
All right, I'm ready. My name is Terry Gold, I'm an independent consultant and analyst. A couple of things to get out of the way first. We're going to be talking about some topics around security and identity, basically how you can subvert security systems to get into corporate facilities. Really excited to be here; hey, free beer at the end of the day. I promise not to put you to sleep.

Some learning objectives. I want to talk about RFID in the context of corporate facilities, and I know this topic has been done before to some extent; I'm going to address that on my next slide and tell you why this is a little bit different.

Learning objectives, you can see them right there. I want to talk about the context of what the credential is that gets you into the building and what's on the credential. The different take in this presentation is that I've been living in this world for the past seven years but come from the IT security side, and I know how these building systems work. I want the audience to understand the context of how these building systems work, how they authorize individuals, credentials, attributes. That's what's typically missing from talks on this topic: they talk about what the binary string or serial-numbered format on a card is, but without the context, effective penetration testing, or deciding what you're going to do, just isn't terribly effective.

We're going to talk about the threats, what else is out there, what's coming, and what the real risk to enterprises is. My personal goal, and the reason I do this, is that the physical access industry has in a lot of ways been quite irresponsible. This technology, and I'll go through it, really wasn't built with security in mind, but now they talk like they're security vendors because they sell to corporate security people: guards, doors, guns, so "we're security". A lot of them don't really practice security; they don't really manage risk, and we'll get into that too. So I want to enable everybody in this audience to understand more about this, so that whether you serve an enterprise in a position, you're a pentester, or you're a consultant, you'll be way more effective in helping your customers understand what the real risk is. And then I want to impose more responsibility on the vendors out there, because this is low-hanging fruit. I know APT is higher on the totem pole in terms of threats, but this is such low-hanging fruit: if I can just walk into your data center or into an executive office undetected, what's stopping me? Why not, if it's really easy? So that's my personal goal out of this talk.

The evolution of identity is pretty simple. Back in the '40s and '50s everything was paper based, no photos yet. Then it got into photo ID: it can't just be a piece of paper in your pocket; that was pretty cool and groovy. Then the '80s and '90s came along and said, well, printers are getting better, people can copy photo IDs. I mean, look, I made copies of photo IDs when I was underage trying to get drinks; we probably all have. So the IDs today have gotten a lot more sophisticated. They're really digital credentials inside of that form factor, but the technology in them varies greatly and it's changing very quickly. There are a lot of standards and mandates out there. I want to say that RFID gets a lot of bad flak, and there's a lot of bad RFID, but there's some very good RFID and very secure technologies out there; we'll talk about that.

Why is this important in the corporate enterprise? Because when you go into a corporate enterprise there are no more keyed locks. These cards replaced keyed locks. That was the actual reason these cards were invented for access control in the corporate enterprise; it wasn't for security. RFID has been around for 30 or 40 years through the military, and then it became magnetic stripe, because the problem was: I'm an enterprise, and John leaves the company or doesn't come back, doesn't return his key, and I've got to replace locks. It's labor intensive, there's a cost. If I can avoid that, it's a big gain for me, and that's what these cards were meant to do. So security was never, ever baked in whatsoever. We'll go through that.

All right, now as we get into this, like I said, we've been here before. We've heard talks on RFID and physical access before. So here's the thing everybody knows about: somebody went to give a presentation at Black Hat, and one of the vendors basically said you can't do that, we're going to prevent it, you're encroaching on IP. Since we have a patent, it can't really be insecure, so you can't really talk about it, right? Their reasoning is pretty funny, and this is what's wrong with the industry. They're saying the act of hacking it and disclosing it violates patents. They're saying it's not really a security issue: hey, you should be able to catch them on CCTV if somebody who's not really them is getting in a door. Really? You have 10,000 employees and you know what everybody looks like? And by the way, the guys at the front door watching the CCTV make eight bucks an hour; you're hiring them, that's outsourced. Come on. Then they turn around and say nobody should be wearing the badge where somebody could clone it, right, even though there's no threat. Keep it hidden, all this stuff, people can't get close enough to clone it, but there's nothing wrong with it.

Now you go to the other side, our community, and there are really good comments. Somebody from the ACLU weighed in and said this is really concerning, this is kind of BS. I took out a few quotes from the hacker community and the pentest community saying the same thing I'm thinking, and the reason I say this is because I'm not the only one thinking it. They say: oh yeah, they have a patent, it's illegal to hack it, it must be secure. Rather than taking responsibility, they just threaten. And now the problem I have is: what's changed with these companies since 2007? They're actually claiming to be security companies now. Back then they weren't; it was just access control. Now every other word out of their mouth is security: security credentialing this, security that. And they're not doing anything different.

Now, the additional considerations I picked out from this community say, hey, cloning RFID is nothing new. It isn't. These cards are just passive, emitting just a serial number. That's actually not true; there's more to it than just a serial number in these cards, and we'll go through that. There are facility codes, you have to know a format, there are all sorts of things you need in order to make whatever is on a card work with a system. It's one thing to clone it. The different thing about this presentation is I'm not going to just show you how to clone; I'm going to show you how to mint cards. It's one thing to clone somebody's card that they have, but if I want to mint 200 other credentials without cloning cards and just take full control, that's a different story, right? Somebody summed it up best: if we don't make a stand on this, we'll just end up being deprecated down to looking at vendor cut sheets, and that's that, and that's really not where we come from.

To give an example of that, what some of these vendors might say is: we can sell you a highly secure card that has a cryptographic key on it, trust us, it's secure. Now, the audience they sell to doesn't go through a lot of evaluations like you and I do in the IT world. They don't sit there and have 20 meetings and pick through things. They were in law enforcement together, it's kind of "you tell me it works", it's a handshake, we have a contract in place, it's pretty easy, right? So a lot of the claims are never vetted, and it's only now, when you have the merging of physical access and IT security, through maybe deploying a smart card that has PKI certificates and keys that have to be managed, that they're asking what's on these cards. These cards are also going to get me into my data center, and people really want to look closely at it, and now you have people that are very knowledgeable on the IT side saying let's take a closer look at this stuff, and it's getting real interesting now.

But if these vendors get a free pass, I'll tell you what happens. What happened recently is they came out with a more secure credential they've been selling for years, charging a premium, and actually there's a guy out in Germany, Milosch Meriac, I have the link for the paper, who hacked it. I was with a company that knew about this, and it turns out they were using the same master key across most of their customers, and they didn't secure the key: you could just pull the key right out of the back of the reader. So if I pulled the key out of the back of a reader I got off eBay, I had the key across hundreds of customers, thousands of customers, whatever it might be. This is what happens when it goes unabated.

So RFID, like I said, it's not all bad; there are some good things. But we're going to talk about proximity, which, if I had to estimate, is still about 80% of what's out there in the corporate enterprise, and that's why it's a big deal, and that's why the audience out there in the enterprise has to be aware of it. You can gain access to data centers, executive suites, confidential information. And here's the thing: if you're a pentester nowadays, and I talk to a lot of pentesters and ask what their activities consist of, some of them say "I haven't hacked into anything in nine months; it's all social engineering. If I gain access to the facility, that's king, I'm good. I put on a hoodie, I blend in, I look under keyboards, under desks, I go through things, I'm good." And people say you can just tailgate right in, but there are different levels of controls for different areas, restricted areas. So you might get in through the front door, but how do you actually get into the data center? How do you get into R&D? You have to be able to do some stuff aside from just social engineering.

So let's talk about cards at a technical level. This is really what it breaks down to: you've got PVC plastic; inside you've got a copper coil that's going to conduct the data from the field, the energy, the frequency; you have a fixed IC, a silicon chip, very small, not really capable of doing much but storing binary data; and then personalization, so you might print on the card, take a photo, visual ID, wear it. Now, what's in the chip is a number of different things. How these cards communicate is by a radio field, a frequency. I think everybody in the room understands this, but just in case: it's kind of like if I tune in to 92.3 on the FM radio in my car, anything else broadcasting at 92.3 I'll pick up. So when this card gets in range of a reader, and we'll go through that in a second, basically the reader is going to power it up and be able to get the data, because it's tuned to the same frequency.

What's in the card is binary data, a certain number of bits. There are different numbers of bits on cards; there are a lot of different types of bit strings, and how they're set up, the format, the sequence of those bits, where they're placed, and which system can understand it, is another factor that I find isn't typically talked about in these venues. But it's very important, because if you don't know that, you really can't match it up against an authentication system, which won't know what you did, and it's not going to work.

Technology: we'll be focusing mostly on what is called proximity, but there are a bunch of other technologies out there and we'll touch on those too. Some function on a different frequency; there are multiple technologies on that other frequency. Some have cryptographic keys and all this stuff going on that are more secure, but not something you can't hack. And then implementation: sometimes a vendor claims standards, but how they implement it isn't compatible with different systems, and they do that intentionally. This is an old-school market that wants to lock the customer in. That's a lot of the reason why I see an enterprise where somebody's carrying around five different cards with them. It's a vendor lock-in scenario; it doesn't have to be that way. And then you have standards, tools and cryptographic keys that kind of make the difference in that technology bucket.

Let's talk a little bit about how these cards authenticate in the physical access infrastructure, because without that, knowing what's on the card doesn't really make a difference. Bottom line: I'm a user, I go present my card to this reader at the door.
They're tuned to the same frequency. This card gets energized from the reader's field; this card's not powered, it doesn't have a battery, so it gets powered by the field, and then backscatter happens, where it just blurts it out in all directions. It's indiscriminate; it doesn't care, it doesn't ask who's going to receive my data when I blurt it out. There's no security mechanism; it just blurts it out and anything can capture it. This reader is built to capture it; it captures the binary data, ones and zeros, great. This reader then sends it to a controller.

How many people know what a controller or panel is in the physical access world? Okay, a few people; a lot of people don't. When this card is presented to a reader and it goes to get authenticated, there's a building access control system that holds the privileges of all the users and what doors they can get into. That central system doesn't do the authentication, which is pretty surprising; it's actually a controller that's in the wall. What happens is, when I enroll somebody and hand them their badge for the first time, I enroll it, and then their card number, which is unique to them or unique to their card, gets transcoded to hex and pushed out to this controller, and this controller actually makes the decision. Okay, yeah.

True, well, mostly in the corporate enterprise it's going to be at the controller level. That's changing if you're not doing Wiegand and you're doing Ethernet or something, to some extent, but mostly it's caching to the controller and not to the reader, because these users have to go to different places, they have to be provisioned. In my consulting with a lot of Fortune 500 companies, I really don't see anything cached to a reader unless it's a biometric or a PIN, a lot of times, which is probably not a good practice. What's that? Well, I'm not sure that would be happening throughout all their readers in the company, but we can talk about that offline. It's not a general practice, because this is typically available offline; that's why you cache it down to here. It's actually not in the reader, and maybe that's getting confused. This is local, so you need a controller to control no more than two or three doors at a time; that's the local privilege. These readers generally, I don't know many readers on the market that really store credentials at all; it's all up here. But anyway, what happens is binary comes in, the reader sends it to the controller, the controller makes a decision, compares the hex to the hex, and there you go.

Now here's the interesting part. When I issue a card, keep this in mind: I issue a card, I take the next one off the stack, I enter it into the system and associate it with John Jones, and it gets pushed out, transcoded. These ones, I have so many cards here I don't even know what I have sometimes; yeah, these have smart card chips on them. Anyway, we'll come back to that; there's a big problem with that.

So there are generally two different frequencies in physical access, and I've dumbed this down a little bit before I get into some of the more technical stuff. There's 125 kHz: anytime you hear proximity, prox, it's always 125 kHz, and vice versa. There's really no deviation from that. That's been around for a long time; that's like still running Windows 95, it's just old, and it has no security mechanism built in. Down here you have 13.56 MHz. Now, you can see it's a little bit faster. Why would I want something to be faster, even with the same credential information? More data. Why would I want more data? A cryptographic key, because the key is much longer than the 26-bit string that's up here. And this is pretty slow; it just behaves fast because there's so little data. So this is where the market's been going, and you have multiple technologies available on this. MIFARE: you can crack the key in about five minutes if you know what you're doing. MIFARE DESFire is pretty tough; DESFire EV1 hasn't been hacked yet. PLAID is something open source that's new. OPACITY is coming down the pipeline, which looks pretty damn good, and there are other things. But we'll focus up here, because this is about 80% of what people out there are running.
So here's the deal. If I just clone a card, I can probably use that one card inside of the enterprise, great; I'm that one person, whoever that card belongs to. But cloning, from a pentest standpoint: sometimes I can't really get hold of that card; sometimes I get hold of that card but I might need different access, or that person doesn't have all the privileges. It just kind of limits you. And I hear a lot of people saying, well, I could hook this up to the reader, and it's like, you don't want to be in the front door carrying around something and hacking into a reader; you want to go undercover like you're a normal user, right? And this is where this comes in: knowing how to mess around with that string. In layman's terms, and I'll actually show you what's on there in a minute, let's just say this is the string (it's not), but basically what happens at the controller level, when you say I have a format, think of a format like a template: I know where those digits go, I know which ones count and which ones don't. So if I have facility code 12 and the card number is 34281, you can see there's a lot of data in there that just doesn't matter, that the system's looking at just for parity, just to make sure the data is good, just to make sure things are in the right place. If not, it's going to say no: you might have the right card number, but it doesn't fit with our system. There are literally hundreds of these different formats out there, and that's why, when people say it's a 26-bit card, that's only one of the many, many formats out there. That's why you have different people carrying around multiple cards in an enterprise.

Now, why is it that way? Here's the deal with the industry. I'm the chip manufacturer, the fixed IC. I sell my widgets to another widget manufacturer, the card manufacturer, that makes the PVC plastic, embeds the chip, does the copper coils, all of that. Then I manage all these formats for the different distributors. They always sell to a distributor, always to a reseller, always to the end user, so there's like a 3x markup by the time you get done. If I'm an end user I'm paying four, five, six, seven, eight dollars for a card, nothing innovative about it; at the end of the day we all know it's sub-dollar to make in China, right? So how do they hold their business together? It's this format, the stuff we don't talk about, the hundreds of different formats out there, where unless you format the binary code in a certain way it may not work with a different system. Why have they done it this way? What's the purpose? It doesn't serve the end user; it locks the customer in. If I'm the reseller that's been implementing for this company for a long time, and three years later my customer needs more cards, I want to keep that end user coming to me for those cards. I don't want them to go somewhere else where they can get some generic format. So you have all these different varieties of formats just so these resellers can own their different customers. It's a real mess. So when companies acquire other companies, like big companies do, what do they do? We have this other building, we need to give them another card, or we need to rip the system out to make it compatible with these cards: millions of dollars. It doesn't need to be like that, and it doesn't help security.

So here's a format. Let's talk about formats and masks. Here is a hypothetical example, back to my disclosure earlier on why it would be hypothetical, of a 26-bit format. There are 32, 35, 42, 37, all over the place. This would be for parity, this would be the facility code, this would be the actual card number, more parity; these are the parity strings. And then the format, actually the controller, has to know whether the parity should be odd or even, and all this stuff. So when people talk about "I know the card serial number in a card and that's all it is, it's just passive", they're talking about this. If you don't get this stuff right, where you put your ones and zeros, you're hosed, right? So what happens is this gets loaded into a physical access control system that holds all the privileges, then that gets pushed out to those controllers in the walls, and then those controllers compare the binary data that gets passed up, transparently, typically, from the reader, make the comparison, and send it back. Right, so we're all good on that? Any questions? No? Okay.

So here's kind of a quick demo. Let's see if I can hold this. I have a whole bunch of cards here, and most of the time I don't even know what the heck I have; I've collected them over the years. So let me just pick a stack here. These are all different formats. You guys have heard of the Proxmark device, right? This is not a Proxmark device; this is actually from a company that's taken it to the next level. Disclosure: I used to work for them, I helped launch the company. It's not a plug, but it's a really cool device, because it doesn't just do one format or just clone what's on one card to another. This thing's actually intelligent: it reads what's on a card and tells you what it is if you want to know. You can see the hex, you can see the facility code, and then you can not just clone but say, okay, I know what they're doing, I know the facility code. Actually, it's probably better that I just show you.

So let's take this card. What is this? Okay, this is a very typical card, so I'll put this on here. I'm just using Tera Term. So I read it: this is a 26-bit HID card. You can see the hex. This will actually tell you that the facility code is 54. On 26-bit you have a possibility of 255 different facility codes and 65,000-something card numbers, because it's 26-bit. On this number right here, this is 309, a pretty low number. Now I can take this card, and I'm going to read this card, and I'm going to program this card, so I'm not just cloning at this point. So I'm going to program this card: one, one. And I'm going to verify what's in the buffer. Failed; don't know why. Take a different card; sometimes it's not perfect. This device is one at a time, but there are devices you can buy that'll do mass issuance and stuff. So let me go... oh, I know what I did wrong here. Okay, so if I hit decode... I didn't do it. H26, okay, yep. So you can see I programmed this card to facility code one and card number one. Now, what's that? No, I hit verify, so it'll verify what's in the buffer after I did that, against the one I just wrote to; that's the command. I can actually show you: if I go back to this card, I'll go back to the other card. Okay, that's totally different; that's in the buffer right now. I'll go back to this one. There you go, right? So that did encode the previous time.

So now I can say, okay, this is a totally different card, I don't want to clone it, but here's a good thing: I already know what the facility code is. Facility codes are generally like, okay, I have serial numbers with a possibility of 65,000-some-odd numbers that I can encode, and I have 30,000 employees, so eventually I'm going to use those up. So sometimes I say, for this facility out here in St. Louis it's going to be a different facility code than the campus out in Los Angeles; I get more numbers that way, and it differentiates the population. A lot of organizations use the same facility code for everybody, and there are pluses and minuses to that; I'm actually an advocate for doing that with large populations, for a different reason. But what you can do is say: look, I got my first card. I'm not just going to clone and be that person; I got my first card, I know what their facility code is now, and I also have a valid number. Since I have a valid number, and these are typically issued in sequence, I can say, let me go buy a couple hundred cards off the internet and encode 100 down and 100 up. So I got this one, I could have cloned it, but I can keep going and say, you know what, I'm going to re-encode this card. Let's say the facility code up here was 54, and I'm going to go 310, the next card up. There you go. I can just start minting a whole bunch of credentials in the organization, show up at the front door with a stack, and just see which ones work: get in through the front door using one, start using the other ones. Can I get into restricted facilities? You betcha. And then you start to say, okay, well, I've got a PIN on my data center, you have to do a PIN entry. I have a FLIR gun: I can wait 30 seconds until somebody enters their PIN and walks away, just aim my FLIR gun right at it, and I can see the red dots, which ones have dissipated, which ones were the first ones, which ones are the brightest (they're probably the last ones), and you can make out at least three of the sequence and say, okay, I'm pretty close, I know their credential, I could totally put them back to basically one factor, and I can figure out that one factor.

Okay, is there anything else anybody would like to see on this demo, other cards, whatever? Questions? The reader is from a company called Identive Group, their division idOnDemand; they make some pretty cool stuff. So this is not a science project; they give you kind of a manual of commands that you can work with to do a lot of this stuff. The other thing, too, is there are different modulations out there. There are some that use what's called FSK, and then there's PSK, and there's ASK. PSK, phase shift: when I showed you that wavelength where it looked very linear, that's not really how it happens; that's kind of dumbed down. It has phase shifting, it's kind of complex. But what you have to do is, when there are certain cards that use, say, PSK, and this is set for FSK right now, there's a command in the device where you can say, okay, set this reader to work with ASK now, and then it'll work with ASK, and you set it back. So it's actually unique in that sense, where some other things you've seen out there just work with 26-bit, not other formats, not other modulations. So it's pretty cool.

So back to this portion right here. Let's talk about some of the funny things in physical access. This industry is going through an evolution, but there are still some interesting things I think this community would find funny, like I do. They're all special. When I showed you this card right here, and I read it and said it's facility code 54 and the card number is 309: remember when I said the person issuing the card would enter the number 309, associate it with John Jones, and it basically gets sent out to the controller in hex? Well, this card is actually printed with 309 on it. This is done like 99% of the time in the industry, and why? Because you have people that are enrollment officers who typically aren't very technical, and they just want to take it off the stack, read the number off the card, and enter it into the system. To me that's like ordering a computer from Dell and having them etch the password right on there; well, it's easy, now you know what the password is when you get it. I've had people debate me on this. I've been to trade shows talking to vendors, and they say, oh, prox is secure enough, we use it in healthcare all the time, it's convenient, it's secure. I'm like, it's not secure, and they're like, oh, sure it is, you don't know what you're talking about. I'm like, show me that card, put it up to my face, and I'll hack it just by looking at it. Oh yeah, whatever, right? Then they put it right in front of my face and I say, okay, is this card serial number 54271? They're like, how do you know? I'm like, is that it? They're like, well, we don't know. I'm like, I can tell you, just flip it over; it's printed right on there. This is the industry mentality, right?

So, just a time check. There's a big problem with that: you're minting this stuff on the card, they're still doing it today, and like 99% of the time it's just a bad, lazy practice that doesn't practice security. So that's kind of number one. Sequential numbering just makes it easy to guess. Even at 26 bits you don't have to go totally sequential. If I go up to 32, 35 or 42 bits I have millions to choose from; I don't have to go sequential. So my ability to order cards and just go 100 up, 100 down doesn't work as well if you spread them out and have a different system and batches.
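The 26-bit format with its two parity bits, and the "encode 100 down and 100 up" minting step from the demo, as an added Python example that is not part of the talk and is not the firmware of the device shown. It assumes the standard open 26-bit layout (the HID H10301 format): one even-parity bit over the first 12 data bits, an 8-bit facility code, a 16-bit card number, and one odd-parity bit over the last 12 data bits. The sample values (facility code 54, card number 309) are the ones read off the card in the demo; the other bit lengths mentioned (32, 35, 37, 42) use different masks and parity rules and are deliberately not handled here.

```python
# Added worked example (not the speaker's code, not any vendor's firmware):
# encode, decode and parity-check the standard open 26-bit Wiegand format
# (HID "H10301"), then enumerate neighbouring card numbers the way the
# "encode 100 down and 100 up" minting step in the talk does.
#
# Assumed layout, MSB first (the documented H10301 layout; the other
# formats the talk lists use different masks and are not handled here):
#   bit 25        even parity over bits 24..13
#   bits 24..17   facility code, 8 bits (0..255)
#   bits 16..1    card number, 16 bits (0..65535)
#   bit 0         odd parity over bits 12..1
from typing import Dict, Tuple


def _popcount(value: int) -> int:
    return bin(value).count("1")


def encode_h10301(facility_code: int, card_number: int) -> int:
    """Return the 26-bit word a controller expects for this FC / card number."""
    if not 0 <= facility_code <= 0xFF:
        raise ValueError("facility code must fit in 8 bits")
    if not 0 <= card_number <= 0xFFFF:
        raise ValueError("card number must fit in 16 bits")
    payload = (facility_code << 16) | card_number      # the 24 data bits
    left12, right12 = payload >> 12, payload & 0xFFF
    even_bit = _popcount(left12) & 1                   # makes left half even
    odd_bit = 1 - (_popcount(right12) & 1)             # makes right half odd
    return (even_bit << 25) | (payload << 1) | odd_bit


def parity_ok(word: int) -> bool:
    """True when both parity bits agree with the 24 data bits."""
    payload = (word >> 1) & 0xFFFFFF
    left12, right12 = payload >> 12, payload & 0xFFF
    even_bit, odd_bit = (word >> 25) & 1, word & 1
    return ((_popcount(left12) + even_bit) % 2 == 0
            and (_popcount(right12) + odd_bit) % 2 == 1)


def decode_h10301(word: int) -> Tuple[int, int]:
    """Return (facility_code, card_number); reject what a controller would drop."""
    if word < 0 or word >> 26:
        raise ValueError("not a 26-bit word")
    if not parity_ok(word):
        raise ValueError("parity mismatch: wrong format or corrupted read")
    payload = (word >> 1) & 0xFFFFFF
    return payload >> 16, payload & 0xFFFF


def to_bits(word: int) -> str:
    """26-character bit string, in the order a reader clocks it out."""
    return f"{word:026b}"


def mint_neighbours(facility_code: int, card_number: int,
                    down: int = 100, up: int = 100) -> Dict[int, int]:
    """Map each card number in [cn-down, cn+up] (except cn) to its 26-bit word.

    This is the sequential-issuance guess from the talk: one valid card gives
    away the facility code and a neighbourhood of likely-valid card numbers.
    """
    low = max(0, card_number - down)
    high = min(0xFFFF, card_number + up)
    return {cn: encode_h10301(facility_code, cn)
            for cn in range(low, high + 1) if cn != card_number}


if __name__ == "__main__":
    # Constructed sample: the facility code / card number read in the demo.
    word = encode_h10301(54, 309)
    print(f"FC 54 / card 309 -> {word:07X}  bits {to_bits(word)}")
    print("decodes to", decode_h10301(word))
    # A single flipped bit is rejected, which is why a garbled read or a
    # card in a different format just gets "no" from the controller.
    print("parity ok after bit flip?", parity_ok(word ^ 0x10))
    batch = mint_neighbours(54, 309)
    print(len(batch), "candidate neighbours, e.g. 310 ->", f"{batch[310]:07X}")
```

The parity check is the "template" the talk describes: a controller enrolled for this format drops any word whose two parity bits disagree with the data bits, so a card encoded in one of the other formats, or a corrupted read, fails before the card number is ever compared. The neighbour list is why sequential issuance matters: with one valid card and a default spread of 100 each way, the attacker has 200 candidates that differ only in the card number.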
Right. The other thing I get, to tell you a quick story: I do engagements for CISOs and CSOs, going through not just their facilities; I do PKI deployment, smart cards, I've been doing that for years, telling them how to do this stuff, but also going through and telling them what they have and what problems they have. I was on an engagement a little while ago, hired by the CISO to implement PKI smart cards, and this is an organization that I guarantee has information about everybody in this room, just by the nature of their business, a big fish. So we did all the heavy lifting around PKI and
everything, and physical security was actually redoing several of their facilities, putting in new controllers, a new system, and they're saying, "hey, okay, we're staying with prox." I'm like, "why would you do that? You're getting new cards that are capable of doing cryptographic keys and everything like that, you're replacing all the critical components, you could just go do something else for no additional cost." Anyway, I kept telling the vice president of physical security this, and one day, in front of like a dozen people, he looked at me, pissed off because I kept hammering on him, and he said, "Terry, you've got to cut this out, it's not like we're Fort Knox." And I looked at
him and I said, "shouldn't you be, just because of the nature of your business? I walk into your data center and just grab your HSM, whatever I need to do." So he called a meeting with the CIO, basically to beat me over the head, and I said, "look, I'll do whatever you want, I'm just calling out things you're not aware of that are critical to your business, I have a responsibility." And the CIO said, "look, give me the four-minute speech on basically what's going on here." I said, "look, very insecure," went through this stuff, broke it down. He said, "hmm, well, is it really that insecure?" I said, "I'll do you better than that."
The VP of physical access stood up and said, "we're fine, it's not that insecure." I looked at the CIO and said, "can I have your card?" "Yes." I pulled out a device; at the time I had a different device that you just touch and it clones, it doesn't have to plug into a computer, it's very slick. I said, "give me your card." I pulled out a blank card, I touched it, I walked out the door of his office, shut the door, gave him his card back, shut the door, and then all of a sudden you heard a beep, a click, and I opened his door and I looked at him and I said, "you want to go down to your data center now?
You'd better hope I don't know what an HSM looks like." And he's just like, "this is what we're using at our data center?" looking at the physical security guy, "how did we not know?" It's because this organization is PCI compliant, right? It's because QSAs are not trained; they go through and say, "okay, yeah, there are physical security controls, not just anybody can get into this facility, into the data center, we check that box." They don't know about this stuff, nobody's telling them. The CIO thought for years this was handled by the physical security group: they know about cards, they know about doors, they're doing it. And so you're sitting there thinking, wow, this
is low-hanging fruit for anybody; Terry can just go anywhere, right? So it's not just that I go in and get the HSM, it's the amount of social engineering I can go ahead and do. The fact that I can walk through the front door and just put on a hoodie, I call it "hoodie gate": you walk through the front door, you print up a hoodie, now you're one of you guys, everybody holds the door, you tailgate in. But now I not only look like you, I have credentials that can get me through restricted areas that maybe are just for
a few people in the organization, and if you don't have that bar high enough, man, I'm in there doing whatever I really need to do. I'm not just digging through dumpsters anymore. Okay. So their excuse from the physical access side, the VP of physical access said, "well, I'd know if this was going on." How would you know? I look like an authorized user. These systems are pretty archaic; they don't have anomaly detection to be able to basically say, "is something really going on here, do I have multiple credentials?" It's not there yet; they're going to be evolving in that direction, but it's not there yet. You
wouldn't know. Then they say, "well, we have a lot of guards and CCTV, we'd see it." Nah, you wouldn't, we just talked about that: you outsource it, they don't know what everybody looks like, they're not looking at the credential as presented, not going to happen. The other thing is people think they have a special format: "well, my integrator told me I have a special format, and with that special format I'm not susceptible to any of that other proximity stuff." Proximity is proximity; it has no security mechanism built in. If I can figure out the parity and all that stuff, and by the way this company figured out like a hundred different formats and
built them into a library, so yeah, you can figure it out. I've watched it being done; there's nothing special, you're on the same technology. Then you have other companies saying, "well, I have a special number, nobody else can have the same number issued to my organization, because when they issue a card they won't issue it to anybody else." Okay, my whole thing is, if there's no security built in and I can copy, clone and mint, you can't guarantee me that. And also, that's not security. I mean, these things aren't secure; big deal if you only send them out to one person or not, right? People think, "hey, I
put a tamper on the reader, so if anybody pulls a reader off the wall the system will know." I mean, the typical infrastructure has something called Wiegand, the wires that go from the controllers all the way back; it sends the ones up one wire and sends the zeros up another wire, and that's how it gets back. It's not very sophisticated. And they think, "hey, somebody screws with the reader." That's what I mean: if I got into the roof I'd go ahead and splice into it, go ahead and send it up, it won't detect that, it doesn't know. I mean, I
could do that; if the target's great enough I'll certainly go ahead and do it. Hoodie gate right into the front doors and then figure out where do I go, and if I couldn't mint a card, whatever, right? There are other things when you get down to figuring out how to get these things more secure: you get into adding a cryptographic key and you get into specific technologies that have a file system and can hold more data. The problem is vendors have still attempted to say, "okay, how do we go ahead and make that technology our own?" Right, so this company over here,
this vendor can have MIFARE, this vendor can have MIFARE; I'm NXP, who made MIFARE, I don't discriminate who I sell to. But how do I make it different? Well, one of the things I do is I own the key. I'm the vendor, I don't give you, the customer, the key, and then we find out they use that key across every customer; I just won't tell them. The problem with that model is the physical security end-user audience has never demanded, "no, I own my key." That's the only way I can ensure that it's unique, that's the only way I can ensure that I'm not locked in, and this is a problem. So then you have
some vendors saying, "okay, I'll let you own your key," but then what they do is they make special tools that only work with their reader, where you can load the key into the reader. It gets really weird, and the customers that don't ask about all these cute things end up getting locked in and they have nowhere to go, which is most of the time. The thing that probably bothers me the most in the physical security industry is when they talk about open standards and the use of standards. They talk about standards like, "oh, that's our..." 26-bit is the standard from who, right? From what
standard? Or they say, "our new technology that we just built." One company built the technology, and what they did is they put in basically a hash signature that gets compared to the rest of their products, and if you don't have that hash signature then it won't authenticate, and they said, "well, we're trusted, that's how you know it's trusted." They say, "we're trusted," but it's your own internal ecosystem that is not validated with any outside third party; it's not like a public root or anything. So they claim their own trust model, then they say it's built on open standards. When you ask them what open standards you're
referring to, they can't tell you which ones, and it's certainly not open. So it's kind of interesting. You can do cloning, you can do sniffing, but minting, that's really what we're talking about here. And by the way, if you can find out the key to their advanced technologies, you're back in the same position all over again: I've got the key, now I can start minting again. Milosch Meriac out in Germany did a really good demonstration of a vendor technology where he was able to discover the key and he was back to minting, and this was like the next most pervasive technology out there,
saying, "oh, it's really, really secure." So protect the key. Where's this going? Cards are really becoming a pervasive medium inside different uses, whether it's healthcare, mobile devices, parking, transit, and it's not so much about the card in the future, it's about this chip, right? It's about this smart chip that's purpose-built to handle cryptographic keys, timing and all those things. And so that chip could be in a smartphone; it's getting built in now. The SIM chip is basically the same thing; now they're going to start leveraging it for other purposes. One of the things that's happened that's really interesting is the US federal government
has started a program that was presidentially directed to strengthen identity. It's called HSPD-12, and in 2005 or 2006 they basically said, "hey, we're mandating that everybody goes to a smart card chip, a cryptographic secure module, secure element, and it's going to have to have four PKI certificates, it's going to have to have trust." There are processes in place now. It's not perfect, okay, and I was doing implementations before that, but it's the first venue that has actually put some standards in place. What didn't make that standard is proximity: it's not in the standard, you can't implement it, okay,
can't use it, shouldn't be using it, it's not secure. The government knows that; they knew it years ago, right? So it's all about certificates, public roots, trusting the roots on this card, and that's where it's going for transit, for healthcare, storing data. It's a lot more secure, and it'll use this high frequency, okay. So what can you do to go ahead and improve it? I'll wrap this up and take questions, but these companies need to get away from 125 kHz, okay. It's like having Windows 95 out there; it just doesn't have a place anymore. They're glad to sell it
because they have a great cottage industry off it, okay. Need to get away from symmetric keys: usually it's the same key in the reader as the key on the card; hack a reader, you've got the key on the card, or you figure out the algorithm and how they diversified it. Not a good situation, okay, and that's where PKI comes in: public/private key. Start bringing that into physical access like the US government did. That's the solution, but physical access vendors don't really understand PKI. It's an evolution, okay, a culture change from "I issue badges and let you through doors" to actually being a security professional rather than my business card saying I'm
corporate security, okay. And this is where this audience comes in: you go do a pen test, show them this stuff, look into it; that'll really improve things quite a bit. And corporate enterprises have a responsibility to do deeper due diligence on how they buy technology, just like IT does. It can't just be your buddy because he takes you out for a steak dinner and you have a good contract; you've got to look at all the technical points and validate them. Bringing IT into the project helps a lot, because I was educating an analyst last year, one of the main analysts in the IT industry, and they said, "you know, look, I'm really
... I understand technology, I get the technology, but I don't understand this stuff." And I said, "here's the deal: come from the same place you are, forget about every single thing you think you know, and then it'll come to you that this industry is really way more screwed up than you think it is, and you'll start learning how it actually is, and then maybe you help solve it." Okay. Need to do more standards versus proprietary lock-in, say no to lock-in, and leverage what the government's doing. There's a nuance to how to leverage it, because the government doesn't really fit well into an
enterprise model: they're vetting, they tell you how you need to do things, you need to rip and replace; it's not doable. But I specialize in this area; there's a way to bring it in where it's a best-practice benefit for you without getting into additional overhead. And compatibility: look for compatibility and push the industry for compatibility on the tools, right. And then if you have to stay with prox, proximity, you can do that: you can do random ranges, disable feedback so anybody who's trying like 20 times, disable that, make a report so you know what's going on there,
take a look at your log files, demand from vendors that you can do that. So I'll wrap that up. I'll take questions; there's my contact info. And this is actually a really good talk, it's on YouTube as well, Milosch Meriac, and if you send me an email I'll send you the link. And if you have questions, Milosch likes to hear from people too. So I'll take a few questions and then we'll... yeah.
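Editor's added example (not the speaker's code, not from any vendor): an encoder and decoder for the 26-bit Wiegand format the talk keeps coming back to (the common H10301 layout: one leading even-parity bit over the first 12 data bits, an 8-bit facility code, a 16-bit card number, and one trailing odd-parity bit over the last 12 data bits). It shows concretely why the number printed on the card, plus the facility code, is the whole credential (cloning is just re-encoding it), and how sequential numbering turns one known card into a short guess list. The facility code 100, card number 54271 and the 100-up/100-down spread are constructed inputs, not figures from any deployment.

```python
"""26-bit Wiegand (H10301) encode/decode, clone-by-number and guess-range enumeration.

Added illustration; facility code / card number values below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterator


@dataclass(frozen=True)
class Credential:
    facility_code: int  # 8 bits on the wire
    card_number: int    # 16 bits on the wire; this is the number printed on the card


def _parity(bits: str) -> int:
    """0 if the number of 1 bits is even, 1 if odd."""
    return bits.count("1") % 2


def encode_h10301(facility_code: int, card_number: int) -> str:
    """Return the 26-bit string a reader would clock out over the Wiegand lines."""
    if not 0 <= facility_code < 256 or not 0 <= card_number < 65536:
        raise ValueError("facility code is 8 bits, card number is 16 bits")
    data = f"{facility_code:08b}{card_number:016b}"   # 24 data bits
    even = _parity(data[:12])                         # leading bit: even parity over bits 1..12
    odd = 1 - _parity(data[12:])                      # trailing bit: odd parity over bits 13..24
    return f"{even}{data}{odd}"


def decode_h10301(bits: str) -> Credential:
    """Parse a sniffed 26-bit frame; reject anything whose parity bits do not check."""
    if len(bits) != 26 or set(bits) - {"0", "1"}:
        raise ValueError("expected 26 bits of '0'/'1'")
    data = bits[1:25]
    if int(bits[0]) != _parity(data[:12]):
        raise ValueError("even parity mismatch")
    if int(bits[25]) != 1 - _parity(data[12:]):
        raise ValueError("odd parity mismatch")
    return Credential(int(data[:8], 2), int(data[8:], 2))


def clone_from_printed_number(facility_code: int, printed_number: int) -> str:
    """There is no secret: reading the printed number is enough to mint a working frame."""
    return encode_h10301(facility_code, printed_number)


def guess_range(known_card_number: int, spread: int = 100) -> Iterator[int]:
    """Card numbers an attacker would try first if issuance was sequential around a known card."""
    low = max(0, known_card_number - spread)
    high = min(65535, known_card_number + spread)
    for n in range(low, high + 1):
        if n != known_card_number:
            yield n


if __name__ == "__main__":
    frame = encode_h10301(100, 54271)          # constructed facility code and card number
    print(frame, decode_h10301(frame))
    print(clone_from_printed_number(100, 54271) == frame)
    print(len(list(guess_range(54271))), "neighbours to try for the same facility code")
```

Nothing in the frame is keyed: any two parties who agree on the facility code and number produce identical bits, which is the whole of the cloning, sniffing and minting argument above. Randomised (non-sequential) issuance only makes `guess_range` less useful; it does not change the decoder.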
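Editor's added example (not the speaker's code or any access-control product's feature): the two checks the talk says most physical access systems still lack, run over a constructed access-control log. The first flags a burst of denied reads at one reader (the "somebody trying like 20 times" case, which is what you would see if someone walked the sequential card numbers near a known card); the second flags one credential granted at two different doors closer together than a person could walk, which is what a cloned card looks like in the logs. The log format (ISO timestamp, reader name, facility:card, result), the reader names, the 20-in-5-minutes and 10-minute thresholds are all assumptions for the example.

```python
"""Denied-read bursts and credential reuse over a constructed access-control log.

Added illustration; the log lines, reader names and thresholds are assumptions.
"""
from __future__ import annotations

from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import NamedTuple


class Event(NamedTuple):
    ts: datetime
    reader: str
    card: str     # "facility:number" as printed on the card
    result: str   # "granted" or "denied"


# Constructed sample log, not captured from any real system.
SAMPLE_LOG = "\n".join(
    [
        "2024-05-01T08:00:01,lobby-east,100:54271,granted",
        "2024-05-01T08:00:31,datacenter-door,100:54271,granted",  # same card, other door, 30 s later
        "2024-05-01T08:02:10,lobby-west,100:54300,granted",
        "2024-05-01T08:03:00,lobby-west,100:54301,denied",         # one stray denial, not a burst
    ]
    # 22 denied reads in 22 seconds at one reader, walking card numbers near a known one
    + [f"2024-05-01T08:05:{i:02d},lobby-east,100:{54200 + i},denied" for i in range(22)]
    + ["2024-05-01T08:20:00,datacenter-door,100:54271,granted"]  # same door as before: no alert
)


def parse_log(text: str) -> list[Event]:
    """Parse the assumed CSV layout into time-ordered events."""
    events: list[Event] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, reader, card, result = line.split(",")
        events.append(Event(datetime.fromisoformat(ts), reader, card, result))
    return sorted(events, key=lambda e: e.ts)


def denied_bursts(events: list[Event], threshold: int = 20,
                  window: timedelta = timedelta(minutes=5)) -> dict[str, int]:
    """Readers whose denied reads inside any sliding `window` reached `threshold`, with the peak count."""
    recent: dict[str, deque] = defaultdict(deque)
    peak: dict[str, int] = defaultdict(int)
    for e in events:
        if e.result != "denied":
            continue
        q = recent[e.reader]
        q.append(e.ts)
        while e.ts - q[0] > window:      # drop denials that fell out of the window
            q.popleft()
        peak[e.reader] = max(peak[e.reader], len(q))
    return {reader: n for reader, n in peak.items() if n >= threshold}


def credential_reuse(events: list[Event],
                     min_gap: timedelta = timedelta(minutes=10)) -> list[tuple[str, str, str, timedelta]]:
    """One credential granted at two different readers less than `min_gap` apart (clone indicator)."""
    by_card: dict[str, list[Event]] = defaultdict(list)
    for e in events:
        if e.result == "granted":
            by_card[e.card].append(e)   # events are already time-ordered
    alerts = []
    for card, evs in by_card.items():
        for a, b in zip(evs, evs[1:]):
            if a.reader != b.reader and b.ts - a.ts < min_gap:
                alerts.append((card, a.reader, b.reader, b.ts - a.ts))
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("denied-read bursts:", denied_bursts(evs))
    for card, r1, r2, gap in credential_reuse(evs):
        print(f"credential {card} used at {r1} and {r2} only {gap} apart")
```

Both checks need only what a controller already records (timestamp, reader, credential, result), which is the point of demanding log export from the vendor: the detection can live in the SIEM even when the panel itself has no anomaly logic. The reuse check assumes readers are far enough apart that `min_gap` is a real walking time; tune it per pair of doors rather than globally in a real deployment.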