During the HiTB CTF, one of the challenges was to decode a Mifare Classic handshake and…
Physical security is one of the key elements of security, alongside the human and technology elements. The three are linked in roughly equal measure, and attackers always look for an entry point in one of them. An organization that has, for example, a state-of-the-art firewall with IPS and IDS functionality and is fully patched and hardened is very difficult for an attacker to defeat. But what if the organization has no strong physical security in place, so that an attacker can simply walk into the building and connect a malicious device to a network socket in an unprotected area? A strong Physical Access Control System (PACS) becomes very relevant in this case for enterprise organizations.
But having strong physical security doesn't prevent attackers from trying to gain unauthorized access to the facility by exploiting vulnerabilities in the system itself and causing damage. This blog post shows some examples of crucial dangers to PACS from an attacker's perspective.
The following attack scenarios can be used by an attacker:
- Card Cloning: Cloning RFID cards or simulating the Card Serial Number (CSN) to gain unauthorized access is the most common way to hack an access control system. Where Mifare Classic is in use this is an easy task: there are simple mobile applications that can clone and simulate such RFID cards in no time.
- Wire Tampering: Exposing lock cables or control cables in unsafe areas may allow cable tampering for unauthorized access. An attacker who can reach the wires of a security system can short a circuit, which can result in a closed door opening.
- Reader Replacement: When an organization uses a standalone reader with a built-in controller, an attacker can easily strip off the reader and reverse engineer the inner workings of the device.
- Reader Replacement: When an attacker can place a covering device over the reader, it can easily eavesdrop on the communication between the card and the reader.
- Wiegand Technology: Organizations that use the Wiegand protocol in their access control system are strongly advised to replace it. The current implementation of the Wiegand protocol doesn't provide any security.
- Hacking the Controller/Reader: Most controllers nowadays use the IP protocol to communicate with their backend system. When an attacker can access the Ethernet cable of your controller or reader, the attacker has the ability to attack your internal physical security network. Most of the vulnerable systems are located in these types of networks: networks that have no access to the internet are easily forgotten in patch management procedures.
- Backend server application: When an attacker has Ethernet access to your internal physical security network, he can try to find vulnerabilities in your physical security system. The use of default credentials can also lead to full compromise of your physical security system.
- Application Access Control: Access control and identity management procedures are very important in your physical security system. When users have too many privileges they can gain unauthorized access to certain functions in your security system.
- Unsecured communications: Unsecured communication between your physical security components can be eavesdropped on and modified inline, which can lead to unauthorized access to your physical location.
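The following Python script is an added example, not part of the original post, covering the Card Cloning, Wire Tampering and Wiegand points above: it decodes the standard 26-bit Wiegand frame that travels on the reader-to-controller wires (a facility code, a card number and two parity bits are all it contains, with no key, nonce or authentication) and runs a simple controller-side check over constructed reader events, flagging a credential presented at two readers within a short window and frames that fail parity. The reader names, timestamps, card values and the five-minute window are assumptions.

```python
from datetime import datetime, timedelta

# Wiegand 26-bit layout: bit 0 even parity over bits 1-12, bits 1-8 facility code,
# bits 9-24 card number, bit 25 odd parity over bits 13-24. Nothing is secret.

def encode_wiegand26(facility: int, card: int) -> str:
    """Build the 26-bit frame a reader sends for a facility code / card number."""
    if not 0 <= facility < 256 or not 0 <= card < 65536:
        raise ValueError("facility must fit in 8 bits, card number in 16 bits")
    payload = f"{facility:08b}{card:016b}"            # bits 1-24
    even = str(payload[:12].count("1") % 2)            # bit 0
    odd = str((payload[12:].count("1") + 1) % 2)       # bit 25
    return even + payload + odd

def decode_wiegand26(bits: str) -> tuple[int, int]:
    """Return (facility, card); a parity fault points at noise or tampered wires."""
    if len(bits) != 26 or set(bits) - {"0", "1"}:
        raise ValueError("expected 26 binary digits")
    ones = [c == "1" for c in bits]
    if sum(ones[:13]) % 2 != 0:
        raise ValueError("even parity fault in bits 0-12")
    if sum(ones[13:]) % 2 != 1:
        raise ValueError("odd parity fault in bits 13-25")
    return int(bits[1:9], 2), int(bits[9:25], 2)

def find_cloned_credentials(events, window=timedelta(minutes=5)):
    """events: (ISO timestamp, reader name, raw frame). Flags one credential seen
    at two different readers within `window` (a physical card cannot be in two
    places) plus frames failing parity. Window per reader pair is an assumption."""
    last_seen, clones, faults = {}, [], []
    for ts, reader, frame in sorted(events):
        try:
            cred = decode_wiegand26(frame)
        except ValueError as err:
            faults.append((ts, reader, str(err)))
            continue
        when = datetime.fromisoformat(ts)
        prev = last_seen.get(cred)
        if prev and prev[1] != reader and when - prev[0] <= window:
            clones.append((cred, prev[1], reader))
        last_seen[cred] = (when, reader)
    return clones, faults

# Constructed sample: one card at two sites 150 s apart, one frame with its
# trailing parity bit flipped (assumed reader names and card values).
EVENTS = [
    ("2024-03-04T08:00:00", "HQ-lobby", encode_wiegand26(42, 1337)),
    ("2024-03-04T08:02:30", "DC-hall", encode_wiegand26(42, 1337)),
    ("2024-03-04T09:00:00", "DC-hall", "10010101000000101001110010"),
]
```

Running `find_cloned_credentials(EVENTS)` returns the (42, 1337) credential flagged between HQ-lobby and DC-hall and one parity fault for the tampered frame.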