our credential, but that's not enough. We also need to run our client. So I'm going to very awkwardly try to do that while using this microphone. All right, and if I don't move it will work. So we have our Proxmark 3 client. This talk is not about how to use Proxmark 3, so we're going to go pretty quick. I'm going to use a command called lf search, and actually I'll make it a little bit easier for you folks to see what I'm doing. I'm going to go ahead and bump that font size up to twenty, and hopefully that will be less awful. Is that less awful? Yeah, okay, I'm seeing some nodding, that's good.
So we'll do LFsearch and oh my goodness we found a Prox tag yay and what we can do is we can just go ahead and grab that raw data and we can use a different command called LF sim sorry LF HID sim and that and in theory if all went well there we go green but that's not it's really easy trust me like I know you want to clap because that's like the polite thing to do but I'm sitting up here going no don't clap for that but thank you so let's talk about something a little bit more practical than that let's see here oh that is the wrong presentation you will see that at the end if we have time we'll go back here and we'll jump back so we saw how we can clone a credential just by simulating it and there are a lot of different credentials out there we have Prox by HID sometimes their cards are labeled really really obviously sometimes less so their readers are really really easy to recognize if they're original readers although there are a lot of third parties that also make readers there is another brand that they sell called andala those are different credentials different ways of encoding that same card number data and of course their readers also look different they look very cool in my opinion they have that fun little four lights and what's really important in my opinion and this is something I go more in depth when I have more time usually what's important to understand about these different readers is being able to identify them in advance allows you to tell what tools you need to bring with you if you're on an engagement you need to do your proper recon on your target you know here's cantek taiko ioprox they have different tags different readers they all have a certain visual aesthetic that works really well there's other tags em they make them in a couple different formats they make a couple different readers again we're not going to deep dive into all this stuff because this is just a light overview of some of the different components of the system so you can 
see how it all works as a whole. We have AWID, Applied Wireless ID. They make their own special tags, they make their own special readers. But all of these things, these are just different ways of encoding the same data.

So when we talk about cloning, you know, it's not really practical to hang a Proxmark 3 off of your badge holder. That's not really going to make you blend in very well, is it? So instead we want to have a legit looking badge, and since we can't just take our badge, stick it in a copy machine and call it good, we're going to use the Proxmark 3 and we're going to use another type of credential called the Atmel T5577. This was not a chip that was originally designed for pen testers. This was originally designed for OEMs that were tired of making their own chips. They said, hey, instead of making your own silicon you can buy our chip. You can make it emulate almost any credential you want. You know, you can change the frequency, you can change the data rates and the modulation. We don't have to worry about all that stuff because it's built into the Proxmark, and the Proxmark allows you to use that same T5577 to recreate almost any low frequency credential, regardless of whether or not it's Prox or Indala or ioProx or EM or AWID. It's really, really cool. We're not going to go super deep into the cloning, other than I'll just show you really quick how that works. Actually, I don't have any T5577s in front of me, so for the sake of time I'll actually do it with this same credential, which is not as exciting, I realize, because this is actually a T5577. So what I'll do is I will copy this, which is our original enrolled credential, and I will wipe the card first, and we'll make sure it's wiped by doing search. There's no known tags, so it does nothing. Oh no, we broke our credential. Never fear, Proxmark is here: lf hid clone. And to check our work we'll go ahead and do lf search. That says it's working, and that is basically how you would make a clone, and you can do that with almost any
low frequency credential, because these are all different ways, yes, thank you, these are all different ways of encoding different types of data, different types of signals, but it's still following the same physical communication medium, right? So we're able to emulate different types of cards, as long as they're all low frequency, with this particular card. And that is really, really cool, because you can actually get this in a couple different formats. They even make stickers and implantables, so you too can embed a T5577 in your hand if you want, and now you'll never forget your apartment key again. You can just wave your hand in front of the door and the door will open for you. They make them for MIFARE cards as well, so if you want to open your hotel room with your hand, you can do that as well.

Now, in the field we're not using a Proxmark. Proxmarks only work for very short distances. In the field what we do is we take a reader and we weaponize it. Doesn't that sound great? Doesn't that sound hackery and cool? Well, it's actually very, very simple. Readers, remember, they take power and they take credentials and they spit out zeros and ones. That's it. It's not a bi-directional system; it's very, very simple. So that reader, once it gets that credential information, it's just sending that down the wire to the door controller. So when we talk about long range readers or weaponized readers, all we're doing is we're really just taking a long range reader that is used, say, for parking lots, for garages, any application where you don't want the user to have to get within two inches of the reader, and you install like an Arduino or a Raspberry Pi or something just to record those ones and zeros. That's basically it. It's not a very complicated system, but it allows you to get very reliable longer range reads out of the device. I have to apologize, I realize I'm going pretty fast, but I am worried about getting everything done in time, so if you have questions, please forgive me, I'll do my best to
answer them at the end of the talk. If you watch TV you might have seen a show called Mr. Robot. Who's seen Mr. Robot? Yeah. They use a long range reader in the show. It's actually fairly accurate how they do it, although it's a little bit dramatized; they go a little bit over the top, right? So here we are. There we go, we won't make it quite so loud. Here's a scene that a lot of you folks might remember. They have their long range reader, and you know, he's getting himself psyched up, he's prepping, and he does something that in my opinion is unnecessary. It attracts undue attention to yourself, but it drives the point home for the non-hacker folks out there, right? He kind of bumps into the guy physically and is able to read that credential. Of course, in real life you don't have to do that. You don't have to get that close, you don't have to physically almost assault someone to get that credential information. And it's very easy to get credentials, because credentials are usually very, very, you know, obvious, right? People are hanging them off their hip. You see them in trains, you see them when people are standing in line, very easy to get to. You see them where people are at their most vulnerable. I wish I could say that I was better than the idea of not doing this, but I have to say that if you've ever been to a bathroom, a stall, you might have sometimes seen like a toilet seat cover dispenser, right, to make you feel a little bit better about using a public restroom. So you can actually buy those toilet seat cover dispensers and you can put RFID reading electronics behind them, and then you go into the bathroom stall and you just kind of stick it with double stick tape. As a convenience, right, you're offering a hygiene-like product to everyone, and in exchange for this toilet seat cover all you ask is for a copy of their credential. And it works out well; people seem to be really happy with that exchange.

So what about high frequency, right? What about these smart cards,
these high-end secure credentials, right? Well, again I'm going to insult your intelligence a little bit, because I think it's helpful to understand the main difference between low and high frequency. So if you pretend our low frequency credential is a piece of paper with a number written on it, right, we understand that we don't care if that number is in English or if it's obfuscated in some sort of weird Wingdings type language. We can just take that piece of paper and stick it in a copy machine; as long as we produce another piece of paper with the same markings, that's going to work, right? So that's basically what low frequency is in a nutshell. As long as we're able to reproduce that signal, which is relatively easy to do, the reader's going to be able to talk to it, because that credential information itself isn't protected, really. It's just using a different communication medium; it's basically just a very fancy barcode.

Now what we do when we talk about high frequency credentials, I'm going to shut this off for the moment, when we talk about high frequency credentials is we're going to take that piece of paper that has our very sensitive, secure credentialing information, we're going to fold it up, we're going to put it in an envelope, we're going to put that envelope in a safe. All right, and that's basically what a high frequency smart card is. It's a digital lock box, it's a digital safe for sensitive information, and in this case it happens to be RFID. So this is actually a really cool example, or analogy, in my opinion, because this particular safe has a serial number plate on the side and has a combination to open it. So similarly, if you imagine that you could use a special algorithm and pre-shared secret key to, based off of the serial number which is on the outside of the safe, calculate what the combination is going to be, you can unlock the safe and get to the credentialing information, right? So if you're designing an access control system, you wouldn't use the serial
numbers of the safe as the credential data, right, because anyone can read that. You would try to protect it in some way, and when we talk about high frequency credentials, whether it's iCLASS or MIFARE or DESFire, that's what we're talking about. We're talking about taking credential information, putting it into a block of data, and that block is read-protected by a key, by a password, by some authentication mechanism of some kind.

So by way of example, let's talk about MIFARE Classic, a very, very popular credentialing format used by a lot of transit systems, by a lot of events, and by a lot of access control systems in Europe and abroad. So again, we're not going to get too technical into it, because I don't think it's actually necessary to understand how the technology works as a whole. Here you have a MIFARE credential memory map, right? So you have your credential, and then the memory is broken up into different sectors and blocks, and in order to read those different sectors you have to have the right key. So when you do cracking of MIFARE, when you run the MIFARE darkside attack or the nested attack or this or that, these are all just different methods of recovering these keys that are on the card that protect the information encoded onto the blocks, right? So you would not use the serial number, which happens to be encoded in block zero, you would not use the serial number to run your access control system. Instead you would store your credential in one of these other blocks and you would protect it with a key. And again, this is how all these different credentialing formats work. There is some method of authentication that is used that unlocks the card, and that's what the reader is doing that moment when you present your card to the reader. It's doing a little handshake, right? There's some mutual authentication that's taking place, and it's unlocking the card and it's reading protected memory inside the card. So in order to clone that particular card, you actually have to
figure out how to unlock it first, and so you have to either find the key, whether it's leaked or cracked or otherwise, or find a way to brute force the key in order to clone it. We're not going to go in depth into how to do those things, because again this talk is talking about, at a high level, how a modern access control system works.

So let's talk about another way that these things can be abused, right? So we've talked about how we have low frequency and high frequency credentials, but how does one switch from low frequency to high frequency? It's easy when you only have one door, because you go up to it on a weekend, you rip out all the stuff and you replace it and you're done, right? But imagine your company, imagine you have hundreds or thousands of doors and hundreds or thousands of users. Is it reasonable to expect that in one weekend, during non-business hours, you could go in and rip and replace everything? No, absolutely not. That sounds incredibly infeasible and impractical. So they make these things called migration, and I wish I had jammed a photo of a migration reader in here. I apologize that I don't have one at the moment, but imagine you have... actually, this is a migration reader. This is an example of a migration reader. It reads both high and low frequency credentials. So again, by way of example, I'm going to go ahead and power this system on. I will grab the credential for it, and to show you that these are two different credentials: that was a low-frequency Prox card. What I'm going to do is we're going to pop back over to our Proxmark, and here we are, here's our research assistant's credential, Louise McDougal, and her credential, if I run my hf search command, you will find, once it switches all the FPGA code, let's see if we can get that into the right spot, there we go, so this is an iCLASS credential. These are two different technologies, and yet we have both the old credential and, once that door closes, we'll try our high-frequency iCLASS credential, and we'll see that they both
unlock the door. This reader can talk to two different technologies, both old and new, and the reason that exists is, the idea is, okay, don't worry, you guys want to upgrade to our newest readers? They can read both your old cards and the new cards, and you'll slowly upgrade your readers at your own pace, and once all those readers are upgraded, remember, meanwhile everyone's old credentials, they're still working, right? Once you've upgraded all the readers, then you can take everyone's credentials, again at your own pace, and you can replace them, right? Make sense?

Now here's the thing: after you do that, the new reader can still read old-ass credentials. So what that leaves you open to is what I call a format downgrade attack. This is something where you would take a secure credential, such as a SEOS credential, which is, hi Datagram everyone, oh nothing, just came up, said hi and left, all right. So you can take your secure credential, and maybe you can't clone it, but you can find a reader that reads it, and remember, what does every reader use as a communications protocol to send credential data back to the door controller? Wiegand, right. It still converts it to the same end format. So you can take this high security credential, you can read it with something besides the Proxmark, you can read it with a regular reader made by that particular... that Wiegand data, you can save it onto an older format card, and now you can downgrade the format of the card to something that is more easily cloneable and manipulatable, and the door controller will treat that card the same way, because there's no way for the door controller to know the difference between the different types of credentials that were presented at the reader. The reader doesn't give that information to the door controller; the door controller just sees 26 bits of Wiegand, right? So that's also another important consideration. If you have questions about this, please feel free to ask; I'll do my best to clarify it. I know we're jumping around a lot.
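What the door controller actually receives, as an added example that is not part of the talk: a small Python model of the standard 26-bit Wiegand frame (the HID H10301 layout, with its two parity bits) and of a controller that sees nothing but that frame, which is why a secure credential and a low-frequency card programmed with the same number are indistinguishable to it. The facility code, card number and reader labels are constructed for the example.

```python
"""26-bit Wiegand as seen at the door controller (added example, not from the talk).

Layout of the standard 26-bit format (HID H10301):
  bit 1       even parity over bits 2-13
  bits 2-9    8-bit facility code
  bits 10-25  16-bit card number
  bit 26      odd parity over bits 14-25
The controller receives only these 26 bits; nothing in them says which
credential technology (Prox, iCLASS, SEOS, a T5577 clone...) the reader decoded.
"""
from dataclasses import dataclass

FRAME_BITS = 26


@dataclass(frozen=True)
class Card:
    facility_code: int  # 0..255
    card_number: int    # 0..65535


def encode_h10301(card: Card) -> str:
    """Build the 26-bit frame (as a string of '0'/'1') for a facility code / card number."""
    if not 0 <= card.facility_code <= 0xFF or not 0 <= card.card_number <= 0xFFFF:
        raise ValueError("facility code must fit in 8 bits, card number in 16 bits")
    payload = f"{card.facility_code:08b}{card.card_number:016b}"
    even = payload[:12].count("1") % 2          # makes bits 1-13 contain an even number of ones
    odd = (payload[12:].count("1") + 1) % 2     # makes bits 14-26 contain an odd number of ones
    return f"{even}{payload}{odd}"


def decode_h10301(frame: str) -> Card:
    """Parse and parity-check a 26-bit frame; raise ValueError on a damaged frame."""
    if len(frame) != FRAME_BITS or set(frame) - {"0", "1"}:
        raise ValueError(f"expected {FRAME_BITS} bits of 0/1, got {frame!r}")
    payload = frame[1:-1]
    if int(frame[0]) != payload[:12].count("1") % 2:
        raise ValueError("leading even-parity check failed")
    if int(frame[-1]) != (payload[12:].count("1") + 1) % 2:
        raise ValueError("trailing odd-parity check failed")
    return Card(int(payload[:8], 2), int(payload[8:], 2))


def controller_decision(frame: str, enrolled: set[Card]) -> str:
    """All a Wiegand-only controller can do: parity-check, decode, look the number up."""
    try:
        card = decode_h10301(frame)
    except ValueError as exc:
        return f"reject: {exc}"
    return "grant" if card in enrolled else "deny: not enrolled"


if __name__ == "__main__":
    # Constructed sample credential; not a real facility code or card number.
    louise = Card(facility_code=42, card_number=12345)
    enrolled = {louise}
    # The same number as a secure high-frequency reader would emit it, as a
    # legacy Prox reader would emit it, and as a T5577 written with that number
    # would produce it (the format downgrade case): three identical frames.
    for reader in ("SEOS reader", "Prox reader", "T5577 clone"):
        frame = encode_h10301(louise)
        print(f"{reader:12} -> {frame} -> {controller_decision(frame, enrolled)}")
    # A flipped bit on the wire is caught by parity; parity is integrity, not authentication.
    frame = encode_h10301(louise)
    damaged = frame[:5] + ("0" if frame[5] == "1" else "1") + frame[6:]
    print("damaged frame ->", controller_decision(damaged, enrolled))
```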
So let's talk about door contacts and sensors. We were talking about different types of inputs into physical access control systems. Whoops, there we go. So what we're seeing here is a door, and we're going to use our mirror, and it's really hard to see in this particular photo, but as we slide our mirror over, what we see here, let's see if it works, is the very edge of a little door contact. And what that is, that's a little magnetic reed sensor that tells the door controller the state of the door. How is that used? Well, that's often used as a way of detecting forced entry. Remember, that door controller is always monitoring a bunch of different types of inputs. So for example, let's say you have a door that you're monitoring, and you have a card reader on the secured side, and you have a motion sensor like this on the other side, right? So what the door controller does, it says, okay, if I detect that the door is opened and there is no valid card read and there is no motion detected before the door was opened, what do I assume happened? What's that? I heard it: forced entry, right. So logically, again, the access control system says, hey, this door has been opened, the door contact sensor is no longer in contact, I'm assuming the door is open, no one presented a card first and no one exited, so then it triggers an alarm condition.

So again, by knowing that that's how the system is designed, we can take advantage of that. So what we're going to see here, here's a REX sensor. It is not used to automatically unlock the door; it is instead used to decide if there's a forced entry alarm or not. So what you're going to see is I'm going to use canned air, and you can tell from the noise where we are; we're in a server room, right? So we use the canned air to trigger the motion sensor and then we just slip the latch with some plastic, and because of this process, that video you just saw was an entry, but what did the door controller think took place? An exit, that's right. By simulating motion first before bypassing the door, we told
the door controller that we're actually leaving instead of entering, and so no alarm was triggered.

How do you find door contacts? One of the easiest ways is to use a tool like this. This is really cool. This is a door contact sensor, that's what I call it. It's actually just a little magnet on a swivel. I'll show you what it looks like. Here it is, and basically any time it comes near a magnet, this little guy here points in the direction of the magnet, and you can just kind of wave this around the edge of the door, and anywhere where there's a magnet in the door it'll tell you that's where the door contact is. So if you're not as fortunate as being able to, say, just use a mirror to look into the side of the door and see that that door contact is there, like this. And again, what we're looking at is right here, there's our door contact. By the way, in this example we're about to try to break into this data hall. We see the door contact. What's the easiest, dumbest way to bypass this door contact? Magnet, yeah. I didn't have a lot of fancy tools with me, we were overseas, so what I did is I just took out my hotel key card and I bent it at 90 degrees just to create a little shelf, and I taped a magnet to it, and I shoved that in the door, and that was enough to bypass that sensor. So here our door into the data hall has opened, but according to the door controller, according to the access control system, what is the current state of this door? It's closed, that's right. So these are all over the place. You'll see them on the top of frames, you'll see them on the sides of frames. Here's a really close-up photo of a door contact. What have we done to this door contact? Yeah, we stuck a magnet on there, but what did we do to make it extra clever? Our tape is in the shape of a circle, so unless I would have told you that, hey, this is a door contact that we've bypassed, your average user is not going to notice that. And these are the small things about modern access control systems besides RFID that
you want to be aware of in order to know, okay, what is the lowest, easiest path of entry. Often times it's not the RFID card; it's finding a combination of bypasses to make the system behave or think differently.

So we've talked about RFID, and we talked about how all these different credentials, whether they're mag stripe or smart card or high freq or low freq, these are all just different ways of encoding the same data that is stored on the card, right? And that's still sent over Wiegand, right? So we talked about this, we talked about how this is all just different ways of doing the same function, but once that data leaves the reader it's still usually Wiegand. Now there are other communication protocols that technically exist. They are not very popular, and even the other ones that do exist, with the exception of one protocol which we will talk about, everything in red here, these are protocols that transport that credential information without encryption, without any protection. You can just connect to the wires and read that information, and this has been done for years. Like, over ten years ago Adam Laurie and Zac Franken came up with something called the Gecko reader, and it was a literal man in the middle. You would connect it to the Wiegand data wires and you would try to read that information as it goes across the wires and then replay that information, and that's a very, very old technique. You don't even need a special tool to do it; you can use an Arduino or anything you want that can record and replay.

Two minutes? Holy crap. They said eighty minutes. Someone said it was an eighty minute talk, is that not correct? Oh well, that's unfortunate. Okay, someone in the audience said it was on the schedule for eighty minutes, so that's why I had adjusted my talk. Okay, that's what the schedule says, that's what people are saying. Alright, alright, well I will show you this last thing, and then I guess if you have more questions, unfortunately we'll just have to... okay, so everyone is looking at their
phones and they're saying yes. So I'm going to... who's the next talk? Are they here? Okay, alright, so we're going to finish up this one section with apologies, and then if you have more questions please find me afterwards.

So we can intercept the data. It's really, really easy. There's a couple different tools to do it. There was the Gecko, there was the BLEKey. A few years ago one of our friends made an even better tool: Kenny McElroy, @octosavvi on Twitter. He created this tool called the ESPKey, and the ESPKey is the interception tool that you install behind the reader, and it's a literal man in the middle, right? Look at that cool hacker looking guy, right? So that man in the middle is going to monitor those communications, and as that credential information goes across the wire, we can replay that information. So what I'm going to do is we're going to skip through a couple slides, and as the very last thing, and this is brave, I'm going to try to show you a demo of how this all works. You're going to watch, we install one of these keys in the video, and while that's happening I'm going to try to set up my demo here and we're going to see if it works. Video paused, so I can't do that, so I'm going to fast forward through it. So we have our ESPKey. I'm going to pop that out. I'm outside of a server room door. I have not disconnected the reader from the door controller; I'm just getting those data control wires out of there. I've got my power, I've got my ground. I'm just going to use a punch down tool to punch those wires down onto the wall there, and once it's all said and done, we're going to fast forward just a few seconds. Here we go, you can see our ESPKey is turned on, and we're going to feed that back into the wall, and we're done. So this is a bold demo attempt in the Wireless Village. I'm going to see if this is even a possibility, if I'm able to connect to my ESPKey or not, or if someone's going to screw with it instead. Fingers crossed. Yep, demo gods are not smiling upon us today. We'll try two
more times. Nope. Of course, Wi-Fi Village, can't connect any Wi-Fi, such is life, right? All right, and last time. Nope. So in any other space but this one, we would be able to connect to our ESPKey and be able to intercept and replay that credential information without interacting with the card reader at all. Later on I will try to have this thing... I don't know how possible that's going to be with all of this stuff going on in the airwaves right now, but you get the idea: we can replay the information, and that works.

So let's see, I think that's going to have to be it. I can't think of... we're going to shut this off. Let's see if there's any last minute great things that we can talk about in 30 seconds. Oh yeah, I'll share one thing. There's an easy fix for interception. It's a new standard, it's called OSDP. If you install a new system you absolutely, 100% should be using OSDP. It protects the panel to server communication, it allows you to encrypt and secure that communication between the reader and the door controller. It's bi-directional, so you can do cool things like preventing eavesdropping. It can do... if you want to learn more about it, go to securityindustry.org or ask me more questions about it later.

And then, with sincere apologies, we're going to call that done, and I'm going to go ahead and put my contact information up on the slides here. If you have any questions, we'll do this, we'll scroll all the way down, and there you go. Thank you. I'm really sorry that was so much information that we couldn't get through. As I said, this is normally two days' worth of material that we tried to cram into just a few minutes, so if you have any questions please come find me over there while Woody sets up his next awesome talk. Thank you again.
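Returning to the door contact and REX logic described earlier in the talk, as an added example that is not part of it: a Python model of the controller's forced-entry decision, run over a constructed event log for one monitored door, including the sequence from the server-room video (motion sensor tripped first, then the latch slipped). The event names, the time windows and the door name are assumptions for this example; real panels use their own configurable timers.

```python
"""Forced-entry decision for a monitored door (added example, not from the talk).

Rule as described in the talk: a door contact opening with no valid card read
and no request-to-exit (REX) shortly beforehand is a forced entry.  A REX trip
before the opening is treated as someone leaving, so no alarm is raised; that is
why tripping the REX from outside and then slipping the latch looks like an
exit to the controller.  A door contact held closed by a magnet never produces
a contact_open event at all, so this logic never runs for it.
"""
from dataclasses import dataclass
from math import inf

# Assumed timers; on a real panel these are configuration values.
GRANT_WINDOW_S = 10.0   # a valid read explains an opening this soon after it
REX_WINDOW_S = 10.0     # a REX trip explains an opening this soon after it


@dataclass(frozen=True)
class Event:
    t: float    # seconds since log start
    door: str
    kind: str   # card_valid | card_invalid | rex | contact_open | contact_closed


def parse_log(text: str) -> list[Event]:
    """Parse 'time door kind' lines (constructed format) into Event objects."""
    events = []
    for line in text.strip().splitlines():
        t, door, kind = line.split()
        events.append(Event(float(t), door, kind))
    return events


def classify_openings(events: list[Event]) -> list[tuple[float, str, str]]:
    """Return (time, door, verdict) for every contact_open, in time order."""
    last_grant: dict[str, float] = {}
    last_rex: dict[str, float] = {}
    verdicts = []
    for ev in sorted(events, key=lambda e: e.t):
        if ev.kind == "card_valid":
            last_grant[ev.door] = ev.t
        elif ev.kind == "rex":
            last_rex[ev.door] = ev.t
        elif ev.kind == "contact_open":
            if ev.t - last_grant.get(ev.door, -inf) <= GRANT_WINDOW_S:
                verdict = "entry (valid read)"
            elif ev.t - last_rex.get(ev.door, -inf) <= REX_WINDOW_S:
                verdict = "exit (REX)"
            else:
                verdict = "FORCED ENTRY ALARM"
            verdicts.append((ev.t, ev.door, verdict))
    return verdicts


# Constructed event log for one door.  Scenarios, in order: a normal badge-in,
# a normal exit, a latch slipped with no REX, and the canned-air sequence from
# the talk (REX tripped from the outside, then the latch slipped).
SAMPLE_LOG = """
0.0    server-room card_valid
2.0    server-room contact_open
5.0    server-room contact_closed
60.0   server-room rex
62.0   server-room contact_open
65.0   server-room contact_closed
120.0  server-room contact_open
123.0  server-room contact_closed
200.0  server-room rex
203.0  server-room contact_open
206.0  server-room contact_closed
"""


def sample_verdicts() -> list[str]:
    """Verdicts for SAMPLE_LOG, one per contact_open, in order."""
    return [verdict for _, _, verdict in classify_openings(parse_log(SAMPLE_LOG))]


if __name__ == "__main__":
    for t, door, verdict in classify_openings(parse_log(SAMPLE_LOG)):
        print(f"t={t:6.1f}s {door}: {verdict}")
```

The third opening is the only one that alarms; the fourth, the talk's canned-air entry, is recorded as an exit because REX-then-open is all the controller ever sees for a real exit too.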