
DefCon: We don’t need no stinking badges – Vulnerabilities in physical access systems

By Shawn Merdinger

Building access control systems are becoming more and more IP-enabled, but the IP-enabled portions of these systems are often poorly controlled and don’t get much love from either the IT or the facilities side.

But the vendors are not always helping: the S2 security box, for example, uses both a web server and a MySQL version with lots of security vulnerabilities in them. The number of security problems Shawn pointed out in various products was truly shocking.

Shawn went on to show us the results of exploitation on a demo box he tested, which simply allowed him to open doors and get to camera feeds.

There is a worrying perception in the physical security industry that hackers will not go after these systems and will instead target financial data and trade secrets. This is not correct: it is very interesting for attackers to actually attack the physical security infrastructure. There is also a perception that these devices are deep in the network and not connected to the internet, but a simple Google hack showed that there are 350+ devices connected to the internet today.

Vendors have to start offering better security, and this will only happen if customers start to demand it.

  1. Shawn Merdinger
    August 11th, 2010 at 22:46 | #1

    Hello,

    I have an open offer for any vendor in the access control space — I will conduct a security evaluation under NDA if they provide a nominal donation to a non-profit like EFF. This is a “phase 1” high-level evaluation with threat model, tool runs, etc. Contact me if interested.

    Thanks,
    –scm

    shawnmer[removethis]@gmail.com
