This Tuesday at the ASIS Global Security Exchange (GSX) in Las Vegas, Mike Kelly and I presented our talk “Network Attacks Against Physical Access Controls” covering our experiences attacking organizations’ physical security controls post network compromise. This is a topic we had spoken about before at other conferences (HushCon, THOTCON) but the GSX was our first opportunity to move this conversation outside the strictly Information Security community, and speak directly with the type of people and organizations that would be on the receiving end of these types of attacks.
Mike and I work as penetration testers and Red Team members, assessing the security of computer networks, systems, facilities and personnel for numerous organizations. Most commonly, our clients are responsible for I.T. or Information Security at their organizations and requests for physical security testing would primarily focus on a basic scenario of: “Can an attacker leverage physical access to our facility to gain access to our internal network?” Findings for these physical security engagements would detail the methods an attacker, without network access, would use to physically compromise a location to gain a network foothold. This attack methodology provides value to the Information Security team, where protecting IT resources is the overall goal and where physical compromise is a means by which an attacker may attempt to bypass other defenses.
What we found missing from this methodology was a broader understanding and assessment of the physical security perimeter as a target itself. When we consider physical security controls as more than just a barrier protecting the network and instead think about their role protecting the physical security and safety of the entire organization we find that many of more common attack tactics and techniques fall short of assessing the complete physical security attack surface.
Understanding where your perimeter begins is a vital part of building a comprehensive security program. It’s easy to say that the physical security perimeter starts at the edge of the property, the main gate or the limit of the security camera’s field of view but these fail to consider the current level of connectivity found in the majority of organizations. Physical Access Control Systems (PACS) hardware and software has evolved from using dedicated equipment, cabling, and protocols to being near plug-and-play with the rest of the network. At the same, the explosion of internet-based attacks against organization’s networks and personnel has effectively expanded that physical security perimeter to include the entire world.
In our presentation we talked about how physical security testing is progressing; moving past some of the more traditional techniques such as lockpicking and tailgating or piggybacking and more recent methods like long-range RFID badge cloning. We provided with a number of examples of different techniques we had put into practice during engagements targeting physical access control systems after achieving a level of unauthorized network access.
The first method we covered involves attacking the PACS hardware/firmware directly. During a Red Team test, Open Source Intelligence (OSINT) gathering revealed the exact model of door controller installed at the target facility. After acquiring one of the devices, Mike discovered a weakness in the system’s communication protocol (CVE-2017-16241) and developed a working exploit. As a result, we were able to remotely unlock the doors of the targeted facility, including those protected by biometrics. Similar research into these type of systems is ongoing with the most recent example being Google’s David Tomaschik talk, “I'm the One Who Doesn't Knock” at DEF CON 26.
Next, we spoke about attacks against the PACS backend systems and supporting infrastructure. These fall in line with what we would see in network penetration test. Instances of improperly stored database backups containing badge numbers, PACS software with default credentials (including unchangeable passwords), unencrypted communications, and a lack of network segmentation result in the capture of sensitive badge credentials, and the ability to assume direct control of employee badging and surveillance camera systems.
Finally, we covered exploiting common user errors to gain physical access. These often follow a pattern of weak password selection combined with a failure to understand the sensitivity of the information like employee badge numbers. While most people would pause before emailing a spreadsheet full of unencrypted passwords, a list of employee badge numbers may not elicit the same caution. Compromising one employee email account can lead to an attacker having all of the information needed to create functional clones of employee badges for the entire organization.
One of our main motivations for presenting at GSX was the opportunity to speak with the people at the intersection of information and physical security. The separation of responsibilities between an organization’s information security team and the operations/physical security team can complicate communicating the level of risk revealed by this type of testing and opportunities to bridge that gap are key. The Q&A session and discussions we enjoyed with our audience and the other attendees at GSX provided us with valuable insight into the challenges facing all of us as we continue to work towards a more secure world.
For more information on this topic, please feel free to contact us at firstname.lastname@example.org.