Raise their right hand. And point to people standing against the aisle. We appreciate everybody accommodating all the changes and hope you are having a good time, so thank you, guys. >> So that thing over there, is that translating everything I said? Does it do naughty words at all? Welcome. So, wow. There are a lot of people. This is a lot bigger than the first 101 track. Made me nervous. So I'm Dennis; some of you know me, most of you don't. So let's get right into it: are we really safe? Hacking access control systems. So I will talk about access control systems that matter to you guys. You see it up here, and you see these in your apartments everywhere, so let's dive in. I am a security consultant and we do security stuff. My job is to hack things. This is one of those things. So you will hear a lot about what I have done in the past year with my research on this, and you can keep up with me on Twitter. For those that are interested, I am also cofounder of (indiscernible); my other cofounders are here with me. We drink beers. I was told I was going to get heckled. And I am. I am rebooting (indiscernible). So if you are in the Houston area, come talk to me. I will talk about what physical access control is. Then I will talk about a specific vendor that I have been doing research on, and the reason I will talk about this one vendor is because of time and money. This thing cost $1700 and I don't have enough money to buy everyone out there. After we talk about how they work we will talk attacks, local mode and remote mode, and I have a tool that I might release, and then locating devices and some recommendations, because I had to. So let's get started: physical access control systems. So first, what are they? They are systems with the purpose of limiting access to a physical resource. They are outside many things that you guys have seen. They secure areas by hooking up with (audio drop) a door magnet or door strike, and use gates for apartment communities and barrier arms for parking spaces. How do they work?
You have many different ways of authenticating to an access control system. A lot of you guys that do live in gated communities have a key fob like this that opens up a door, and you can go to this keypad and use a button. So I will talk about what the demo is. Here I have a Linear access controller set up how it would be in a large apartment complex. You see picture frames with lights underneath, and every time you see a picture frame light up that means door two, in this case, or door three has opened, so imagine that. But you will never see door one open during my presentation; I blew up -- where are they used? They are used in gated communities, parking garages, office buildings and even in commercial facilities. Walking in downtown Austin I will see it guarding a post office or something, so they are pretty much everywhere. You can walk up to them. Here are just some different things I have seen. So you may recognize some of these. LiftMaster. I will go back -- now they are calling themselves Nortek Control. So we will talk about this one more in a bit. Here are some pictures that I took walking around; you have a bunch of these mounted on the buildings. I think this one was in a nursing home. You have one next to an elevator because they can control them. They can authenticate whether somebody can be in an elevator. You see these gray boxes and they are headless. They don't have keypads or anything. They are used for expanding an existing installation, or just installations that only require RFID readers. Doesn't require a keypad or anything. Here is what they look like inside. Just without a keyboard, without a big display. This is mounted on the wall; you will never guess where I found this one. So I wanted to use the bathroom and was very curious about the inside of that gray box. So I took a peek: access control. It was protecting the doors for that building. That was pretty funny. So let's talk about Linear access control.
The vendor Linear, they have a few different models of commercial access control systems: the AE500, AE1000, AE2000 and AM3 Plus, which is that toilet one I showed you. They all work pretty much the same way. The 1000 and 2000 have a bigger screen. Much bigger. That is the only difference. The AM3 doesn't have a keyboard or anything, but they all do the same thing, so anything we talk about is going to apply to all of those. So let's go deeper into this. So this controller is pretty fancy. It has a lot of cool features and is great for installation, and uses a telephone line so one can go up there and press a directory code. So it also supports thousands of users, so it's great for any big installation. These can only control four doors at a time. If you want more doors you add more. And the best part: they can be controlled through a PC. They can be networked so apartment management in a different state can manage these small communities, so this is the kit. So these things -- they are rarely installed just by themselves because they are pretty expensive. So to do that they use this TCP/IP kit that turns the serial connection into a network connection, and that will allow the management of the community to manage it from a computer, whether it be on the network locally or online. So that is the example of the company in a different state. So let's talk about architecture. So the controller here, the AE1000 Plus, interfaces through serial and connects through a serial cable to the converter, which is then plugged into a network, and the management PC can connect to it. It is pretty much as simple as that. To refer to that controller you refer to a specific IP and port. This is the default. So here is the same diagram, but this came from the documentation; the documentation does encourage that you hook that up to an internet device so that you can control this from the internet. So that is pretty cool. Well, pretty cool for some people. So how does the computer communicate with the controller? They use the software AccessBase 2000.
It is pretty good software. Anything transmitted or things like this: you can control the controller, or toggle the relays and open the doors remotely, or lock them to keep them closed, and view log reports. Or even open the door right here at the controller. It logs all of it. It does communicate through serial, but when you have the TCP converter then it is a TCP connection in your eyes, and it does require a password. I hope you can see what you see here: you need to type in a password to use the software with the controller, but it's pretty interesting because the password is just six characters, no less and no more, and numbers only. You can imagine the key space. One million passwords, that's it. May be a problem. Let's look into that. We will look at that in the attacks. So how does it communicate, just how does it communicate with the controller? So first, when someone is using the software on the computer, you have someone sending a string to the controller, whether it be a string to open a door or a request for logs or anything like that. And the controller (audio drop) with another string, and the string is consistent and will acknowledge the command, or could be not acknowledged, meaning the command was a bad command. This does use a checksum to ensure data -- so if the message is wrong it will spit back and do no response. If you didn't put in the correct password first you won't get a response at all, so you are not authenticated. So let's break down the message. This is hex encoded and sent to the controller, so the first two bytes are going to be the packet header. The packet header is always going to be A5, and the next header is -- data in yellow, so when you send a command the minimum length can be zero, and the next byte that could be, in this case, 0A, and for those that know hex that is 10 in decimal, so the length of the data can be 10, and then you have the net node, and what that is, that is just the identification number of the controller relative to any other controller on the network, so it is 11 in this case.
Then you have the command, and this string is the password command, so this is 01; there are a bunch of others, like pulling the logs, pulling status, doing a particular firmware update, so a bunch of different commands, which is 15 of them. One of those numbers, and the next -- in this case six bytes, this is data, so like I said this is a password request, so what I am doing, I'm saying the password is 123456; that is 123456 hex coded and then reversed, and it wants to reverse the data, so that translates to 123456. The last two check integrity. And that checks from the beginning of the net node to the end of the data, and if correct, all systems go. So we have talked about how this works; you have a good understanding. Let's talk about attacks. How can we target these controllers? They have number pads and displays and you walk up to them at a gated community, so you have physical access. What can you do with physical access, like local programming, because some of these things can be -- you can do local programming. And a serial port inside these devices, so let's talk, since we have physical access. So first, this is the AE1000 right on this desk, and there is the AE500, and it is similar to these, only supports two doors and doesn't allow for computer configuration because it's meant for a much smaller installation. Meant for one or two doors, so you have those. Those have a default -- those can be programmed locally from the keypad. So to get to that part where you start typing the password, you hold zero and two and that will bring up the password prompt, and in the documentation, this is all available online, the default password is 123456, and who changes that? The lowest bid contractor, they are not going to care about the password, they are going to leave it like that, and the default password is 123456 regardless of what your entry code is. So try it and see what happens. Pound is just the enter button. Press pound and see if it works.
Once you're in, because you're going to get in, input the following commands -- you have all that string -- and what that does is input your own back door and your own entry code, so when you walk up to the device, access granted. So let's talk about what we just did. (CLAPPING) We have more. 123456, just typed the default password, and we are in. Three is -- that is the entry code enter mode, then 999 is the entry code, and you can do whatever you want. No one has that. Then you do it again, 999, just to confirm it, because it wants you to do it twice, and then going back to normal functionality, and you are in. I forgot I did that. So what is the summary? So I will show you how quick it is to do that. So you will see how quick it is. There you go, access granted. That is where the applause should come in. (CLAPPING) That was done in less than 10 seconds, so if I find one of these devices, I do my thing and walk off, and now I have full access, because there is no way that I found where you can list the entry codes. You just have to -- if you just erase everything and start over. So what else can be done? Master key. This is interesting. So I bought this, my company bought this for me, and it came with a key, and it turns out -- I found this out, I was flabbergasted -- same key for every device. This 1000 Plus you see here, some of you have seen this, this is one of the most common ones that I have seen in the United States; the key that it came with, like here, works for this but also works for all of my other apartments that I may or may not have tried. It works for anyone that has never changed the lock. The same one that was on the toilet works for that too. May work for the AE500, never tried it, but why wouldn't it? You can purchase them on eBay. You could pay $1700 and get the key, but the AM3 Plus -- buy the enclosure alone. It is a hundred bucks and now you have access, but buy the key, you don't need it. It is a fairly simple lock. And it gives you full access to the device, so let's talk about that, but first.
For those that are into making keys (audio drop) that may or may not be the bitting code. So the PowerPoints will be online. Physical access, so what does that get you? If you are able to open up this device, in this device, the 1000, there is a relay latch. So when the relay is triggered the door is open, and if something is wrong, if the software is not working, maintenance can open it up and leave the gate manually open, so there are buttons in there to open all the doors, so let me show you real quick. So if I were to open this, and I don't have an entry code or anything, all I have to do is open it and boom -- I am in, and if I were mean and locked this up, everything stays open. Because all the buttons stay locked open, so that is a cool way of entering if you want to enter with the key. Let's turn those off. So like I said you can lock the states or leave the gate open and have that cool house party, but I didn't want to break the lease. I mentioned relay one exploded, literally; there is a bunch of soot around the capacitors next to relay one. That was fun. I had to fan out the house for that. What else does physical access get you? Programming buttons, on other versions located somewhere else; you can program the device, or if you want to be a dick you can erase the memory. There is an active phone line for us -- find the phone number and put it back, and maybe you can call it or do some pen testing, and there is the serial connection, and all the remote attacks that we're going to talk about work on the serial connection. So the last thing I wanted to mention, a tamper switch, a magnet on the corner that will detect when the case is open or closed, so in the logs you will see tamper switch opened or closed, so that is to see no one is messing with the device, but the problem is no active alerts; you go through a bunch of these buttons and view a log of someone opening and closing it, but no alert, and you will never know it happened until much later when you decide to download the -- not really tamper monitoring.
So for those that do the defuse-a-bomb competition next door, you can use a magnet to bypass this tamper switch. You will see on the screen tamper switch open and then closed, so what I will do is grab my magnets, put it there where it is and be careful not to put it in the wrong place, and I open it, and when I open it you will see nothing logs; you will see the two existing log entries from earlier but nothing new. So tamper switch avoided. We're going to need more of that time, so we talked about physical access, so what's next? The fun stuff. Remote access. Can be done depending on the configuration, so say you have a leasing office and someone is looking for a new apartment, so you plug in behind their desk and then you have external access, and some people have it available on the internet. Everything works over IP and usually the default port. Can be changed, but who does? So let's talk about remote attacks. Let me show you the software. Let's see if this works. You have this software here and you press this little button and you connect and you get the message wrong password, so we don't have the password to authenticate, so how can we fix this? Like I told you guys earlier, six characters, numbers only, tiny key space, so one million passwords, so you are only limited by the connection speed, so you can guess as much as you want. And this is scriptable; the backbone is all serial, so you can script all of this, you don't have to touch the application. So let me show you that. So we don't have the password here, but I wrote a Python script. So what you see now is brute forcing and giving the common codes, and if it doesn't find it, it will iterate; you are seeing more than once on the same password, if it doesn't get a proper response it just keeps guessing, since the serial response is not very reliable and that is why. Master code: 000051. So it found it and we are done. I am connected now. All four doors are open.
I will show you here, and I just downloaded the logs, and so you see these are the logs that I just downloaded; certain people have access. So I just wanted to show you guys. What is cool: so we have the password, but did we need it? Apparently not. So the normal way, you have to authenticate first. When I send this device a command I would not get a response, but it turns out it will just run the command anyway. It will not tell me it did it, so I will not get the response, but it will still work, so any command, or most commands, work that way. So what can we do with that? We can send a simple command that opens a specific relay, and send it over, and it processes that command and executes whatever it is supposed to do. So still good. And it's great for movie style scenes. Say you have a hacker in the van, so when the hacker is ready, presses something on the computer and opens up the door and everyone goes and steals the Declaration of Independence. Great for scenes like that. So that is what we can do there. We can lock doors open and closed. And that will keep the doors or gates open if you wanted to have the house party, or closed if I want to prevent anyone from getting in, so once the relay is locked in a specific state it will not respond to any key fobs or any legitimate access after that until I unlock it or the device reboots. Those fancy logs, you can delete all of them. Because the controller has limited space, when they are downloaded they are deleted from the controller. We have hidden the evidence of us doing anything. If you so want to use the AccessBase 2000 software, you change the password, you can submit a database update and it will just say okay, and it will change the password back to default, and now we can get in with the default password. You can upload anything. You can upload directory codes, any back door you want.
So pretty much that, and then the last thing I would like to talk about, denial of service, which you can do if you want to be a dick about it: when you get a database update -- it will just keep flashing, and when it is in progress it locks itself. And the only way to fix that is to stop the database update, and there is a command to stop, or just reboot the device. You can override the device firmware. Be a dick and make it useless to everyone, or like we talked about earlier, you lock the relays or keep the door shut so that no one can get in. All those attacks that we talked about, what I have done is I have developed a simple tool to show these attacks, so I called it access control attack tool. But now I can say, you guys, go download a cat off of the internet. Let's show off this tool. I have this Python script and it works on Windows and Linux. You can go through an IP address, so let's do that. So here is my tool, you just type whatever you want and have a bunch of options here, so try to trigger a relay, and this will trigger for two seconds by default, and so let's open all of them. One, three, four, and so this Python script opens all four doors, and that was sent. I walked up to my laptop and sent these. So relays are now open, and another thing you can do is lock them open. So all four are locked. So let's lock two closed. So two is now locked closed, and if I try to use the normal transmitter, nothing happens. No one can get in with relay two or any of the relays, so let's unlock them again. It works again. So that is a cool thing. So this is the one that sometimes doesn't work, but we will hope it works, so everything we just did was the Python script or the transmitter that I am holding, opening and closing that, and it is being logged in the internal memory.
So what I will do is start a download, and what that's going to do is download the logs, but they're going to be deleted from the controller, so it's trying to see if it gets any feedback back, so let's exit here and let's see if that works, so I'm going to go here and connect and do a download of logs. It should show a dialogue box. Six, so it worked. But what I did notice is when this device has been rebooted, and I did do that earlier, there are six log entries that never get deleted for some reason, so just take my word for it that it worked, and you can applaud for that too. So if you did look at the log you would not see the access granted stuff. So let's connect back. So the next thing you can do is, let's do upload -- so we connect to this with the password of 000051. I am being attacked. I guess we are good. So we are connecting with the password we brute forced earlier. So let's go back to the default password. So I uploaded the default password to the device, so if I connect with the existing password it should fail. Wrong password, there you go, so let's go back to using the default password. How's it going? Excuse me. Okay, have fun. >> So you are giving me your computer, that is awesome. So you want -- I'm sure something happened. You all know how this works. How is he doing as a new speaker? (CLAPPING). Are you hung over? Nope. You will be. (laughter). Lost audio. You're giving me that? Has to be something better than that. After you drink that I will be back with something better. >> To Def Con and new speakers. Clap. You still want that next one? Thank you very much. I'm not used to that, I don't do shots, so that is burning my insides. Speaking of burning my insides, denial of service. Thank you very much. I'm going to ride this out. The last thing I want to show you that the tool can do, you have functionality -- I think something just broke, but this one lights up so people that are going into the gate -- the controller has been lost.
So I will take your word for it, but what you should see on the screen should show database progress. Not working. Let's try again. DoS no longer works. In the same script you can stop it and everything is back to normal, so that is pretty much the extent of my tool. I will give you one more try. So it still doesn't work. It is getting hot in here. Okay. So now that we have talked about attacking these controllers, let's talk about locating these. How do we find these? One thing you can do is scan for these on the network. Look for any COM port redirectors. There is a specific one that the brand Linear uses. Any will work, so you scan the network and you send a UDP broadcast, and if there are devices on the network they will respond. So the attacker can send a UDP broadcast to that specific port and the -- and it goes back to the person that started that broadcast, so that is how you identify any of the devices on the network, and once you have found it you can send a password request string, so regardless of whether you authenticated or not you will get a response back on whether the password you tried to guess is valid or invalid, and if it's a Linear box it will respond back whether it's a valid or invalid password. So you send it something and it responds back. So let's demo another tool. What this will do is send a broadcast packet and listen for any responses, and it will find them. If it finds a response it will take it a step further and send a password request and check if it is a Linear controller. So it did find a device. And it will make sure it is Linear, and a hundred percent confirmed that it's Linear, and if you see the asterisk it is using the default password. So that is what that tool does, and that may get released. So cool. We talked about all the fun stuff, now we have to go to this stuff. Recommendations. So I'm not really going to talk about how the specific vendor can fix these issues; I will talk about how you, for example an apartment manager, can fix these. Change the password. I would love to say use a complex password, but that doesn't exist.
Wow, it is really fighting back and I can't burp for some reason. So change physical locks. The master key works, so change the lock. You have the ability to change it. You don't want the manager next door having the same access to your apartment as he does their apartment, so change the locks, and another thing you can do is use a direct serial connection. Instead of having this on the network connection, these vulnerabilities are not done. They do allow for authentication; no one ever uses it, it is not intuitive to use, but learn how to use it and use that authentication so not anyone can connect to the IP address of the device, and resist the urge to connect it to the internet; like, don't have it online, just don't forward the port, and like anything, keep it off the internet unless it really needs to be. Final thoughts, so I didn't write this talk to crap all over one vendor. There is one I had time and money to invest research in, but I wanted to open the door and open people's eyes to find that if all these issues exist on one vendor they will exist on other vendors. So be cautious out there, and I will do some more research on this, so I do plan on doing more research on this device and others whenever I can get my hands on these things. So these are prototype tools. More work is needed. One has already failed. But the tool is already uploaded and located on GitHub and open source; whatever license, I will put some open source license on it. It is called access control attack tool and I do intend on furthering it to work with other controllers as well, so feel free to mess with it, and I need to overhaul it. So if you want to help me with that, that's great. I want to work on an Nmap script and that is great for red team assessments. And last but not least, the slides are on SlideShare and you can download the full version; you will have to download it from SlideShare to get the videos, but it is all there. So that is all I have. Any questions? In the physical location. So you see it. >> (inaudible).
>> So most of the time, unless they are configured properly, you will not be able to tell where it is; people upload this device and name this, but that is sometimes not the case, and another thing you can do, those director -- there is a specific UDP packet, and what that will do, if you can see the device somewhere, it beeps so you can locate it. So I didn't want to talk about it, but that's one way to find it. Other than that you are screwed from there. One more question, because I only have one minute, then you can talk to me later. RTFM, read the fucking manual. I was hooking up this test light and I didn't read the manual, so the relay was for 30 volts, not 120. (CLAPPING) You can hit me up on Twitter or e-mail me or find me at Def Con. Thank you.