2024-08-07 – Tuscany
It has been known for many years that a large number of RFID-based access control systems have vulnerabilities that make them susceptible to eavesdropping, cloning and manipulation. Even though this is considered common knowledge among most security professionals, new systems with fundamental security flaws are still being installed. This presentation aims to shed light on these basic vulnerabilities and to show how adversaries can exploit them. Through war stories from real-life physical penetration tests it will be demonstrated that these vulnerabilities are not theoretical concerns but present severe security risks in practice. The talk will also try to explain why outdated and insecure access control systems continue to be used, and why companies still buy them.
The audience will get an understanding of the most common vulnerabilities in RFID-based access control systems, insight into the consequences of these flaws, and what to consider when purchasing a new solution.
This talk is based on experience from 10 years of real-life physical penetration tests and conversations with installation companies, RFID hackers, technical building managers, card sellers etc., and discusses vulnerabilities that are well documented and known by a large number of security professionals. That said, the fact that the vulnerabilities are well known does not mean that they are not relevant. Even today, in 2024, access control systems installed in new buildings have the most basic vulnerabilities that have been known for close to 20 years. Why is this, and why do companies still buy these solutions? This presentation will try to answer these questions, and at the same time show the most common vulnerabilities, how they can be exploited and what tools are needed. It will also have a short section on mechanical bypass, since it does not matter how secure your RFID solution is if you can bypass it all with pliers and a bent nail.
Outline
- Introduction (2 minutes)
-- Who am I
-- Disclaimer
-- Why and what this talk was made
- Introduction to PACS and RFID technologies (5 minutes)
- Details on MiFare Classic (5 minutes)
-- Default keys
- War story 1 (5 minutes)
- Non-encrypted badges (MFC + 125 kHz cards, UID) (3 minutes)
- War story 2 (4 minutes)
- Why are we still using this? (2 minutes)
- A section on master cards and guest cards (2 minutes)
- How is the PIN stored? (3 minutes)
-- Example from two vendors
- Replay attacks (4 minutes)
-- Reader <-> Backend communication
-- Get access to the wiring
-- espkey
-- Pre-recorded demo
- Tools (3 minutes)
-- Flipper Zero
-- Proxmark
-- Apps…
-- Card emulation
- Internet-exposed access control systems (4 minutes)
-- Examples from two vendors found on the Internet
-- Present script for password spraying on the admin interface of an access control system
- A small section on mechanical bypass (2 minutes)
-- Tools
-- Demo video
- Closing/Thank you (1 minute)
-- Where to find more info
-- Thanks to…
-- Questions?
John-André Bjørkhaug is a seasoned penetration tester with over 15 years' experience doing penetration testing, currently working as a Principal Penetration Tester for the Norwegian security company Netsecurity. He has a bachelor's degree in electronic engineering, but prefers to break stuff instead of building stuff. John specializes in penetration testing of internal infrastructure, physical security, social engineering, and full-blown red teaming. He also does penetration testing of IoT, OT, and embedded systems.
John is an active participant in the Norwegian security community and has presented at conferences like HackCon and Securithon. He also runs the lockpick village at HackCon, where he is devoted to teaching others about lock picking and bypass techniques.