>> I'm Eric. This is Josh. Hi! Today we're talking about several attacks around RFID, specifically RFID tags, that we'll go into detail about, that are used to access facilities. Not so much for cars or buses, amusement parks and stuff like that. So, a quick little agenda. We will kind of go through a high level around red teaming, the kinds of attacks that we do. Traditional attacks and techniques you have heard about for years now; specifically, RFID attacks are what we're doing today. Then we'll talk about some advanced attacks we've been able to develop ourselves, and then some mitigation and remediation and things you guys can do to protect against some of these things we are showing. So about Lares. Myself and my partner Chris Nickerson started Lares about 6 years ago. Since then we've been doing a lot of big things in the industry, but something we have been proud of now for a couple of years is we put together something called -- and with a lot of other people in the community put together something called the Penetration Testing Execution Standard, so if you guys have any questions around pen testing, the process of it, how it works, details around it, check that out. We've also done lots of other things that are boring to read, so I'll move on. Myself, I'm one of the owners of Lares and also principal consultant and also a co-owner of a company called Layer 8 Labs that we just launched this week, so when you guys get a chance, check that out as well. Do you have an important call? [Laughter].
>> Not anymore! Hi, my name is Joshua Perrymon. I came on with Lares almost a year ago. I think we worked this out at DEF CON last year. I'm also a senior partner with Layer8Lab.com. If you guys want to check it out, we just released a new user attack framework. That's about it. So, a quick little funny slide; it really says a lot about what we do. We have been lucky enough to build a company around our hobbies and passions and then get paid for it.
So that's why Lares was started, and that's why everybody loves working there. Specifically today, we are talking about red team testing. Red team testing has a huge definition that I don't care to read. The analogy behind it that we always use is: red team testing puts you in the ring, puts you in the fight. You can't have an idea of how well you can defend in the fight until you get in and fight. And so, everybody does things in the lab, does things back in their own company itself, but until you actually put yourself against an adversary, you don't know how you will stand up against them. The things we are showing today are true adversarial modeling. The reasons to conduct it, pretty straightforward, right? Show real impact to the business from physical, social, electronic, whatever it might be, all the different ways it can be compromised. Just a quick little summary of how red team testing works. Red team testing, the idea behind it is blended attacks, right? Where social, electronic and physical, or all three, come together. That is what red team focuses on. So, today we are showing one component of that, which will be direct physical attacks. Those can lead to things like physical access to facilities, then that would lead to electronic access, or we're going to be sandwiching things around blended attacks. So, we may compromise something electronically and get to a badge system, which is what we'll show here in a little bit. And once we have badge system access, then we can maybe get physical access after. So traditional attacks that we're not going to bore you with. You have heard of lock picking and tailgating and shimming and impressioning and bumping and all kinds of other cool things; what we are focusing on today is just RFID.
>> Which, in those attacks, they work really well, right? But they are traditionally kind of loud in nature, so you can't always pull those attacks off, so what we're going to show is hacking RFID where it beeps and you walk in, basically.
>> Yeah, because what we have seen throughout the years now doing this is, who is going to stop you if you beep in at a door and the door opens and you walk in? Chances are no one is going to question you, right? If you can get yourself a badge, you can actually make a valid badge, maybe you are lucky enough and can get a picture on it, or get a picture in the badge system through a blended attack; who is going to stop you once you're in the building?
>> All right, so we're not going to get real deep into details; I'm sure a lot of people understand RFID by now. So what we're going to cover is low-frequency and high-frequency. We don't get into the UHF stuff. So the low-frequency is the prox card, the older first badges; a lot of times the card is actually a lot thicker. And the other one, or HF, is high-frequency. So the iCLASS stuff, with encryption, that we're really into, it's 13.56 MHz.
>> Next two pages. So who uses it? 80%, or 70 to 80%, of people that have badges actually use the old unencrypted prox badges. Who is vulnerable? Government facilities, medical facilities, financial institutions, nuclear, power and water facilities, education. A lot of those are the old prox stuff, right? They haven't even gotten over to the iCLASS encrypted stuff, which we're going to own in a minute. So understanding badge systems. So here are the four main components of a badge system. Of course, this is a lot smaller version, but this is applicable to all badge installations. You have the cards, which are powered by the reader, so think of it as shining a flashlight into a mirror. The reader is actually putting the power out. That is sent. It powers the card. The card then sends its information back over to the reader. That gets sent back to a controller. And the host PC, or the badge system, for instance, is hooked into the controller, and that data is sent to the badge system and it makes its logic decisions based on the facility code and card data sent to it.
>> So some of the things we brought today to demo some of the cloning we're going to be doing: a company out of Lithuania, Midpoint Security, actually builds badge demo systems. Whatever components you want to include in it, you can buy, put together, have a rig set up in your lab, you can do your own testing with it. Here we have one of the new EDGE readers from HID. We also have a multiCLASS so we can do both the frequencies Josh was talking about, and then you can simulate things like push to exit, or trip an alarm if you actually bypass a door, shim a lock, under-door hook it, whatever it might be, to simulate an alarm as well as push to exit with a mag release. So just for demonstration purposes, we have a full badge system and software running to demonstrate the things we're going to be doing.
>> Yes. And this is the newer EDGE system, as Eric said. So, it is -- the one we've just shown is more of the older traditional style. This is what HID is moving to. Power over Ethernet; it has a lot of services, a lot of web app stuff listening. So a big attack surface with this new system as well. So, again, as we mentioned, we're really not interested in ski passes or anything like that. We're just focused on the badges that get you into physical facilities. So this slide shows the most common badges used. So, again, 70 to 80% of the badges are prox, the old unencrypted stuff. So then there are companies, you know, newer facilities, that are buying new stuff. Because that's the thing, right, with badge systems, a lot of that is tied into the facility. So if you have an old building, it's typically going to be the older stuff, unless somebody goes in and redoes it. Because it's a real pain in the ass to come in and run all new readers and hook all new stuff up.
So anyway, this shows the layout of how the antennas are, and you see on the prox stuff the antenna is a lot bigger than the iCLASS, but that's all built inside the card and the integrated circuit. So read ranges; so here are the limitations if you are using off the shelf hardware. So the prox stuff and even iCLASS, 12 inches.
>> About 3 inches usually.
>> Yeah, it's typically 3 inches if you use --
>> Like this reader right here.
>> Yeah.
>> You have to get pretty close before it reads it.
>> You almost have to touch it. So what we have here, this is a parking deck reader, and they sell these for both prox and iCLASS, so it's a lot bigger footprint, but again if you are using off the shelf stuff, you are limited to that. And Owen did a badass talk about making this long-range. So what we want to say is, don't think that you are just limited to what hardware is on eBay. You get with some guys, do some research, and we're talking 10 to 25 feet and maybe more.
>> Yeah.
>> So --
>> And just with a garage reader that you buy off eBay or buy from HID, it's anywhere from one and a half to two feet. Which, if you think about it, that's me walking up to Josh and asking for a smoke or asking for a light. I'm that close to him. I can get a read on his card. So with that in your backpack, clipboard, whatever it might be, a satchel if you are European, you can walk up and read somebody's card if you are a couple of inches away.
>> So. And all this is built around the Wiegand protocol, so if you go back thinking to the slide earlier, we present the reader with the card. Once the card does its translation, it's all Wiegand clear text from the reader itself back to the back end system. So what that looks like is, this shows you the layout. Wiegand is a falling-edge signal, so the signal will be flat lined and then when it actually receives the bit, it drops down. So falling edge is how we identify those signals in the Arduino.
And the last thing we want to leave you with on this slide: there are three things that you need to get into a facility. You've got to know the bit length, the type of card it is, so 35 bit, Corporate 1000, or 26 bit or custom 46 bit.
>> Or low-frequency, high-frequency, whatever kind of card it may be. And you can identify these things through various ways, and we'll talk about some of that.
>> Yeah. This shows the layout of the cards. There's the start bit, a parity bit at the front of the card, and then you have the facility code and then the user code. It depends on what card type it is how long those can be. So obviously a custom 46 bit is going to provide you with a lot longer facility code and a lot longer user code.
>> So three major components; those things should be sensitive and private, right? Well, one of the things we found through a lot of the research we were doing, and development around these things, is that information is not so private. Because of the way HID structures their ordering process and reseller process, you can actually go on eBay and buy extra cards companies are selling. And the sad part about this is, I don't know if you can see it, but printed on the box, which is displayed in high quality pictures on eBay, is the facility code and the card number range for what they bought, probably in excess. So right there alone, we have a facility code for a particular person on eBay. So everybody knows through OSINT that you can typically find somebody through social media or whatever it might be. So the chances of us finding who that card belongs to and what company we can get access to: pretty probable, right? Also, go back one more. The way HID sells their cards is in a series of sequential numbers. So, say you run out of cards, you're hiring more people. You call HID up or your reseller up and they send you another 500 cards, 1,000 cards, whatever it might be.
Then all of a sudden you have budget cuts and you need to sell some cards, whatever it might be, like this guy. And you decide to go sell a hundred of your cards. What we will show later is... if we have a valid card number, we can also do bruting and we can display, say, access card 6,000. If I know 6,000 is a valid card... chances are 6100, or maybe back a hundred, those are valid cards as well. So if they are selling excess off of eBay, and they have an extra 500 cards, chances are 500 back or 400 back, you're probably going to get a valid hit. So through intelligence gathering, just by looking at what's available, you can probably connect the dots and find out where those cards belong and what they might have access to. So, data's not so private. So if you have the opportunity to actually get a picture of somebody's card, if you can get it in your hands or you have a nice lens on your camera, you get a picture of somebody's card; printed on the bottom of the card a lot of times, they actually have some kind of an order number. Well, there are third party sites out there that are resellers of HID products, and you can give them the order number and they will look up the number for you and say this is the facility code and this is the card number, and they will ship you more cards. Well, now I've used the reseller to ship me cards that have a valid facility code just from a picture I took. So use someone else to do your identification.
>> All right, so now we're going to get into the actual hands-on stuff, which is the cool part. So the first thing we're going to talk about is cloning and replaying low-frequency cards. So, again, these are unencrypted, used by 70 to 80% of the facilities globally -- or in the United States. Again, a lot of those are critical infrastructures that still use this old technology.
>> And you guys have probably heard about this in previous talks.
Prox II has been around for years, it's been vulnerable for years, it's all unencrypted, you can sniff the authentication to the reader. You can do cloning, replay, so I wanted to give you a little primer of what we are leading up to, which is the encrypted stuff. Anybody ever heard of Proxmark3? Pretty common tool to use for RFID hacking. They have the ability to do both low-frequency and high-frequency based on the antenna you hook up to. Not too expensive; you can buy the knockoff versions out of China. Or you can spend a little more money and get them from the vendor. These will work really nice. So here we have a valid Prox II that works on the badge system. You'll see a successful authentication, mag lock opens up. So what we are going to do, we're going to take standard stock firmware on a Proxmark3, do an actual read on the card.
>> Possibly.
>> I think it read.
>> Put it in replay mode. Or not. First fail.
>> Demo, demo, demo. [Laughter.]
>> Does that open the door?
>> No, this card does.
>> Yeah, it does.
>> Nice.
>> All right. Put it in record mode.
>> This is awesome.
>> So what should be happening is, a Proxmark3 out of the box, no custom software or anything on it, you can put it into record mode so it gets -- if you get within the distance of the badge you can record it and then it turns around and replays it to the badge reader.
>> [Laughter].
>> Hold on. This bitch is working. Record. Really?
>> Eric, Eric.
>> We just spent two hours testing everything in the back.
>> Well, that is the way it works. Every time you try to give a live demo, it never works right.
>> Oh, we got this time. Yeah, it's awesome.
>> [Laughter].
>> Next. What we were getting to was, when that does work, we've been able to conceal it, right? You can't walk up to a building with a Proxmark3 and an antenna and try to badge in; somebody will probably question you.
Put them inside of things that don't block the RFID signals; plastic clipboards work great. We found through years of red team testing that if you have a clipboard in your hand and a pen, put a collared shirt on, and nobody is going to stop you anyway. Put a badge inside of it with that thing in replay mode, walk up, badge in. So. That was the point of that demo that just worked awesome.
>> Anyway, the next thing you can do with that is you can take custom firmware and upload it to the Proxmark and have Proxbrute work. Now, what Proxbrute does, again like Eric mentioned, so say there are 3 pieces of data we need to have: the card type, the facility code, and the user ID. So for this attack, we configured the card type, configured the facility code and then we brute forced the user space. So essentially what this does, if we know that, say, I have data center access, but Eric doesn't have data center access, so if you have his card space and know that the user ID is 100, then you start there, and what -- essentially what this does is every so many seconds it goes through and presents a facility code and user ID just like the badge for him. And eventually it will get a hit or get caught.
>> Usually you'll get a hit.
>> Yeah. Hopefully.
>> And the one thing to note when you are doing Proxbrute: it is a custom version of firmware to put on the Proxmark3, so you re-flash with custom firmware that has Proxbrute built in. Once you have it on there, you need to adjust the timing. By default, it's really noisy, really fast. The readers either can't successfully read or fail on authentication. Lower your timing a bit and you won't get as many false negatives. So. This is Josh's baby. We pulled some influence from a lot of different places. Again, a lot of things we are showing here today aren't necessarily 0-day on HID; they are things that have been out for a long time, but they are also things that people have talked about in small aspects of attacking some kind of company.
Today we're talking about how to combine all of those things we're going to put into a blended attack and a full scope test.
>> Exactly. Our saying is "from the lab to the street," so everything we show you has been tested real world, live, for clients, and we know it works.
>> Other than that.
>> Other than the prox.
>> Yes, I'll just tell somebody to open the door and they'll open it.
>> Yeah.
>> So giving credit where credit is due, Bishop Fox did a talk, I believe last year at Black Hat, on a Tastic reader he put together, a simple parking garage type reader hooked up to his own version of an Arduino with his own code, and he was doing low signal reads, or low-frequency reads, from about one and a half to two feet away. Limitation over distance is obviously voltage and the type of reader that you have. What we have here that we're going to demo, we have the encrypted version. But credit to Bishop Fox and the research previously before him. He was able to put together the first long-range reader for low frequency.
>> Absolutely.
>> So we're going to step it up a little bit, talk about advancing these attacks beyond the unencrypted clear, what people have been talking about for years.
>> Yeah, because anybody can buy a Proxmark and attack those 80% of companies in the US. So we want to show you how to get after the other percentage. So this is where we started. We had a need for this. One of the first ever jobs where we really wanted to get into a secure facility, they were not using prox. So, we took the Proxmark and threw it away, just like that. So they were using iCLASS, so we're thinking, oh, iCLASS, this is kind of interesting. They have encryption; the reader and the card share this private key.
>> Private key.
>> So one of the attacks that we did is to take this big reader and put it into a backpack. All this is off the shelf, nothing fancy, in this version we're showing.
It's just an Arduino Uno and an off the shelf iCLASS long-range reader that they use in parking decks. And if you get one, when it warms up, it's supposed to make this noise. I don't know why.
>> HID, they never answered us when we called them. Go to the next slide.
>> So, again, off the shelf stuff. As you can see, this is the first layout that we made. This is kind of like the lab unit that we set up. So just an Uno; it has a contrast switch on it and it's got some connectors so you can connect the wiring and things in. Because what we found out is, as you can see in this demo here, the wires are just plugged into the Uno, so if you're walking around you have that one chance, you know, creepy smoker guy, if you have to get into somebody's bubble, get a cigarette from them, then you don't want that read to fail. So we noticed there are so many wires, you can see here, that we got in, used Fritzing and we designed this board using this setup.
>> Whatever. Good enough.
>> Yeah. And how it works is, you power it with a battery and it always... with all these readers, there are two wires that typically go to them, the green and white wire; that's the Wiegand, data 1 and data 0. So the trailing falling edge is what we look for in the Arduino. I'm going to attempt to demo it.
>> And the thing to note when you're building this: at the end of the talk I'll give you the URL off of GitHub to pull down the code that Josh has been putting together so you guys can go out and buy an Arduino, put the code on it, buy a reader. You've got the full setup.
>> Yeah, I mean $200, $300. Probably.
>> Yeah, the reader is the biggest expense.
>> Yeah. And we'll put up all the Fritzing stuff too, so you can make your own PCBs. That way you don't have all these wires because, again, it's really hard to keep those wires in it. So what we want to show is, with the long-range reader, before you were within an inch, two inches, rubbing somebody's ass.
With the long-range reader, you can get within someone's bubble.
>> That's this close. Can I bum a light?
>> Sure, you can, bro. Smoke with me, man.
>> It works.
>> So something Josh added, that was the demo, that was necessary for us in the field is, you are walking through a crowd of people, you'll get multiple reads and need some kind of offline storage. So an LCD, having access to what was read just now, if you have it out in the open, also having the ability to hook up an SD card to it, writes it all to a flat file. Go back to the van, parse through it, find out what card you need, make your card with some of the stuff we're going to show you, walk back into the building 5 minutes later.
>> We heard there were new speakers here.
>> Yeah. Over here. Long-time listener, first time caller. Yay!
>> [Applause].
>> This is going to piss Rob off. Where are you at, Rob? Stand up.
>> So we actually -- so we have another special edition of Shot the Noob because in addition to having two new speakers, we also have a new speaker, Dune Scout. So if you could welcome Scout. We have not destroyed her yet, but there's always time. All right. Some love for our new speakers, please.
>> [Applause].
>> Just one more.
>> No, no.
>> Didn't you hear, I'm giving the rest of your talk?
>> Sweet! I'll drop the mic.
>> All right.
>> As you were.
>> Thank you, guys. Thank you.
>> [Applause].
>> Do you want to hook up and show? So all of these things we're talking about today, we get serious now, intimate; all of the things we're talking about today around iCLASS, it's pretty sad, hence the slide. It came out in 2010, and this is the part where we're probably going to piss them off, but HID has known about the vulnerability with iCLASS and the encryption of iCLASS for four years.
And the current technologies that Josh was showing in the previous slides, with the multi card formats, the higher bit lengths, the longer facility codes, the longer range of user codes, all of those have been built upon a foundation that has been flawed since 2010. In 2010, what started all this was a paper that came out called Heart of Darkness. These guys put in heavy research on how iCLASS and how the protocol works. What they found was the first revision of readers that came out had the serial interface still enabled. By finding that, they then found out how to dump the firmware. Once they found the firmware, then they found the encryption keys, and so the encryption keys have been indirectly leaked out since 2010. The process to obtain them is nothing more than going to read the paper, getting the right hardware and cable, which we searched all over for. Once we had that, we were then able to hook up to the revision A reader, dump the firmware and get an encryption key. At that point we had the encryption key to write our own codes, so now we're HID, pretty much.
>> There are a couple of different ways to do this, a couple of different ways you can go about it. There are two to three papers on how to do it. Here's the thing: if you're going to do it, you have to have a revision A reader that you can plug into the ICSP interface with an FTDI cable. And it uses a bit-bang method, so there is copy protection on the firmware. So the way that a couple of guys got around that is they were basically taking two readers and putting jumps and stuff in the first one and getting part of it, and then getting part from the second one. It's going to trash both readers. We have got a stack of hardware that we burned down, that are no good anymore.
>> One was burned by accident. I got grounded to the wrong one.
>> You have to be careful planning this stuff; they have sensitive electronics. If you are messing around and you plug into the wrong hole or the wrong wire, it's going to brick.
So what we want to show here is, so, you know, you can spend your three months like we did, you know, in the lab, staying up all night, reversing this stuff trying to figure it out, or you can go online and buy one from China for 300 bucks. Already got the key in it.
>> [Laughter].
>> With the China hardware that you buy, you actually buy a stock OMNIKEY 5321. Pretty cheap. 40, 50 bucks, I think. Standard reader from HID. It also has the ability to write. But it requires a custom driver. You are paying China for the custom driver. And you're also paying China to use the stolen key that's been out there since 2010.
>> If you wanted to do this yourself, you could get the reader and the contactless demo software; HID has pretty much yanked it off the Internet, so if you need a copy, just ask for it. Somebody I know. So if you already have the key, you put it in that software and it's doing the same thing we're doing here.
>> So. Pretty straightforward interface, other than it's in Chinese that I can't understand sometimes. We have a valid badge; it's an iCLASS badge. It just got stolen. The badge opens a mag lock. Good to go. So if you can acquire one of these cards through various techniques, either steal it, read it, show up through some kind of social engineering attack and get a visitor badge, all you need is what kind of card type they have and the facility code and a valid access number. From there you can do whatever you want, and we'll show you how to modify the characteristics of the card. We have acquired a card somehow, whatever the particular attack vector may be. We have a card. At that point the Chinese software works pretty straightforward. We read -- I can't see the screen. Fucking demos.
>> [Laughter].
>> So we get a full read on the card.
>> Yeah.
>> You want to go and clone the card at that point. It works pretty simple. Take a card that doesn't work. Doesn't work.
>> Wa, wa, wa.
>> Stick it on there. And we're essentially going to take... I need my glasses.
Oh, my gosh, don't do that.
>> I like how that worked out.
>> [Laughter]
>> Yeah. We've got a fix for that.
>> [Laughter].
>> You know what the fix is? It's the little nipple on the damn thing. It's that little nipple right there.
>> Yeah. Any problems, you can probably e-mail them real fast.
>> Yeah.
>> So get a read on the card.
>> Eric, Eric.
>> And all we're associated with -- do you want to explain the blocks? 5678?
>> Yeah, we're not really interested in all the blocks on the card; we were just really interested in the blocks, like 2 through 9, that contain the facility code, the user ID, your thumbprint and the keypad number that you're putting in there. Those are the ones that we like. So we're essentially just reading and taking those and making a pure copy of this one. Probably add another demo.
>> [Laughter].
>> Wow! Awesome!
>> How are you guys doing?
>> [Laughter].
>> Where did you go last night?
>> How are you doing? I like that bee thing you have going.
>> The fucking mouse is going crazy. What the fuck! This is stupid.
>> [Laughter].
>> Whatever, trash it.
>> Whatever.
>> Whatever. Fuck that demo. We're going to show you the one that's much better.
>> [Laughter].
>> Yeah, fuck that demo.
>> So you can clone the card, which is good, right?
>> That's what they said.
>> Supposedly this worked in the lab.
>> Got it.
>> You can take Eric's card and clone it, but what if you need the modified card, Eric? What would you do then?
>> I have the right answer. China works great, whatever. Laptop sucks. Time for the black box. Hell with that laptop. So what we decided to do was go one step further, and we did all this bullshit that took a lot more time.
>> Yeah, you can see half that shit don't work.
>> The fact that I run that Chinese software on XP and it never gets connected to the internet. That laptop is busted, and as you can see the mouse is busted too, apparently.
>> It's busted now.
>> Definitely busted now.
>> So what we decided to do was go one step further. We get into several situations with iCLASS: we can either read long-range, we can also obtain certain pieces of information from a direct attack against a badge system, we can also take a picture, we can use the reseller to look up the information for us, whatever it takes to get certain pieces of data that we need to make a card.
>> If you happen to just -- so Corporate 1000, let me explain one thing about that while he's setting up. So Corporate 1000, what that is, is HID's way of having the facility code be unique. It's a 35 bit card, iCLASS; the facility code is unique for those 1,000 companies that sign up for this. So their idea was the biggest 1,000 companies will be assigned a unique facility code and we'll track those in the database. So what happens if you get a hold of that database?
>> Sell it.
>> Exactly.
>> So you have all the 1,000, you know, biggest organizations, private and government; you would have their facility code. So out of that, you would have two out of the three things we need, the 35 bit card type and the facility code. And then all you would need is the user ID.
>> So we said the hell with the Chinese device and we put together another device that is essentially a reader with custom software and a custom driver. The Honey Badger. We call it the Honey Badger because it takes what it wants.
>> A valid card opens the door. This bitch will work.
>> This demo will work, guaranteed.
>> Guaranteed. I'm putting that out there, guaranteed. So we take the card --
>> Guarantees it works. You gotta connect to it. Damn it.
>> Bam, I've got green!
>> Yeah, I should have bet on that.
>> It gets a read on the card. We now have all the properties on that card; the facility code is 898 and the card number is 8435. We've read every memory block off that card. As Josh was saying before, only certain blocks on that card are really important to us.
Block 7 being a primary block we really care about, and block 7 contains access card number -- or facility code and access card number. So when we get to the next step of modifying those things, we'll see how that works. Right now we're going to do a raw dump of the card and a raw clone. So we've already read the card. We then take one that does not work, that was supposed to work for China.
>> Does not work; China sucks.
>> Take that, stick that on there. There's the one that works still. We get the CSN off that card, which is just a unique serial number for that particular card. Put it in write mode and write each block, which is better than copy and paste with the China card.
>> Yeah, who needs quantum physics when you can push buttons?
>> [Laughter].
>> The new card clones.
>> Bam!
>> [Applause].
>> Yeah, shit worked!
>> So we've essentially just done a pure clone. Well, maybe that card only gets me into the building, doesn't give me data center access, but through other means of acquiring information about a particular person, whether you directly attack them and do some kind of spear phish, or you pop the badge system, or you potentially pull a badge report that says John Doe has access to the data center or access to human resources or whatever business or facility you are going after. Once you know your target and know that particular data, maybe you only need to modify just the card number. So what we're going to do here is take the same facility code, but through some kind of -- facility code, fucking projector -- but through some kind of intelligence gathering we know the particular user also has 898, 8435, which we just cloned. It also has one more: 898, 1337. So that's the one we want to modify. So we change our card number to 1337.
>> And it stays the same?
>> No, you can change it. Just to be a badass.
>> So 898 we already acquired from the clone, a read, a picture, a look up through a reseller, whatever it might be; we know the facility code.
Now we know we need to make a badge to match a certain number, the access card number. We know 1337 is supposed to get us into the system. We modify that particular block. Using the stolen encryption keys, we calculate Wiegand, we also update block 7, and then we take a new blank card, this fucking thing, take our new card offline, back into the mysterious white van in the parking lot. >> Free candy. >> [Laughter]. >> Free candy is always good. We're writing the same blocks as the previous card we already read. And then we write block 7. We'll talk about 8 and 9 in a few minutes. So we have written a new block 7 with a different access card number, modified that with the calculations you can get from the Heart of Darkness paper. It talks about how Wiegand works and how the encryption key works. Once we've updated block 7, which is supposed to match what the new card number is, now that guy gets in and has a different badge number. That worked. >> Yeah! >> [Applause]. >> Eric, Eric, Eric! >> So, privilege escalation. Various ways to get into the facility, acquire the information, make the card offline, walk back in. You can also use it when you are on-site; potentially you have gotten into the building but now you can't get past bio, two-PIN, two-factor, integrational PIN, whatever it might be; we'll talk about some of that too. But you have obtained enough information to make a modified card. Do that offline and you have something that has been buffed, has additional rights, whatever that might be. One thing we're working on right now to note is the ability to - - the problem with iCLASS versus low-frequency Prox II: when McAfee or Foundstone came out with ProxBrute, it was easy to do, because it's all unencrypted. You don't have to calculate that block 7 each time for each authentication attempt.
The problem with doing iCLASS bruting is you have to calculate that block ahead of time and then have that in some kind of list that is going to present that card type each time you try to brute through the reader. A lot of calculations are done offline; have that data ready to go, then present that through a device, and you can walk up to a reader and do the same thing ProxBrute does, but now you're doing encrypted authentication. We're working on that now; it's something that looks like it's going to happen, but we're still working out the kinks. We just did privilege escalation, got out of order a little bit - - do you want to talk about vulnerability? >> Yep. As we mentioned earlier, from the controller to the reader, that is all unencrypted, clear text. So all you have to do is tie into that and you are able to identify whatever comes over the line, so the facility code and the user ID. So any way you can get into the facility and find those lines, which typically go back to a small closet somewhere that nobody ever goes into, if you can get in there and tap - - you just need two wires, the yellow and green wires, those are the two wires you need. You tap those two and you can pull back and exfiltrate the user ID and the facility code. >> And essentially all you are doing is getting between the reader and the controller. And typically, like Josh said, they are buried in the wall, they're buried in a closet, wherever that controller might be. If you have the luxury of getting access to that back end when the authentication stops, at that point it's all clear-text Wiegand and you can alligator-clip into the wires, pull the data. >> If there's not a camera, you can take the reader right off and do it right there. >> Never done that before. >> Not happening. >> So we talked a little bit about some of these already. We have plenty of time, so we're good.
The goal here is to stress how blended attacks work and the value you get out of those types of things, showing those to your clients or the company you work for. We showed how leakage on eBay and leakage through resellers and possible compromise of that database can lead to data access and data leakage. Using that data you can then modify certain aspects of card types. Also, like Josh said before, if they are rolling from an older infrastructure to a newer infrastructure, you can take those things and modify certain properties of the cards to match what they are rolling to that might be at a new facility you are trying to go after. So using things that you may acquire through electronic access could turn into physical access. So keep those things in mind when you are looking at badge systems; it doesn't stop at just a clone. Clones and reads and bruting and modification and privilege escalation have come from other aspects which may be physical or social or electronic, and how they blend together, and that's how they come to materialize. >> One real quick story. One time, old badass here, he ended up - - we were doing a red team test for a really good client. We ended up popping them remotely, getting in, getting DA in like 7 minutes. So then Eric gets on the badge system and we pull out their facility codes, their card types, and their user ranges before ever going on-site. So we took that back to our lab. We wrote everybody a card. Not only wrote a card, we took their badge template picture and took our faces and put them on it, so we had their real badge layout.
>> We modified the picture on the badge system you'd see, so when you are running a badge system and they have a picture that pops up - - a lot of you probably work for companies that have that picture that pops up at the front desk whenever you are walking in - - if you compromise a badge system and modify that pop-up picture, when you walk in with a badge you made, your picture matches and no one is going to stop you. >> So all five of us show up with pre-made badges in a really tight facility and badged in and out all week, never got caught. >> Yeah, we were there for an internal pen test and had our own badges for the whole week. >> It makes things a lot easier to show up with your own badge. >> So some of the things to focus on here that we want to stress a bit is around activity monitoring for badge systems. This is something we have seen as a big gap in this space. Badge systems are limited in the amount of information they make readily available by default, like anything, but there are certain things you can look for if you are managing these types of systems to identify an attack before it materializes. If you are doing things like ProxBrute and you roll up to a reader and you present 1,000 attempts, that should trigger something, right? There's really no IPS type of solution out for badge systems. So the vendors leave it up to the operators of the applications to make their own signatures, their own monitoring, their own alerting, to say, why did this thing suddenly receive 500 failed attempts and then the door opened? Or why did Josh badge in in the U.S. and an hour later he badged in in China? There are certain things that should raise red flags in these badge systems, and that's one of the limitations we're seeing right now, what we're testing, you know, all the commercial badge systems that we have seen that don't have that built in natively. Big gap there. Monitoring, like anything, is always important.
>> When we showed up to that facility, all five of us used the same user. >> Yep. And the other thing we're pretty adamant about doing when we do acquire badges: Josh decided to break into a building one time on an engagement with me and came in the front door as the bug man. And once he acquired a visitor badge at the front desk, he left, came back to the truck, used the visitor badge to get a read; we knew the facility code at that point and we already knew the access card number we wanted to try, based on a previous attack we did or we pulled it, however we got it, and we made the card and went back in. So we had two ways to get in. We had one: we took a visitor badge that had basic access to the facility, we cloned that and made our own visitor badge, then we used the badge system to elevate rights for the badge. We went and added data center access, we added other facilities, because we had the badge system. So there are things we'll talk about in a minute about protecting the badge system itself, but those types of things should identify a red flag, too. Someone that's had basic-level access for three months all of a sudden has data center access? Why isn't that tripping an alarm? Just like in many of your environments, you probably have an alarm if someone gets added to the new admin group, or new users are created and added to that group. Those things trigger whatever technology you are using for monitoring; that type of activity monitoring should be included in badge systems, too. >> Yeah, so this is one thing that we're working on right now. And, again, this talk was supposed to be, you know, just around stuff that we know that works. Stuff that's real world, stuff that we've used, stuff that gets you into a building. So the next area that we're working on right now is the bio stuff. So the biometric, your fingerprint, and the keypad.
So the issue typically with this is, when you go to set up your fingerprint, you have a reader just like this, you put your finger on it and you will enroll yourself. So that gets written to the card. >> And that block 8 and 9 that we showed earlier, that is all F's right now; 8 and 9, that would be where bio is stored, biometric, PIN, whatever the second factor is, those are stored in those blocks. >> Yeah, and we can't say every badge system is configured that way, but the majority of systems, it's going to authenticate - - it's going to verify your thumbprint on that card, just a thumbprint template, or the key code that you put in, on the card. Not going back across the wire, not looking at the database. Some of them will go look at the actual keys you put in, but the majority that we've looked at so far just verify that the key and the thumbprint match the card that you just presented. If it does, then it sends Wiegand back to the back-end unit. >> So, stress that again: the PIN and fingerprint is an electronic signature that's written to a block on the card. So if I clone Josh's badge and I then write my own PIN or my own electronic signature of my fingerprint to my card, when I authenticate to the badge system, it's validating on the client side, not the server side. So I'm telling the badge system who I am, even though I am lying. So there are issues we have seen on this factor right now. >> So this is - - we're going to wrap up here, but the other thing that we're working on is, so we go and we clone a badge or we go and read a badge in the parking lot, right? How do we get that back to the van, back to the team? So what we are working on is taking ZigBee and basically, if it's in with the incomly, we will take it and as soon as it gets a read it will transmit back, or transmit it to another team member, and then write the card on the spot.
So you know when you get a buzz in your pocket, you have already received a code, user ID, and you pull that out of your pocket and badge in. >> So if someone is in the field walking around with a mysterious clipboard, or a long-range reader in a satchel, they can send that back over 3G, Wi-Fi, ZigBee, whatever it might be. >> The other thing is backdooring the reader. So if you have access to a reader, you can get in super easy; all you need are those two wires, the red and green Wiegand wires; you can backdoor it and have it talk wirelessly, ZigBee or whatever, back to the cloud. >> Mitigation we will go through quickly because there's not a lot. Obviously the little 35-cent shield around your badge is important. Protecting physical access to the badge is important. Protecting visible access to the badge is also important because of the reseller issues we've seen: being able to identify what kind of badge it is and the information on it just from an order number that's printed on the bottom. But the big one we want to stress here: protect the badge system. This thing is the holy grail of how the hell people come in and out of your building, and if this thing is not air-gapped, if it's not two-factor authenticated, if it's not part of your domain, if too many people have access to it, if no one is monitoring it, if it's not segmented properly with VLANs and things like that, it's going to get attacked, and if we're doing a job, we're going after the badge system. >> And with the badge system . . . Say we're internal, or external, doesn't matter, you get into the badge system, there are other things that you can do without having a card: you can pop doors, you can clean logs, you can set up a new user and elevate your own privileges that way. >> And the last one I wanted to stress here real quick, and then we're done, is training the staff. The big issue we always see is the isolation between who manages the facility and who manages corporate security.
Facilities are always a third-party facility company in charge of watching the front desk and the visitor log, things like that. They don't communicate well with who runs corporate security. And we tend to make the joke that we always play therapist, but having communication between these two groups is key, because protecting this type of stuff is in their hands, not corporate security's all the time, and there's a big gap between those two clients, or two groups. And last but not least, there's a URL on the bottom and we can pull the Adrena, for doing the long-range reads. It's got our company name at the end. So github.com/larsconsulting. That's it. [Applause.]