Let's give Zeke a big round of applause. Okay, so I think we're about out of time. Thank you everybody for coming out. So yeah, my name is Ricky, I'm with Zeke, this was my talk, and let's just get right into it. Okay, so I'm a security researcher at TippingPoint DVLabs, now Trend Micro TippingPoint, until just recently HPE, and before that HP, before that 3Com. I wasn't there during that time, but whatever. Most of my hacking involves things that I find lying around the house and things that I have easy access to, which ends up being a lot of IoT things. This is actually my third time speaking at DEF CON, my first time with an actual DEF CON beard. Thank you. But I've spoken at Ruxcon, REcon, Insomni'hack. And I actually used to install physical security systems for a living, which is kind of where part of my motivation came from for doing this talk. My first ever talk, period, was at DEF CON; it was a little lightning talk about a super overly complicated attack that I found in HID card readers. It was a TCP replay attack where you capture a remote unlock command and then re-inject it into the session later on, and you could reopen that same door for that same period of time, but I couldn't compose my own unlock commands, so it was really limited, and I felt like I could do better, and I didn't work for... here. But I also had a conversation with a friend or two about how cool it would be to be able to mess with video streams and stuff, and so I started formulating an idea for a talk, and here we are. So I'm trying to decide what all I should skip through, since we're still behind in time. So physical security: basically it's just a way to protect your valuable assets and your facilities.
When I talk about physical security, I'm talking about access control (so, the reader stuff), surveillance, and alarms. Basically, no matter how big your organization is, you've got some kind of physical security, whether it's just a manual physical lock on a door, whatever it is; it's in every single organization. But the larger the organization, the more untenable managing a physical security system becomes. So piece by piece, people are starting to move it to the network to make remote management really easy and really convenient. But with that convenience comes the worry of network attacks and things like that. So what you end up with is these embedded devices that are accessible via the network, and they're protecting all of your valuable assets, and they're in every single organization out there. So you should take a look at them. Alright, so access control is by far the most complicated piece of this puzzle. I'm going to go through it in detail to describe the layout of everything. Basically you've got your locking mechanism... hang on, I'm gonna grab... So you've got your locking mechanism, which is what keeps the door from being able to open. An ID mechanism, which lets you open the door. And then you're going to have various sensors and... oh, sorry. That was the equivalent of me forcing open the door. So I'm going to have to acknowledge that alarm, or maybe I'll just power cycle it. Hang on. Sorry, door. Okay, and then of course you've got some management software on a remote terminal somewhere, so that when somebody says, hey, I forgot my ID, you can buzz them in, or you can push down schedule changes and things like that. Alright, so a little bit more detail about the door.
When I'm talking about the ID reader, that covers the entire span from the low end, like PIN pads and mag stripe readers, to the high end, like biometric retinal scanners and things like that. Then you've got what's called a request to exit, which lets the door know that somebody is leaving from the secured side. So even though you don't see a card read or anything like that, it's okay for them to open the door, because they were already inside. The door contact is the magnet that shows you whether the door is open or closed. The lock or strike is the locking mechanism, blah, blah, blah. The most important part is the door controller. Are you guys following along well with the slides the way I'm doing them? Okay. So the most important part for my purposes was the door controller, which is the part that holds a local copy of the database; all the other pieces of the door wire into it, and that's what's connected to the network. So here's a diagram of how that all wires together. You see above the door in the middle, you've got a passive infrared sensor; that's your request to exit, or REX. It's just a motion sensor that says somebody's walking up to the door. And you've got a little magnet on top of the door. You've got a lock on the side of the door, a reader on the side of the door. All of that is wired into the door controller, which then goes out to the cloud, or the LAN, or whatever. Alright, so let's cover some attack vectors. First I'll start by talking about some existing things, things that aren't really network based. I'm sure you've all heard a lot about RFID spoofing and brute forcing PIN numbers, and even pulling the reader off of the wall and tapping into the Wiegand data lines and brute forcing the pulses for a valid ID.
So there are lots of attack vectors there. Most of them seem... I guess RFID spoofing, or cloning cards, isn't that hard to pull off, but if you're talking about yanking a reader off of a wall, it's kind of destructive and obvious. So there are some funny attacks on request to exit. Have any of you guys seen, I think it's Rift Recon, they've got that loop-on-a-stick thing, where you reach under the door and hook onto the inside handle and then you pull down and it opens the door. Hilarious things like that, and tripping motion sensors and stuff. Of course you could attack the management software if it's running on a vulnerable host or has an unsecured database; a little unpredictable. Or we could go after the door controller, because it's a network-connected embedded device, which is notoriously bad with security, and every single piece of the door is wired into it. So it's basically an embedded device that has a bunch of software-controlled relays on it. If you can control the device, you can control the relays. So let's focus on the door controller now. Basically, the way I see it, there are two main ways that we could go after this thing. You guys could probably think of way more, but the first, and probably most obvious, is API exposure. So, kind of like what I did in my little rinky-dink DEF CON talk, where if you can see an unlock command go to the door, you can replay it later on. But I do want to talk a little bit about this PSIA, which is an interoperability standard that is starting to take off a little bit. I should say that this is strictly speculation.
I don't have access to a controller that implements this standard, but just reading through the spec, it looks like something I would like to take a look at, because it's based on HTTP requests to URIs. And I saw this one access override URI that's used for, like, if there's an incident at a facility and you need to either unlock all the doors or lock off some areas, you can override the access schedule by sending a PUT request to the access override URI and set the access override state to unlatched, and it would unlock all of the doors just like that. It had mentioned something about having... I'm starting to run out of breath from this, I'm going through this so fast. So it had mentioned having an ID number in the request to use as an authentication mechanism. But that was just in the spec, and individual implementations may vary. Okay, on the other hand, you could look for running services, since it's a network device. So they usually have an onboard management system. If I had my display working, I would show you what the onboard management system looked like on this guy. So that's one thing: usual web app attacks. Or you could look for standard UNIX services, Linux services, that are just out of date because they haven't been keeping up with patching other services that are running on their device. And also they are a great place for fuzzing proprietary services that haven't been examined very closely. Which is what I did. So this is an HID door controller. Every single one of HID's door controllers across their entire product line was running a service called discoveryd, which is a way to send out a UDP packet to the broadcast address, and every door controller on the network would then send a packet back to you that said, yeah, here I am.
Here's all my info, blah, blah, blah. That was the only purpose of the service from what I could tell, but it wasn't the only function of the service. There was also an undocumented command called command_blink_on. So command_blink_on took a number of times as an argument, and that number of times was how many times to blink the LED on the door controller. And the way that worked was they would build up a path to the blink binary, then append that number that you just gave it, and call system() on it with no sanitization at all on the user- or attacker-supplied information. So it was vulnerable to a command injection. And the discoveryd service was even running as root. So this was across their entire product line; the VertX, Edge, EVO, their entire product line was vulnerable to this. It has been patched since, I think, March or April. You can actually find these door controllers on Shodan. I don't know why anybody would ever put their doors on the internet, but they're there. There were over 300 last time I checked. And the patch rate is really low, even though the patch has been available for a while. So there's that. Surveillance is a lot simpler. You usually have a video camera that's either going to be an IP camera or hardwired. And then you're going to have some sort of recording device, like a VCR or DVR, and then again some kind of management software. So same deal as before with the management software, as far as attack vectors go. The DVR gets a little more interesting. There have been some attacks recently about being able to dump creds to log into DVRs and things like that. You could also maybe try DoSing the DVR so the camera can't reach it.
If it's an IP camera, that avoids recording. You can also do the same thing by DoSing the camera. But what would be way cooler is if you could man-in-the-middle the video stream, since it's an IP camera and it's just streaming across the network. So let's take a look at that. This demo I'm definitely not going to be able to show you without my display working, which is a shame, because that was the one that I was really proud of. But most video streams are going to be either RTP or Motion JPEG. I haven't seen a lot of encryption, although it's starting to catch on a little bit. The basic idea here is, when you see a frame, you grab it, you modify it in whatever way you want, and then you forward it on. And that allows you to do things like you would see in the movies, like loop X number of playback seconds, so you record three seconds of playback and then jump back and just keep replaying it over and over again. Or you could cut the feed by just replacing all the images you see with fuzzy static. One cool thing that I did was... are there any fans of Ghost in the Shell? Be honest. Yeah. So I used OpenCV to do face detection on the images that we were passing through, and then I would replace that face with the Laughing Man logo. So I could actually get in frame and my face would be covered up with the Laughing Man thing. If you guys want, whenever you see me out there somewhere, I can run through these demos for you then. I guess I could still show you the card reader attack. I'll do that. Okay, so the camera that I was working with was a Ubiquiti AirCam. It's a couple generations old, but my friend let me borrow it.
And in the latest firmware, they actually got rid of RTP, which made things a lot easier. They were just doing Motion JPEG. So all I had to do was write some custom plugins for a man-in-the-middle proxy to handle the images, and it was super duper easy. Oh, also I should mention, I'm not calling out Ubiquiti. There's not a vuln in their camera. This is vendor agnostic. So don't sue me. And then alarms, of course: we've got fire alarms, tamper sensors, motion sensors. Starting to run out of time. So one cool thing that you could do with a networked fire panel is cause a false positive, or a false alarm, in one area as a distraction for what you're trying to do in another area, something like that. The motion sensor is probably the easiest thing that you would have to deal with, because if they can't send their alarms, then they're useless. So you can either just straight up DoS the motion sensor, and then, if it's sending out a heartbeat to say "I'm still alive," you have to spoof the heartbeat. Or you could just selectively DoS: if they're not using any encryption and you can recognize the alarms, just selectively not let those alarms through. And then that's all there is to it. This doesn't make any sense, since I'm not able to do any of my demos. But I ran out of time trying to configure my... so I've got an IoT motion sensor that just was not pairing with its management software. So I ran out of time trying to get that demo working. Okay. So here was the hypothetical scenario that I had set up that I was going to pull off for my demo section. Typical office. They've got a card reader on the unsecured side and a door controller on the secured side. They've got a video camera watching the entire office.
And then, like you do, you've got the Hope Diamond and all of the CEO's credit card info lying out on your desk, because you can; you're totally secured. So I'm going to hop over to this machine real quick. I don't know if those mics are on or not. I won't be able to show you the video camera stuff, because I don't have a display. But I will be able to show you sending my exploit to permanently unlock the door. So bear with me. It does work. Okay. So I can't show you the code, but basically there was a CGI script that was running on this thing, or it was a compiled binary, that handled sending all of the settings to the relays to control their state. And so I just sent it the unlock state and then removed execute permissions from that CGI binary, so that it unlocked the door and then wouldn't let you relock it. And since you can find all the door controllers by sending a packet to broadcast, I just send out that broadcast probe and then iterate through all of the door controllers that come back, and I can permanently unlock every single door in an entire facility. So hang on one second. Okay. And it... hang on, that's not a good point. So it's just injecting commands over and over again, because there was a character limit on how big the packet... Okay. So now the door is permanently locked, or rather permanently unlocked, and this is where I would have brought up the management portal to click on the relock button and show you that it wasn't relocking. So yeah, there's that. It's not as impressive as I had originally planned, but these things happen. Heh. Thank you. Okay.
And then the camera thing was going to be looping the playback, so that you can walk in front of the camera without being seen, and stuff like that. So there's that. Okay. So let's talk quickly about mitigations. First off, most obviously, segregate these devices from your normal network traffic. Make it so that regular Joe Blows on your network can't reach these devices. Also, if the network that you've got them on is very static and predictable, you can look for anomalous activity pretty easily. Keep on top of firmware updates, which is actually an interesting problem with these kinds of situations, especially with the access control system, where, once upon a time, IT handled computers and facilities or whatever handled locks. But what do you do when it's both? So you have to clearly define who owns what and who's going to be in charge of updates and things like that. Also, think before you link. And, as I think I give this advice in every single one of my talks, hack yourself, because that's how you learn what you're vulnerable to and how your overall security posture looks. Third-party resellers. So a lot of this stuff is really closed off to the general masses, but third-party resellers are a little looser. Like, I bought this entire rig preassembled from a company that I'm not going to name, because I don't know what their opinion of me naming them in a DEF CON talk would be. Maybe talk to me afterwards, but yeah, it was like 300 bucks for that entire preassembled demo door system. Also, I was able to find some firmware images that I wouldn't otherwise have been able to get access to. Okay. So yeah, that's basically it.
Sorry I had to rush and not show my fantastic demos, but if you are ever interested in any of the code, or have any questions, things that I didn't have time to go over properly or anything like that, I have an email and I have a Twitter, and I'm way more responsive on Twitter than I am on email. So yeah, hit me up.
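As an added example (not code from the talk, and not HID's), here is the vulnerable pattern the talk describes for the blink command, placed beside a hardened handler: the unsafe version concatenates the attacker-controlled argument into a string destined for system(), so whatever the shell treats specially becomes part of the command, while the safe one accepts only a bounded decimal integer and builds an argv list for a shell-free subprocess call. The binary path, the blink limit and the request wording are assumptions made for this example.

```python
import re
import shlex

# Assumed path; the talk does not give the real location of the blink binary.
BLINK_BIN = "/opt/controller/bin/blink"
MAX_BLINKS = 50  # assumed upper bound on LED blinks per request


def vulnerable_blink_command(count_arg: str) -> str:
    """The pattern the talk describes: binary path plus the raw argument, joined into
    one string that the original service handed to system(). No validation at all."""
    return f"{BLINK_BIN} {count_arg}"


def shell_would_run_extra_commands(command: str) -> bool:
    """Cheap reviewer's check on a command string: a legitimate blink call is exactly two
    tokens and contains none of the characters a POSIX shell uses to chain or substitute."""
    try:
        tokens = shlex.split(command)
    except ValueError:  # unbalanced quotes: the shell would not run what we expect either
        return True
    return len(tokens) != 2 or any(ch in command for ch in ";&|`$()<>\n")


def safe_blink_argv(count_arg: str):
    """Hardened form: accept only ASCII digits within range, then build an argv list
    for subprocess.run(argv) with shell=False, so the input is never parsed by a shell."""
    if re.fullmatch(r"[0-9]+", count_arg) is None:
        raise ValueError("blink count must be a decimal integer")
    count = int(count_arg)
    if not 1 <= count <= MAX_BLINKS:
        raise ValueError(f"blink count must be between 1 and {MAX_BLINKS}")
    return [BLINK_BIN, str(count)]


def handle_blink_request(count_arg: str) -> str:
    """Request handler for the hardened service: returns the status line it would send back.
    Nothing is executed here; in a real daemon subprocess.run(argv, check=True) would follow."""
    try:
        argv = safe_blink_argv(count_arg)
    except ValueError as exc:
        return f"ERR {exc}"
    return "OK " + " ".join(argv)


if __name__ == "__main__":
    # Constructed inputs: an honest request and one carrying a trailing shell command.
    for arg in ("3", "3; id"):
        cmd = vulnerable_blink_command(arg)
        print(f"system() string : {cmd!r} -> extra commands: {shell_would_run_extra_commands(cmd)}")
        print(f"hardened handler: {handle_blink_request(arg)}")
```

The point of the argv list is that the count is the only thing that ever reaches the blink binary, and it reaches it as a single argument; the regex rejects Unicode digits that str.isdigit() would accept, and the range check keeps a valid-looking request from tying up the LED for hours. Running the service as root, as the talk notes discoveryd did, turns any slip here into a full device compromise, so the privilege the daemon runs with deserves the same review as its parsing.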
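As a further added example (again not code from the talk or from any vendor it mentions), the script below is the defender-side counterpart to the frame-loop trick the talk describes for Motion JPEG: it parses a multipart/x-mixed-replace body, hashes each JPEG frame, and flags a stream in which frames repeat byte-for-byte at a constant period, which is what "record three seconds and replay it" looks like on the wire. The boundary string, the stand-in JPEG payloads and the two sample streams are constructed for this example.

```python
import hashlib

# Constructed boundary; a real camera declares its own in the Content-Type header.
BOUNDARY = b"--mjpegboundary"


def fake_jpeg(tag: bytes) -> bytes:
    """Constructed stand-in for a JPEG frame: SOI/EOI markers around a unique body."""
    return b"\xff\xd8" + b"frame:" + tag + b"\xff\xd9"


def build_mjpeg(frames, boundary: bytes = BOUNDARY) -> bytes:
    """Serialise JPEG payloads as a multipart/x-mixed-replace body (test fixture)."""
    out = bytearray()
    for frame in frames:
        out += boundary + b"\r\n"
        out += b"Content-Type: image/jpeg\r\n"
        out += b"Content-Length: %d\r\n\r\n" % len(frame)
        out += frame + b"\r\n"
    out += boundary + b"--\r\n"
    return bytes(out)


def split_mjpeg_frames(body: bytes, boundary: bytes = BOUNDARY):
    """Return the JPEG payloads in an MJPEG body, slicing each part by its Content-Length
    and keeping only payloads that carry JPEG start/end markers."""
    frames = []
    for part in body.split(boundary):
        head, sep, rest = part.partition(b"\r\n\r\n")
        if not sep:
            continue  # preamble or the closing "--" marker: no part headers here
        length = None
        for line in head.split(b"\r\n"):
            name, _, value = line.partition(b":")
            if name.strip().lower() == b"content-length" and value.strip().isdigit():
                length = int(value.strip())
        if length is None:
            continue
        data = rest[:length]
        if data.startswith(b"\xff\xd8") and data.endswith(b"\xff\xd9"):
            frames.append(data)
    return frames


def replay_period(frames, min_hits: int = 3) -> int:
    """Return the loop length if frames repeat byte-for-byte at one constant distance
    from their previous occurrence (at least min_hits times), otherwise 0."""
    last_seen = {}
    periods = []
    for index, frame in enumerate(frames):
        digest = hashlib.sha256(frame).digest()
        if digest in last_seen:
            periods.append(index - last_seen[digest])
        last_seen[digest] = index
    if len(periods) < min_hits or len(set(periods)) != 1:
        return 0
    return periods[0]


# Constructed sample streams: nine distinct frames, and a three-frame loop played three times.
LIVE_STREAM = build_mjpeg([fake_jpeg(b"%03d" % i) for i in range(9)])
LOOPED_STREAM = build_mjpeg([fake_jpeg(b"%03d" % (i % 3)) for i in range(9)])

if __name__ == "__main__":
    for name, stream in (("live", LIVE_STREAM), ("looped", LOOPED_STREAM)):
        period = replay_period(split_mjpeg_frames(stream))
        verdict = f"loop of {period} frames" if period else "no exact frame repeats"
        print(f"{name}: {verdict}")
```

Frames from a real sensor differ byte-for-byte even on a static scene because of noise, so exact repeats at a fixed period are a strong signal and a content hash is a cheap first check a recorder or a network tap can run. A proxy that re-encodes every frame defeats this particular check, which is why it belongs alongside the segmentation and anomaly monitoring the talk recommends rather than in place of them.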