Hacking access
Token-based physical access control is not as secure as believed.
Systems controlling access to offices, plants and other facilities with card readers and biometric systems could be susceptible to hacking by someone with some technical know-how, a little imagination and a few pieces of commonly available hardware.
Take, for example, Zak Franken, a freelance U.K. security consultant with a penchant for PIC microcontrollers and a knack for thinking his way past access control systems.
'It's amazing what you can do with a PIC [Programmable Intelligent Computer] chip and a little bit of plastic,' he said today at the Black Hat Federal Briefings in Washington.
Franken outlined the strengths and weaknesses of physical access control systems using the most common card-based tokens and biometrics. None are perfect, of course, but the contactless smart card is probably the best, he said.
'In my opinion, it's the way to go,' because of its strong encryption and authentication between the card and reader, which reduces the chance of spoofing.
At the other end of the scale is the concealed bar-code card, on which the user credential is contained in a bar code that is covered by a film that is transparent to infrared for reading.
'It's embarrassing,' he said. 'Anything that can be duplicated with a flashlight and a photocopier should never be used.'
Biometric controls, which compare and authenticate a template created by a scan of a fingerprint, iris, retina or hand geometry, are only as good as the algorithm doing the matching.
'The algorithm pretty much is your security,' he said, and the quality of those algorithms varies.
This is complicated by the fact that the sensitivity of any system has to be tuned to balance acceptable rates of false-positive and false-negative responses. Generally, the more secure a system is, that is, the fewer people it mistakenly approves, the greater the chance that legitimate users will be denied, which is an inconvenience.
'All biometric devices have a bit of a fudge factor built in,' he said. 'No two reads will ever be identical. There is a balancing act, and this is a big issue.'
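The tuning trade-off described above, as an added example that is not from the talk or the article: a threshold sweep over constructed match scores showing the false-accept rate (FAR) falling as the false-reject rate (FRR) rises. The 0-100 score scale, the sample scores and all function names are assumptions made for illustration.

```python
# Added illustration. Scores are constructed, not taken from any real reader.
# Assumed scale: 0-100, where a higher score means a closer template match.
GENUINE = [91, 88, 84, 79, 76, 73, 95, 68, 82, 87]   # same person, repeat reads
IMPOSTOR = [35, 42, 51, 58, 63, 47, 70, 29, 55, 74]  # different people


def rates(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """Return (FAR, FRR) when any score >= threshold is accepted."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr


def sweep(thresholds):
    """Tabulate (threshold, FAR, FRR) for each candidate setting."""
    return [(t, *rates(t)) for t in thresholds]


def equal_error_threshold(thresholds):
    """Setting where FAR and FRR are closest (approximate equal error rate)."""
    return min(thresholds, key=lambda t: abs(rates(t)[0] - rates(t)[1]))


def lowest_threshold_within_far(thresholds, max_far):
    """Least strict setting that still keeps FAR at or below max_far.

    Choosing the lowest such threshold minimises how often legitimate
    users are turned away for a given security target.
    """
    ok = [t for t in thresholds if rates(t)[0] <= max_far]
    return min(ok) if ok else None


if __name__ == "__main__":
    candidates = range(50, 100, 5)
    print("threshold   FAR   FRR")
    for t, far, frr in sweep(candidates):
        print(f"{t:9d}  {far:4.0%}  {frr:4.0%}")
    t_eer = equal_error_threshold(candidates)
    t_sec = lowest_threshold_within_far(candidates, max_far=0.0)
    print("closest to equal error rate:", t_eer, rates(t_eer))
    print("zero false accepts needs:", t_sec, rates(t_sec))
```

On this sample, no setting gives zero for both rates: eliminating false accepts entirely means rejecting a fifth of the legitimate reads.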
But even a good biometric system might be circumvented by a little physical hacking on the reader that scans the biometric feature or reads a card. Most readers are backwards-compatible with technology called the Wiegand Card, which uses bits of magnetized wire embedded in a plastic card to encode a user identification. The card itself is not foolproof, Franken said. 'It is possible to cut the card open and rearrange the bits of Wiegand wire' to duplicate another user's ID. But the real weakness is in the readers that send ID data to a controller using the Wiegand format. 'It spits out the data over Wiegand in plain text,' whether or not the card is being used, Franken said.
He demonstrated Version 1 of a device called the Gecko that contains an inexpensive PIC chip and a few circuits and can be clamped onto the wiring of a reader, to intercept and store the plain-text signals. Most readers are not tamper-proof and have a plastic cover secured by two screws. With the Gecko in place, a Gecko proximity card can be used to replay the user ID of the last card read, which has been captured and stored on the device. A Gecko proximity card also can be programmed to keep legitimate persons out.
Version 2 of the Gecko is flash-programmable, and Version 3 is Bluetooth-enabled so it can be used to fool biometric readers that do not use proximity cards. A fourth version will have a Global System for Mobile Communications cellular interface for remote operation.
'You could literally be on the other side of the world and open the door,' he said.