News - 2010

Access Control System Database Hacked

Posted by Ray on May 15, 2010

Last month at CarolinaCon, an annual hacker’s conference in North Carolina, security researcher Shawn Merdinger presented his successful attack on a name-brand networked access control system. He commented in the presentation, “The problem is that they [facilities and physical security] have this convergence ... and they are slapping this stuff onto your network. So you need to be aware of what’s going on.”

In the video recording of his conference session, he not only demonstrates how easy it was to hack the access control system but also puts up on the screen the company’s marketing statements about how safe it is to connect the system to the Internet. He then demonstrates an Internet search that locates many such systems on the Internet that are wide open to the type of hack he demonstrates.

Like any good security researcher, Shawn reported the vulnerabilities to CERT/CC and worked with them to follow responsible disclosure practices.

In his presentation he also outlined steps to mitigate their impact. View the recorded session below. Slides from the talk are here: http://tinyurl.com/no-stinking-badges.

The Caribou program, shown on the phone used to unlock the doors, is an Android application created to test the security of the system.

View the presentation slides online below; they are more clearly readable than in the recorded video.


Also see my Convergence Q&A column of July 21, 2010 regarding Responsible Disclosure, which is the practice that is followed by network researchers upon discovering a serious vulnerability.

Video Surveillance System Hacked

Posted by Ray on June 15, 2010

Last year at the DEFCON conference, which describes itself as “The Hacker Community’s Foremost Social Network,” a network research firm (people who do network penetration testing for a living) hacked a brand-name system and fed back copied video into its video display and recording stream.

They picked up an object off a table, but the video system showed the object as still being there. This type of attack is called a “replay attack,” in which data recorded earlier is played back later and fed into the system.

A sophisticated version of this attack would involve injecting captured video data of the object removal several hours after it actually occurred. The system’s time-stamped video would then provide “evidence” of the object’s removal at a time when the attackers were several hours away, establishing a solid alibi. The recorded video would be properly watermarked by video management software, thus falsely “authenticating” the fact that the attackers “could not have done it.”
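The false time stamp described above arises because the watermark vouches for when data arrived, not when it was captured. The sketch below is an added example, not code from the presentation or from any product mentioned; it assumes frames are authenticated at the camera, and the key, packet layout, skew limit and function names are all hypothetical.

```python
import hmac, hashlib, struct

CAMERA_KEY = b"constructed-demo-key"  # assumption: per-camera secret shared with the recorder
MAX_SKEW = 2.0                        # assumption: tolerated capture-to-receipt delay, seconds

def camera_sign(seq, capture_ts, frame):
    """Camera side: bind the frame bytes to a sequence number and capture time."""
    header = struct.pack(">Qd", seq, capture_ts)          # 16 bytes
    tag = hmac.new(CAMERA_KEY, header + frame, hashlib.sha256).digest()
    return header + tag + frame

def vms_watermark(payload, receipt_ts):
    """Ingest-side stamping as in the text: records arrival time, whatever the payload's age."""
    return {"stamped_at": receipt_ts, "digest": hashlib.sha256(payload).hexdigest()}

class Verifier:
    """Recorder side: check the tag, then sequence order, then freshness."""
    def __init__(self):
        self.last_seq = -1

    def check(self, packet, receipt_ts):
        if len(packet) < 48:
            return "malformed"
        header, tag, frame = packet[:16], packet[16:48], packet[48:]
        expected = hmac.new(CAMERA_KEY, header + frame, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return "bad-tag"
        seq, capture_ts = struct.unpack(">Qd", header)
        if seq <= self.last_seq:
            return "replayed-sequence"
        if abs(receipt_ts - capture_ts) > MAX_SKEW:
            return "stale-capture-time"
        self.last_seq = seq
        return "ok"

def demo():
    """Constructed sample: one live frame, then the same bytes fed in three hours later."""
    v = Verifier()
    live = camera_sign(1, 1000.0, b"frame: object on table")
    later = 1000.0 + 3 * 3600
    results = [v.check(live, 1000.4)]
    wm = vms_watermark(live, later)       # arrival-time stamp is issued without complaint
    results.append(v.check(live, later))  # recorder with state rejects the repeated sequence
    # A recorder that lost its sequence state still rejects on capture-time freshness.
    results.append(Verifier().check(live, later))
    return results, wm["stamped_at"]
```

The check only holds if the camera and its key are trusted and the two clocks are kept in sync.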

You can download the 50-minute video of the presentation from the DEFCON home page (www.defcon.org), under the heading “Advancing Video Application Attacks with Video Interception, Recording, and Replay.”

 

Note that the network researchers subsequently worked closely with the companies involved to eliminate the product vulnerabilities.
