Privacy Digest

News that can impact your privacy.
Open Sesame: Access Control Hack Unlocks Doors

Submitted by MacRonin on August 5, 2007 - 10:30am
  • Activists
  • Alert
  • Exploits
  • Hardware
  • Hmmm
  • ID
  • Privacy
  • Remember
  • Security
  • Standards
  • Wiegand

Open Sesame: Access Control Hack Unlocks Doors: "Zac Franken, a DefCon goon (staffer), gave a brilliant presentation at the DefCon hacker conference today involving security access control systems and cards for building entrances that use electromagnetic coupling.

The hack involves exploiting a serious vulnerability inherent in the Wiegand protocol that allows an intruder to trick the system into granting entrance to a building to an unauthorized visitor, to lock out authorized visitors and to collect authorization data about everyone who has entered that door to gain access to other areas in a building secured with Wiegand-based readers.

The Wiegand protocol is a plain-text protocol and is employed in systems that secure not only some office buildings but also some airports. Franken has said that it's used at Heathrow airport. Retina scanners, proximity scanners and other access systems all use the Wiegand protocol so the vulnerability isn't device-specific. It's plain text and easily intercepted and replayed.

The hack involves splicing the internal wiring and inserting a device with a PIC chip that Franken has dubbed 'gecko.' To conduct the hack, Franken simply had to pop the plastic cover off the reader with a knife, then unscrewed an internal plate to access the wires. Once he connected the wires to the gecko he returned the plate and cover. (Some card readers have tamper evident devices that send a signal to the backend system if someone removes the reader's cover, but Franken says it's easy to bypass the devices if you know where they are.)

Once the gecko with the PIC chip is in place, here's how it works:

When someone uses their card to access the building, the gecko captures the signal. If Franken then entered later with a card that he designated his 'replay' card (a card that the PIC chip is programmed to recognize) gecko signals the system to use the same signal taken from the card of the person who was previously allowed access. The logs wouldn't show anything amiss, although a camera positioned at the entrance would (but that's only if they're saved and someone bothers to view them).

Using a different card, Franken could also signal gecko to instruct the system to lock out everyone but himself. He'd restore the access system to normal with another card when he exited the building.

The hack only works with the initial reader where the gecko is placed; an intruder would still be barred from entering additional areas inside a building that are secured with such readers. However, Franken says it's possible to do a data dump from the gecko's memory and use the stored IDs on cloned cards. ID data for many people with various levels of access to different areas of the building would enable the intruder to access all areas of a building.

But wait, there's more. Franken is working on another attack that would allow him to do the same with a biometric system that uses a retinal scan. Instead of using a card to send the signal to the gecko, Franken would send the 'replay' signal through a Bluetooth-enabled cell phone, thus bypassing the retina scanning process altogether.

Franken says the Wiegand protocol isn't easily patchable -- it would need to be replaced entirely to make entrances secure.

'There's nothing secure about it,' he says.

The proper solution, he says, would require a cryptographic handshake between the card and reader.

(Read Original Article - Via Threat Level.)

Editor: Photos of the Hack are available at the site by following the link.
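
To make the article's closing point concrete, the following added example (not from the original article or from Franken's talk) contrasts a static plaintext credential, which verifies identically when replayed, with a challenge-response handshake in which a recorded response fails against the next challenge. The class names, the per-card HMAC key and the sample card ID are assumptions for illustration, and the verifying side is modelled as a single controller.

```python
import hashlib
import hmac
import secrets

# Constructed sample values; not taken from any real card or system.
CARD_ID = b"card-0001"
CARD_KEY = secrets.token_bytes(32)  # per-card secret shared with the controller


class StaticIdController:
    """Plaintext scheme: the ID on the wire is the whole credential."""
    def __init__(self, allowed_ids):
        self.allowed_ids = set(allowed_ids)

    def verify(self, frame: bytes) -> bool:
        # Nothing binds the frame to this moment, so a recorded frame passes.
        return frame in self.allowed_ids


class HandshakeController:
    """Hypothetical challenge-response scheme keyed per card."""
    def __init__(self, card_keys):
        self.card_keys = dict(card_keys)
        self.pending = {}  # card_id -> outstanding one-time challenge

    def challenge(self, card_id: bytes) -> bytes:
        self.pending[card_id] = secrets.token_bytes(16)
        return self.pending[card_id]

    def verify(self, card_id: bytes, response: bytes) -> bool:
        nonce = self.pending.pop(card_id, None)  # each challenge is single use
        key = self.card_keys.get(card_id)
        if nonce is None or key is None:
            return False
        return hmac.compare_digest(card_response(key, card_id, nonce), response)


def card_response(key: bytes, card_id: bytes, nonce: bytes) -> bytes:
    """What a card holding `key` computes for a given challenge."""
    return hmac.new(key, card_id + nonce, hashlib.sha256).digest()


def demo():
    static_replay_ok = StaticIdController([CARD_ID]).verify(CARD_ID)
    hs = HandshakeController({CARD_ID: CARD_KEY})
    r1 = card_response(CARD_KEY, CARD_ID, hs.challenge(CARD_ID))
    first_ok = hs.verify(CARD_ID, r1)
    hs.challenge(CARD_ID)               # next entry gets a fresh nonce
    replay_ok = hs.verify(CARD_ID, r1)  # recorded response no longer matches
    return static_replay_ok, first_ok, replay_ok
```

`demo()` returns whether the static ID verifies when replayed, whether the first handshake succeeds, and whether the replayed handshake response is accepted.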


Compilation © Copyright 1997-2010 Paul Hardwick, with Web Hosting provided by MacRonin.com.