Open Sesame: RFID, door controllers and some electronics

Controlling access to your organisation’s premises and to security zones within them is an important part of an information security management system. Access control is included in the PCI DSS and ISO 27001, and understanding it is part of the CISSP qualification from (ISC)2, as described in the Common Body of Knowledge. Access to facilities should be based on the principles of business need to know and least privilege: all those who need access should have access, and they should only have the level of access they need to do their job. Most standards require that access is controlled and logged, and there is a range of solutions, from security guards to sophisticated ‘mantrap’ entry portals.

A requirement of access control is that it should be proportional to the risk and impact; it should be transparent to users while meeting the requirements of the company in terms of compliance.

These days, technology is being deployed to provide solutions. Biometric solutions are not always transparent to the user, may not provide the level of convenience required and can be costly. Mechanical locks such as cypher locks are also not transparent enough to the user or convenient, and it can be difficult to change keys or codes and distribute the news across an organisation in a timely manner – it is not a solution that scales well.

RFID and NFC

A popular solution is a contactless entry card system based on radio frequency identification (RFID) or near-field communications (NFC) technologies. Such systems allow organisations to distribute key cards or tokens to employees and trusted third parties, and individual credentials can be revoked without affecting the whole user population. Being wireless, the cards or tokens only need to be in proximity to the reader, which provides high levels of convenience alongside unique identification, and accountability can be asserted by logging entry and exit.

Such systems can be easily purchased from eBay, Amazon and various system installers, and can vary from individual door locks to enterprise systems. While systems that rely on wireless communication to provide identification and authentication are convenient and transparent to users, they are also subject to attack owing to the nature of wireless communication, which can be intercepted. Additionally, some systems have been designed in an insecure manner.

Since April 2014, as part of talks that I give to branches of the BCS, at universities and for other organisations, I have been demonstrating attacks on door access control systems.

The demonstration shows two types of attacks:

1) Compromising the door controller.

2) Attacking the tokens.

The door controller in the demonstration was purchased from Amazon. Using information obtained by googling components, and other information, it was possible to compromise the system in a number of ways.

Compromising the door controller

In this attack, physical access to the door controller allows the attacker to capture the access codes. Proximity door controllers have a number of elements:

  1. RF circuit
  2. Microcontroller
  3. Door latch controller

In the attack demonstration, I intercept the signals from the RF circuit as they are being passed to the microcontroller, which allows me to read and capture authentication codes transmitted to the door controller. I can then record and replay them back to the controller at a later time or use them in a cloned token.

By soldering some pins to the circuit board, it was possible to capture the stream of binary data from the RF circuitry. Initial work was done with an Arduino, but small systems such as the Teensy could be used.1

2

It was possible to capture the codes, which could be stored or, if a wireless adapter was added to the system, transmitted to a nearby laptop.

3

A small enough device could easily be attached to a controller and the controller then fitted back onto the wall. The compromised controller could then be used to capture legitimate users’ access tokens, allowing them to be used in an attack.

Attacking the tokens

Proximity door controllers work by having a microchip connected to a coil. When the coil is moved through a magnetic field, it generates a voltage that powers the microchip, which then modulates a signal through the coil, which can be picked up by the receiver that generated the initial magnetic field.

Using simple electronics and a microcontroller like an Arduino, it is possible to either replicate the access controller or spoof a token.

4

In the attack I demonstrate, I do both. A coil, simple electronics and an Arduino are used to simulate an access controller. Any token in range of the spoofed access controller will transmit its codes, which can be recorded by the Arduino.

The exact same circuit can then be used to spoof a token and replay the captured codes back to a genuine door controller, allowing a user to be spoofed and the door controller to be tricked into opening. The microcontroller board can also be programmed to use the captured code as a base for a brute-force attack on all tokens by transmitting modified codes and seeing if the controller responds.

Conclusion

These are simple attacks that work on unsophisticated controllers; the principles, however, can be used for more sophisticated attacks that would work on more advanced controllers. Unless a system has been designed with security in mind, it is often easy to attack those systems.


About Geraint Williams

Geraint is a PCI QSA and leads our technical services team, which provides our clients with practical services to ensure their data remains secure. He is also the course leader for the IT Governance CISSP Accelerated Training Programme and the PCI DSS training courses.

He has a strong technical background, with experience of ethical hacking, digital forensics and wireless security issues. Geraint has broad technical expertise in security and IT infrastructure, including high performance computing.