Hello everyone, my name is Cedric and I'm here again with another story on pentesting and security, straight from the trenches.
Today I'm going to share a story with you about an assignment we did some time ago for a large entertainment company. Our client, like many entertainment companies, produces a lot of intellectual property. So, one of their biggest concerns is that someone might physically break into their premises and steal some of these designs and products. They had already taken some precautions, like installing intrusion detection alarms and access controls on all doors etc. The access controls they installed even had a dual function and could be used both as an RFID reader and as a fingerprint reader. So, they were already trying their best to secure their on-site intellectual property. And that's also the reason why they hired me and my team: they wanted to check if their investment in security was actually worth its money so far.
We proposed a plan to hack them, in any way our devious minds could possibly think of. Everything was on the table: we could try and hack ourselves in. We could social engineer ourselves in, basically by manipulating people and abusing their trust and confidence. We could do all of that, and we would, eventually. But first, the grand opening of this show would be an attempt to physically break into their premises at night. And yes, that was as much fun as it sounds ;-)
Our approach was basically the same as that of a professional burglar: we'd start with a week of preparation and scoping the place.
So how do you do this? Well, we knew the address of course, so first we checked out the place on Google Maps. And we were pretty lucky: Google had just recently updated their imagery of the area, which meant we had recent maps to work with and the entire thing could be viewed in 3D with a fair amount of detail. That's pretty much as perfect as it comes when you're planning to do a major heist on a place in the physical world out there :-) So, we started with scouting the area from behind our laptops. We saw where all the entrances to the building were. We also saw that on the front side the building just gave access to the street, while on the back side of the premises there was a public park. This looked very promising as a potential entry point, so our next step would be to actually physically go there and scout the area.
So, first we went there during daylight hours and just took a drive around the block using a rental car. We'd look for entrances to the building, cameras guarding these and the general view of the area, basic things… We didn't spot any cameras on the outside of the building. So we figured it would be pretty safe to take a walk and scout the area on foot. There was foot traffic but not too much, so we wouldn't draw any attention by just casually walking around and having a closer look.
The main entrance to the building was in a quiet street which led to a small square where a few kids were playing, and on the other side there was a street with some shops and a few restaurants. The entrance to our client's building had a gate through which we could see a quiet courtyard and the general layout of the building. The first thing that drew our attention was an access control device guarding the entrance: it was a fingerprint reader, and it had the brand name Suprema printed on it. Straight across the courtyard we could see the trees of the neighboring park. There was a rooftop terrace on the first floor which gave access to the offices of our client. We also noticed the wall that separated this terrace from the park, and it was huge, at least 6 meters.
We couldn't hang around for too long of course, so we decided to continue our walk to the second entrance we spotted just around the corner. We could recognise its anonymous door next to a restaurant because it was guarded by the same Suprema fingerprint device. The restaurant however seemed quite popular, and it had a terrace in front of it with a dozen tables, so that pretty much dismissed this entrance as a possible entry for our heist.
Needless to say, while we walked around the block we were also continuously scanning the area for Wi-Fi and Bluetooth devices. But nothing interesting had shown up so far. We had spotted our client's network, but it was protected. We probably could use this information to set up rogue access points later during our assignment, but for now this information was of little use to us.
We continued our walk and took a left to end up at the park bordering the other side of our client's building. While the park was empty at that moment, we didn't really feel at ease. On one side the park bordered an apartment building, and all of its rear terraces faced this park. We went to the wall at the far end of the park as casually as possible and inspected it. It had two large windows, giving the people working in the offices on the inside a nice view of the park. Unfortunately these windows didn't seem to have any way of opening. The wall was high, very high; we estimated about 8 meters. On the other side it would give access to the terrace on the first floor. We figured that this would be the perfect entry point for our heist. We'd use the cover of darkness to get a ladder across the park, under the trees against that wall. I'd climb over it to land on the terrace, and that would be our first step onto the premises. The next step would be to find a way into the building, and for that we'd have to find a way to bypass these Suprema fingerprint readers next to every door.
So we went back to our hackerspace and researched this device, and we figured the best way to move forward would be to actually buy one of these to first try and hack it in the safety of our lab. So I spent a fair amount of time researching the exact model they had installed and ordering one from a local supplier. The thing came at a hefty price; these Suprema devices are not cheap. But now I had an electronic lock, a relay board, a power supply and one of these fingerprint readers with which I could start playing.
I started off with reading the manual of course, which already was very interesting on its own. I learned that this thing can be configured in a zillion ways. I figured that, like most things, the guys that installed it would probably stick pretty close to how it came out of the box. So that's what I did as well: I installed the thing exactly as it came, following the instructions in the manual.
I'll give you the summary of this entire installation. Electronic locks are pretty simple technology. Basically it's just an electromagnet, a coil through which you send current to create a magnetic field that pulls a bolt out of the way so the lock can open; that's when it makes the clicking sound. Inside the building, the receptionist can just press a button and a current will flow to the lock. However, on the outside of the building it wouldn't be very desirable that anyone can just press a button to open the door. That's why most companies implement access controls like RFID readers or, in this case, fingerprint readers. A visitor scans his fingerprint with the device next to the door, the software checks if it finds the signature of the print in the database holding all recognized prints, and if so it will open the door.
So if we wanted to bypass this scheme, we'd basically have two options: hack the device to open the lock, or duplicate a registered fingerprint to fool the scanner and open the lock. Research had shown that this last option wasn't actually so far-fetched. It's actually a proven feasible attack; the last DEFCON even demonstrated an attack where a print was copied in 3D using a 3D printer. The technique we would try involved etching the negative of a high-contrast image from a lifted latent print onto a copper plate. Next we'd pour hot glue over that etch to actually recreate the fingerprint in 3D. However, this procedure requires some practice and skills, and we didn't have time for that. We tried it using our own prints lifted from a glass plate, following the procedure as best as we could, but we failed miserably. So, this would not be an option, and we had already spent a fair amount of time.
So by now it had become clear we would have to hack the device. And as it was lying there in front of me on my desk, basically running the default setup with just my own print registered in the software, it became obvious that I had missed a crucial error in the design the entire time. I had never actually bothered to install this thing "properly", like mounted to a board with its cables fitted nicely behind a wall etc. The entire thing was just lying there in front of me on my desk, and all the cables really were a mess, but most importantly: the software wasn't showing any warnings whatsoever that the device was not mounted to a wall. I investigated the manual and I learned that the thing has something called a "tamper alarm". But this must have been disabled by default, because I never had any alarms while the device was just lying there and I was continuously shaking and moving it. So this meant that I could probably just pull this thing from a wall without any alarms going off.
I had to validate this premise first before we could continue. If this turned out to be a false assumption, we'd waste valuable time investigating a plan which would probably fail in the end. So the following night I set out again to our client's building. It was like 3:30 in the morning and there was nobody on the streets. We had already validated that there were no cameras pointing at the entrance; still, I didn't feel too confident. My plan was simple but solid: I'd unscrew the fingerprint reader at the main entrance and put it back in place after 30 seconds. I'd then walk to the little square at the end of the street and sit on the bench there so I would have a clear view of our client's entrance. I figured that, if the tamper alarm was enabled, and if they had someone monitoring it, they would probably come and check the device causing the alarm. I'd be interested in their response time of course, but most of all I was just hoping nobody would show up. And that's also what happened. I waited for 2 whole hours on that bench and nobody showed up, so I concluded the tamper alarm must have been disabled, as is the default setting on these things, or nobody was monitoring it. Anyway, now I knew I could safely start tinkering on how I could manipulate this thing into letting me in.
So the next day, after I had a few hours of sleep, we went back to work, playing with that Suprema BioLite and its software. I was in a good mood and had lots of inspiration. We started with investigating the general architecture of this access control scheme. So it turns out you have a client device, the scanner next to the door, and this client device gets a database of recognized fingerprints from a control server which holds a list of all connected devices. So it's on this server where you register new doors and locks and new users that can open these locks. Now, when I installed the setup to experiment with, I learned that I had to register the lock into the control server before I could actually do anything, so I followed that entire procedure, but unless I was missing something I didn't notice any real checks to be in place during that registration. So what I was thinking was: maybe I can disconnect this device from its network and the control server and reconnect it to my own server. Then I could upload my own prints to the device, and then I'd be able to open the door with my own finger. So that's what I tried. I had the entire setup running in my own network, so I re-installed the software once again on my laptop. I then registered another print of mine into this installation. Next I disconnected the device from my network and connected it to a new temporary network running on my laptop: I had it running DHCP, and I had a little USB-powered Ethernet switch lying around which came in handy for this job. So the device quickly got an IP address from my new network, and when I scanned for new fingerprint devices in my network using the Suprema control server that was installed on my laptop, I easily found it and was able to register it in this installation. I then was able to upload a copy of my fingerprints from my laptop to the device, and after reconnecting it to the original network I could still open the lock with my newly registered print.
So this meant we had our hack to bypass this device: we'd just upload our own set of prints to it and it would happily accept these and open the door for us.
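The defender's view of the procedure described above, as an added example that is not part of Cedric's story or of Suprema's software: a small Python monitor over the legitimate control server's event log. The legitimate server never sees the rogue enrollment itself (that happened against the attacker's own server), but it does see the reader drop off and come back, it can compare the template count the reader reports against the number it pushed, and it sees tamper switch events if the alarm is enabled. The log format, field names, reader names and template counts below are all constructed for the example, not Suprema's real format.

```python
"""Detection rules over access-control reader events (constructed log format)."""
from dataclasses import dataclass
from datetime import datetime, time, timedelta

# Constructed sample controller log, one event per line. This is NOT the
# Suprema log format; timestamps, reader names and fields are assumptions.
SAMPLE_LOG = """\
2019-06-12T03:12:40 reader=terrace-door event=OFFLINE
2019-06-12T03:13:05 reader=terrace-door event=ONLINE
2019-06-12T03:13:30 reader=terrace-door event=SYNC templates=43
2019-06-12T03:14:02 reader=terrace-door event=ACCESS_GRANTED user=1042
2019-06-12T09:01:11 reader=main-entrance event=ACCESS_GRANTED user=17
2019-06-12T10:22:00 reader=main-entrance event=SYNC templates=42
2019-06-12T11:45:09 reader=main-entrance event=TAMPER
2019-06-12T12:00:00 reader=side-door event=OFFLINE
2019-06-12T12:00:20 reader=side-door event=ONLINE
"""

# Server-side truth (constructed): how many templates the control server
# has pushed to each reader. A reader reporting more than this holds a
# template the server never distributed.
EXPECTED_TEMPLATES = {"terrace-door": 42, "main-entrance": 42, "side-door": 42}

BUSINESS_HOURS = (time(8, 0), time(18, 0))   # assumption for the example
RECONNECT_WINDOW = timedelta(minutes=10)     # "brief" disconnect threshold


@dataclass
class Event:
    ts: datetime
    reader: str
    kind: str
    fields: dict


def parse_line(line: str) -> Event:
    """Parse '<iso-timestamp> key=value key=value ...' into an Event."""
    ts_str, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    return Event(datetime.fromisoformat(ts_str),
                 fields.pop("reader"), fields.pop("event"), fields)


def parse_log(text: str) -> list:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def outside_business_hours(ts: datetime) -> bool:
    start, end = BUSINESS_HOURS
    return not (start <= ts.time() < end)


def detect(events: list, expected: dict = EXPECTED_TEMPLATES) -> list:
    """Return (timestamp, reader, reason) alerts in log order."""
    alerts = []
    last_offline = {}   # reader -> time of most recent OFFLINE
    suspect = set()     # readers whose template count disagreed with the server
    for ev in events:
        if ev.kind == "TAMPER":
            alerts.append((ev.ts, ev.reader, "tamper switch triggered"))
        elif ev.kind == "OFFLINE":
            last_offline[ev.reader] = ev.ts
        elif ev.kind == "ONLINE":
            off = last_offline.get(ev.reader)
            # A reader unplugged and replugged at night is exactly what a
            # re-cabling attack looks like from the server side.
            if off and ev.ts - off <= RECONNECT_WINDOW and outside_business_hours(ev.ts):
                alerts.append((ev.ts, ev.reader,
                               "reader reconnected out of hours after brief disconnect"))
        elif ev.kind == "SYNC" and ev.reader in expected:
            reported = int(ev.fields["templates"])
            if reported != expected[ev.reader]:
                suspect.add(ev.reader)
                alerts.append((ev.ts, ev.reader,
                               f"template count {reported} differs from server's {expected[ev.reader]}"))
        elif ev.kind == "ACCESS_GRANTED" and ev.reader in suspect:
            alerts.append((ev.ts, ev.reader,
                           f"access granted by user {ev.fields.get('user')} on reader with unexplained templates"))
    return alerts


if __name__ == "__main__":
    for ts, reader, reason in detect(parse_log(SAMPLE_LOG)):
        print(f"{ts.isoformat()} {reader}: {reason}")
```

On the constructed log this raises four alerts, all on the terrace door and the main entrance: the night-time disconnect, the extra template, the access granted with it, and the tamper event. The side door's midday reconnect stays quiet, which is the point of the business-hours condition; the template-count rule only works if the server actually reconciles what each reader holds, so it is worth checking that your controller exposes such a count at all.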
So we hired a van and a ladder, and with some action cameras geared up we set out in the middle of the following night. We managed to get the ladder across the park and put it against the wall without making too much noise; we didn't wake up any curious neighbours. Next, I'd climb up the ladder, but since it was only 6m and the wall was about 8m high I'd have to climb the last bit by hand. Fortunately there was some vegetation growing on that wall and it felt like it would be strong enough to hold my weight. So, I gave it a try and pulled myself up from the ladder, and the vines fortunately didn't break, so I climbed to the top of the wall and hoisted myself on top of it. I jumped off on the other side and landed on the first floor terrace we had seen earlier. I went straight to the door, and as expected it had one of these Suprema fingerprint readers next to it, and I immediately went to work: I unscrewed the device from its mounting bracket and pulled the cables a bit from the wall. I then cut all the wires of the UTP connection and connected a female RJ-45 socket to the UTP wires of the fingerprint reader with crocodile clips. Next I hooked it up to my USB-powered switch, which connected the device to the network running on my laptop. As I had tested everything in detail, the attack went smooth as a breeze, and within no time I had my own fingerprint loaded into the device. I tested it and I could hear the lock of the door clicking while I put my finger onto the reader, so I started screwing the device back into the mounting bracket.
Everything went exactly as planned, and I had just put my laptop and all my gear into my backpack again when suddenly I saw the lights go on through the glass door separating me from the inside of the top floor. I could see the elevator doors open and suddenly there I was, standing face to face with a janitor. I could see his face and he could see me, so I tried to pull myself together; I had to think quickly. I figured he would let me in, or call the cops, and I would probably only get one chance to explain myself. So I pulled my silly face, pointed with a finger to the access control, shrugged my shoulders and mouthed slowly "it's not working". Well, I must have been an actor in a previous life because, sure enough, the man came up to the door and opened up for me. While I entered and said a quick "hey thanks man", he looked a bit questioning and mumbled something like "who are you and what are you doing here?" and as casually as I could I answered "Oh I'm from IT, I'm here for work". I smiled, thanked him once again while I stepped into the elevator and pressed the button for the ground floor. I was in! My heart was pounding like a racehorse, but I was in! This stuff was like straight from the movies.
Now it was time for the fun part of the night: claiming our flag of victory. First I went to the director's office, to leave a friendly signature of my presence: I left a bottle of champagne on his desk and I decorated the place with some CYBER-tape :-) On my way out I left a little present in the form of a LAN Turtle 3G. That's a 3G-enabled remote access toolkit with a network connection, which I hooked up to an empty socket underneath the receptionist's desk. The LAN Turtle would immediately boot and, using its 3G connection, it established a reverse tunnel using SSH to our command-and-control server. Using that covert connection we now had a way into the network from the outside. Installing it only took about 15 seconds, and after having confirmed the tunnel using a shell on my phone I went straight to the front door and left the place. Mission accomplished! We had successfully penetrated the place.
I went to bed with a very big smile on my face early in the morning that day. By noon I got up after a few hours of sleep and called our clients. They thanked us for the champagne, and I gave them the gist of what had happened earlier that day while everyone else was still in bed sleeping.
The following weeks we would continue with our assignment and use our newly granted access into the place to go there physically during daytime hours, posing as an external developer. Eventually we gained full access to the entire place, including their on-premise datacenter holding their intellectual property, the crown jewels so to speak. Apparently, the access control server was still protected with the default credentials admin/admin, so I had a pretty easy time expanding my initial foothold.
At the end of our assignment we presented all of our findings to our client, and they immediately took appropriate action, including making sure tamper control got enabled on all of their access control devices. And I for my part had learned a whole lot of new fun stuff about access control devices and the possible flaws they can hold.
So, this was yet another story on pentesting and security. I hope you enjoyed this episode. If you'd like to reach out to me, please use the comment section on Hacker Public Radio or contact me on Twitter or Facebook. See you next time!