Shmoocon 2012: Attacking Proximity Card Systems

Brad Antoniewicz of Foundstone presented at Shmoocon on attacking proximity card systems.   HID is the most well known brand of cards.   We’ll see if I can summarize accurately.

Like the virtual pickpocketing of credit cards, a bad guy can also clone proximity cards. At some buildings, outside work hours you need a badge and PIN to enter the premises. But during work hours, you could just walk right in and use a cloned card.

ProxmarkIII allows the researcher to read and emulate any RFID tag.   Badges are typically sequentially numbered.   If the cloned badge doesn’t have the access you need, you could brute force the badge reader.   It would take two years to test the entire card space at the rate of one per second.  But if you already have the company code and one of the badge numbers, that narrows things significantly.

Brad’s experience is that people won’t challenge you even as you stand at the badge reader for multiple minutes trying badge numbers, even with the reader beeping at each attempt.

Side note: employees are told not to let other people piggyback, but at best they hold the door and ask people to swipe a badge. The beep doesn’t indicate success, only that something was read.

Unless the physical access logs are sent to a SIEM, many proxcard systems will not natively alert you to the brute force attack. There is one hilarious drawback Brad mentioned. Security may not react to the brute force attack, but one time they had flagged a particular account, so when the brute force tried accessing as it, security responded fast.

In addition to clone/playback attacks there can be attacks against the badge reader itself. Communication between the reader and the controller is serial. Physical taps may allow recording of a range of badge numbers and PINs. You only need one badge to gain access, so this is a bit of piling on.

The HID controllers were also found to have security issues. I am wondering why the controller would be addressable on the network, but this is what he found: default passwords, undocumented accounts, passwords that can’t be changed from default. The database had default passwords and was vulnerable to SQL injection.

With all this access he was able to send commands like “unlock all”.

I enjoyed this talk and felt the demonstrations were very effective. Proxcard spoofing seems very James Bond and unlikely to be used in real life. The problem is, how many times has an attack been deemed unrealistic by management until management reads about it in the Wall Street Journal?

It is important, then, to add monitoring for brute force attacks where it does not exist. Monitor for unusual access activity, or impossible access activity (being at two locations simultaneously). While we can only pressure the vendor to remove default accounts and allow passwords to be changed, we should make sure these devices are not accessible on the network where possible.
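As an added example of the monitoring the post calls for (and of what a SIEM could do with the physical access logs mentioned earlier), here is a small detector that is my own illustration, not code from the talk or from any access control vendor. It assumes a simple constructed log format (timestamp, reader, badge number, result) and a hypothetical reader-to-site map; the sample log lines are made up. It flags a burst of denied reads at one reader, noting whether the tried badge numbers are sequential, and flags the same badge being granted at two sites closer together in time than anyone could travel.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample access-control log (hypothetical format, not from any real system):
# timestamp  reader  badge-number  result
SAMPLE_LOG = """\
2012-01-28T09:00:01 lobby-door 10231 GRANTED
2012-01-28T09:00:05 lobby-door 10232 DENIED
2012-01-28T09:00:06 lobby-door 10233 DENIED
2012-01-28T09:00:07 lobby-door 10234 DENIED
2012-01-28T09:00:08 lobby-door 10235 DENIED
2012-01-28T09:00:09 lobby-door 10236 DENIED
2012-01-28T09:00:10 lobby-door 10237 DENIED
2012-01-28T09:00:11 lobby-door 10238 GRANTED
2012-01-28T09:30:00 lobby-door 10231 GRANTED
2012-01-28T09:31:00 branch-b-door 10231 GRANTED
2012-01-28T11:00:00 server-room 10240 DENIED
"""

# Hypothetical mapping of readers to physical sites; readers at the same site
# can legitimately see the same badge seconds apart, different sites cannot.
READER_SITE = {"lobby-door": "HQ", "server-room": "HQ", "branch-b-door": "BranchB"}


def parse_log(text):
    """Parse the constructed log into (timestamp, reader, badge, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, reader, badge, result = line.split()
        events.append((datetime.fromisoformat(ts), reader, int(badge), result))
    return events


def _is_sequential(badges):
    """True when the badge numbers form one unbroken run, e.g. 10232..10237."""
    s = sorted(badges)
    return len(s) > 1 and s == list(range(s[0], s[-1] + 1))


def detect_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Flag any reader that sees >= threshold DENIED reads inside a sliding window.

    Returns one alert per reader with the final count and whether the tried
    badge numbers were sequential (the pattern of walking the badge space).
    """
    recent = defaultdict(deque)  # reader -> deque of (timestamp, badge) denials
    alerts = {}
    for ts, reader, badge, result in sorted(events):
        if result != "DENIED":
            continue
        q = recent[reader]
        q.append((ts, badge))
        while q and ts - q[0][0] > window:  # drop denials older than the window
            q.popleft()
        if len(q) >= threshold:
            badges = [b for _, b in q]
            alerts[reader] = {
                "reader": reader,
                "first": q[0][0],
                "last": ts,
                "count": len(q),
                "sequential": _is_sequential(badges),
            }
    return list(alerts.values())


def detect_impossible_access(events, min_travel=timedelta(minutes=15)):
    """Flag a badge granted at two different sites closer together than min_travel."""
    granted = defaultdict(list)  # badge -> [(timestamp, site)]
    for ts, reader, badge, result in sorted(events):
        if result == "GRANTED":
            granted[badge].append((ts, READER_SITE.get(reader, reader)))
    alerts = []
    for badge, visits in granted.items():
        for (t1, s1), (t2, s2) in zip(visits, visits[1:]):
            if s1 != s2 and t2 - t1 < min_travel:
                alerts.append({"badge": badge, "sites": (s1, s2), "gap": t2 - t1})
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for a in detect_bruteforce(evs):
        print("BRUTE FORCE:", a)
    for a in detect_impossible_access(evs):
        print("IMPOSSIBLE ACCESS:", a)
```

On the sample log this reports one brute force alert for lobby-door (six sequential denied badges within a few seconds) and one impossible-access alert for badge 10231, seen at HQ and BranchB one minute apart. The threshold and travel time are tuning knobs; the point is that both signals are already in the access logs and only need to be forwarded somewhere that looks at them.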