Full Public Disclosure of Obsolete Access Control Systems

1
Full Public Disclosure of Obsolete Access Control
Systems
2
Obsolescence in Physical Security
The pin tumbler lock The tubular lock Master
key systems Double wafer locks Proprietary
keyways
3
The goal is to get to the shear line.
4
Lock picks and bump keys are cheap and easy to
make.
Spring steel Hacksaw blades Plastic cards Paper
clips
Almost any existing key can be made into a bump
key.
5
Schlage F Series Bypass Methods
Lock picking and bumping arent necessary.
Weiser Shim Picks
6
A modified pick can also be used.
The Shim technique
7
Old Schlage F Series on the left.
New Schlage F Series on the right.
Schlage F Series Knob Puller
These tools will work on either version.
8
Removing the retainer for the pins is also known
as Blowing the Stack or Peeling the Bible
Bible a.k.a. the retainer cover for the pins.
The improved Schlage F series.
Insert modified pick or tool into the first pin
chamber.
It can be made from a hacksaw blade or center
gauge .
9
This configuration is very common for commercial
installations.
10
What is the weakest link in this system?
They can all be used to gain access.
11
Proximity cards can be copied and cloned.
12
Obsolescence in Electronic Security
Fixed code transmitters Proximity cards Mag
Stripe cards Barium Ferrite cards Concealed
Barcode card
13
Any reader can obtain data from a Proximity card.
An example setup
27 Volts
The Maxiprox by HID
The reader has an approximate 24 inch read range.
All codes are transmitted in ASCII.
14
Alternatively, you can build your own.
Reader and transmitter instructions can be seen
here
http//cq.cx/prox.pl
15
Codes are usually printed on the cards.
16
Many high security locks can be picked or
bypassed.
17
This design is no longer secure.
18
The pen is mightier than the lock.
Photo courtesy of engadget.com
19
Most tubular switch locks are using a default
key.
20
Going Postal
Postal lock
21
The Push to Exit circuit activates a relay.
22
Typically, a switch or motion detector is used.
The switch is more secure.
23
An Example of a Push to Exit Bypass
Ingredients for a bypass tool
Coat hanger
Tape
Paper
24
Door magnets can be bypassed.
25
Current disadvantages for Push to Exit and
mechanical bypass
No audit trail Sometimes on the same
circuit Most switch locks are not high
security Easily accessed by opening a panel
26
Most access control systems can be accessed
remotely.
27
Telephone Entry Systems
28
All Access Control panels are using a default
key.
All of these can be found using any search engine.
29
ANAC - Automatic Number Announcement
Circuit Typically a regional 3 digit telephone
number. It can also be a toll-free telephone
number.
Example The ANAC for Houston, Texas is 380.
The telephone number for the unit can be
determined by dialing an ANAC.
30
Answering machines can also be exploited in this
process.
Most telephone entry systems open a relay by
pressing the 9 key.
31
Insiders can also obtain the phone number to
the unit through Caller ID.
32
The telephone number for the system can also be
obtained through wardialing.
Various open source and commercial tools are
available.
Toneloc THC-Scan 2.0 Iwar PAWS PhoneSweep
Example The AE-1 and AE-2 models made by Linear
connect at 9600 baud.
33
Software for remote programming is abundant.
Examples For Windows HyperTerminal PuTTy AlphaC
om Symantecs Procomm Plus For
Linux Xterm GNOME Terminal
A full list of MS-DOS terminal emulators can be
had from http//www.eunet.bg/simtel.net/msdos/com
mprog.html
34
The door itself can be the weak link.
35
Some common problems are Exposed hinges Exposed
latches Large clearance between the bottom of the
door and the floor
Under the door tools are easy to make or obtain.
http//web.mit.edu/zacka/www/nlias.html
36
Is Anti-Passback more secure?
Absolutely.
37
Not the stuff of just movies anymore
Milan, Italy, 2008 Oscar Night Jewel Heist 20
million in jewelry Laguna Hills, California,
2006 - 500,000 in jewelry Antwerp, Belgium,
2003 - 100 million in diamonds Amsterdam 2005 -
102 million in diamonds East Coast Gate Cutting
Crew, 2003-2005 - 5 million in jewelry Florida
to New York, Dinner Time Burglars, 1969-1990 -
70 million Paramus, New Jersey, 2008 - 1
million in jewelry Baghdad, Iraq, 2007 - 282
million in cash
38
(No Transcript)
39
From Wired magazine
40
How much of this information is secret?
None of it!
41
Locks, Safes, and Security by Marc Weber Tobias
42
(No Transcript)
43
Physical Security Resources
Crypto.com Matt Blaze Security.org Marc
Weber Tobias Toool.nl The Open Organization of
Lockpickers The Locksport Community
http//www.lockpicking101.com The National
Locksmith The Locksmith Ledger Non-Destructive
Entry Magazine http//www.ndemag.com
44
http//www.michaelleesecurity.com