This is one of the most well-known and common methods of attack. An attacker targets a badge in a cardholder’s possession and, either from a distance (within read range) or by physically gaining possession of the card, copies the binary-encoded data on its chip to another card’s chip. The cloned card, which was previously blank and is of the same type as the targeted card, now contains the same data as the target. The result is that the cloned card has the same access as the target card, and the system cannot tell that it is a clone. The scary part about this method is that for some technologies it is fast, simple, and can be automated. The limitation, however, is that a specific card must be targeted, and the clone will only possess that card’s access rights and state. To scale this, an attacker would need to know whom to target, get within range or possession of each card, leverage the existing privileges of the person being targeted, and repeat this process for any kind of scale.
Card Minting (Produce new cards without having to clone)
Unlike the previous method (cloning), this method is not limited to targeting one card and only that card’s set of privileges. Once an attacker gains an understanding of the credential technology used, the encoding scheme (format), and anything else about one of your cards in use, the rest of the cards in the global population can be figured out. From this point, the attacker can essentially become their own production/issuance bureau without seeking any further target cards (hence the cloning method is not required). This method is particularly dangerous because it can target any person, any access privileges, and any workspace in your global facilities that uses single-factor authentication. To pull this off, the attacker needs a fairly advanced understanding of RFID technology and of how physical access programs operate, but any competent attacker (one that does this professionally) will be able to acquire this knowledge when determined to do so. Some of the debate from corporate security professionals regarding this method is that the attacker would not have an idea of what card numbers and ranges would be valid. However, there are methods to understand who was issued specific card numbers, which is what makes this successful at scale. Any professional with responsibility to protect their organization should not underestimate the attacker’s determination, skills, and ability to execute this method, and as a result should not discount this method unless they have taken specific steps to mitigate it.
This method involves recording the RFID signal and payload and playing it back to the reader. It differs from cloning in that no physical cloned card is produced (the card is, in effect, cloned only virtually).
Compromising master cryptographic keys of card or reader
More advanced technologies that claim higher security depend on encryption. The strength of encryption depends on “keys” and on how secret they can remain. There are different types of keys. Think of a lock on a door: it will have its own unique key, but it may also be unlockable with a master key (in case the key to the lock is not available, someone has a key that unlocks all the doors in the building). Therefore, if the wrong person gets hold of the key to a specific door, that door is at risk. If a person gets hold of the master key, then the entire population of doors in a building or organization is compromised, and all of them will need to be replaced. Some aspects of encryption keys work in a similar way, and the result would be compromised doors, readers and credentials that would have to be replaced globally to remediate. It sounds bad, and it is…very bad. Cryptographic keys for cards and readers should be managed with the best security practices possible to avoid this issue. However, a recent analysis by D6 Research has revealed that most vendors, technologies and practices do not measure up to what Information Security and Audit practitioners (who have more expertise on the matter) would consider acceptable, leaving most enterprises at risk of complete exploitation.
This occurs when a person walks through a door without presenting their credential, relying on a previous person’s legitimate authentication and authorization at that access point.
This occurs when a person who has already authenticated at an ingress point does so again without first having exited the area or facility. This could be a sign that their exit from the building was not tracked, but it could also be a sign of a duplicate credential being used.
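As an added example (not code from the original article), the following Python script implements the check just described over a constructed set of badge events: it walks the events in time order, remembers which cards are currently “inside”, and flags any entry read by a card that never badged out. It also reports how long after the earlier entry the repeat occurred, since a short gap is harder to explain by a missed exit read and is worth triaging as a possible duplicate card. The log format, reader names and card numbers are made up for the example.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed sample badge events (not real PACS data). One event per line:
# timestamp, card number, reader name, and direction of the read.
SAMPLE_EVENTS = """\
2024-03-01T08:02:10 card=1045 reader=LOBBY-IN dir=in
2024-03-01T08:03:41 card=2210 reader=LOBBY-IN dir=in
2024-03-01T08:15:05 card=1045 reader=LOBBY-IN dir=in
2024-03-01T12:01:33 card=2210 reader=LOBBY-OUT dir=out
2024-03-01T12:40:12 card=2210 reader=LOBBY-IN dir=in
2024-03-01T17:30:00 card=1045 reader=LOBBY-OUT dir=out
"""


@dataclass
class BadgeEvent:
    ts: datetime
    card: str
    reader: str
    direction: str  # "in" or "out"


def parse_events(text):
    """Parse the constructed key=value log format into BadgeEvent objects."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts_str, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        events.append(BadgeEvent(datetime.fromisoformat(ts_str),
                                 kv["card"], kv["reader"], kv["dir"]))
    return events


def find_passback_violations(events):
    """Return one finding per 'in' read by a card that is already inside.

    Each finding is (card, timestamp, reader, seconds_since_prior_in).
    """
    inside = {}  # card -> timestamp of its unmatched 'in' read
    findings = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.direction == "in":
            if ev.card in inside:
                gap = (ev.ts - inside[ev.card]).total_seconds()
                findings.append((ev.card, ev.ts, ev.reader, gap))
            inside[ev.card] = ev.ts
        elif ev.direction == "out":
            # An exit clears the card; an exit with no prior entry is ignored here.
            inside.pop(ev.card, None)
    return findings


def audit_sample():
    """Run the check over the constructed events."""
    return find_passback_violations(parse_events(SAMPLE_EVENTS))


if __name__ == "__main__":
    for card, ts, reader, gap in audit_sample():
        print(f"passback violation: card {card} at {reader} {ts.isoformat()} "
              f"({gap:.0f}s after its previous entry)")
```

On the sample data only card 1045 is flagged: it enters twice about thirteen minutes apart with no exit in between, while card 2210 enters, exits and re-enters cleanly. In a real deployment the same logic would run per controlled area rather than per building, and the gap threshold used for alerting is a site-specific tuning decision.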
Interception of card delivery/shipment
Cards produced by manufacturers are sent via mail carriers and hence can be intercepted and tampered with. While these credentials are not likely to be active in the system, they can be used in other ways that help an attacker carry out cloning and minting techniques. These shipments should be sent via a more secure method than is typical, with tracking and alerts to account for delays, etc.
Social engineer card manufacturer or reseller
An attacker doesn’t really care HOW or from WHOM they get the information they require to pull off an attack – whatever is easiest, most effective, and least likely to get caught. Some manufacturers and partners that customers order cards and readers from are significantly weak in their ordering and tracking processes and can be fooled into giving up information about the readers and cards that helps an attacker pull off an attack method (or part of it). How much have you investigated, audited and tested your partners’ and manufacturers’ control over your data?
Exploit weaker Low Frequency to compromise matching High Frequency credentials
A common recommendation by manufacturers and integrators when moving from legacy credentials (such as prox) to more secure credentials (higher frequency) is to issue dual-technology cards, encoding the new frequency to match the old one. The benefit here is that the migration is almost bulletproof, as all the existing readers and new readers will work with both old and new cards. However, this method is seriously flawed from a security standpoint, as the legacy technology, common to all cards and readers, can be exploited to reveal the contents of the new (intended to be private and secure) technology. Technologies that are immediately vulnerable to this are MIFARE and iCLASS, and other technologies would likely become insecure much sooner than their intended life as they age and are deprecated. The longer you plan to go without replacing the investment in cards and readers, the more you will want to avoid this method.
Tampering reader to panel (compromise authentication payload)
For the most part, readers don’t make decisions about opening doors; the controllers do. The reader, in most cases, only reads the card (sometimes securely) and then passes the data to the controller to analyze and make a decision. From the reader to the controller (in the vast majority of cases) this output is sent completely in the clear (readable to anyone that looks at it), and is therefore very open to exploitation even if the reader itself is highly secure. This can be exploited a few ways: by intercepting a real transaction and using it for replay, or by creating a new transaction without the cardholder even present, at another access point or by splicing the wiring. This technique, in typical conditions, also defeats any type of biometric or second-factor implementation. Currently, there are some limited steps organizations can take to mitigate these types of attacks, either globally or for high-security access points and environments where this risk is exceedingly unacceptable. However, typical installations, without systems specifically designed for mitigation, will include this vulnerability by default.
Intrusion to Physical Access Control System (software) to change credential/user data
This one is REALLY bad. Hackers are experts at cracking software (we know this, right?). Access Control Systems are just that: software. If they can figure out how to get into bank systems, IT servers, etc., then you can bet that getting into a PACS is well within their skill set. In fact, it is likely even easier. D6 has performed research into the security of many of the access control systems on the market, along with the configurations recommended by manufacturers and the typical installation procedures of leading integrators, and has found that it is common for these systems to be set up in ways that make it easy for attackers to penetrate; sometimes the access control software has flaws in its code that make the security software itself insecure. The result is that attackers can execute “command and control” of your central PACS. The things that can be done at this point are nearly unlimited and scary – creating new users, replacing photos with their own, turning off alerts and alarms, getting all card format information; it is nearly endless. Perhaps the scariest thing about this is that the attacker will likely be able to delete all log data pertaining to their events so their session is invisible, and leave a backdoor open so they can get back in (even more easily the next time). This should be locked down like Fort Knox. If you haven’t hired a red team to test this (along with your controller configuration and security), then it would not be reliable to assume that this does not apply to you.
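One design measure against the log deletion described above is to make the audit trail tamper-evident: each entry carries a hash over its own contents and the previous entry’s hash, and the chain head is copied to a system the PACS server cannot write to. The Python below is an added example (not the article’s or any vendor’s code) showing such a chain over a constructed set of administrative events and demonstrating that both removing an entry from the middle and truncating the tail are detected.

```python
import hashlib
import json

GENESIS = "0" * 64  # chain anchor for the first entry


def entry_hash(prev_hash, record):
    """Hash of (previous entry hash || canonical JSON of this record)."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()


def append_record(log, record):
    """Append a record to the in-memory chain and return the new entry."""
    prev = log[-1]["hash"] if log else GENESIS
    entry = {"record": record, "prev": prev, "hash": entry_hash(prev, record)}
    log.append(entry)
    return entry


def verify_chain(log, expected_head=None):
    """Check every link; optionally check the final hash against an externally stored head.

    Returns (ok, index) where index is the first entry that fails, or None.
    """
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["prev"] != prev or entry_hash(prev, entry["record"]) != entry["hash"]:
            return False, i
        prev = entry["hash"]
    if expected_head is not None and prev != expected_head:
        return False, len(log)  # entries were removed from the tail
    return True, None


# Constructed sample audit records (not real PACS log lines).
SAMPLE_RECORDS = [
    {"ts": "2024-03-01T21:14:02", "user": "svc_integrator", "action": "login"},
    {"ts": "2024-03-01T21:15:40", "user": "svc_integrator", "action": "create_cardholder", "card": "5551"},
    {"ts": "2024-03-01T21:16:12", "user": "svc_integrator", "action": "grant_access", "card": "5551", "door": "DC-01"},
    {"ts": "2024-03-01T21:20:05", "user": "svc_integrator", "action": "logout"},
]


def build_sample_log():
    log = []
    for rec in SAMPLE_RECORDS:
        append_record(log, rec)
    return log


def demo_deletions():
    """Show that both a middle deletion and a tail deletion are detected."""
    log = build_sample_log()
    head = log[-1]["hash"]  # in practice, ship this to a host the PACS server cannot write to

    middle_deleted = log[:2] + log[3:]  # the grant_access entry is dropped
    tail_deleted = log[:2]              # everything after create_cardholder is dropped

    return {
        "intact": verify_chain(log, head),
        "middle_deleted": verify_chain(middle_deleted, head),
        "tail_deleted": verify_chain(tail_deleted, head),
    }


if __name__ == "__main__":
    for name, (ok, idx) in demo_deletions().items():
        print(f"{name}: {'ok' if ok else f'broken at entry {idx}'}")
```

The chain only proves integrity relative to a head hash that the attacker could not alter. An attacker with full control of the PACS host can rewrite the chain from any point onward, so the head (or better, each entry as it is written) must be forwarded to a separate collector; verifying against that external head is what turns a quiet deletion into an alert.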
Intrusion to Physical Access Control System (software) to change controller configurations
Using the same method above, the attacker could gain access to controllers and their configurations and make modifications to enable authorization for new types of cards and users that were previously not authorized. For example, they might not be able to figure out your really wacky custom Indala card format, but since 125 kHz is enabled, they can push a new card format to the controller (such as standard 26-bit, or a different Indala format with the same bit count to ensure compatibility with a finicky reader), make a card to match what they have created, and go right through secure areas. We’ve used this technique in some of the most “secure” institutions in the world, so it is quite the reality. Scary indeed.
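Both the minting method above and the controller format change just described leave a trace in what the controller actually receives: reads in a bit length the site never issued, reads that fail the format’s parity checks, or reads carrying a facility code that was never assigned. The Python below is an added example (not the article’s or any manufacturer’s code) that decodes the standard 26-bit format mentioned in the text, whose public layout is an even-parity bit, an 8-bit facility code, a 16-bit card number and an odd-parity bit, and audits a constructed batch of raw reads against an assumed site policy of “26-bit reads from facility code 42 only”. The frames, policy and finding labels are made up for the example.

```python
# Constructed raw reader-to-controller frames (not captured data): each is the bit
# string a controller would receive for one card read, most significant bit first.
SAMPLE_READS = [
    "10010101000000100110100100",  # 26-bit: FC 42, card 1234, parity ok
    "00110001100000000000001110",  # 26-bit: FC 99, card 7, parity ok
    "10010101000000100110100101",  # 26-bit: same as the first but last bit flipped
    "0" * 34 + "1",                # 35-bit read: not a format this site issues
]

# Assumed site policy (made up for the example): only 26-bit reads from facility code 42.
ALLOWED_BIT_LENGTHS = {26}
ALLOWED_FACILITY_CODES = {42}


def decode_h10301(bits):
    """Decode a standard 26-bit frame into (facility_code, card_number, parity_ok).

    Layout: bit 0 = even parity over bits 1..12, bits 1..8 = facility code,
    bits 9..24 = card number, bit 25 = odd parity over bits 13..24.
    """
    if len(bits) != 26 or set(bits) - {"0", "1"}:
        raise ValueError("expected a 26-bit binary string")
    even_ok = bits[0:13].count("1") % 2 == 0
    odd_ok = bits[13:26].count("1") % 2 == 1
    facility_code = int(bits[1:9], 2)
    card_number = int(bits[9:25], 2)
    return facility_code, card_number, even_ok and odd_ok


def audit_reads(reads, allowed_lengths, allowed_fcs):
    """Classify each raw read; anything other than 'ok' is worth an alert.

    Assumes every allowed length is the 26-bit format; a site with other
    formats would dispatch on length to the matching decoder.
    """
    findings = []
    for raw in reads:
        if len(raw) not in allowed_lengths:
            findings.append((raw, "unexpected_format_length", len(raw)))
            continue
        fc, card, parity_ok = decode_h10301(raw)
        if not parity_ok:
            findings.append((raw, "parity_error", None))
        elif fc not in allowed_fcs:
            findings.append((raw, "unknown_facility_code", fc))
        else:
            findings.append((raw, "ok", (fc, card)))
    return findings


if __name__ == "__main__":
    for raw, verdict, detail in audit_reads(SAMPLE_READS, ALLOWED_BIT_LENGTHS,
                                            ALLOWED_FACILITY_CODES):
        print(f"{raw:>35}  {verdict:<25} {detail}")
```

The check is only possible where raw reads are logged, either by the controller or by a monitoring tap on the reader wiring; where a controller reports only the decoded card number, the bit length and facility code are already lost. The point of the length check is that the controller should never be asked to accept a format the organization does not issue, so a newly appearing bit length is a configuration change to investigate, not a user to onboard.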
Controller Exploitation (hardware)
Most controllers are on a network back to the Access Control System these days. Unfortunately, similar to how PACS are built, implemented and configured, they often don’t follow the application security best practices designed to stop attacks. The common methods used on the IT side to scan for network devices, traffic and ports, which IT systems are usually hardened against (as a result of IT getting better about configuration), often find these controllers wide open. In fact, some methods can reveal the location, name, and device type of controllers publicly, discoverable from across the globe by anyone. From here, taking control of that access point (sending an open-door command) or exploiting the list of authorized cardholders is a next step that can be combined with another attack method.