Hello! I hope you're as psyched as I am for me to talk at you for 45 minutes all about wires. The hacker community has picked to bits many other aspects of physical access control, but the communication lines themselves remain largely a black box, and this despite them being manifestly exploitable, which we'll look at today. So I'm sure you've seen this particular trope, the laser hallway where the protagonist does all sorts of incredible gymnastics to get by these lasers without tripping them and get to whatever goal exists. One defeat mechanism is avoiding the sensors entirely, but if we can access any part of the wire that connects the actual light detector to the upstream controller, we can then walk through all these lasers without a care in the world, knowing that our activity will not be reported on. In a more real-life example, you'll see these all over, and if you haven't yet, you will now that you know what to look for: magnetic door contact sensors. They might look like this, or they might be mounted inside the frame, and they will detect when this door gets opened. The hackers among us will likely look at this wire here and say, there's gotta be something we can do with that to avoid this device actually reporting when the door gets opened, and of course, there is. So this is a talk about the sensor communication wires. We'll give a brief high-level overview of alarm systems and access control first, and then we'll talk about two ways to defeat those and to defeat end-of-line resistors, which is the most common defense and anti-tamper mechanism applied, and then we'll talk about some defenses that work against these attacks. I encourage you to go try it yourself in the Lock Bypass Village. Everything that I'm talking about today and everything that I'm showing is available as hands-on demonstrations for you to go try. So let's look at a couple of the sensors that are available.
There are a lot of magnetic contact-based sensors that detect door and window opening. You might also have an area sensor, such as passive infrared, or one that seismically detects someone walking on ground, or that uses vibration to detect fence climbing. In this example, we have the floor plan schematics for a number of different ways to protect windows. So there is a contact sensor to detect the window being opened, and two different types of glass break detectors to detect someone breaking the glass through. If the window can be opened or broken, we might want to have both. Now in days gone by, electronics were expensive and difficult to build, and so we wouldn't want to have an input to the controller for each of these individual sensors when they're all on the same window. The way that was handled was with alarm zones. So a zone is multiple sensors wired together. If any of them get tripped, the alarm gets tripped for that zone. So a normally closed zone will have switches that are normally connected, but they'll disconnect in the event that the sensor gets tripped, and then they're wired in series. So either disconnecting creates the alarm. And normally open zones are wired in parallel. So if either of them connect, then the alarm will go off. Those are also often applied to rooms, and that's why they're called zones. So any sensor in a particular room will trigger a single zone in the controller, and they'll all be wired together in that way. So we might have all of these sensors for the door being opened into the vestibule being wired into a single zone, or all the various window glass break type detectors on this room being wired into another zone. You can see an example of alarm zones with fire control systems. They are a lot more publicly viewable than security systems, and in the foyer of many large buildings, particularly with Western Hemisphere fire codes, you can look at what the zones specifically are.
So it's stairwell number three having a fire alarm in it. Are various other aspects that this system needs to monitor behaving correctly, and are the wires intact, and that is all going to be displayable there. The second aspect where these technologies get used is with access control systems. Alarms that we've just talked about so far, at least, are relatively binary. They're trying to look for any person entering the perimeter without discriminating who it might be. Access control systems will make that determination of is it an authorized user, and it should only alarm when it's not. So the most basic access control system has an authentication device such as a card reader, and it has some means of physically allowing or denying the door to open. We might want to add a contact sensor to the door, so if the door gets opened, and there was not a card swiped, it can then trigger an alarm and indicate an unauthorized entry. If someone's leaving, that creates a problem, so we also want to have what's called a request to exit sensor, and this particular type uses passive infrared to detect a person on the secure side of the door waiting to leave. If it detects that, and the door is subsequently opened, there's no alarm. We'll look at some of the technologies available for these different systems. So the authentication can be done with various different technologies of card readers, and there's lots of great talks so far about how to defeat those, which I won't go into anymore. It could also involve biometric, or a code, or even a video doorbell, where a human remotely makes the go or no go decision of whether this person should be admitted. In terms of allowing the door to open or keeping it locked, we can use magnetic strikes, or a magnetic lock that magnetically holds the door shut. We can also use hardware that can be remotely controlled to lock or unlock, turnstile-based systems, or even a vehicle entry door.
Detecting that the door is open is usually done with a magnetic switch, almost always like these three here. It might be an optical-based switch, though, or even a mechanical switch that is pushed in when the door is closed, and some hinges can detect their position as well. And finally, the request to exit is usually done with passive infrared. It might be a button that you press, or pressing on the egress hardware itself will trigger the request to exit, saying that there is someone on the far side, and in secure installations it might be another card reader, so you have to badge in and out. Here's an example of one of those in the wild, so it's a passive infrared detector mounted over the door, and we also see an in-frame door contact sensor over here that will pair up with this magnet in the top of the door, and when the door is closed, those are going to be together, and it will detect that the door is closed. Here's a couple other pieces of hardware we can potentially exploit. One is if there's a key switch that tells the controller when it's supposed to be building open and closed hours. Another is accessibility buttons, particularly the one on the secure side of the door. If it gets pressed, that will usually also trigger an unlocking sequence, and disable the alarm from the door being detected to be open, and the fire system. So when a mag lock is installed, if there is a fire situation, it has to unlock by code, otherwise people will be stuck inside, because otherwise the security system would be keeping it locked, and so if we trick it into thinking that there's a fire going on, that will also unlock the door for us. We won't look at these communication lines to the mag strike and the reader. That's a bit outside the scope of this talk, but everything else that's remaining on this screen is a binary communication line. It carries a yes or a no, and we can attack that to disable the alarm and cause the door to open, and in other ways, defeat these systems.
So we can attack the contact sensor itself to make it think the door remains closed when we've actually opened it and gone inside. We can attack the request to exit sensor to make it think someone is exiting, and then we can safely enter without triggering an alarm. We can attack the accessibility button to make it unlock, open the door, and disable the alarm. We can attack the key switch to make it think the building is open, and the fire alarm or the communication from the fire alarm to make the security controller think that we're in a fire alarm situation, and then it will open things up accordingly. So here's one relatively straightforward example of where those wires can be accessed. So this key switch here, you can see that this can just be unscrewed, but also anywhere up this conduit will also have access to disable that alarm at the wire. The wire is often running conduits like this, and so we need to find those and then determine which ones contain the wires we're interested in. Well, how is that done? Sometimes it's labeled for us. This one says FA means fire alarm, so that is generally not one that we'd want to be looking at for this purpose. One that says door contacts is much more interesting. This one also does contain fire alarm wires, but also the door contacts. And this one's security junction box is also likely one we'd want to look into. In this case, we can tell contextually, well, this conduit is going to about the right position for a contact sensor to be mounted on the door. But we can tell from this bolt pattern that likely that's not what it's for. It's likely to a mag lock, and they generally get mounted with this type of bolt pattern. It might also have a contact sensor here as well. And that can be defeated as well, but it's beyond the scope of this talk. Of course, sometimes it just tells us, do not unplug. Well, the wire has been cut. I guess that's technically not unplugging. 
And sometimes there's very subtle contextual clues to tell us what general area of the building contains the wires we're interested in. Sometimes we can find the sensor itself and just follow the conduits back from it to figure out which wires we need to attack. And if we see a card reader or other access control type hardware, that does tell us that there will likely be intrusion detection sensors that we need to find and defeat. And then the last thing that sometimes gives us access is when conduits run outside. It's a very bad idea to run your security wiring outside. But it is seen particularly in historical buildings where there's not adequate duct space inside. And that's something that we can open this right up and defeat the security system from the outside. Here's a particularly egregious example where we have the contact sensor. And this is actually all mounted on the unsecure side of the door. Definitely something to avoid. If we wanted to apply our attack, it might not make sense to do it right here because it's extremely obvious to anyone passing through this area. So how would we find way back on the line which one is the right one? If we follow it to a conduit, and that conduit might have a rat's nest of cables in it, we need to determine which one is correct. Let's take a look at how to do that. Now if we have access to the wire at one point, we want to know where it goes, possibly to place our attack payload at a more desirable location. There is a tool we can use called a toner and probe. So we'll take our toner and clip it on to the line we want to follow. And it will put a tone down that line, which we can then listen to with our probe device. And so anywhere down the line, we can then tell that of these two, this is the one connected to what we're toning and not the other one. So once we've found the correct wire to attack in a good place to apply the attack, how do we actually do it? 
So in the situation of a normally closed sensor, so it's connected in the normal situation and it disconnects when there's an alarm condition. In that case, all we need to do is jump over the line and that will then simulate the switch being connected and no alarm will be raised. So in this case here, it's a normally closed system. And we see that there is zero equivalent resistance seen normally. When I open the door, it becomes an open circuit, so it's disconnected. To defeat that, all we have to do is cut the line and that briefly causes an alarm, but we'll fix that momentarily. And then we'll strip the outer sheath and then the inner sheaths. And we just need to jumper from one to the other. And now the controller continues to see an equivalent resistance of zero and the door can be opened with abandon. Of course, that does trigger the alarm initially, so a better way to do it is to strip just the outer sheath. And then tap into the inner wires, but leaving them intact. And once that's done, we can now apply a jumper wire between these two taps. And it has the same effect. When we open the door, it continues to see no equivalent resistance and no alarm is triggered. The second case is a normally open switch. So in the normal situation, it is disconnected and the switch will connect when the door gets opened. To defeat that, all we have to do is cut the line and then it always sees an open circuit. So in this case, when we open the door, it goes from open circuit to a short circuit. If I cut this line, it now always sees an open circuit. The defenses against this. So it's vulnerable to have just a simple high or low resistance listening for. Instead, we're going to switch between two different resistance values. So this is what's called an end of line resistor. And it's less vulnerable. It listens to see is it the resistance one for a normal situation or two for an alarm condition.
If we detect an open circuit, so a cut line or a short circuit, it will then trigger a different alarm indicating a tamper situation. And of course, the best defense would be a well designed encrypted digital communication line. Those are much more expensive and have limitations for the maximum wire run. So they're much less common to see. These end of line resistors though are ubiquitous. So how do we defeat those? Well, before we get into that, we'll do some very brief review of resistors in general. So, there's only three slides, I promise. The first concept to remember is that resistance measured in ohms is how hard it is to put power through it. And by Ohm's law, it is the voltage applied across the resistor divided by the current that then gets flowing through. The second aspect to keep in mind is two resistors wired in series will have an equivalent resistance that's the sum of them, and when they're wired in parallel, it's going to be this harmonic sum, which makes some sense when you think about it. One over resistance is how easy it is for power to pass through, just like resistance is how hard it is. And in fact, there's a name for it, conductance. And so with resistors wired in parallel, the conductances add up. There's sort of a fun graphical computation available to us here. By taking three equal scales at 60 degree angles, we can apply a line from our two resistances. So if our one and our two are both 1000 ohms, the equivalent for them in parallel will be 500 here. 800 and 400 will then give us about 267 ohms equivalent in parallel. So that's kind of a cool tangent there. Keeping that in mind, we usually don't have switches that flip between two separate resistors. Instead, we have a simple normally closed or open switch that will engage one resistor while the other is always connected. So in this case, when the switch gets closed, we now have the equivalent resistance of these two seen in parallel.
But I'll continue to use this style of diagram for clarity in the rest of these demonstrations. The last part that we'll have to consider is how does the controller measure resistance? So it can put a voltage across the line and measure the current through based on Ohm's law. What's more common is to have it put a voltage across the line and have some sort of internal resistance. And then it measures the voltage between that internal resistance and the end of line resistor. This is what's called a voltage divider. So there's going to be a certain voltage applied by our power source. There's going to be a voltage drop across the internal resistor and a voltage drop across the end of line resistors. The sum of those two resistor voltage drops is going to equal the applied voltage. And how much of a voltage drop applies on each is going to be dependent on the relative resistance values of those two, which we can then measure by this voltage in the middle. So two special cases that are relevant here. When we have an open circuit situation, no current flows, the ammeter will measure zero. And because no current is flowing through this internal resistor, it has no voltage drop across it by Ohm's law. And therefore the voltage measured is equal to the source voltage. In the case of a short circuit, a lot of current will flow. If there's no internal resistor, it's going to do some damage. And we're wiring now the top and the bottom of our voltmeter together. And so the voltmeter was going to measure zero volts. For instance, one commonly seen system is Honeywell Design Systems, where there's a 2.8 kilo ohm internal resistor and two kilo ohm end of line resistors. When this circuit gets closed or completed, we then have a voltage divider that creates five volts measured by the controller. And when it gets opened, we have the full 12 volt source that is measured by the controller. What do these end of line resistors look like? 
Well, they're a lot easier to spot with fire systems where they tend to be in large well-labeled boxes. Such as these supervising the alarm bell, these end of line labeled devices here, or this supervising the firefighter's telephone. This is called line supervision in fire alarm systems. And it's done because if the line gets accidentally or environmentally damaged, people could die. And they tend to be in large well-labeled boxes because for fire alarms, it's important that they be easily accessible and inspectable. With security, the opposite is true. So security end of line resistors tend to be installed directly inside the sensors that they're supervising. In this case, we have one installed between these two leads here, which ends up being in series with the tamper and the regular infrared detector relays. And that will then detect whether either of those gets tripped. And if they're both in the normal state, we will see this resistance at the controller. And so we can see that a little bit zoomed in here. So attacking these end of line resistors is a somewhat involved process because we don't know from the outset what the end of line resistance value is, what the polarity is, etc. So let's take a look at how that might get accomplished. So first, we'll strip the line and we'll tap it in two places. And this is going to enable us to measure the voltage on this line. We'll install a voltmeter and wire it up. And it now measures five volts across this line. If we would open the door, we would now see 12 volts across. The second thing we need to measure is the current. Once we have voltage and current, we can divide the two and get the equivalent end of line resistance. And to measure current, it has to pass through our ammeter. So we'll tap this line in a second place and install an ammeter here. And then we'll have the current run into our ammeter. And we'll have it run through a switch. 
You'll see why in just a second. This is so that we'll be able to engage our attack when we're ready to do that. And so I'll run the wire to the switch. And then from the switch to our tap device. And now we're seeing zero current. This makes sense because it's still passing through the line right here. So I'm going to need to cut this line and then we'll actually measure the current passing through. And we now see that this is 2.5 milliamps approximately. So what can we do here? Well, we have the voltage, it's about five volts. And the current about 2.5 milliamps. And if we divide those two, we get 2000 ohms or two kilo ohms because this is milliamps. So we'll now find an appropriate resistor that's as close to two kilo ohms as we can. And the one we have that's closest is 1.96 kilo ohms which we'll install right here. And now what we need to do is on the other side of the switch, when we flip it, we'll instead route current through this resistor and then over to the negative line. So let's install that now. So wire the switch to the resistor and then the resistor to the negative line. And so now when we flip this switch, current is now getting routed through the resistor. So from this positive line, over through the switch, through the resistor, up to the negative line. And so now the controller sees the same equivalent end of line resistance as it saw when the door was in the normal situation. When we open the door, the controller still sees our attack resistance and no alarm is raised. Of course, if we flip the switch back and when we open the door now, it's all systems as normal. So that's how that attack gets implemented. To make this easier in the physical world, I've designed a couple of modifications to be made to a standard multimeter to allow you to clip onto the positive and negative leads of the alarm wire. And then somewhere downstream on the positive leads so we can cut the line and measure current in between.
We can flip a switch to measure the voltage. And we can measure then the resistance value between the green and white switches. And then when that's all set up and ready to go, we can flip this star switch here and that will engage the attack and re-route power so that the black is connected to the yellow through the resistor and then green gets connected to red and back to the controller. The schematic for this looks like this. I won't go into it in detail, but this should be enough for you to design and build your own. And the wiring is this rat's nest here and we can see how it's wired directly into the measurement ports of the multimeter so that it can measure our voltage, current and resistance as we perform the attack. So let's look at what this looks like physically. So I have here a system simulating an alarm system. We have our controller, which measures the current and voltage being provided, the transmission line, and then our door at the end. So here's our door contact sensor, the end of line resistor. When I open the door, it open circuits it so disconnects and we then get no current and the full supply voltage of 10 being read at the controller. When the door closes again, we get a one to one voltage divider. So the end of line resistor being the same as the internal controller resistance and we get half or five volts and 50 milliamps flowing through. Let's see how we'll attack this. So this is a standard twisted pair wire. So we'll open it up and give ourselves some room to work. And then I'm going to use these devices here. They're made by Scotchlok by 3M. They're called the Scotchlok tap devices. And I put one wire into here and get that fully in past the little plastic clips. I then take the other wire that I want to connect to the line that I'm tapping into and insert it into the other port of our tap device, insert it all the way. And once I'm satisfied that those are fully in, I'll clamp it down. So we've now tapped into this wire.
We'll do the same on the other side and clamp it down firmly. And we now have access to the positive and ground lines. We can now use our homemade alarm wire defeat device. And I'm going to clamp onto each of these and I can measure the voltage across now. So I'll put it in voltage mode and then flip this switch to send the red and the black to the leads of our multimeter and we get about five volts. To measure the current, we need to tap it a second time. So I will on the hot wire. I know that this is the hot wire because the voltage measured was positive. We'll take another tap and we'll tap it a second time on this line. This will then force all of the current to flow through our multimeter and we can measure the current when we cut the line in between. So make sure those are firmly on. Then we can clamp this down and then I'll take this yellow lead. It's for measuring current. Make sure it's good and securely on there. I'll flip this into current measuring mode and flip the switch to send the multimeter leads to red and yellow. We get zero, which makes sense. All the current is still flowing through this line. So we now have to cut that line at which point we'll be able to measure the current. So we've done that and we now measure 50 milliamps. With those two measurements, we can now calculate what resistance we need to attack this line. In this case, 5 volts divided by 50 milliamps is 100 ohms. And that's ohms because it's milliamps. So we get our measure in kilovolts and have to convert. So here's a 100 ohm resistor and I'm going to use this as my attack resistor. I'll clip it on to our green and white leads. These are our attack leads. Again, making sure that it is fully securely connected. Actually, I'll clip on right at the base and you'll see why in a moment. And just to double check, flip it back out of current measuring mode, turn it into resistance mode and flip this switch to send the green and the white to the leads. 
And we can measure that this is indeed 100 ohms. With all that done, we're now ready. When I flip this switch to actuate the attack, it's going to reroute power instead of going from red through to yellow through the door back to black and back to the controller. It's going to cut the line between red and yellow and send red to green through the resistor and white to black and back to the controller. So I'll flip that switch now. We've now engaged the attack. At this point, the door is no longer connected. All of the power is going through our attack resistor and I can safely open the door and the controller is none the wiser. The last thing that we can do is to make this a permanent setup. We can wire these in directly using these 3M Scotchlok joins. So I will insert, we need to match white to black, insert the wire all the way, insert the wire all the way as far as it will go, and then I will clamp that down to connect those two. I can now safely remove the white and the black leads and I'll do the same to connect red to green. Take another join, insert that as far as it will go. So you'll notice that the controller just detected a short circuit and that's because I accidentally let these two wires touch on the wrong side of the resistor so that would have been a fail had this been a real life circumvention of an alarm. Make sure those don't touch again. And then I can safely remove all of the leads and we've now instituted an attack. The ground wire is still connected but it doesn't need to be and just to illustrate the point I will cut that as well. And so now we've successfully measured what the end of line resistance is and installed a new surrogate resistor that power is flowing through and now of course it's disconnected. Opening the door does not set off the alarm. So we can see in our schematic what was happening there. 
When we flip this switch to measure voltage, it sends the red and the black wire to the leads of our multimeter and it can then measure the voltage. Likewise for the current with the red and the yellow wire and for the resistance sending the multimeter ports to green and white which is what contains our attack resistor. So we can ask ourselves, can we do better than that? There were a number of problems with the resistive based approach. One is measuring current is incredibly tedious and requires cutting the line. If we can avoid having to cut the line then we can potentially remove the attack and restore it to its original state if that's necessary. And the second bigger problem is that when we flip the switch to engage the attack, two pole switches, when you flip them, have a brief period of time where neither pole is connected, and at that point the controller would see an open circuit. It's very brief and the vast majority of controllers would not be able to detect that, but some will, and so that's something that we want to avoid. So what would be ideal is if we can tap each line once and have something across it that maintains exactly the voltage that we need and just enforces that, and then we don't need to worry about the current. Well, such a component actually does exist and it's called a Zener diode. So diodes, as you know, allow current to flow one way and block it the other. When it blocks the current it acts as an insulator, and all insulators will break down when exposed to a high enough voltage. Zener diodes are designed to do this at a lower and at a very specific voltage level. So when we reverse bias the Zener diode, i.e. apply a voltage in the reverse direction so it's an insulator, above a certain breakdown voltage it turns into a very good conductor.
So what that then lets us do is, when we open the door and it jumps, say, from 5 to 12 volts, if this is a 5 volt breakdown Zener diode, it's now 12 volts, it becomes a conductor and it pulls that voltage down to 5, at which point it becomes an insulator again and it doesn't pull it down any further. We get a feedback system where this maintains exactly 5 volts. Let's apply this. So we have the same type of system. We can strip the wire, and right now it's 5 volts. We open the door, it open circuits it, and it's all the way up at 12 volts. And so we'll try to find a Zener diode that will adequately maintain that. First we'll tap each line once. Now, we can see the controller in this game, but in real life we would just have access to the line, so we'll have to add a voltmeter so we can actually tell what is the voltage. And so we'll wire that into our tap devices, and that tells us indeed it's 5 volts. So we need a Zener diode with a breakdown as close to 5 volts as possible. Well, 5.1 is pretty close, and that should be within the parameters of what the controller deems acceptable, and we can wire that in as well. I have to wire it somewhat in reverse because we need this to be in reverse bias, so that's why it crisscrosses over itself there. But now that we've done that, when I open the door, it now only increases up to 5.1 volts, which is the breakdown voltage of our Zener diode. Anything above that and the diode begins conducting and pulls the voltage back down to 5.1 volts, and that's well within the acceptable range for our controller, so it does not trigger an alarm. We can make one addition to our multimeter adapter to help ease this process, and that is adding an internal power source that we can flip a switch that will then apply that across the measuring leads of the multimeter and the green and white component leads, so that we can actually test a Zener diode and make sure that it pulls down from the supplied voltage to what the Zener should be pulling it down to. Now let's take a look at
this in real life and applying the Zener diode attack. So let's see how we'd apply the Zener diode based approach. We have the exact same setup here, and we're going to start the exact same way by tapping each wire, but only once this time. We only need to do two taps. Of course, the door opens, we get the same behavior, and so we'll try to avoid that happening this time so we can perform the defeat without setting off the alarm. So get that wire onto our tap device, put in the other wire as far as it will go, then we're ready to clamp this down. That's now good and connected. We'll tap the other wire in much the same way. Make sure that's fully on, insert this as far as it will go, make sure both are in place, and we can then clamp this down as well. Of course, you want to be careful that these two don't touch. If they do, we will short out the system, the current jumps up and the voltage jumps down to zero, and the controller will detect that, as we're seeing it does here. So in a real life scenario we want to make sure we don't do that. But now we can measure what the voltage is as measured by the controller. So we'll take our handy measuring device, clip it on, switch into voltage mode, and flip this switch to send the red and the black to the two ports of the multimeter, and we read 5 volts. So we need a 5 volt breakdown Zener diode, which I've got right here, and we'll clip it onto our component leads. And we could perhaps also test that this is actually 5 volts. So to do that first along clip we'll leave it in voltage measuring mode, flip this switch to send these two leads to the ports of the multimeter. We get zero, which makes sense. I'll flip this last switch to apply an internal 12 volts supply, so we're reading 12 volts when it's open circuited. If I connect it through the Zener diode, it then pulls it down to 5 volts, which is what we want. Turn off that measurement. We're now ready to apply the attack, and all we need to do is flip the switch to engage the attack. It then turns on that Zener diode
and now if I open the door, it will regulate the voltage accordingly. It isn't perfect, it's not a perfect match to 5 volts, but we see that this would be within the acceptable parameters for the controller here. And of course, if I flip the switch back to disconnect it, it now operates as normal. I should note that this fancy setup is not actually required. Because we never cut the line, we do not need to switch quickly from connecting the yellow port, which isn't used, to our attack component. So all I really needed was any old voltmeter that could have measured across here, and at that point I can then connect these up any old way I please, and with those connected, I'm free to open the door as well. And of course, if they disconnect, it behaves as usual. And so in this case, as well as last, I could take some joins and connect this in to leave it as a permanent fixture defeating the alarm. After everything we've talked about, it may be tempting to say, well, wireless must be more secure and we should use that instead. Here's why that's not the case. This particular example we have here communicates on 433 megahertz, so if we open the door, it will send a signal and the alarm is triggered. We can listen to what that signal is with our trusty Baofeng. So we'll listen to 433 megahertz, 3 0 0 0, and when we open the door, we hear that signal. Of course, we can use the transmit feature to jam the signal, and so we've now successfully opened the door and the controller has no idea. Now, any frequency it might use, not just 433 megahertz, is jammable, possibly not so easily. Wi-Fi is another point that has a known vulnerability, and that is deauthers. Here's one that I particularly like, made by Maltronics, but any will do. You can open it up, and it will take advantage of the Wi-Fi protocol to listen for specific devices and kick them off of the network whenever they join. You can use the hardware MAC address to kick off specifically those devices made by alarm manufacturers. So if using wireless is not a great
solution, what can we do to defend against these attacks? So the first thing is, anywhere we run these wires, we might have to use armored conduits, and places where it's easy to unscrew a junction box and access the wires underneath should be placed high or out of reach or under a camera to deter the ability for an attacker to do that. We might also consider placing tamper switches in those junction boxes where that is not possible. We obviously want to avoid doing this: having bare wires out right at hand level, easy for anyone to access. We also want to install optical security hardware and the wires for it on the secure side of the door, so we should never have a contact sensor mounted on the unsecured side of the frame like this, and the wires themselves should be as well. In particular, we want to give some thought to where the wires get routed throughout the building in reference to the security levels at different areas in the building. For instance, rooms 103 to 105 are more secure in this case. The wires for them go to this controller in room 103. We would want to run them in the rooms themselves and not in the hallway that has a lower security level. We also want to give some thought to timing as well as spatial aspects. So if part of the building is open to the public during some hours but not others, it might be possible for an attacker to modify these systems during open hours and then come back afterwards, and that's something that needs to be considered as well. We want to avoid at all costs running security wires outside of the building or outside of all security perimeters, and that's not just if this is in your threat model, and let's be honest, for the vast majority of installations these types of attacks are not in your threat model, but also if the outside of your building is ever exposed to weather. It's a rare phenomenon, I know, but it can wreak absolute havoc on communications lines when it infiltrates into there. And of course, the ultimate of defense here is to use a
well-designed encrypted digital line. So that would be one that uses nonces to prevent replay attacks and has heartbeats to detect denial of service, etc. But that's very expensive and often not justified in terms of that cost. So thank you very much for listening. I hope this has been interesting and a foray into an area of physical security that has not yet been given a huge treatment in this community. I'd like to extend an enormous thank you to Paul, Karen, Jenny and Bobby for their help in preparing this talk, in particular to Paul for his expertise in the telecom industry. I encourage you to go try it yourselves. All of these games that I've shown in this talk are available for you to try in the comfort of your own home. Give that a try in the Bypass Village at DEF CON or at BypassVillage.org, and I'd be happy to take any questions either in person at DEF CON or over email or Twitter. Thank you very much.
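
The nonce and heartbeat idea mentioned for a digital sensor line, as an added example that is not part of the talk. It authenticates each reply with HMAC-SHA256 instead of encrypting it; the key, timeout, frame layout and all names are assumptions.

```python
import hashlib
import hmac
import os

KEY = os.urandom(32)       # constructed shared key, provisioned to both ends
HEARTBEAT_TIMEOUT = 3.0    # seconds without a valid reply before a fault (assumed)
FRAME_LEN = 1 + 32         # 1 state byte + 32-byte HMAC-SHA256 tag (assumed layout)


def sensor_reply(key, nonce, door_open):
    """Sensor side: report state, bound to the controller's fresh nonce."""
    state = b"\x01" if door_open else b"\x00"
    tag = hmac.new(key, nonce + state, hashlib.sha256).digest()
    return state + tag


class Controller:
    def __init__(self, key, now=0.0):
        self.key = key
        self.pending = None    # nonce of the outstanding challenge, if any
        self.last_ok = now     # time of the last authenticated reply

    def challenge(self):
        """Issue a fresh random nonce; a recorded reply cannot answer it."""
        self.pending = os.urandom(16)
        return self.pending

    def receive(self, frame, now):
        """Classify a reply as 'secure', 'alarm' or 'tamper'."""
        if self.pending is None or len(frame) != FRAME_LEN:
            return "tamper"
        state, tag = frame[:1], frame[1:]
        expected = hmac.new(self.key, self.pending + state,
                            hashlib.sha256).digest()
        self.pending = None    # each nonce is accepted at most once
        if not hmac.compare_digest(tag, expected):
            return "tamper"    # replayed, forged or corrupted frame
        self.last_ok = now
        return "alarm" if state == b"\x01" else "secure"

    def line_alive(self, now):
        """Heartbeat check: a cut, jammed or silent line goes stale."""
        return now - self.last_ok <= HEARTBEAT_TIMEOUT
```

Unlike a fixed resistance or a fixed voltage on the pair, a reply recorded while the door was closed fails against the next nonce, and a silent line trips the heartbeat timeout.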