Access Card Systems -- Trivially Vulnerable?

LAS VEGAS -- A broad range of access card readers designed to grant or deny entry to office buildings, airport terminals and other sensitive areas are inherently insecure and easy to hack, according to a researcher who spoke and demonstrated his methods at the DEF CON hacker conference Saturday.

Researcher Zac Franken showed how to use an ordinary proximity card -- a common ID access card that transmits encoded data as a radio frequency signal when waved in front of a reader -- in combination with a tiny programmable chip to gain access to restricted areas protected by any card reader that employs a specific, widely used communications standard.

That standard, known as the Wiegand protocol, is the system responsible for handling the verification of data when an access card is swiped in front of a card reader. Not all card readers use the Wiegand protocol, but it is among the most widely recognized standards in the industry, due to its widespread adoption in the 1980s.

When a card is waved in front of the reader, it sends a signal over a braid of wires to an access control system that verifies that the code hard-written on the card matches one stored in memory. If it matches, the gate or door protected by the device is unlocked, and the person holding the card is granted access.

Franken's attack works in part because the access control system device on many Wiegand systems commonly stores the ID card number of the very last person to swipe their card. By embedding a simple program into a programmable chip and splicing it into the cabling on the back end of the unit, Franken showed how it was possible to use any proximity card to trick the device into replaying the code associated with the card of the person who most recently entered the protected area.

With a small change in the code, Franken showed how he could deny access to all valid cards after swiping his own, an attack that conjures up some pretty terrifying bad-guy scenarios.

Franken said the other weakness that makes this attack possible is that many card readers are often protected only by a plastic cover and two small metal screws. Removing the cover and screws and pulling the device away from the wall reveals a strand of wires. The device he demonstrated held the replay program on a tiny PIC chip -- an inexpensive, commonly available microcontroller with wire crimps on either side -- which was then spliced as a connector between the two ends of the wire strand.

This research would be scary enough if the weakness were limited to regular card readers. But Franken said a great number of biometric systems on the market today -- such as hand geometry and retinal scanners -- also transmit identity information using the Wiegand protocol.

Franken said organizations that have Wiegand-based devices can take a number of steps to harden the security of the devices, such as using surveillance cameras at reader locations, or installing readers that include tamper protection seals. But he stressed there is little that can be done to update the security of the underlying communications standard.

"The problem is the protocol itself, which is outdated," Franken said, noting that all information on the vulnerable devices is transmitted in plain text. "There is no authentication between the reader and the access control device."
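A worked example, added here and not taken from the article or from Franken's demonstration: it encodes and decodes the common 26-bit Wiegand frame (the plaintext bits the controller receives) and runs a toy controller once without and once with anti-passback, to show that a bit-identical replay is accepted unless the controller keeps state of its own. All card numbers, the facility code and the `Controller` class are constructed for the example.

```python
# Added example, not from the article or Franken's talk: the common 26-bit
# Wiegand frame, and why a replay passes a plain controller but trips anti-passback.

def decode_wiegand26(bits):
    """(facility, card) from 26 '0'/'1' chars: bit 0 even parity over bits 1-12,
    bits 1-8 facility, bits 9-24 card, bit 25 odd parity over bits 13-24."""
    if len(bits) != 26 or set(bits) - {"0", "1"}:
        raise ValueError("frame must be 26 binary digits")
    if bits[1:13].count("1") % 2 != int(bits[0]):
        raise ValueError("even parity mismatch")
    if bits[13:25].count("1") % 2 == int(bits[25]):
        raise ValueError("odd parity mismatch")
    return int(bits[1:9], 2), int(bits[9:25], 2)

def encode_wiegand26(facility, card):
    """Parity-correct 26-bit frame for an 8-bit facility code and 16-bit card number."""
    data = f"{facility & 0xFF:08b}{card & 0xFFFF:016b}"
    even = str(data[:12].count("1") % 2)
    odd = str(1 - data[12:].count("1") % 2)
    return even + data + odd

class Controller:
    """Toy controller (constructed). The wire carries only plaintext card bits
    with no authentication, so the defence lives in controller state: with
    anti-passback on, a card already 'inside' is refused and an alarm is logged."""
    def __init__(self, authorized, anti_passback):
        self.authorized = set(authorized)   # constructed card numbers
        self.anti_passback = anti_passback
        self.inside = set()
        self.alarms = []

    def badge_in(self, frame):
        _facility, card = decode_wiegand26(frame)   # raises on a corrupt frame
        if card not in self.authorized:
            return False
        if self.anti_passback and card in self.inside:
            self.alarms.append(f"passback: card {card} already inside")
            return False
        self.inside.add(card)
        return True

def replay_demo(anti_passback):
    """Holder badges in, then the identical frame is presented again.
    Returns (first_result, replay_result, alarm_count)."""
    ctl = Controller({4321}, anti_passback)
    frame = encode_wiegand26(17, 4321)   # constructed facility code and card
    first = ctl.badge_in(frame)
    replay = ctl.badge_in(frame)   # bit-identical on the wire, as in the replay
    return first, replay, len(ctl.alarms)
```

Without anti-passback the replay returns True with no alarm; with it, the second presentation is refused and logged, which is the kind of controller-side check the readers and the protocol itself cannot provide.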

Franken said he is currently working on a different unit that can be controlled remotely via Bluetooth, potentially allowing the reader to be controlled from a Bluetooth-enabled mobile phone.

By Brian Krebs  |  August 5, 2007; 5:01 PM ET


When anti-passback is initiated will the system still allow entry of the same person?

Posted by: Michael Sackett | August 6, 2007 10:27 AM | Report abuse

The next to last para is the most critical, authenticated comm sessions should be built into the system. Also, any time you store 'secret' information in an unencrypted fashion, you are asking for trouble. Since the idea is that no actual person will be there to watch the authorized person enter, physical security cannot be assured.

Posted by: DBH | August 6, 2007 11:33 AM | Report abuse

The demonstration as reported is not very amazing. What it says is that if a system owner allows the system components to be exposed due to inadequate protection of the installed system then a devious do-bad can cause a problem. Simply adding a PIN to the access process reported in the demonstration will circumvent most of the issues raised by Mr. Franken. Frankly if a competent electronics technician could not trap and resend signals given access to wiring, etc. then I would be truly surprised.

Wiegand as used here is actually an electrical interface that readily and over long distances supports the transmission of small amounts of binary data. It is highly reliable and low cost. It remains a good choice for card readers because getting by it needs someone of some genuine capability to circumvent the controls offered by readers. And, getting by a reader is only the beginning of the intrusion process. Security is built in layers and getting by one just leads to another...!

I would go the PIN route (cheap) in lieu of cameras (expensive) to avoid the simple tampering that was demonstrated. I would enable the tamper switches that report the opening of the reader housing or the ripping of the reader off the wall. I would use all of the other low cost and typically required practices to ensure that basic tampering was not possible.

It is absolutely true that for enough money, time, and motivation, someone can get by anything. The purpose of the security systems is to raise the cost and difficulty of violation of one's security to more than one's estimated threat is likely to spend or have the energy or intellect to use to secure access to you, yours, or things you cherish.

Posted by: Hunter Knight | August 6, 2007 7:00 PM | Report abuse

The increasing convergence of IT and Physical Security has led to some interesting misconceptions as practitioners of the former apply their operating assumptions to the latter.

Mr. Krebs would have you believe that the nation's Physical Security infrastructure will collapse as an army of techno-looters, suddenly emboldened by his article (or their own diabolical research), descends to ravage the assets of industry and government.

The Wiegand communication protocol is indeed, as Mr. Krebs states, ancient and limited (albeit more than adequate for most basic security applications) which is why a small but increasing number of access readers now offer RS485, RS232 and/or IP/Ethernet protocols (with options for AES or PKI encryption) as an alternative. But the rationale for this gradual shift has less to do with security (I am unaware of any breach of physical security resulting from the sort of Wiegand spoof that Mr. Krebs discusses) than with expanding the capabilities of access control readers for uses beyond security (such as logistics, electronic payment and other more advanced applications).

However, the Wiegand format is still (and likely to remain, at least for now) the second most dominant electronic communication format in Physical Security. The most dominant format (by far) is the dry contact closure--and you don't even need a PIC processor to spoof this protocol. So why aren't we worried?

Physical Security professionals, long aware of the capabilities and limits of their tools, use a combination of techniques to ensure appropriate and cost-effective security (depending on level of security required and the specifics of each location) such as tamper detection and CCTV (as mentioned by Mr. Krebs); PIN codes and security layers (as mentioned by Mr. Knight); anti-passback (as mentioned by Mr. Sackett); along with other techniques such as physical hardening and balanced line circuits. Can such systems still be defeated? Of course. But even bad people operate on an ROI basis--does the effort to defeat such systems deliver booty worthy of the time, cost and intellect? With rare exception, the answer is no. Indeed, compare losses from the defeat of Electronic Physical Security Systems (minuscule) to the losses from the defeat of IT Security Systems (huge).

The developers of Electronic Physical Security technologies seek perfection. But perfection is an asymptote. Thus improvements are always possible and so the Physical Security Community welcomes the critical analysis of their IT colleagues but the limitations of Wiegand are not a real threat.

Posted by: Bill Nuffer, Deister Electronics RFID Applications Center | August 7, 2007 2:41 PM | Report abuse

Asymptote = A line whose distance to a given curve tends to zero. An asymptote may or may not intersect its associated curve.

Posted by: Pete from Arlington | August 8, 2007 10:12 AM | Report abuse


© 2010 The Washington Post Company