Sep 18, 2023
Our village got shut down at DEF CON!

Fetti Depth
DEF CON 31 was bananas. Allthenticate set up shop in the Physical Security Village with some fresh demos capturing the thrill of exploiting RFID's weakest points to break into a maximum-security facility (represented by an unassuming and cute ASCII door that opens upon success).

Participants had the chance to take part in a fun workshop that focused on the exploration of different techniques for cloning and duplicating MIFARE Classic cards and key fobs. The workshop utilized portable Flipper Zeros and other advanced RFID writing tools and was conducted at a rapid pace on a table in the Physical Security Village amidst the buzz of hackers. It was a hands-on experience that allowed attendees to learn and practice these methods.
Although we don't want to criticize the industry standard access-control security measures, the fact that over 100 people were able to break in within 5 minutes indicates that there may be some shortcomings. (Okay, I'll criticize: many of the industry standard access-control security measures could use improvement.)

On the last day of DEF CON, right before Chad Spensky was about to deliver his final talk to the crowded audience, some chaos unfolded. The village was shut down! It turns out you need a license to implant chips into people, much to the chagrin of another guest and his practice.
One of the most thrilling talks at DEF CON was presented by Dan Petro and David Vargas, researchers at Bishop Fox, who revealed significant vulnerabilities in OSDP.
OSDP is a new protocol that has been created to replace the older and more vulnerable Wiegand protocol. OSDP includes Secure Channel, which encrypts all the communications between access control devices.
However, researchers have discovered several vulnerabilities in OSDP Secure Channel that allow attackers to bypass the encryption and access sensitive data.
Some of the vulnerabilities in question:
- The SCBK, or Secure Channel Base Key, is transmitted in plaintext when a new device joins the network.
- Devices can advertise as OSDP-compliant even if they do not support Secure Channel encryption.
- An attacker can downgrade the Secure Channel from its initial encryption configuration to an unencrypted mode.
- The master encryption key is not generated securely by default and can be easily guessed by attackers.
- An attacker can exploit the install mode to obtain the encryption key.
- Weak keys can be used in OSDP implementations.
- There is no secure in-band mechanism for key exchange in OSDP.
These vulnerabilities make OSDP Secure Channel effectively broken, and it is not recommended for use in secure environments. Just in case that hasn't been made abundantly clear.
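As an added example (not code from Bishop Fox or Allthenticate), here is a passive audit over captured OSDP frames that flags three of the weaknesses listed above: a handshake that selects the default key, a key set sent unencrypted, and a drop back to plaintext. The function names and sample frames are constructed, and the frame constants are assumptions based on the public OSDP frame layout that should be checked against the spec revision in use.

```python
import struct

SOM, CTRL_SCB, CMD_KEYSET = 0x53, 0x08, 0x75  # start byte, CTRL bit 3, osdp_KEYSET
SCS_11, SCS_SESSION, SCS_ENCRYPTED = 0x11, {0x15, 0x16, 0x17, 0x18}, {0x17, 0x18}

def build(addr, ctrl, body):
    """Constructed test frame with a one-byte checksum trailer (CTRL bit 2 clear)."""
    pkt = bytes([SOM, addr]) + struct.pack("<H", 6 + len(body)) + bytes([ctrl]) + body
    return pkt + bytes([-sum(pkt) & 0xFF])

def parse(frame):
    """Return (address, is_reply, security block bytes or None, command code)."""
    if len(frame) < 7 or frame[0] != SOM:
        raise ValueError("not an OSDP frame")
    if struct.unpack_from("<H", frame, 2)[0] != len(frame) or sum(frame) & 0xFF:
        raise ValueError("bad length or checksum")
    pos, scb = 5, None
    if frame[4] & CTRL_SCB:  # SEC_BLK_LEN (counts itself), SEC_BLK_TYPE, data
        pos = 5 + frame[5]
        if frame[5] < 2 or pos >= len(frame) - 1:
            raise ValueError("bad security control block")
        scb = frame[6:pos]
    return frame[1] & 0x7F, bool(frame[1] & 0x80), scb, frame[pos]

def audit(frames):
    """Return (frame index, finding) pairs for the weaknesses listed above."""
    findings, secured = [], set()
    for i, raw in enumerate(frames):
        addr, reply, scb, code = parse(raw)
        scs = scb[0] if scb else None
        if scs == SCS_11 and scb[1:2] == b"\x00":
            findings.append((i, f"PD {addr}: handshake selects default key SCBK-D"))
        if scs in SCS_SESSION:
            secured.add(addr)
        elif scs is None and addr in secured:
            findings.append((i, f"PD {addr}: plaintext frame after secure session"))
        if not reply and code == CMD_KEYSET and scs not in SCS_ENCRYPTED:
            findings.append((i, f"PD {addr}: osdp_KEYSET not encrypted"))
    return findings

SAMPLE = [  # constructed frames; key, nonce, ciphertext and MAC bytes are filler
    build(1, 0x08, bytes([3, 0x11, 0x00, 0x76]) + bytes(8)),        # CHLNG, SCBK-D
    build(1, 0x09, bytes([2, 0x17, 0x75]) + bytes(32) + bytes(4)),  # encrypted KEYSET
    build(1, 0x02, bytes([0x60])),                                  # plaintext POLL
    build(2, 0x01, bytes([0x75, 0x01, 0x10]) + bytes(16)),          # plaintext KEYSET
]

if __name__ == "__main__":
    for idx, msg in audit(SAMPLE):
        print(idx, msg)
```

The plaintext-after-session check is a heuristic: a legitimate session restart will also trip it, so treat a hit as a prompt to look at the reader and panel logs rather than as proof of tampering.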
The vulnerabilities were discovered by researchers who developed a device called Mellon, which could be used to access control systems.

Mellon is a discrete device that can be inserted into the wiring between an access control device and the control panel. Once in place, Mellon can intercept all communications between the devices, including sensitive data such as the SCBK.
They strongly advise organizations to refrain from deploying OSDP Secure Channel until the vulnerabilities are addressed. Additionally, they suggest that organizations consider using alternative, more secure protocols for access control, such as TLS or IPsec.
You can read more in their brilliant blog post breaking it all down.
In other exciting news, we at Allthenticate are thrilled about the upcoming release of our new access-control panel, ALL IN.
More detail to come shortly, but rest assured, it's the sleekest product we've concocted yet. Stay tuned and be sure to keep up with us via LinkedIn or even email if you just want to chat.