Hacker at the Door
Oct 1, 2007 12:00 PM, By Ashley Roe
A presentation at DEF CON 15 exposed vulnerabilities in Wiegand card access systems
DEF CON is widely thought to be the largest underground hacking convention in the world. The yearly convention caters to hacking enthusiasts, IT and security professionals, vendors, FBI investigators and journalists alike. They all descended on the conference in Las Vegas this August to reflect on the latest hacking methods and related research, first-hand demonstrations and roundtable discussions on system vulnerabilities and theory. Among the presentations this year was one taking aim at what may seem an unlikely target for a hacker — the card reader at your company's front door.
Founded and organized by Jeff Moss, known in cyberspace as the “Dark Tangent” (a good number of DEF CON “goons” or staffers have aliases), this year's conference included presentations ranging from “Dirty Secrets of the Security Industry” to “Teaching Hacking At College” to “Why IPv6 is Bad for Privacy.”
A lot of people pay attention to DEF CON. Michael L. Davis, director of technology and intellectual property for HID Global, Irvine, Calif., has attended the event for the past five years. He looks to see what vulnerabilities are emerging in various systems so he can report back to HID and use the information to make products better. He estimates that DEF CON attendees are usually made up of one-third hackers, one-third government officials and one-third corporate officials. The two latter groups attend in part to study up on new methods criminal hackers are using and to remain steps ahead of the “bad guys.”
A sure way to get the attention of the physical security industry is to target the Wiegand-based access control card reader.
Franken's findings
During his presentation, titled “Physical Access Control Systems: Are You Protected By Two Screws and a Plastic Cover?,” DEF CON staff member and 38-year-old “London technology executive” Zac Franken (perhaps also an alias?) illustrated his method for hacking a Wiegand-protocol access card reader. He showed how he could use a proximity card in combination with a small PIC microcontroller chip (a Programmable Intelligent Computer chip) to outsmart card readers that use the Wiegand communications standard, allowing him to gain access to restricted areas protected by the readers. Franken says he spent 12 hours working on his method, which included embedding a program onto the PIC chip, which typically costs $2, and splicing it between one of three wire lines on the backside of a Wiegand reader. The entire manufacturing cost of the PIC device, wires and programming was about $3, according to Franken.
When Franken used a “mystery” proximity card to attempt entry in his demonstration, the programmed chip, which he nicknamed “gecko,” tricked the reader into replaying the code linked to the card of the authorized user who most recently entered the protected doorway. By changing the code of the program installed on gecko, Franken also illustrated how he could deny access to all valid cards after swiping his “mystery” card. Franken declined to identify the suppliers of either the reader or the cards he used in his demonstration because the vulnerability, he says, lies in the protocol and not the products.
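The point that the weakness "lies in the protocol" can be seen from the controller's side of the wire. The following is an added example, not code from the presentation or from any vendor: it assumes the widely used 26-bit Wiegand frame layout (the article does not name a format), a constructed sample credential, and a hypothetical `AuthenticatedLink` scheme shown only for contrast.

```python
import hashlib, hmac, secrets

def wiegand26_encode(facility, card):
    """26 bits: even parity, 8-bit facility code, 16-bit card number, odd parity."""
    data = f"{facility:08b}{card:016b}"
    even = str(data[:12].count("1") % 2)        # first 13 bits get even parity
    odd = str((data[12:].count("1") + 1) % 2)   # last 13 bits get odd parity
    return even + data + odd

def wiegand26_decode(bits):
    """Return (facility, card), or None when length or parity is wrong."""
    if len(bits) != 26 or set(bits) - {"0", "1"}:
        return None
    if bits[:13].count("1") % 2 != 0 or bits[13:].count("1") % 2 != 1:
        return None
    return int(bits[1:9], 2), int(bits[9:25], 2)

AUTHORIZED = {(42, 1337)}  # constructed sample credential

def controller_accepts(bits):
    """Everything the panel can check: a well-formed frame and a known card."""
    return wiegand26_decode(bits) in AUTHORIZED

class AuthenticatedLink:
    """Hypothetical link (both ends modelled here): fresh nonce + HMAC per read."""
    def __init__(self, key):
        self.key, self.nonce = key, None

    def challenge(self):                        # controller side
        self.nonce = secrets.token_bytes(16)
        return self.nonce

    def respond(self, nonce, bits):             # reader side
        return hmac.new(self.key, nonce + bits.encode(), hashlib.sha256).digest()

    def accepts(self, bits, tag):               # controller side
        if self.nonce is None:
            return False
        nonce, self.nonce = self.nonce, None    # a nonce is valid for one read
        return hmac.compare_digest(tag, self.respond(nonce, bits)) and controller_accepts(bits)

def demo():
    frame = wiegand26_encode(42, 1337)          # constructed legitimate read
    recorded = frame                            # identical bits, sent again later
    plain = (controller_accepts(frame), controller_accepts(recorded))
    link = AuthenticatedLink(secrets.token_bytes(32))
    tag = link.respond(link.challenge(), frame)
    first = link.accepts(frame, tag)
    link.challenge()                            # next read gets a new nonce
    return plain, first, link.accepts(recorded, tag)
```

Parity only catches line noise, so the plain controller has no way to tell a fresh read from the same bits arriving a second time; the per-read nonce is what makes the stale message fail.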
So, are we protected by two screws and a plastic cover?
“Probably,” Franken concluded.
Franken, who calls himself a security researcher rather than a hacker because he thinks the term “hacker” has too much of a negative connotation, says his motivation for the presentation was exposing the vulnerabilities of the protocol to users who may be unaware. As a result of his findings, he says he hopes that users will take notice and adjust their system security. “As a security researcher, when I look at something such as a door, I don't see a door, I see, for example, the fact that its hinges are coming out,” he says. “I see vulnerabilities and flaws and, sometimes, they are just screaming out at you.” When he began working with the Wiegand protocol, the researcher says he thought “good grief,” in thinking of the ways the system could be manipulated. “My goal was to point out the vulnerability to the people who use and trust these systems,” he says.
Franken says he does not believe vendors are doing enough to let users know how they could be manipulated. “I think that vendors know about the vulnerability, but they are not doing anything about it. There is no compulsion to innovate a solution,” he says. “And users need to do more research on their systems. They should ask more questions of vendors before putting all of their trust into what the company says.”
Franken did not contact any individual vendors of the technology ahead of the demonstration to give them time to develop a response. “It is not the fault of any individual vendor, so who are you going to call?” he says. “Should I give a commercial advantage to one or two vendors at the cost of the rest or just place my research in the public domain and have everyone on an even footing?”
© 2008 Penton Media Inc.






