What About IPv6?
Posted by Ray on June 27, 2011
IPv6 is not just about IP addresses! Although the World IPv6 Day tests were largely a success, that success isn't necessarily good news for the physical security industry.
We added a News Feed to the website! After getting many requests and one unposted Rant submission about it, we have added an RSS news feed to the website.
If you are familiar with news feeds, have a news reader program, or use the Firefox browser, use this link to subscribe to the Bp.IP Initiative News Feed.
Note that the term "Card Key" is used in the video link below, and on many web page comments, as a generic name, like the "Kleenex®" brand name is often used to describe any facial tissue. Cardkey® is a registered trademark and is not the product shown in the video below.
Network researchers Michael Gough and Ian Robertson made this video for the BSides regional security event that took place in Austin, TX about a week ago. The access control system is one that is remotely managed via the Internet, but the system would have been just as vulnerable through any hardwired network connection (for example, through a clubhouse network outlet connected to the same network as the access control system).
The Caribou program shown on the phone that is used to unlock the doors is an Android application created to test the security of the system.
Continue reading at Ian Robertson's CyberSecurityGuy website...
Note that Michael and Ian followed responsible disclosure practices in reporting the incident to CERT. They are currently working closely with the manufacturer of the target system to help them eliminate the vulnerability found.
Also see my Convergence Q&A column of July 21, 2010 regarding Responsible Disclosure, which explains the practice that is followed by network researchers upon discovering a serious vulnerability.
Interestingly, Michael got involved in examining the access control system because he is on the board of the association managing the pool property. As the only “tech person” on the board, he was the natural candidate to check into the problems that they were having with the access control system. He was also personally curious as to why the system kept failing as much as it had been.
As Michael Gough commented to me, “The devices were developed before the Internet was used to manage them and so the design did not start by thinking of this connection. The solution migrated to the Internet, though security improvements did not. It just worked, so why change?” That’s a typical history for vulnerable products in this industry.
Check out Michael's security blog at www.hackerhurricane.com for great information security news, articles and presentations.