I'm Zac Franken. Thank you. Right, we're going to talk about physical access control systems. I did a talk last year, and I have put together a very quick talk this year because we've been doing some fun things. Major, who spoke before me, has been my bitch for the last six months and has been code monkey. Yeah. So, yes, but code monkeys are dead useful once you get them to stop masturbating and throwing shit at the walls.

Okay, now on to... Okay, so this was going to be an all-singing, all-dancing extravaganza, and then I realized: fuck, that's a lot of live demos. So we're going to do one super, super, super live demo, which has great possibility for extreme messy disaster. You'll see what's going to happen in a minute.

Okay, so we're going to talk about defeating a biometric system, access control credentials in general, and how to emulate a physical access control token.

Okay, so in case you're not familiar with it, this is the basics of an access control system. Should I actually try and hold the mic or not? This is the question. Fuck it. Okay, so here we have a basic access control system. You have the access controller; a request-to-exit device, normally a button or sometimes a passive infrared device mounted over the door (not a good idea, by the way); an electric lock; and a reader of some kind, typically a proximity card reader, a Wiegand reader, mag stripe, or biometric readers these days.

Now, this demo is going to take a little while to get going, so we're going to jump straight into it. So I'm going to talk about hand geometry scanners, and I have one here which I picked up on eBay for the stunning price of two dollars. I love eBay. eBay is your friend. Okay, however, when it arrived it did appear to have been pried off the wall, so it was slightly bent out of shape and required a little bit of muscling to get it back working. Touch wood, it's going to work now.
So this access control system knows about me, and the way these particular ones work is: you either hold a card up to a reader or you enter a code on the keypad, and it'll ask you to present your hand. You pop your hand... I don't know if you can see on the screens here. You pop your hand on this platen, and there are little pegs that help you line up your fingers, because one of the big issues with biometrics is we're just big squidgy bags of mostly water, and in the digital age we have alignment problems. That's a big issue with most biometrics, so there's normally something to help you line up, to kind of interface you with the digital world. So in this case you have a set of pegs, you have a set of little lights on the reader, and when you close your hands up around the pegs the lights go out, and when you get all of them out it takes a reading.

And it's just an image. The base of the platen is highly reflective, and there's a camera, or there's a set of mirrors and there's a camera here, a 45-degree mirror, and it takes an image of your hand on this platen. This guy's quite nice because, and I swear to God, I truly believe it was a hacker that thought this up: so you've got your camera taking your picture of your hand, and someone said, hmm, what happens if we put a mirror in there at 45 degrees? Then we can take a slice across the hand, as long as it's in the field of vision of the camera, and we suddenly get a 3D scanner. So we now have the 3D scanner, as you can see here. Here's an image.

Now we're going to try and duplicate a credential for this, and this is the credential, and it's going to be entertaining. Well, if it works. Can I borrow you for a second, please? No, don't try and pull the wire. Okay, we'll use another one. Excellent. Can we have it up just a little bit?
Okay, so here is my template. One of the things with biometric systems is that, as well as security, they sell you on the fact that it's identifying you as a person. No one else will get in; that employee that you want to have access to your high security area... The great thing with biometric systems is it's only that person who can get in. Well, we'll see if we can duplicate me.

This is less of a hack and more of a recipe, really. So we're going to start off, and now this is going to get a little bit mad, because the stuff we're playing with here is going to go from powder to liquid to solid in about 120 seconds flat. And if you notice, we brought along his favorite stick, which is ribbed for his pleasure. Okay, so we've got a bit of a recipe here. So first of all, take four pounds of chromatic dental alginate and add it to a bucket. Chromatic dental alginate is fantastic stuff. The first line in the instructions says: chromatic dental alginate has a pleasant dentist waiting room smell. Notice I went for the one with the dentist waiting room smell. I didn't cheap out on you guys. I didn't get the "dentist waiting room smell available separately."

Okay, and then... now this is where it's going to get absolutely fucking crazy, not to put a finer point on it. Mixing stick ready? Jump me to help pour. Okay, stand by. Now, this is the secret sauce: it's the mold. Okay, hold it. We're violet. Okay, this is where you just get me to stand very still for a couple of minutes, Major. Major! Okay. No, that must be the thing. Flip it over. That one. Yeah, so we start, thirdly, and we try to avoid bubbles. Keep going. And we added three pounds of meat to the mold. So I'm going to let Major... Beep. Clicky clicky. So we added the dental alginate over the meat, and now it's beginning to get hard. Okay. Oh, yeah. Okay, we will be offering a service afterwards if you want something molded, okay? Click. Click click. Okay, so we're going to let it marinate for a couple of minutes. No, yes, I can't really do anything now.
So... oh, yeah, I don't even think about it. Okay, so this credential is not supposed to be duplicatable, and if you think, God, I want to break into that telco, but hey, how am I going to get the guy to stand around with his hand in a bucket of alginate? The thing is, you're not, but you've got the other part of it, which is that this is supposed to be unique to me. So I'm having dinner with the chief of police... Yeah, I think we've done it. I think it's as hard as it's going to get. Okay. Can I have the compressed air, please? Thank you. Okay, now that was part one. A little bit of dry stuff came out, but we'll see. Okay. Now, here's the key thing about this mold: we do have a couple of bubbles, but we'll see how it goes, right?

Now comes step two. Step two, so what we're going to do is we're going to mix up some vinyl polysiloxane, also known as silicone rubber to you guys. This stuff is fabulous. Most silicone rubber takes 24 hours to cure; this is going to go from liquid to solid in 20 minutes, possibly sooner because it's a bit warm. So we're adding our silicone base, and we're going to add... or the... actually, that was the catalyst, so now we're adding the base, and then he's going to stir it. Now, silicone tends to be a bit of a pain in the arse, and you normally need a big vacuum chamber, and you need to vacuum it to get all the bubbles out of it to set. This stuff is pretty cool: you don't need to do that, and it has a resolution of two micrometers, right, which is pretty fine. I don't know, actually. The question was what's the resolution of the hand geometry scanner, and I don't know off the top of my head. It is less rigorous. Then he's going to fall asleep, bastard. Okay. Right, whilst this is going on... Are you almost started? Have you got all the white stuff off of the bottom? Okay, so in order to, again, try and eliminate bubbles, Major is going to pour this very carefully in a very thin stream into the deepest part of the mold. Go for it. A bit higher.
Oh yeah, alien green. So yeah, one of the problems of biometrics: you're not really supposed to be able to do this, and with a lot of biometrics, as we've probably seen and as I've spoken about before, it's not so great when it comes to this. I had a collision with one of my neighbors. I have several of these hand geometry scanners, and I was coming over here one summer, and he was going to look after the house, and I'm like, okay, just in case anything goes wrong with the power you need to get into the plant room, so I need to register your hand with the hand geometry system. And that went okay. So I enrolled him, and I said, right, now you have a go, and I typed in a code on the panel, or his code on the panel, and I said, right, put your hand in there. And he did, and it opened the door, and he said, yeah, you know, that wasn't my code. So I put in my code, and I'm back, and he matched my template. And that's not so good, especially when it's your next door neighbor. Fortunately he's a nice guy, but, uh...

Okay, so one of the key things here. So let's just say I've tried this before, and one of the key things to getting this right was the mold. This mold's quite particular. It's got a series of rods; you see it on the front. There's a scale picture of... actually, can we bump it, Major? We're just going to tap it to get any bubbles out. Harder. Okay, so the key thing here was: making a cast of your hand isn't good enough. What you have to do is get a cast of your hand and get it laid out exactly right. So on the front here there's a scale image of the platen of this hand geometry scanner, and drilled through the mold are holes, and running through the holes are pegs of exactly the same dimension as the pegs on the platen. So when this comes out, hopefully, if I wasn't too distracted talking to you and I got my hand position right, my hand should be in exactly the same position as the hand geometry scanner expects to see it in. So we're going to leave that for 20 minutes and... Bloody hell. Okay, we're running late. Okay, prepare for lightning talk. Okay, so we're going to leave that to cook for 20 minutes, and hopefully we should be able to de-mold it, and it should get access through code one-two-three on here.

Okay. Now, the other problem with biometrics is how do you revoke your credential? Now that's not so good. When I come back into the UK these days, I actually use an iris scan system, so I don't even bother with my passport. I just walk in, look into their poor user interface, and I get a picture taken of my irises. This has slightly larger repercussions. Of course, being UK government, they'll no doubt provide me with a handy kit, but the real issue is what happens when you have to revoke your other credential.

Okay, so while this is cooking and setting, we're going to have a little chat about some other credential technologies. We're going to talk briefly about the mag stripe card; Wiegand cards I'm not really going to cover, but I'm mentioning it and we'll get into that a little bit later; and proximity cards. So mag stripes: everyone's got one in your pocket. Normally they have about three tracks on the card, and there are two types based on the amount of energy it takes to flip the bits on the card, effectively. Most of the cards in your pocket will be high coercivity cards, apart from your hotel keys, which are most likely to be loco cards, and you can zap them with cell phones quite easily. So no surprises there. Some high security cards can simply mean just adjusting the offsetting of the tracks on the cards, but there's some other quite cool technology. You didn't think mag stripes could be secure. I haven't had a really close look at these other technologies or a real good go at them, but hey, you've got to start somewhere.
So they tend to use fingerprinting. So one of them: it'll take an image of the entire mag stripe and try and work out where there are particular magnetic hotspots that were just natural when the magnetic slurry was laid down. There's an actual magnetic imprint which they lay down when they put the slurry down, which is permanent on the card, and you can write data on and off the top of it. And what you tend to do is you tend to use the data from that imprint on the slurry as part of a checksum for the data on the card. Some cards also use holograms on the actual mag stripe itself, and that's actually read with an optical reader, and some use IR coding as well on the stripe. So basically you're not really aware that it's there, but there's an IR code on the stripe that's read optically and then compared with the data on the card. And also people do jitter analysis, so basically they look at the wobbly signal that was laid down on the card in the first place and use that as a checksum.

So this is where code monkey comes into play. Code monkey has been writing code furiously for me, which is quite nice, and I have been building toys. So this is Jackson, and Jackson emulates a standard three-track mag stripe card. There are three very tightly wound, very thin coils, and we have a driver circuit at the bottom that effectively emulates the actual data that's read off when you swipe your card. It's easier than you think. This guy here: so one of the big challenges with this was actually making the transducers, and this little guy here is complete Heath Robinson. What's that? What's the American version of Heath Robinson? No, no, no, the guy that makes all... Yes, Rube Goldberg. In the UK we've got a guy called Heath Robinson that makes shit like this, or draws shit like this, and you've got Rube Goldberg.
So this ticks away and over about 40 minutes will wind one of these transducers, and it has actually allowed me to make several of them, because if I had to do them by hand it just ain't going to happen. So you see the wire being spilled onto the former.

Okay, now, when you use access control systems with mag stripe cards there are two ways of doing it. It either reads the data on your card, such as the PAN, your account number, and hashes that, kind of muscles it, into Wiegand format, or it directly writes Wiegand data format onto one of the tracks. And this is it: 13 characters on the bitstream. You've got 10 leading zeros, 10 trailing zeros, and 13 characters giving you your site code and the card ID.

Proximity cards... now actually, the actual circuitry involved in driving Jackson: simply what happens, and Count Zero back in the late 80s and 90s wrote pretty much the same in a work on mag stripes, or certainly the mag stripes he had back in those days, and what actually happens is a phase transition, a north-north-south flip in the bit stream that's being laid down on the cards. So basically, you know, north, north, north, south; at that point that transition signals a bit. It's encoded with... is it F2F, Major? You're Mr. Magstripe. Sorry, F2F, frequency twice frequency. And Major did a talk years ago, because he's quite old, and he was doing a whole bunch of mag stripe stuff, and one of the things he was doing is he was replaying mag stripes through a computer sound card. And we took this just a bit further and actually built a complete digital device to do it now.
I was going to have the board attached, but I decided to do the whole Terminator 2 thing. I'd be a bit sad, but hey, it came out quite well, so you can check it out later on close up.

Okay, so now we're going to talk about proximity cards. This is something I've been quite interested in for a while, and finally we actually managed to get some traction on it. Again, simpler than you think. Standard proximity cards tend to be 125 kHz; contactless smart cards operate in the 13.56 MHz range. So the reader, and I didn't actually bring one, emits an RF field that powers up the card, and then the card sends its data back, and the reader sends it back to the host system. There are active cards that will tend to be vehicle transponders that can be read from a good distance away. In general, when they're energized they barf back a single bit stream. So when the field hits the card, the card goes... to the tune of 540 bits to get its 26 bits across. In general, lots of things, like for example this system here, the hand geometry scanner, output 26 bits. It doesn't output anything more than that. So 26 bits in the access control industry is very much seen as a standard, and manufacturers will sell you your own site codes or formats if you want to. Ten minutes? Thank you. Okay, need to speed up here. So they'll sell you your own proprietary formats, and that's just an extra layer of security.

This is what happens when you undress a proximity card. In this case this card happened to be dipped in chloroform. You can do it with acetone, however, and that's been going on a lot, certainly with the Mifare cards. Okay, so finding concealed detectors is easy. This is dead simple. It has three components: a simple coil, 33 turns around a regular soda can, a 0.1 microfarad capacitor, and any red LED. Red because it tends to be driven with a lower voltage, and you can spot lit-up detectors even when they're concealed behind walls.

Okay, so we're going to move on to another proximity tag, in this case a unique tag, and we'll discover it's not quite so unique. So in general these tags contain an 8-bit ID, a byte ID. As with all proximity tags, they barf back a single ID when they're energized. Oh, and just so you know, somewhere at DEF CON there is a long range reader, and when you're within a couple of feet of this reader and you have a tag on you, it's going to read the tag out of your pocket and it's going to take your photograph. So I'm trialing it this year; next year it just may well be on the Wall of Sheep. So you might want to think about your tin foil wallets next year, or at least having a card that is slightly more secure than "my ID's one-two-three, my ID's one-two-three, my ID's one-two-three."

Okay, so this particular tag: the UK police decided that they were having so many problems with the grannies forgetting their alarm codes, they were going to mandate tags to disarm all burglar alarms that they were going to show up to. And that's kind of a poor idea. I'm like, can I have a code as well? And they're like, no. So that's great. Where do you put your proximity tag, especially when it's one that looks like that? Oh, why, that looks like it's supposed to go on my key ring. So I walk out of the house, I drop my keys in front of my front door, and they can break in and turn my alarm off. Great, and you were supposed to be reducing crime. How?

Okay, so this is Chameleon. This is a very early version, and Chameleon emulates unique tags, or this particular version does, and if you walk up to my house this will disarm my alarm. Not as unique as the manufacturers like you to think, and a lot of these proximity tags can be quite simple. So that was v1. It's not a clone, as was pointed out to some manufacturers. They said, oh, you can't clone my card; that's not in the same physical format as my token. It's like, yeah, it just happens to transmit exactly the same ID as the original tag. Multi-pass. Okay, so that was version one.
This is version eight, and this is Chameleon Multi-pass. So what we have here is a bit more powerful device. It can handle more complex cards; it can handle multiple cards. And I don't know if you guys can see this little silver thing with a blue tip. Any ideas? Hands up, any ideas what that might be? Yeah, that's a Bluetooth chip. So if you pair with it, it says: hi, I'm Chameleon, what tag would you like me to emulate today? As I said, Chameleon is a bit more sophisticated than... version 8, the Multi-pass, is a bit more sophisticated because it can actually do tags of a major security vendor that's around all over the place. I'm not going to mention their name. It may have three letters in it, but I couldn't possibly say.

Are we there? Are you sure it's not going to be chewy on the outside and soft in the middle? Okay, we didn't work out where the hell we're going to put all this dental alginate. We're going to put it in that box. Okay. Right, Major is going to have a chunk fest. So yeah, Chameleon Multi-pass: other people have attacked this vendor's prox cards previously, and prox cards... now that's a very important thing, because you should be able to pull it apart gently. Now I'm going to let chip monkey do some work. Don't squirt in his eye, he doesn't like that. It doesn't matter if you break the gunk, because we only care about what's inside. Do you want some leverage? We're not gay, okay? We're British. It's tasty, too. This is how my hand would normally sit in this. It's not bad, let's say. Oh, it's a bit spoogey on the inside, but who cares. Moment of truth. Okay, you're going to have to hold this. It's a little bit damp. I should have brought some talcum powder. Okay, that was a not-good beep. Yep. Damn it, I hate live demos. Well, here's one I made earlier. Okay, one beep.

Now, if you guys want to quickly... actually, we're running out of time, so I'm not going to throw them into the audience for you to check out, but you can hit us up in the Q&A. Let me just finish chatting with you about Chameleon. Okay, so, oh, was that... That's the new one. Excellent. Fantastic. Okay, so now you can be sitting with your boss while your mate's robbing your company.

Okay, now Chameleon: one of the key things about Chameleon is we're actually emulating real tags, and one of our kind of key breakthroughs recently is we're actually able to arbitrarily... so previously people have been able to record and replay, and now what we can do is arbitrarily select site codes and badge numbers. And that would be bad. There's a great little mode we created which is called "all the ones." So you're a sysadmin. You've just had your new access control system. You've chosen your site code, and you've been given a block of cards. What card number is in your pocket? Card number one. So "all the ones," rather than trying to brute force your card space, brute forces the site code space, which is only 256 site codes. So the chances are you can be in, and you're going to be in with admin rights.

Okay, so, thank you. So this is... we moved away from the coil antenna and went for a nice little flat etched one. Shiny-triny. So I'm going to finish up. Thank you very much to Major, code monkey, who's my beautiful assistant, and also including Major, and I'd like to thank Nick at Tom's, who managed to give us some direction on the super good silicone goop. So I hope you enjoyed it. Biometric systems: not unique. Take it easy. I'm Zac Franken and I'll see you in the Q&A room. Take care.
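The talk keeps coming back to the 26-bit frame that the hand geometry scanner, the mag stripe emulator and the prox tags all end up producing, and to the point that its site code is only 8 bits wide (256 values), which is what the "all the ones" mode exploits. The following is an added example, not code from the talk or from the Jackson or Chameleon devices: it parses and validates a 26-bit frame and then runs a defender-side check over a batch of reads. It assumes the widely published 26-bit layout (bit 0 even parity over bits 1-12, bits 1-8 facility/site code, bits 9-24 card number, bit 25 odd parity over bits 13-24); frames are represented as 26-character strings of '0'/'1', and the sample reads are constructed here, not real log data.

```python
"""Parse, validate and audit 26-bit Wiegand frames (added example; layout assumed
to be the commonly published one, see comments). Not code from the talk."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set


@dataclass(frozen=True)
class Wiegand26:
    facility_code: int   # 8-bit site code: only 256 possible values
    card_number: int     # 16-bit card/badge number
    parity_ok: bool      # both parity bits consistent with the payload


def encode_wiegand26(facility_code: int, card_number: int) -> str:
    """Build a valid 26-bit frame. Used here to construct test data and to
    document how the two parity bits are derived."""
    if not 0 <= facility_code <= 0xFF:
        raise ValueError("facility code must fit in 8 bits")
    if not 0 <= card_number <= 0xFFFF:
        raise ValueError("card number must fit in 16 bits")
    payload = f"{facility_code:08b}{card_number:016b}"   # bits 1..24
    even = str(payload[:12].count("1") % 2)               # bits 0..12 sum to even
    odd = str((payload[12:].count("1") + 1) % 2)          # bits 13..25 sum to odd
    return even + payload + odd


def decode_wiegand26(frame: str) -> Wiegand26:
    """Split a frame into site code and card number and check both parities.
    A reader normally drops a frame with bad parity before the controller sees it."""
    if len(frame) != 26 or set(frame) - {"0", "1"}:
        raise ValueError("expected 26 characters of '0'/'1'")
    bits = [int(c) for c in frame]
    even_ok = sum(bits[0:13]) % 2 == 0
    odd_ok = sum(bits[13:26]) % 2 == 1
    return Wiegand26(
        facility_code=int(frame[1:9], 2),
        card_number=int(frame[9:25], 2),
        parity_ok=even_ok and odd_ok,
    )


def detect_facility_sweep(frames: Iterable[str], min_distinct: int = 4) -> Dict[int, List[int]]:
    """Defender-side check over a batch of reads (e.g. a controller's denied-access
    log): one card number presented under many different site codes is the
    footprint of someone walking the 256-value site-code space, which is what
    the talk's 'all the ones' mode does against card number 1."""
    seen: Dict[int, Set[int]] = {}
    for frame in frames:
        w = decode_wiegand26(frame)
        if not w.parity_ok:
            continue   # garbage on the wire, not a card presentation
        seen.setdefault(w.card_number, set()).add(w.facility_code)
    return {card: sorted(fcs) for card, fcs in seen.items() if len(fcs) >= min_distinct}


# Constructed sample reads (not real data): two ordinary cards on site code 123,
# then card number 1 presented under six consecutive site codes.
SAMPLE_READS = [encode_wiegand26(123, 45678), encode_wiegand26(123, 45679)] + [
    encode_wiegand26(fc, 1) for fc in range(6)
]

if __name__ == "__main__":
    for frame in SAMPLE_READS[:3]:
        print(frame, decode_wiegand26(frame))
    print("card numbers seen under many site codes:", detect_facility_sweep(SAMPLE_READS))
```

The audit function deliberately keys on the card number rather than the site code: a legitimate badge always arrives with the same site code, so a single low card number turning up with several different site codes within one log batch is the anomaly worth alerting on, and it costs nothing to compute from what the controller already records.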