Opinion: Biometric scanner or proximity cards it doesn't matter. Access control systems are full of holes.
LAS VEGASSections of our airports are being secured by two screws and a plastic cover.
You can press your eyeballs into retina scanners, you can walk up to iris scanners, you can press your hand (or somebody with a meat cleaver can press your hand) into a vein hand scan, or you can just swipe a proximity card across a reader and have it beep and flash green at you to let you in to
well, to a secure section of an airport, say, or to a bank, or to any number of secure locations that employ biometrics or proximity cards.
Unfortunately, besides a meat cleaver or, in the case of your eyeballs, a soup spoon, these systems are all laughably easy to bypass, thanks to a primitive protocol called Wiegand that just about all ACSes (access control systems) have inherited.
At the Defcon hackers conference here on Aug. 4, Zac Franken laid out on a table the components typical of a physical proximity card system, the essential elements of which, at least when youre talking about the way the ACS decides whether or not to let you in, are the same as a biometrics system. (Franken manages an IT company in London. Like many Defcon presenters, he asked for restricted identification.)
And then Franken proceeded to demonstrate how $10 worth of hardware will enable you to stick a quick connect microprocessor on a spliced wire, and flip the switch on whether the ACS thinks youve got access rights. The quick connect device contains a small, programmable microcontroller called a PIC chip
. In a nutshell, pop the plastic cover, pull the wire, snip, snip, snap on your quick connect, seal it up, pass your proximity card, green blink, andbzzzztyoure in.
"The problem is, as far as standards go, there are lots of standards for cards talking to the reader, but once it gets to the access system, its assumed its secure," he said.
To read about the help states are requesting to in order to implement Real ID technology, click here.
The classic use case for this is the smokers corner, Franken said. Install Gecko on an external card reader, located in the smokers corner, say, where theres a lot of employees coming and going after they get their nicotine fix. Install it, record data from a bunch of cards, come back, read the data out, and program programmable cards. Youll have amassed access rights from a swath of employees and can insert a card at each layer of security as you go through a building.
Franken is now working on Version 2 of his quick connect device, which is called Gecko. Whereas Version 1 requires physical intrusion and access to wiring and only works on one reader at a time, Version 2 is Bluetooth-enabled. The Bluetooth Gecko will allow access via phone. After that comes Version 3, enabled with a small GSM (Global System for Mobile) module, which will potentially allow him to control ACSes from anywhere in the world.
Hes also got a "Dump" card in the works. In Version 2, hell be able to control the LEDs on a reader and force them to feed back all valid user data captured via LED on the front of a reader. It will be a small reader that he will hold to the LED, which communicates via pulse. Swipe the Dump card, and the LED will pulse out all of the valid user data its collected.
Gecko isnt for sale, thank God. The ubiquity of these card reading systems, enterprises reliance on them for access to sensitive areas, and their easy hackability are a disturbing combination. Understandably enough, intelligence agents globally are trying to get Franken to cough it up for them, he said.
How did ACSes and proximity/biometrics readers get this lame? By habit; by relying on a protocol thats full of holes and still has been passed down through generations of products.
When Wiegand cards first came into being, they were considered hot stuff. ACS manufacturers "all made sure that their systems could interface with Wiegand-enabled readers," Franken said, and "they still do."
The Wiegand effect is a Wikipedia kind of thing: Heres the entry for Wiegand effect.
In a Wiegand card, as Franken described it, special alloy wire is processed in such a way as to create two distinct magnetic regions in the same piece of wire when it is passed over a magnetic field. Wire is embedded in the card in a distinct order to create an individual code, and each Wiegand pulse is translated to a digital 0 or 1 depending on wire location.
Referring to an array of biometric and proximity card systems he demonstrated during his talk, Franken said that "Every reader we saw today, from the super secure biometric retina scanner to as crappy as it sounds concealed barcode, uses the Wiegand electrical and data protocols to communicate to the access control system."
The problem with Wiegand is that the protocol a) is plain text. That means theres no authentication occurring between reader and ACS; b) is easily intercepted; c) is easily replayed and easy prey for man-in-the-middle attacks; d) includes outputs from biometric readers (meaning an attacker can steal whatever sensitive user data is stored on a card) and e) includes output even from strong crypto contactless smart card readers.
At this point, Wiegand is a standard. If you have a swipe reader, a card reader or some type of biometric device like a fingerprint scanner, you hook it to an ACS using the Wiegand protocol.
So, whose to blame, and how can this be fixed? Franken asked people taking photos of his setup (see ours in the accompanying slideshow) to refrain from identifying the reader manufacturer. Dont blame the reader manufacturer, he saidits the protocol thats outdated.
But blaming ACS manufacturers is another thing. "All access control manufacturers implement the protocol," he said. "Its no secret its not secured here. Its one of these things, these guys sell you secure systems, and if they take a long, hard look at themselves
The first solution is tamper-proof readers, which would help "a lot," Franken said. But theyre not particularly sophisticated things, he said, and if you know where they are, you can defeat them. Theyre easy to surpass if you know what youre looking for, Franken said. But still, theyre better than nothing.
Having lots of cameras trained on access points is also better than nothing, but how long do enterprises keep all that video, and who looks at it? Besides, take a look at office buildings. Check the back alleys. Youll find there are many doors that lack cameras, Franken said.
The proper solution for the problem is for a proximity card to do a cryptographic handshake with the reader, he said.
And the proper thing for physical security technology customers to do: If youre buying any type of biometric or proximity card reader system in order to limit access to parts of your organization, grill the vendor on Wiegand. Ignore what they say about proprietary protocols in the cardswhat you want to know about is the protocol linking the reader to the access control system. Tell them you know about Wiegand, and ask them what, if any, cryptographic resolution is happening between reader and ACS.
Theyve gotten away with implementing a Swiss cheese protocol up to now. Weve got to make them stop before somebody gets hurt.
Write to me at email@example.com.
eWEEK Senior Security Editor Lisa Vaas has written about technology since 1997.
Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.