Hello everyone, welcome to Lock Bypass Village, and welcome to my talk all about alarms and access control systems and how to hack them. This talk is going to be fairly high level, so we'll talk about the full range of hardware that is common to experience in the wild, as well as the general attack methodologies that we can use against them. We won't go too much into the weeds about specific makes and manufacturers and specific attacks that can be used, but that is generally quite inferable from what we'll be talking about today.

So let's start by considering a simple door, purely mechanical, and this is what all of the rest of Lock Bypass Village is about: various ways that we can get through this door if it is locked. So you might be able to pick the lock, use an under-the-door tool on the handle, you might be able to remove the hinges, etc. What happens if we want to make this an access control door? At the bare minimum, we'll need to add some sort of credential reader, some sort of electronically controlled actuator that will lock and unlock the door, and some sort of controller that will determine whether the credential is valid and, if so, go ahead and unlock that door. At this point, it's very easy to add a little bit of sensing to detect anomalies, such as brute-force entry or bypassing being done, and that can be done quite cheaply by adding a magnetic reed switch. So this bottom unit here is a simple magnet, and in the top there is a wire that's going to be balanced within a magnetic field, and if the field becomes too strong or too weak, it will break or make an electrical contact, letting the controller know that the magnet has moved. The purpose of this is to detect when the door has opened. So one problem with doing that is if someone's trying to exit the door. If they're trying to enter, they're going to swipe the credential, the controller will unlock the door, it detects an open, and that's okay.
If they're trying to exit, it's now going to trip this type of sensor here, a request-to-exit sensor, which is the general term, and very frequently what we see with these is passive infrared technology being used. So it will detect the black-body emission spectrum of the human body on the secure side of the door, meaning someone's trying to exit. And if that's the case, if it detects that and then it detects the door opens, that is okay. That's a valid exit sequence of events. If, however, it detects that the door has opened, there was no valid credential swiped, and no one was standing on the secure side of the door waiting to exit, that is an alarm condition, and that indicates that the door might have been forced open, might have been bypassed open, et cetera. It will send that alarm to the access controller.

We're missing one more component that we need if that happens, which is that the access controller needs some way to communicate to the outside world that there's an alarm that needs to be investigated. So there's going to be some line out from the access controller to do that. There's usually going to be a line in as well. This way we can, say, set what the public building hours are so that the door will be open; this way we can set who is allowed to access it; we can revoke credentials as necessary, et cetera.

So let's look at some of the technologies that are available for these various parts of the system. For the credential reader itself, we have RFID-based, which is the most modern and generally the most secure. We have mag stripe, so cards that are encoded with a number in magnetic polarities along the card. We can use a biometric reader, such as a fingerprint scanner here. A key code entry system, so instead of being something that the user has or something that the user is, it's something the user knows, so the code.
And we can also have a camera, where some human on the other end of that line is going to look at the camera, see who it is, and make the go or no-go decision of whether this person is authorized to enter this facility.

In terms of technologies available for the actuator, the one that is the most common by far is a mag strike, or magnetic door strike. This plate here is going to be loose and allowed to swing open when the door is supposed to be unlocked, and it will seize up, not move, and prevent the door from opening when the door is supposed to be locked. Over here we have a mag lock, so this larger unit will be mounted to the frame and the smaller one onto the door. These will magnetically couple and hold very, very tightly, with generally 2,000 pounds or more of holding force, when the door is supposed to be locked, and then the system will let them separate when the door is supposed to be unlocked. We might have an electronically controlled set of handle hardware, so just like how the key can be used to lock and unlock the door, we just have an electronic actuator inside that does the same. In higher security applications, we might see a turnstile-based system here, a very good system to prevent piggybacking in after someone. It only lets one person in at a time. And we might also see various vehicle control systems as well.

In terms of the sensor, ultimately the goal of this is to detect whether the door is open or not. Most commonly we see magnetic-based sensors, so these two are mounted on the frame of the door, on the inside or outside of the frame. They should be mounted on the secure side. If they're mounted on the insecure side, that then opens up a whole host of attacks that we can use. We also have magnetic sensors that are mounted within the frame, so drilling a hole in the frame and at the top of the door to mount both the sensor and the magnet that goes with it. We can use optical-based sensors, so detecting light or dark where the door is supposed to be.
Some hinges are capable of sensing what their position is and reporting that back, and as well we have some mechanical-based sensors, so this arm getting tripped when the door is in position.

In terms of the request-to-exit sensor, that is often done with a passive infrared sensor like these two here. Sometimes it's a button that the user pushes to cause that door to unlock and allow egress. It might also be the exit hardware itself, so pushing a push bar there that will mechanically unlatch will also tell the controller that someone is trying to exit and this is not an alarm situation. And finally, in very high-security environments, we might see another credential reader. So you actually have to swipe your credential to say that yes, I am an authorized user and I am exiting this facility normally. In an emergency situation, there of course do need to be overrides, but that could cause an alarm.

So this is what these tend to look like in the field. You'll see your request-to-exit sensor mounted here, and then at the bottom we have our in-frame type magnetic contact sensor. On the door side, here's the magnet that goes along with it. So this is the general setup that we need at a bare minimum for an access control and alarm system. We can add a few peripherals, such as a mechanical key switch that can be used to turn the door on and off, so to lock the door or unlock it, say for public building access hours. This might be used by a security guard. It allows someone with much less training, and much less complexity of integration to the network controller, to actually lock and unlock the system. We might also see accessibility features such as buttons that will trigger an automatic door opener. Generally, the button on the outside, or the unsecured side of the door, will only open this door if a credential has been swiped validly or if the door is supposed to be unlocked, such as during public building hours.
On the inside, that's generally not required, and the mere act of pressing this button will cause the mag strike to unlock and the door to then automatically open. And finally, we also see it tied into the fire system in a lot of cases, because if we're using a mag lock, there is no mechanical override to cause that to unlock. If it's a mag lock, the access controller must unlock it for us. If it doesn't do that, that door will stay locked. That can be a fire hazard if someone needs to exit in an emergency situation. So the way that that is done is, by code, there must be a fire alarm pull near any mag-locked door that is a fire exit, and if the fire alarm is triggered, that mag lock is then going to open and allow egress from the building. Because of that, there needs to be a tie-in from the fire alarm system.

All of these aspects require power. So sometimes there's separate power required for credential readers. There always is for the access controller and the fire controller, and for large power draw components such as a door opener here. We can disable the alarm, or breach the door entirely causing it to open, by attacking any of the hardware, power, or comms lines in this relatively complicated system. So let's talk about how we can do that.

Starting with the power, we can cut power to the access controller, and when that happens, by code, things like mag locks need to fail open. We can likewise cut power to the fire controller. That of course has life safety implications, but it will also cause the mag lock to open, because if the fire controller goes offline then there's no way for it to cause egress when that's necessary in an emergency. Incidentally, it is very, very difficult to kill power for this. It has all sorts of backups available. And then we can also kill power directly to the mag lock and to other peripherals of the system that might be able to cause us entry or disable the alarm. We can attack the door contact sensor.
So if it doesn't sense that the door opens, it will not trigger an alarm, and we'll talk about a number of ways to do that. We can attack the request-to-exit sensor, so if it thinks someone's trying to exit, then even if it does detect the door opens, it will not trigger an alarm. We can attack the mag strike to cause the door to open up. We can attack the credential reader to cause it to think that a valid credential has been swiped, or to clone a credential, etc. We can attack the inside, secure-side accessibility button, so if that gets pressed, or the controller thinks it's been pressed, it's going to unlock the door, open the door, and disable any alarm that might otherwise come along with that. We can attack this key switch and make the controller think that the door is supposed to be open. We can attack the fire system, make it think that we are in an alarm state, and so the mag locks need to open. We can attack the line out, most simply by blocking any attempted communication of an alarm from getting out to an external control center. We can attack the line in, so by telling the controller that my credential is a valid one and you should let it in, or by, say, telling the controller that the building's public hours are nine to five as well as 2:00 to 2:01 a.m. on Friday nights, and then we can come back at that specific time and it will just let us in. We can attack the controller itself, so it is, of course, a fairly complicated piece of ICS equipment and is vulnerable to all sorts of cyber attacks that are the subject of all the other DEF CON villages. We can also attack all of the comms lines everywhere throughout this, and that's something that we'll talk about fairly extensively in the rest of this talk. And there's one more attack vector that we can take in this overall system. Take a stare at it and see if you can figure out what it is. The answer is the door itself.
If we can find some way to mechanically get ourselves through this door without interacting with all of this other equipment, then we've effectively disabled the alarm. So one very brute-force way is to saw a hole in the middle of the door. There are other options as well. Many doors have these vent louvers in them. Frequently we see these with the screws facing the outside, which is a terrible security decision. You can just unscrew that and then slide on through. Doors with windows in them can be attacked as well, so you can go through the window to achieve a similar effect. And this is something that is seen on occasion. So here's an example of a residential burglary. These burglars have seen the contact sensors on the doors. They know that they can't actually cause these doors to open. So what they're going to do instead is break the window, and rather than reaching through and depressing the handle, they're just going to climb through these wide-open windows. And so we see them doing that now. Incidentally, those very wide-open windows make this particular house more vulnerable to burglars, because they can see all of the valuables that are inside, where they are, what the alarm system is like, etc. It's a much less risky endeavor for them. And so the burglars are just reaming that out, and we'll see them crawl through in a minute. And just like that, they are in, bypassing the alarm system.

So let's talk about the communications lines. Every component of this system has communications lines going into it or coming out, saying, should I be enabled or not? And we can attack those. We'll focus on the magnetic contact sensor because it's the one that's most readily attackable, but this applies to all the others as well. So in the case of the contact sensor, we have a normally closed situation. That's normally what we see for security alarms. And that is that in the secure state, the door is closed. That means that the circuit is closed as well.
So it's a short circuit. We have power flowing, and if that gets interrupted, we know it's an alarm state. So if the switch opens up, that becomes an alarm. And what we can do is jumper the line from one conductor to the other, and that way, if that switch opens up, it will not send an alarm. In the normally open state, the line is broken, so the switch is open and there's no power flowing, and that's the normal situation. When we open the door, the switch closes, and then the controller sees low impedance and sends an alarm. We can then just cut that line, and at that point it simulates the switch being open and the door being closed, no matter what we do at the switch end.

What can we do to defend against these? Most commonly, what we see is having end-of-line resistors. So the effect as seen by the controller is that the door switches between two different resistances. The way we accomplish this in practice, rather than having a three-lead switch, is usually having a series resistor that runs on one of the lines in series with it, and a shunt resistor that crosses across those two lines. So we always have some power flowing through the shunt resistor, even when that switch is closed, and when the switch is open it must flow through that series resistor as well. There are ways to defeat that, and we'll talk about those in a minute. But the absolute best that we can do is an encrypted digital line that has denial-of-service detection heartbeats, and we'll talk a little bit more about digital lines shortly.

What we'll look at first is a game that we're actually releasing this year for DEF CON Safe Mode with Lock Bypass Village that will let you practice rewiring alarms to disable the actual alarm on the end of them. So this is mirroring a physical demonstration that we were planning to do at DEF CON in real life, but of course that can't happen. So this is the best that we can do as a surrogate.
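The supervised loop just described, modelled as an added Python example (it is not part of the talk or of the village game). It uses the 45 ohm closed / 500 ohm open readings the game reports and assumes a plus-or-minus 10% classification window at the panel, which the talk does not specify, and it lets you check what the panel sees when the jumper and cut attacks from the unsupervised cases are tried against it. `find_bridge` goes one step further than the talk and shows why the width of that window matters.

```python
import math

# Topology from the talk: a series resistor in one conductor and a shunt
# resistor across the pair, placed at the far end right before the switch,
# so the panel sees one resistance with the door closed and another with it
# open.  The 45 ohm / 500 ohm figures are the ones the village game uses;
# the +/-10 % tolerance window is an assumption (real panels vary).
R_SERIES = 45.0              # ohms, door closed -> R_SERIES
R_SHUNT = 455.0              # ohms, door open   -> R_SERIES + R_SHUNT = 500
TOLERANCE = 0.10


def parallel(a, b):
    """Equivalent resistance of two resistors in parallel (math.inf = absent)."""
    if math.isinf(a):
        return b
    if math.isinf(b):
        return a
    return a * b / (a + b)


def loop_resistance(door_open, bridge=math.inf, cut=False):
    """Resistance the panel measures at the head of the loop.

    bridge: attacker's resistor tapped across the pair upstream of the sensor
            (0 = plain jumper, math.inf = nothing added)
    cut:    line severed between the bridge and the sensor
    """
    sensor = math.inf if cut else (R_SERIES + R_SHUNT if door_open else R_SERIES)
    return parallel(sensor, bridge)


def classify(r_loop, tol=TOLERANCE):
    """Panel logic: OK, ALARM (door open), or a tamper state for anything else."""
    if math.isinf(r_loop):
        return "TAMPER_OPEN"            # cut line
    if r_loop < R_SERIES * (1 - tol):
        return "TAMPER_SHORT"           # jumper across the pair
    if r_loop <= R_SERIES * (1 + tol):
        return "OK"
    lo, hi = (R_SERIES + R_SHUNT) * (1 - tol), (R_SERIES + R_SHUNT) * (1 + tol)
    if lo <= r_loop <= hi:
        return "ALARM"
    return "TAMPER_OUT_OF_RANGE"        # a substitute of the wrong value


def run_steps(steps, tol=TOLERANCE):
    """Evaluate an attacker's sequence of (door_open, bridge, cut) steps and
    return the panel state after each step."""
    return [classify(loop_resistance(*step), tol) for step in steps]


def find_bridge(tol, max_ohms=2000):
    """Smallest fixed resistor that keeps the panel reading OK both while it
    is bridged across the live loop and after the sensor side is cut.
    Returns None when the window is too narrow for any single value."""
    for r in range(1, max_ohms + 1):
        before = classify(loop_resistance(False, bridge=r), tol)
        after = classify(loop_resistance(False, bridge=r, cut=True), tol)
        if before == after == "OK":
            return r
    return None


if __name__ == "__main__":
    naive = [(False, math.inf, False),   # door closed, untouched
             (False, 0.0, False),        # jumper the pair
             (True, 0.0, False),         # open the door behind the jumper
             (False, math.inf, True)]    # or instead: just cut the line
    print(run_steps(naive))
    print("10% window, usable bridge:", find_bridge(0.10))
    print("50% window, usable bridge:", find_bridge(0.50))
```

The jumper and the cut that silently defeated the unsupervised loops now land in the tamper states rather than OK. With a 10% window no single fixed resistor reads as OK both while it is bridged across the live loop and after the sensor side is cut, because a bridge has to sit well above 45 ohms not to pull the reading down, and then it becomes the whole reading once the line is cut; widen the window to 50% and a 45 ohm bridge passes both checks. The practical points are to keep the window tight and to treat every reading that is neither OK nor ALARM as a tamper event.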
What we have here is a simulated door with this contact sensor and an alarm controller here. We'll talk about what a zone is in a minute, but for the sake of this demonstration it means a single door. We have a supply current of 25 milliamps and zero volts coming across that system. That tells us that there is a short circuit here, and an equivalent resistance of zero. So, a short circuit, and that is an alarm status of OK. If we open this door, we now have an open circuit, so the circuit has been broken. The line voltage becomes indeterminate because there's no current going through, and this is an alarm state. So it's simply looking for short circuit or open circuit. In order to defeat this system, what we can do is cut the line and strip it, and then take a jumper cable and hardwire those two wires together. And so now we have an OK state. We see a short circuit on the controller end and the door is totally disconnected, so we can open and close that door all we want and the alarm, or the controller, will have no idea. You'll notice that when I initially cut that line to strip those wires, that did trigger the alarm. We wouldn't generally want to do that in the field. The way to get around that is using this tap piece of hardware. So we would actually strip just the outer sheath and then tap the inner wires and bridge those taps together. So that's something that you can practice for yourselves using this game.

In the next situation, a normally open switch, we have an open circuit when the door is closed. When we open the door, that's then going to complete this circuit, and we now see zero ohms, so a short-circuit situation. The way that we defeat this is very simple: cut the line, and now we have an open circuit no matter what happens, because the line is cut. The most secure situation is where we have these end-of-line resistors. So we have a series resistor here and a shunt resistor connecting these two lines there.
And that happens right at the end of the line, right before the sensor. And so what happens now is, if I have an equivalent resistance of 45 ohms when the door is closed, it jumps up to 500 when the door is open. So we have our okay state and our alarm state. If I were to cut the line, it's going to detect an open circuit, which is different from those other two states, and that indicates tampering has happened on the line. Likewise, if I go through and actually bridge that connection, it's going to detect a short circuit, which it also normally would never see because of these end-of-line resistors. So that also indicates tampering along that line, and that would send a different alarm that hopefully would be responded to with greater severity. The way that we can defeat that is by adding our own resistances along the line. And so there's a number of ways that you can play around with doing that in these games, such as adding potentiometers that you can then control, as well as a whole slew of resistors. And you can play around with that to get a situation where you can both disable an alarm once, as well as go through the whole situation of disabling an alarm where it never actually sent an alarm while you were tampering with those wires. So that's something that you can play with as well in the Lock Bypass Village this year.

So let's talk a little bit about digital communications lines and the various attacks and defenses that exist on those. A digital communication line is going to be sending a zero or a one. So here's an example of 0101001101 being sent in the ideal case. Communications lines have some parasitic capacitance. Because those lines are effectively two plates close together, just very long, it acts like a capacitor, and that causes some capacitive effects here. So we see the line getting charged up and then charged back down. It also has some parasitic inductance.
So that line is going to induce a magnetic field around it as the electric current changes, and as a result we see this higher-order Fourier effect that happens on the line. And so the combination of those two is this pattern that we see down here, a slightly distorted digital signal. There's also noise. So there's noise in the environment, there's magnetic and electric noise, and that's going to inductively couple with the line. And there's noise in the sender and the receiver electronics as well. All of that contributes. And so we're going to take this slightly distorted signal from our non-linear line, and we're going to add on to it this noise, and we get a further distorted electrical signal. This, as you can see, would still be relatively easy for the receiver to decode and determine what bits were being sent at what time. Noise, though, is a somewhat powerful phenomenon. As the amplitude of the noise relative to the amplitude of the signal increases, the noise starts to overtake the signal until the signal is no longer decipherable. And that's the situation where we have a breakdown of communications. That's something that is often the case just naturally, but it can also be used by an attacker to cause a denial of service. And mathematically, what we see is the zero bit is going to form some normal distribution, normal because the noise usually is Gaussian, and the one as well is going to do that. As the noise increases, these distributions widen until determining which one is which becomes very difficult, because this overlap becomes huge.

So how can the red team attack a digital communication line, knowing this? To attack confidentiality on the line, they can tap that wire. That can be with a physical tap, like the one that we looked at when we were attacking the analog alarm wire lines. It can also be with an inductive-based tap, so just listening for the RF generated by what that line is communicating.
To attack integrity, they can introduce packets on the line, so tapping into it and then sending data down. And to attack availability, this is the easiest: they can introduce noise. The defenses against this are: you want to physically shield the line, and that's going to help both stop tapping as well as sending power down the line, sending rogue signals down the line. You can encrypt the digital signal, and that will then prevent both confidentiality and integrity attacks. And to protect availability, you want to send heartbeats so that the line can at least detect if it's being denied service, and that will then let you respond appropriately. So a denial of service attack in a very secure environment is the same as an alarm. It needs to be responded to as if it were an alarm, because it could be an attacker doing this on purpose.

In the wireless world, what we have is a slightly varied situation. We can't put a DC current across empty space; that's because of the laws of physics, and the laws of the land further constrain what we can do. We must act within a certain frequency band so we don't interfere with all the other frequency bands. And so there's a number of ways that we can use what's called a carrier frequency to send a digital signal through the air in the wireless world. There's frequency modulation, or frequency shift keying, that you're familiar with from radios, where we change the frequency depending on if it's a zero or a one. We can change the amplitude in an AM digital situation, or we can phase shift based on if it's a zero or a one. Those are the three main ones that we see. The red team attacks there: for confidentiality, we just sniff, because these are being broadcast for anyone to intercept, and we can then read what's being sent without any wiretapping required. For integrity, we can transmit new data and we can transmit to overwrite the data that's being sent out. And for availability, of course, we can jam that signal.
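The wired-line defenses described above, an authenticated line plus heartbeats so that a denial of service is itself detected, as an added Python example that is not from the talk. It uses HMAC-SHA256 with a sequence number for integrity and replay detection (a concrete choice the talk does not make) and leaves out the confidentiality layer, which would additionally encrypt each frame; the key, the heartbeat interval and the miss limit are constructed values.

```python
import hashlib
import hmac
import struct

# Constructed parameters: the key would be provisioned into the sensor and the
# panel out of band; the interval and miss limit are assumptions.
SHARED_KEY = b"example-shared-key-not-for-production"
HEARTBEAT_INTERVAL = 1.0   # seconds between beats
MISSED_LIMIT = 3           # beats missed before the line is declared faulted
TAG_LEN = 32               # HMAC-SHA256 tag length


def make_frame(key, seq, payload):
    """Sensor side: frame = seq (4 bytes) | payload | HMAC over both."""
    body = struct.pack(">I", seq) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


def parse_frame(key, frame):
    """Panel side: returns (seq, payload), or None if the MAC does not verify."""
    if len(frame) < 4 + TAG_LEN:
        return None
    body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return struct.unpack(">I", body[:4])[0], body[4:]


class SupervisedLine:
    """Panel-side state for one supervised line.

    A frame that fails authentication or carries a stale sequence number is
    rejected and logged; no authentic beat for longer than MISSED_LIMIT
    intervals is raised as LINE_FAULT, to be handled like an alarm.
    """

    def __init__(self, key):
        self.key = key
        self.last_seq = 0
        self.last_good = 0.0
        self.faulted = False
        self.events = []

    def receive(self, frame, now):
        parsed = parse_frame(self.key, frame)
        if parsed is None:
            self.events.append((now, "FORGED_OR_CORRUPT"))
            return
        seq, payload = parsed
        if seq <= self.last_seq:
            self.events.append((now, "REPLAY"))
            return
        self.last_seq, self.last_good, self.faulted = seq, now, False
        if payload != b"HB":                       # e.g. b"DOOR_OPEN"
            self.events.append((now, payload.decode()))

    def tick(self, now):
        """Call periodically; detects jamming or a cut by silence, not content."""
        if not self.faulted and now - self.last_good > MISSED_LIMIT * HEARTBEAT_INTERVAL:
            self.faulted = True
            self.events.append((now, "LINE_FAULT"))


def simulate():
    """Scripted scenario: three good beats, a replay, a forgery, one more good
    beat, then silence (jammed or cut).  Returns the panel's event log."""
    line = SupervisedLine(SHARED_KEY)
    beats = {seq: make_frame(SHARED_KEY, seq, b"HB") for seq in range(1, 5)}
    line.receive(beats[1], 1.0)
    line.receive(beats[2], 2.0)
    line.receive(beats[3], 3.0)
    line.receive(beats[2], 3.5)                          # attacker replays an old beat
    forged = make_frame(b"wrong-key", 99, b"HB")         # attacker lacks the key
    line.receive(forged, 4.0)
    line.receive(beats[4], 4.5)                          # last authentic beat
    for t in (5.0, 6.0, 7.0, 8.0, 9.0):                  # line is now silent
        line.tick(t)
    return line.events


if __name__ == "__main__":
    for when, what in simulate():
        print(f"t={when:4.1f}s  {what}")
```

The replay and the forgery are both rejected without the panel learning anything from their content, and the fault is raised purely from the absence of authentic beats, which is the property that turns a jammed or cut line into an alarm rather than silence. A real deployment would also encrypt the frame, rotate the key, and size MISSED_LIMIT against the response time it can afford.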
So again, for a wireless alarm, if jamming happens, that's something that we want to treat as an alarm situation in a high-security environment. One interesting aside about FM versus AM is that FM is easier to jam and easier to hijack the signal by sending your own data, because whichever signal in a frequency-modulated situation is stronger, by even a small amount, the receiver is going to pick up that signal and only that signal. With AM, it's going to pick up a mixture of the two. So you can actually try this with your radio: if you put it halfway between channels on the FM band, it's going to flip from one to the other. If you put it halfway between channels on the AM band, you're going to hear both channels blended in with one another. But in a security situation, with sending signals across empty space, that means that FM is easier to jam and to take over with integrity-based attacks. The blue team defense, of course, is encrypt as well; that is the only way to protect confidentiality. For integrity, encrypting works for that as well. We also have the added option of locating where this transmitter is that's trying to take over our communication, trilaterating their position, and taking them out by various means. We can of course also increase the signal strength to avoid their ability to drown us out. And for availability it's very similar: we can locate and take out the jammer, we can increase our power, and we can also use heartbeats to detect if availability has been compromised. So that's sort of a very high-level overview of how we can attack digital communications lines.

We'll take a step back to the physical systems that we see on these doors and what we can do about them. So for these magnetic reed switches, one very sort of brute-force-ish attack is we can literally unscrew the magnet and hold it in place relative to where it was beside the door frame, and then open the door with the magnet staying where it is.
Of course, that's only possible with sensors that are mounted on the outside of the frame, on the unsecured side of the door, but it's a very low-tech attack that, if it's possible, is virtually undetectable by the controller. We can use a surrogate magnet to maintain the magnetic field while the door opens and the real magnet moves out of place, and so we actually have another game that we're releasing with Bypass Village that you can practice this on. So here is our door, and we can swing it open and closed, and we can see this magnet along the top, and we can see the magnetic field that's measured by our sensor up here. Then we can move a little stick with a magnet on it in and out and around that sensor, and we can try to use that to make the controller think that the door is closed when it's actually open. And so if we get it to the right place here, it now thinks that that's the case, and as we close the door we can now open and close it without actually triggering that alarm.
So that's something that you can play around with yourselves in this game that we are releasing. In terms of the defenses available to the blue team, using an in-frame magnetic sensor helps a lot, and putting it on the secure side also helps to avoid these attacks being mechanically possible. We can make them more difficult by using what's called a balanced magnetic switch, so it doesn't just look for the presence of a magnetic field above a certain intensity; it looks for the presence of a magnetic field above a certain intensity but below another one. So if the field is too strong, it's also going to set off that alarm, and it makes it a whole lot harder to actually use this surrogate magnet attack. That's something that you can also practice, how to defeat those systems, with the game that we are releasing.

In terms of the request-to-exit systems, if it's a passive infrared, you can send hot or opaque gas or aerosol or something through that door near to the sensor and cause it to think that someone's on the other side. So there's a fairly well-known attack of taking a can of compressed air, turning it upside down and squirting it, and then the condensation that's created is enough to trigger many low-security PIR sensors. If it's a push-to-exit button or a handle, an egress handle, you can manipulate it from the other side. So for instance, if this is a request-to-exit sensor and we did an under-the-door tool attack, that would give us two for one: it would also defeat this request-to-exit sensor. And from the blue team's perspective, using a hybrid PIR and radar sensor is going to help immensely with avoiding people faking a human signature on the other side, and using a token reader for egress is incredibly powerful. It effectively means that we cannot use request-to-exit sensor based attacks; we may as well just attack the credential reader on the unsecured side itself. And so that does increase significantly the difficulty of attacking this particular system. So using a PIR or
a token reader on the exit side as well is sort of the electronic equivalent of a Euro-style double-barreled deadbolt, a very good design for security purposes, of course at the cost of user convenience. In terms of PIR sensors, we can set them to have high-security settings so that it will only trigger if a person is in the very specific right area and not this giant large range here. Long range is really meant for convenience and accessibility, so it'll open the door as someone's walking towards it. It's not meant for security at all.

In terms of attacking these actuators, we can separate the electromagnet slightly. So if you ever catch open a door that's equipped with a mag lock, you can take a piece of gaffer tape or something fairly thin and put that onto the surface of it, and that's going to separate those components just enough that it will reduce the holding force from 2,000 pounds down to, say, 50, at which point the door feels secure but it can be forced open. And that's something that you can then come back and do. Attacks like that, attacking the magnetic-based retaining system, are possible with some designs of mag strikes. We can attack the comms line and the power, so in the case of mag locks they fail unlocked if the power is gone, and we can of course attack the comms line to any of these to make the hardware think that the controller is telling it to open up. And we can use physical bypasses as well, so mag strikes are often poorly sized, the dead latch is going to fall into that hole, and we can loid that latch. If you don't know what that means, check out our Bypass 101 talk. And the blue team, what they can do to help against these attacks, is of course shield their communications lines and use hardware that fails in a locked state. That might not be allowed due to fire code, but wherever possible you should try to do that.

So here's an example where we can read that there is actually a mag lock on the other side of the door. That's what these two bolts are
telling us, as well as this conduit coming through here. What's interesting, though, is this conduit is of course the power that's going to that mag lock that is telling it to stay locked. In this case, turning power on and off is the communications line, and so we can just unscrew any of these junction boxes here and break that wire, cut that connection somehow, and this mag lock is going to then fail in an unlocked state and we can open this door. Fairly simple attack there.

In the case of this type of hardware, where we have a key switch, we can of course pick the lock or do other attacks like that. We can unscrew the enclosure casing and then jumper out those lines and make it think that the key has been turned, and of course we can perform an attack like that anywhere along the comms line where it's accessible to us. What the blue team can do to defend against this is put the key switch on the secure side of the door. I really don't know why this isn't seen more often, possibly so that the guards can do it when they come on to shift to open up for the first time, but they really should be given a key or some other better credential to get in if that's the case, and that will avoid this threat entirely, because if you're on the secure side then you're already in. You can use a lock of equal or higher security as the facility's front door; too often we see crappy wafer locks on these key switches where the front door might be a high-security Medeco. And install a tamper switch within this box, so if the controller sees that this box has been opened, it will not honor it if the key switch is turned, no matter what happens, as a bit of a defense. With that, of course, that can be bypassed as well; there are loads of ways to bypass tamper switches.

Let's talk a little bit about the communications protocols that are used by the credential readers. So we have the Wiegand protocol, which is sort of the original, most well-known one, and it is based off of magnetically charged wires in the card that
are going to be placed in either a zero or a one position, and as we swipe that card it's going to then have sensors that detect that and give us the data. From there we can have magnetically encoded information on a mag stripe, which is similar, and then we can have RFID technologies as well. Down the line, though, for backwards compatibility, almost every reader and almost every controller still supports the Wiegand protocol, and that's just to make sure that we can mix and match any reader with any controller and there's something they can fall back on that will work. And so that Wiegand protocol looks like this: if this is the data that we're sending, so the 0 1 0 1 0 0 1 1 0 1 that we saw before, we have our data zero line and our data one line, and they're normally a one, and we pull either the zero or the one down to a zero when we want to send a zero or a one respectively. So here we send zero, then a one, zero, one, zero, zero, etc. Because we have that Wiegand protocol in use for backwards compatibility, if we can access those lines we can then read the Wiegand-encoded data that's being sent, as well as replay or send our own reconstructed packet in that same format. And that's what the BLEKey does, which was released at Black Hat 2015 by two very smart individuals. They designed a piece of hardware that would clip on to the alarm wires, so we see here the green and the white Wiegand wires as well as our black ground; it clips onto that and it listens to every credential that gets swiped, and it can communicate with your phone via Bluetooth, and that phone can then get the raw credential data as well as replay any valid credentials and cause that door to open on demand. So that's one particular attack against that communication line. A good remediation for this is OSDP. It's one of the, well, it's really the only encrypted communication protocol that we see in somewhat widespread use. It's still not very widespread, and there are some proprietary systems that
will use other encrypted forms as well. And hook up your damn tamper wires. So when you remove that credential reader from the wall to get access to the wires behind it, almost all of them, the good ones at least, are equipped with a tamper switch that will send the controller a signal saying, hey, this reader has been removed from the wall. If that happens, the controller should respond appropriately, set up the appropriate alarms, etc. All too often we see that not even hooked up. So here is a quick example we can take a look at: we have our reader here, and we can assume that there's some sort of actuator on the other side, very likely a mag lock, as well as we have an accessibility door here with a visible magnetic strike system, and that will be opened by some other situation. So there's a couple of items that we can notice in the wild. One thing to note about all of this hardware we've been talking about is it is blazingly expensive. Here are some of the standard retail costs for what a new construction building might pay for these pieces of hardware. So things like not hooking up your tamper wires, putting poor-quality locks on the unsecured side that can disable the system, not shielding your communication lines and letting those be accessible from the public, etc., all of those are really simple fixes and very cheap in comparison to the cost of this hardware, and something that really should be looked at if you have a facility that cares about security enough to pay this kind of money for these systems. But any time you see a door that's equipped with this equipment, these are the kinds of costs that are involved in actually setting that up. So we've talked a lot about access controllers determining, or giving the go or no-go decision on a door based on a credential swipe, and sending an alarm if there's an unauthorized access. We can also talk about alarm systems, and they are more state-based. So on a very high level we have three states: an armed state, disarmed, and an alarm state, and we can
enter the arming and disarming sequence to move between these top two. If a sensor is tripped when it's armed, it's going to alarm, and then the reset sequence will move us back to disarmed. In order to attack these systems, our starting state is armed; we're assuming that, since it needs to be attacked. And the two routes that we can take are: we can cause the disarming sequence to be entered, or cause the controller to think it has been, and move it to a disarmed state, or we can prevent the sensors from being tripped and prevent it from going into an alarm state. So to give one example of the first type of attack, this is a typical timeline that happens in older, less well-designed systems. We have our controller here; the sensor gets tripped. As time moves along, in a normal situation, a normal entry, the disarm code is entered, the panel enters a disarmed state, and then the timeout happens, but because the code has been entered in time nothing happens at that point; the police are never contacted. If, however, a valid code is not entered in time, then when the timeout happens the panel will contact the police and they will be dispatched to see what's happening with this alarm. This allows for what's called a crash and smash attack, which is that if at any point between the sensor being tripped and the timeout the panel is rendered inoperable, the communications lines are rendered inoperable, etc., it will then prevent it from sending that call for help out when the timeout happens, because the panel no longer operates. This of course assumes that your keypad panel is the same as the controller, which in many systems it's not, but many good burglars know which ones are and which ones are vulnerable to this, and so that's something that you do see on occasion. A better way to handle this is to have an intermediary server that's off-site. As soon as that sensor is tripped, the server is notified; when the disarm code is entered, that server is notified as well. If the disarm code is not entered,
then when timeout occurs the server will dispatch the police without requiring any more communication from the local facility. That way, if there's a crash and smash attack and that panel is rendered inoperable, an alarm will still go out. So that's the disarming sequence, or at least sort of a pseudo situation to move us to a disarmed state. We can also prevent the sensor from being tripped, and there's a load of ways to do that depending on what type of sensor exists. So we have a number of different types. We have cameras, which are usually human-operated, but increasingly we have computer vision systems that are going to look for motion where there shouldn't be. We have these door-open sensors, as well as glass break sensors, which are common, to prevent that through-the-window attack. We have passive infrared sensors, which we looked at for request to exit; those ones we did want to trip, to make the door think someone was exiting. These ones, as a red team, we don't want to trip, because that will tell the alarm system someone's here and there shouldn't be. So they detect the presence of a human body's infrared spectrum. And then we have various underground seismic-based systems to detect someone walking on the ground, as well as fence climb sensors that we see on the outside; both of these, by the way, are incredibly prone to false positives, so they're usually only seen in very high security applications. In terms of how the controller combines all of these, we have what's known as alarm zones. So zones are the individual circuits that one or more of these sensors is put on. So in this case we have a normally closed zone that has two magnetic reed sensors on it, a second normally closed zone that has only one on it, and for normally closed we need to wire them in series, and then a normally open zone that has two wired in parallel. For security systems, you usually have them wired in series, if not only a single one on a zone, which is generally better, and then for fire systems you're going to wire in
parallel and have normally open systems there. So that is how all of these devices get handled by the controller, and what that means is if multiple different sensors are on the same zone, the controller cannot tell which one was tripped, just that one of them was, and so the idea is they generally tend to be aligned in space, so the controller can identify where physically in the facility this alarm is coming from. So there's a number of specific defeats for each of these. One that we'll talk about for passive infrared sensors is to block the infrared signature from your body actually reaching the sensor. So you can use these space blankets that will then reflect the ambient thermal signature back onto the sensor and cause it to not see you. You have to be very careful with those, because if you touch it with your hand, then your hand is now going to, well, it won't radiate, but it will conduct through because you're touching it, and that's going to defeat your efforts there. We've actually found anecdotally that for many of the commercial PIR sensors, yoga mats work incredibly well, a lot better than these do, to block your IR signature. You can move very slowly, because these things have to get a sense of what the environment is, and so if you move slowly it might think that you were just part of the ambient environment. You can move out of its focus range; so many of these, in facilities that might have animals walking around, which is usually a residential setting, will be set to only focus above two or three feet off the ground. That's the default setting in many cases, and in some cases that is just a physical limitation of the device that's being shipped out. If that happens, you can then effectively get down to that level, away from the focus range, and avoid these entirely. And as well, passive infrared sensors are much more sensitive to motion across them; moving towards and away from them, they're less sensitive to. So if you can make your motion in that direction, it will
help you avoid being detected. So here is another example that we see that is no longer available. So taking a look at one particular hypothetical layout of passive infrared sensors, this is a bad layout. Take a stare at it and see if you can figure out why. The reasons are: number one, way at the edge of the range is a large part of the room that is accessible by one of the doors, and so we can now get around and access large parts of this room through that. As well, this particular door here gives us access to the back of two of the sensors, and so by doing that we can then place an IR shield in front of it from behind and effectively blind them to almost all of the room. And finally, the way that these are laid out, it allows motion in a towards-and-away direction to help avoid it detecting on its more sensitive perpendicular axes. The last thing I'll actually mention about this particular layout is someone who's entering this room and seeing that this layout is the case will wonder, well, why are they clustered along this particular wall? One potential reason might be this shaft here; that X indicates a shaft in the wall that's likely a pipe riser shaft, through which comms lines run as well. So if someone can infer from that that the comms lines for these are running through this shaft, they can enter that instead, where there are no sensors, and cut them off along the comms lines instead. A better layout surrounds the room and makes sure that all doors are firmly in the coverage range, and there's no way to get in any of these doors without moving entirely perpendicular to these sensors in their sensitivity direction. As well, there's no way to get behind any of the sensors, let alone all of them, and there's no way to get anywhere appreciable within this room without setting off at least one of our motion sensors. So this is a much better layout. The last thing that we can look at, and this is getting a little bit more into social engineering so we'll only touch on it briefly, is
attacking the response that happens when an alarm gets sent out. So when the responding forces are distracted, they might be sleeping, they may be on other calls, etc., or it might just be a human factors problem in the control room, which we see very, very frequently, they will not respond effectively to an alarm. And so that can be induced as well, or you can choose to attack at the times that you know they're most likely to be in a state like that. Response fatigue is the term that we use to describe when an alarm has too many false alarms and security decides they're going to stop responding to it; it's probably just a raccoon climbing the fence or jumping up against the fence or whatever, kind of like the boy who cried wolf. So by setting off one alarm many, many times, making security think it's a false alarm, you can cause them to stop responding to that. They might have higher priority calls that come along, so you can set off more critical alarms than where you actually want to go; security is going to go to that higher priority location and you now have a lack of response for where you are, setting off whatever alarms you want to. They're often just plain old slow, so if there's no on-site security, if it's either an off-site security service or police that are called, they can take upwards of 30 minutes, maybe more, to get to the site and actually do a sweep and see if anything is amiss there. That is way too long; the vast majority of criminals are in and out well within that period of time, so just being fast enough that you outrun the response is usually sufficient as well. In terms of dealing with the response in an ethical hacking situation, so most commonly we see this with physical pen testing, there are a number of considerations to keep in mind. We don't want to diminish the ability of the facility to respond to a real threat that could do real damage. So that could happen both if we disable alarms but also if we cause security to, say, have response fatigue on a particular alarm, or if we
cause them to be in one place when there's a real incident in another. So that's something to consider, and we also don't want them, especially if it's the police, to be responding to us as ethical hackers at the expense of other potential calls. So fairly famously now within this community is the Iowa courthouse pen test case, where two individuals were hired to penetration test a courthouse and they ended up getting arrested and charged as a result of it. A lot of people made a lot of mistakes in that particular case, but one mistake that, in my humble opinion, the red team made is it was irresponsible of them to have those police officers called to the site without prior notice to the force, at the possible expense of other higher priority calls. Someone could possibly have died as a result of that if there had been a higher priority life-or-death call that was averted as a result of responding to this. So that is a number of considerations for attacking the response, and for dealing with any of these alarm situations, we want to make sure that we do it responsibly and in a way that does no harm, or does no unreasonable harm as determined by the client and external stakeholders. So I encourage you to try it out. We've released a couple of little games that let you practice these aspects that we've talked about throughout this talk. It has been a lot, so feel free to ask me questions, feel free to give suggestions for something that you'd like to see at a future Bypass Village that you can practice hands-on, hopefully in person at DEF CON 29. But for now you can practice rewiring alarms and using magnets to disable reed switches, and with that I would be happy to take any questions that you might have.
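The Wiegand wire protocol and the clip-on capture-and-replay attack described earlier in the talk, as an added example that is not code from the talk or from the BLEKey project. It models the two data lines (DATA0 and DATA1 idle high, one pulled low per bit), frames card data in the common 26-bit layout (leading even parity over the first 12 data bits, 8-bit facility code, 16-bit card number, trailing odd parity over the last 12 data bits), sniffs the bits back off the line, and shows that a controller which trusts the wires accepts a replayed capture exactly as it accepts the original swipe. The facility/card values and the controller's allow-list are constructed for the demonstration.

```python
"""Toy Wiegand (DATA0/DATA1) line simulation: encode, sniff, decode, replay.
Added example; the 26-bit frame layout is the widely used standard one, and
the sample card numbers and the controller allow-list are constructed."""

from typing import List, Tuple

IDLE = (1, 1)        # both lines high between pulses
PULSE_ZERO = (0, 1)  # DATA0 pulled low = a 0 bit
PULSE_ONE = (1, 0)   # DATA1 pulled low = a 1 bit


def encode_wiegand26(facility: int, card: int) -> List[int]:
    """Build the 26 bits of a standard 26-bit Wiegand frame."""
    if not 0 <= facility < 256 or not 0 <= card < 65536:
        raise ValueError("facility must fit in 8 bits, card in 16 bits")
    data = [(facility >> i) & 1 for i in range(7, -1, -1)]
    data += [(card >> i) & 1 for i in range(15, -1, -1)]
    even = sum(data[:12]) % 2        # leading bit: first 13 bits have even parity
    odd = 1 - (sum(data[12:]) % 2)   # trailing bit: last 13 bits have odd parity
    return [even] + data + [odd]


def decode_wiegand26(bits: List[int]) -> Tuple[int, int]:
    """Check both parity bits and return (facility, card); raise on a bad frame."""
    if len(bits) != 26:
        raise ValueError("expected 26 bits, got %d" % len(bits))
    if sum(bits[:13]) % 2 != 0:
        raise ValueError("leading even-parity check failed")
    if sum(bits[13:]) % 2 != 1:
        raise ValueError("trailing odd-parity check failed")
    data = bits[1:25]
    facility = int("".join(map(str, data[:8])), 2)
    card = int("".join(map(str, data[8:])), 2)
    return facility, card


def bits_to_int(bits: List[int]) -> int:
    """Frame as one integer, MSB first (handy for comparing with a captured value)."""
    return int("".join(map(str, bits)), 2)


def bits_to_line_samples(bits: List[int]) -> List[Tuple[int, int]]:
    """What a probe on DATA0/DATA1 sees: one low pulse per bit, idle in between."""
    samples = [IDLE]
    for b in bits:
        samples.append(PULSE_ONE if b else PULSE_ZERO)
        samples.append(IDLE)
    return samples


def sniff_line_samples(samples: List[Tuple[int, int]]) -> List[int]:
    """Recover the bit stream from line samples; this is all a clip-on sniffer has to do."""
    bits = []
    for sample in samples:
        if sample == IDLE:
            continue
        if sample == PULSE_ZERO:
            bits.append(0)
        elif sample == PULSE_ONE:
            bits.append(1)
        else:
            raise ValueError("both lines low at once: wiring fault or collision")
    return bits


class PlainWiegandController:
    """Controller that trusts whatever arrives on the wires (no OSDP, no tamper input)."""

    def __init__(self, allowed):
        self.allowed = set(allowed)  # (facility, card) pairs

    def handle(self, samples) -> bool:
        """True = unlock. Any well-formed, allow-listed frame is accepted."""
        try:
            return decode_wiegand26(sniff_line_samples(samples)) in self.allowed
        except ValueError:
            return False


def replay_demo() -> Tuple[bool, bool, bool]:
    """(legit swipe, replayed capture of that swipe, unknown card) -> unlock decisions."""
    controller = PlainWiegandController(allowed=[(123, 45678)])  # constructed allow-list
    legit = bits_to_line_samples(encode_wiegand26(123, 45678))
    captured = list(legit)  # the sniffer simply records the line states it saw
    unknown = bits_to_line_samples(encode_wiegand26(123, 1))
    return controller.handle(legit), controller.handle(captured), controller.handle(unknown)


if __name__ == "__main__":
    print("legit, replay, unknown ->", replay_demo())
```

The controller cannot distinguish the replay from the original because the wire carries nothing but the bits: no freshness, no reader identity, no integrity check beyond parity. That is the gap OSDP's encrypted channel and a connected reader tamper switch are meant to close.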
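The alarm-zone wiring and the crash-and-smash timeline discussed earlier in the talk, as one added example that is not code from the talk. It models (1) how a normally-closed series loop and a normally-open parallel loop each collapse several contacts into a single tripped/not-tripped bit, so the controller cannot tell which sensor on the zone moved, and (2) the two panel designs from the timeline: an older panel that both counts the entry delay and phones out, and a panel whose trips and disarms are forwarded immediately to an off-site monitoring server that does the timeout itself. The 30-second entry delay, the disarm code and the three timelines are constructed values.

```python
"""Toy alarm model: zone wiring plus crash-and-smash against two panel designs.
Added example; ENTRY_DELAY, the disarm code and the event timelines are constructed."""

ENTRY_DELAY = 30  # seconds from sensor trip to panel timeout (assumed value)


def zone_tripped(wiring: str, contacts_closed) -> bool:
    """contacts_closed: one bool per sensor on the circuit (True = contact closed).
    NC series: the loop is intact only while every contact is closed.
    NO parallel: current flows as soon as any single contact closes."""
    if wiring == "nc_series":
        return not all(contacts_closed)
    if wiring == "no_parallel":
        return any(contacts_closed)
    raise ValueError("unknown wiring: %r" % wiring)


class LocalPanel:
    """Older design: the unit that counts the entry delay is also the unit that
    must phone out, so destroying it before the timeout silences the alarm."""

    def __init__(self, code):
        self.code, self.alive, self.deadline = code, True, None
        self.state, self.dispatched = "armed", False

    def trip(self, t):
        if self.alive and self.state == "armed" and self.deadline is None:
            self.deadline = t + ENTRY_DELAY

    def enter_code(self, t, code):
        if self.alive and code == self.code:
            self.state, self.deadline = "disarmed", None

    def smash(self, t):
        self.alive = False  # panel and its comms line destroyed

    def tick(self, t):
        if self.alive and self.deadline is not None and t >= self.deadline:
            self.state, self.dispatched = "alarm", True


class MonitoringServer:
    """Off-site server: told of every trip and disarm, decides on its own clock."""

    def __init__(self):
        self.deadline, self.dispatched = None, False

    def sensor_tripped(self, t):
        if self.deadline is None:
            self.deadline = t + ENTRY_DELAY

    def disarmed(self):
        self.deadline = None

    def tick(self, t):
        if self.deadline is not None and t >= self.deadline:
            self.dispatched = True


class MonitoredPanel:
    """Better design: the panel forwards events at once; the server runs the timeout."""

    def __init__(self, code, server):
        self.code, self.alive, self.server = code, True, server

    def trip(self, t):
        if self.alive:
            self.server.sensor_tripped(t)

    def enter_code(self, t, code):
        if self.alive and code == self.code:
            self.server.disarmed()

    def smash(self, t):
        self.alive = False

    def tick(self, t):
        self.server.tick(t)  # the server keeps running whether or not the panel is alive

    @property
    def dispatched(self):
        return self.server.dispatched


def run_timeline(panel, events, horizon=2 * ENTRY_DELAY) -> bool:
    """events: list of (time, action, arg). Simulate one second at a time;
    return whether police were dispatched by the end of the horizon."""
    for t in range(horizon + 1):
        for when, action, arg in events:
            if when != t:
                continue
            if action == "trip":
                panel.trip(t)
            elif action == "code":
                panel.enter_code(t, arg)
            elif action == "smash":
                panel.smash(t)
        panel.tick(t)
    return panel.dispatched


def compare_designs(events, code="1234"):
    """(local panel dispatched?, monitored panel dispatched?) for the same timeline."""
    local = run_timeline(LocalPanel(code), events)
    monitored = run_timeline(MonitoredPanel(code, MonitoringServer()), events)
    return local, monitored


# Constructed timelines: (seconds after the sensor trips, action, argument)
NORMAL_ENTRY = [(0, "trip", None), (10, "code", "1234")]
BURGLAR_NO_CODE = [(0, "trip", None)]
CRASH_AND_SMASH = [(0, "trip", None), (5, "smash", None)]

if __name__ == "__main__":
    for name, events in [("normal", NORMAL_ENTRY), ("no code", BURGLAR_NO_CODE), ("crash and smash", CRASH_AND_SMASH)]:
        print(name, "-> (local, monitored) dispatched:", compare_designs(events))
```

Only the crash-and-smash timeline separates the two designs: the local panel never reaches its own timeout once smashed, while the server, already holding the trip and no matching disarm, dispatches anyway. The zone helper makes the other point from the talk concrete: opening sensor A or sensor B on the same NC series loop yields an identical zone state, which is why sensors sharing a zone should be physically co-located.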