Let's give Zeke a big round of applause. Thank you. Rock and roll. Have a good time. Thanks. Okay. So I think we're about out of time. Thank you everybody for coming out. So yeah, my name is Ricky. I'm with Zeke. This was my talk, and let's just get right into it. Okay, so I'm a security researcher at TippingPoint DVLabs, now Trend Micro TippingPoint, until just recently HPE, and before that HP, before that 3Com. I wasn't there during that time, but whatever. Most of my hacking involves things that I find lying around the house and things that I have easy access to, which ends up being a lot of IoT. This is actually my third time speaking at DEF CON, my first time with an actual DEF CON beard. Thank you. But I've spoken at Ruxcon, REcon, Insomni'hack. And I actually used to install physical security systems for a living, which is kind of where part of my motivation came from for doing this talk. My first ever talk, period, was at DEF CON. It was a little lightning talk about a super overly complicated attack that I found in HID card readers. It was a TCP replay attack where you capture a remote unlock command and then reinject it into the session later on, and you could reopen that same door for that same period of time, but I couldn't compose my own unlock commands, and so it was really limited, and I feel like I could do better. But I also had a conversation with a friend or two about how cool it would be to be able to mess with video streams and stuff, and so I started kind of formulating an idea for a talk, and here we are. So I'm trying to decide what all I should skip through, since we're so behind in time.
So physical security, basically, it's just a way to protect your valuable assets and your facilities, and when I talk about physical security I'm talking about access control, so the reader stuff, surveillance, and alarms. So basically, no matter how big your organization is, you've got some kind of physical security, whether it's just, you know, a manual physical lock on a door, whatever it is, it's in every single organization, but the larger the organization, the more untenable managing a physical security system becomes. So piece by piece, people are starting to move it to the network to make remote management really easy and really convenient, but with that convenience comes the worries of, you know, network attacks and things like that. So yeah, what you end up with is you've got these embedded devices that are accessible via the network and they're protecting all of your valuable assets, and they're in every single organization out there. So you should take a look at them. All right, so access control is by far the most complicated piece of this puzzle. So I'm gonna go through it in detail to describe the layout of everything. Hang on, I'm gonna grab this. Okay, so you've got your locking mechanism, which is what keeps the door from being able to open, an ID mechanism, which lets you open the door, and then you're gonna have various sensors and... oh, sorry, that was the equivalent of me forcing open the door. So I'm gonna have to acknowledge that alarm. Maybe I'll just power cycle it, hang on. Sorry, door. Okay, and then of course you've got some management software on a remote terminal somewhere, so that, you know, when somebody says, like, "hey, I forgot my ID,"
you can buzz them in, or you can push down schedule changes and things like that. All right, so a little bit more detail about the door. When I'm talking about the ID reader, that covers the entire span from the low end, like PIN pads and mag stripe readers, to the high end, like biometric retinal scanners and things like that. Then you've got what's called the request to exit, which lets the door know that somebody is leaving from the secured side. So even though you don't see, like, a card reader or anything like that, it's okay for them to open the door, because they were already inside. The door contact is not a very good way to do that. It's a magnet that shows you whether the door is open or closed. The lock or strike is the locking mechanism, blah blah blah. The most important part is the door controller. Are you guys following along well with the slides the way I'm doing them? Okay. So the most important part for my purposes was the door controller, which is the part that holds a local copy of the database. All the other pieces of the door wire into it, and that's what's connected to the network. So here's a diagram of how that all wires together. You see above the door in the middle you've got passive infrared, that's your request to exit, or REX. It's just a motion sensor that says somebody's walking up to the door. And you've got a little magnet on top of the door. You've got a lock on the side of the door, a reader on the side of the door. Hang on. All of that is wired into the door controller, which then goes out to the cloud, or, you know, the LAN or whatever. All right, so let's cover some attack vectors. First I'll start by talking about some existing things, things that aren't really network based.
So, like, I'm sure you've all heard a lot about RFID spoofing and brute forcing PIN numbers, and even, like, pulling the reader off of the wall and tapping into the Wiegand data lines and brute forcing the pulses for a valid ID. So there are lots of attack vectors there. Most of them seem... I guess RFID spoofing, or, like, cloning cards, isn't that hard to pull off. But if you're talking about, like, yanking a reader off of a wall, it's kind of destructive and obvious. So there are some funny attacks on request to exits. Have any of you guys seen, I think it's Rift Recon, they've got that loop-on-a-stick thing, where you reach underneath the door and you hook onto the inside handle, and then you pull down and it opens the door. Hilarious things like that. And, like, tripping motion sensors and stuff. Of course you could attack the management software if it's running on a vulnerable host or has an unsecured database. A little unpredictable. Or we could go after the door controller, because it's a network connected embedded device, which is notoriously bad with security, and every single piece of the door is wired into it. So it's basically an embedded device that has a bunch of software controlled relays on it. So if you can control the device, you can control the relays. So let's focus on the door controller now. Basically, the way I see it, there are two main ways that we could go after this thing. You guys could probably think of way more, but the first, and probably most obvious, is API exposure. So, kind of like what I did in my little rinky-dink DEF CON talk, where if you can see an unlock command go into the door, you can replay it later on. But I do want to talk a little bit about this PSIA,
which is an interoperability standard that is starting to take off a little bit. I should say that this is strictly speculation. I don't have access to a controller that implements this standard. But just reading through the spec, it looks like something I would like to take a look at, because it's based on HTTP requests to URIs. I saw this one that's used for, like, if there's an incident at a facility and you need to either unlock all the doors or lock off some areas. You can override the access schedule by sending a PUT request to the access override URI, and if you set the access override state to unlatched, it would unlock all of the doors just like that. It had mentioned something about... I'm starting to run out of breath from going through this so fast. So it had mentioned having, like, an ID number in the request to use as, like, an authentication mechanism, but that was just in the spec, and, you know, individual implementations may vary. Okay, on the other hand, you could look for running services, since it's a network device. So they usually have, like, an on-board management system. If I had my display working I would show you what the on-board management system looked like on this guy. But it's a little bit more complicated than that. So that's one thing, you know, usual web app attacks. Or you could look for, like, standard Unix services and Linux services that are just out of date, because they haven't been keeping up with patching other services that are running on their device. And also they are a great place for fuzzing proprietary services that haven't been examined very closely,
which is what I did. So that's one of the things that I wanted to show you. So this is an HID door controller. Every single one of HID's door controllers across their entire product line was running a service called discoveryd, which is a way to send out a UDP packet to the broadcast address, and every door controller on the network would then send a packet back to you that said, like, "yeah, here I am, here's all my info," blah blah blah. But that was the only purpose of the service, from what I could tell, but it wasn't the only function of the service. There was also an undocumented command called command_blink_on. Excuse me, yeah, so command_blink_on took a number of times as an argument, and that number of times was how many times to blink the LED on the door controller. And the way that worked was they would build up a path to the blink binary, and then send that path and that number that you just gave it and call system() on it, with no sanitization at all on the user or the attacker supplied information. So it was vulnerable to a command injection, and the discoveryd service was running as root. So this was across their entire product line, like the VertX, Edge, EVO, their entire product line was vulnerable to this. It has been patched since, I think, like March or April. You can actually find these door controllers on Shodan. I don't know why anybody would ever put their doors on the internet, but they're there. There's, like, over 300 last time I checked, and the patch rate is really low, even though the patch has been available for a while. So there's that. Surveillance is a lot simpler.
So you usually have a video camera that's either gonna be an IP camera or hardwired, and then you're gonna have some sort of recording device, like a VCR or a DVR, and then again some kind of management software. So same deal as before with the management software as far as attack vectors go. The DVR gets a little more interesting. There have been some attacks recently about being able to dump creds to log in to DVRs and things like that. You could also maybe try DoSing the DVR so the camera can't reach it, if it's an IP camera, and avoid recording. You can also do the same thing with DoSing the camera. But what would be way cooler is if you could man-in-the-middle the video stream, since it's an IP camera and it's just streaming across the network. So let's take a look at some of the things that we're gonna be able to do with this demo. This demo I'm definitely not gonna be able to show you without my display working, which is a shame, because that was the one that I was really proud of. But so most video streams are gonna be either RTP or Motion JPEG. I haven't seen a lot of encryption, although it's starting to catch on a little bit. The basic idea here is, when you see a frame, you grab it, you modify it in whatever way you want, and then you forward it on. And that allows you to do things like you would see in the movies, like, you know, loop X number of playback seconds, so you record, like, 3 seconds of playback and then jump and just keep replaying it over and over again. Or you could cut the feed by just replacing all the images you see with, like, the fuzzy static. One cool thing that I did was... are there any fans of Ghost in the Shell? Let me be honest. Yeah.
So I used OpenCV to do face detection on the images that we were going through, and then I would replace that face with the Laughing Man logo, so I could actually, you know, get in frame and my face would be covered up with the Laughing Man thing. If you guys wanna, you know, whenever, if you see me out there somewhere, I could run through these demos for you then. I guess I could still show you the card reader attack, I'll do that. Okay, so yeah, the camera that I was working with was a Ubiquiti AirCam. It's a couple generations old, but my friend let me borrow it, and in the latest firmware they actually got rid of RTP, which made things a lot easier. They were just doing Motion JPEG, so all I had to do was write some custom plugins for mitmproxy to handle the images, and it was super duper easy. Oh, also I should mention I'm not calling out Ubiquiti, there's not, like, a vuln in their camera, this is vendor agnostic, so don't sue me. And then alarms, of course. So we've got fire alarms, tamper sensors, motion sensors, et cetera... starting to run out of time. So one cool thing that you could do with a networked fire panel is you could cause a false positive, or a false alarm, in one area as, like, a distraction for what you're trying to do in another area, something like that. Motion sensors are probably the easiest thing that you would have to deal with. It's pretty easy to do, because if they can't send their alarms then they're useless. So you can either just straight up DoS the motion sensor, and then, like, if it's sending out a heartbeat to say, like, "I'm still alive," then you have to spoof the heartbeat,
or you could just selectively DoS, if they're not using any encryption and you can recognize the alarms, just selectively not let those alarms through. And then that's all you can do. So that's all there is to it. This doesn't make any sense since I'm not able to do any of my demos. But I ran out of time trying to configure my... so I've got an IoT motion sensor that just was not pairing with its management software. So I ran out of time trying to get that demo working. Okay, so here was the hypothetical scenario that I was trying to set up, that I was gonna pull off for my demo section. Typical office. They've got a card reader on the unsecured side and a door controller on the secured side. They've got a video camera watching the entire office. And then, like you do, you've got the Hope Diamond and all of the CEO's credit card info laying out on your desk, because you can. You're totally secured. So I'm gonna hop out of the office and I'm gonna hop over to this machine real quick. I don't know if those mics are on or not. But I won't be able to show you the video camera stuff, because I don't have a display. But I will be able to show you sending my exploit to permanently unlock the door. So bear with me. Hey. So I'm gonna go ahead and record it. It doesn't work. It does work. Okay, so I can't show you the code, but basically there was a CGI script that was running on this thing, or it was a compiled binary, that handled sending all of the settings to the relays to control their state.
And so I just sent it the unlock state and then removed execute permissions from that CGI binary, so that it unlocked the door and then wouldn't let you re-lock it. And since you can find all the door controllers by sending a packet to broadcast, I just send out that broadcast probe and then iterate through all of the door controllers that come back, and I can permanently unlock every single door in an entire facility. So hang on one second. Okay, hang on, that's not a good point. So it's just injecting commands over and over again, because there was, like, a character limit on how big the packet could be. Okay, so now the door is permanently locked, or permanently unlocked, and this is where I would have brought up the management portal to click on the re-lock button and show you that it wasn't re-locking. So yeah, there's that, and it's not as impressive as I had originally planned out, but these things happen. Thank you. Okay, and then the camera thing was gonna be, like, you know, looping the playback so that you can, like, walk in front of the camera without being seen, and stuff like that. So there's that. Okay, so let's talk a little bit quickly about mitigations. So first off, most obviously, is segregate these devices from your normal network traffic. Make it so that, you know, regular Joe Blows on your network can't reach these devices. Also, if the network that you've got them on is very static and predictable, you can look for anomalous activity pretty easily. Keep on top of firmware updates, which is actually an interesting problem with these kinds of situations, especially with, like, the access control system,
you know, where once upon a time IT handled computers and, like, facilities or whatever handled locks, but what do you do when it's both? You know? So you have to clearly define who owns what and who's gonna be in charge of updates and things like that. Also, think before you link. And, you know, I think I give this a little bit of context, quote unquote, to the advice in, like, every single one of my talks, but hack yourself, because that's how you learn what you're vulnerable to and how your overall security posture looks. Third party resellers: so a lot of this stuff is really closed off to just, like, the general masses, but third party resellers are a little looser. Like, I bought this entire rig preassembled from a company that I'm not going to name, because I don't know what their opinion of me naming them in a DEF CON talk would be. Maybe talk to me afterwards, but yeah, it was like 300 bucks for that entire preassembled demo door system. Also I was able to find some firmware images that I wouldn't have otherwise been able to get access to. Okay, so yeah, that's basically it. Sorry I had to rush and not show my fantastic demos, but if you ever are interested in any of the code, or have any questions, things that I didn't have time to go over properly, or anything like that, I have an email and I have a Twitter, and I'm way more responsive on Twitter than I am on email. So yeah, hit me up. Thank you.
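The frame-replacement trick described in the surveillance part of the talk (grab a frame, modify it, forward it, or loop a few seconds of playback) has a straightforward defensive counterpart on the recording side. The Python below is an added example, not code from the talk or from any camera vendor: it splits a Motion JPEG body into JPEG frames by their SOI/EOI markers and flags a feed whose recent frames are byte-for-byte repeats of an earlier window, or that freezes on one frame, which a live camera with sensor noise does not produce. The multipart boundary string, the frame payloads and the window sizes are constructed for the example.

```python
"""Detect looped or frozen playback in a Motion JPEG stream by hashing frames.

Added example (not from the talk). A live camera frame carries sensor noise,
so byte-identical JPEG frames, let alone a repeating run of them, are a strong
sign that something between the camera and the recorder is replaying stored
frames instead of forwarding live ones. Frames here are constructed stand-ins.
"""
import hashlib

SOI = b"\xff\xd8"  # JPEG start-of-image marker
EOI = b"\xff\xd9"  # JPEG end-of-image marker


def split_mjpeg(stream):
    """Split a raw multipart/x-mixed-replace body into individual JPEG frames.

    Frames are located by the SOI/EOI markers, so the multipart boundary lines
    and Content-Type headers between them are skipped. A trailing frame without
    its EOI is treated as not yet complete and left out.
    """
    frames = []
    pos = 0
    while True:
        start = stream.find(SOI, pos)
        if start < 0:
            break
        end = stream.find(EOI, start + len(SOI))
        if end < 0:
            break  # truncated final frame; wait for more data
        end += len(EOI)
        frames.append(stream[start:end])
        pos = end
    return frames


def frame_digest(frame):
    return hashlib.sha256(frame).hexdigest()


def find_loops(frames, window=3):
    """Return indices of frames that complete a window already seen earlier.

    A window is `window` consecutive frame digests; if the same window shows up
    again at a later position, the feed is replaying recorded frames.
    """
    seen = set()
    digests = []
    alerts = []
    for i, frame in enumerate(frames):
        digests.append(frame_digest(frame))
        if len(digests) < window:
            continue
        key = tuple(digests[-window:])
        if key in seen:
            alerts.append(i)
        else:
            seen.add(key)
    return alerts


def find_frozen(frames, run=5):
    """Return indices at which `run` or more identical frames in a row end."""
    alerts = []
    streak = 0
    prev = None
    for i, frame in enumerate(frames):
        digest = frame_digest(frame)
        streak = streak + 1 if digest == prev else 1
        prev = digest
        if streak >= run:
            alerts.append(i)
    return alerts


def fake_jpeg(payload):
    # Constructed stand-in for a JPEG frame: real markers, fake body.
    return SOI + payload + EOI


BOUNDARY = b"--frame\r\nContent-Type: image/jpeg\r\n\r\n"  # constructed


def build_stream(payloads):
    return b"".join(BOUNDARY + fake_jpeg(p) + b"\r\n" for p in payloads)


# Ten distinct "live" frames, then the same first six followed by frames 3-5
# replayed three times over, the way a looped feed would look.
LIVE_STREAM = build_stream([b"cam-frame-%02d" % i for i in range(10)])
LOOPED_STREAM = build_stream(
    [b"cam-frame-%02d" % i for i in list(range(6)) + [3, 4, 5] * 3]
)

if __name__ == "__main__":
    for name, stream in (("live", LIVE_STREAM), ("looped", LOOPED_STREAM)):
        frames = split_mjpeg(stream)
        print(name, len(frames), "frames; loop alerts at", find_loops(frames))
```

On a real recorder this would run on the frames the DVR receives, not the ones the camera sends, since the point is to notice tampering in between; the window size should be tuned so that a genuinely static scene with compressed-noise floor does not trip the frozen check.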
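The mitigation advice at the end of the talk, segregating the controllers and watching for anomalous activity on a network that is otherwise static and predictable, can be turned into a concrete check. The Python below is an added example, not from the talk: it learns a baseline of (source, destination, protocol, port) flows from a known-good log and then flags any new flow, and any broadcast probe from a host other than the management console, since the discovery service described earlier answers whoever sends one. The log line format, the addresses and the discovery port 4070 are constructed placeholders, not values from the talk.

```python
"""Spot unexpected flows on a segregated physical-security network.

Added example, not from the talk. Assumes a flow log in the constructed
"ts src= dst= proto= dport=" format below; the host addresses and the
discovery port (4070) are placeholders, not values from the talk.
"""
import re
from collections import Counter

# Constructed log format. A real export (firewall, NetFlow, Zeek conn.log)
# needs only a different regex here.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"proto=(?P<proto>\w+) dport=(?P<dport>\d+)$"
)


def parse(line):
    """Parse one log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["dport"] = int(fields["dport"])
    return fields


def flow_key(fields):
    return (fields["src"], fields["dst"], fields["proto"], fields["dport"])


def learn_baseline(lines):
    """Every distinct flow seen in a known-good capture becomes 'expected'."""
    return {flow_key(f) for f in map(parse, lines) if f}


def is_broadcast(ip):
    # Assumption: the security VLAN is a /24, so x.y.z.255 is its broadcast.
    return ip == "255.255.255.255" or ip.endswith(".255")


def detect(lines, baseline, management_hosts):
    """Return a list of alert tuples; the first element is the alert type."""
    alerts = []
    for line in lines:
        f = parse(line)
        if f is None:
            alerts.append(("unparsed", line.strip()))
        elif is_broadcast(f["dst"]) and f["src"] not in management_hosts:
            # Anyone other than the console probing for controllers is suspect.
            alerts.append(("broadcast-probe", f["ts"], f["src"], f["dport"]))
        elif flow_key(f) not in baseline:
            alerts.append(("new-flow", f["ts"]) + flow_key(f))
    return alerts


def summarize(alerts):
    return dict(Counter(a[0] for a in alerts))


# Constructed known-good traffic: console -> controllers over HTTPS, the
# console's own discovery broadcast, and camera -> DVR Motion JPEG over HTTP.
BASELINE_LOG = [
    "2016-08-05T09:00:00 src=10.10.5.10 dst=10.10.5.21 proto=tcp dport=443",
    "2016-08-05T09:00:01 src=10.10.5.10 dst=10.10.5.22 proto=tcp dport=443",
    "2016-08-05T09:00:02 src=10.10.5.10 dst=10.10.5.255 proto=udp dport=4070",
    "2016-08-05T09:00:03 src=10.10.5.31 dst=10.10.5.40 proto=tcp dport=80",
]

# Constructed later traffic: an unknown host probes the broadcast address and
# then talks to a controller directly, plus one unparseable line.
LATER_LOG = [
    "2016-08-05T10:00:00 src=10.10.5.10 dst=10.10.5.21 proto=tcp dport=443",
    "2016-08-05T10:00:05 src=10.10.5.77 dst=10.10.5.255 proto=udp dport=4070",
    "2016-08-05T10:00:06 src=10.10.5.77 dst=10.10.5.21 proto=udp dport=4070",
    "2016-08-05T10:00:07 src=10.10.5.31 dst=10.10.5.40 proto=tcp dport=80",
    "garbage line from a misconfigured exporter",
]

MANAGEMENT_HOSTS = {"10.10.5.10"}  # constructed: the only host allowed to probe


def run_demo():
    baseline = learn_baseline(BASELINE_LOG)
    return detect(LATER_LOG, baseline, MANAGEMENT_HOSTS)


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
    print(summarize(run_demo()))
```

The baseline only works because the segment is segregated and static: on a general office network the set of flows churns constantly and every day would be an alert. Unparsed lines are surfaced rather than dropped, since a silent exporter failure is itself something to notice.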