I was in the airport awaiting a flight this week and someone who saw my presentation on a Card Key system hack from a year or two ago stopped to ask if I had created a White Paper to help in securing the systems from P0wnage like I demonstrated with a major vendor.
- Video of the Card Key exploiting a pair of gates
- Paul's Security Weekly Podcast Episode 388
- Original Blog post on the exploit
I told him to check out my blog (this post specifically) and that I would write up something on the vulnerability that is easily exploited on many, if not most, Card Key systems using Lantronix Ethernet adapters. So here it is: what you need to know to assess, and how to protect, your existing Card Key systems' back-end controllers.
First off, newer Card Key system designs are moving away from the Lantronix daughter board concept by building the Ethernet adapter right onto the controller board. This should fix many of the flaws we found and give the vendors more control over what they can code into their solution, but it does not mean that a clear-text authentication flaw cannot exist in a new design; let's hope encryption is on by default in any new design. Hint: if you are evaluating Card Key systems, make encryption on by default a must-have and a no-go decision point. Evaluating the newer designs is a job for another security researcher, or for me when I come across one I have to assess, or one that is given to me ;-)
Internet-based Card Key systems
For Internet-based Card Key systems (like Brivo), where you log in to a web portal to grant or revoke access, the username and password are all that protect you against a break-in from anyone on the Internet, which is the world. So you had better use a very long password and a cryptic username that is not like anything else you use on your corporate network.
A few of the flaws of network-accessible Card Key systems
One flaw with network-based Card Key systems is the ability to open all doors in a maintenance mode. Yes, all your front, side and back doors, not to mention sensitive or secret locations. So your per-user, per-function access control is worthless against the flaw we found, which is why better protection of the Card Key master controller(s) is required.
Another flaw with Card Key systems you might have is that logging is non-existent. I can brute force the system and you would have no idea that I was doing it; they do not have any usable logging or lockout capability after 5, 10 or 10,000 attempts. Keep in mind these systems were designed before they needed network access and the Lantronix daughter board modification. Adding the serial-to-Ethernet board opened up a whole new use, remote administration, without any redesign of the solution. The Internet is littered with these controllers, exposed for remote administration by a management or security company.
A third flaw is that these systems only had unencrypted communication. On the redesigned systems we were provided, encryption was off by default and thus only an option, not to mention off for 15 seconds after a power cycle, which is not hard to cause as these often have no battery backup. When I asked a Card Key system security implementer why they did not set the encryption option, a simple password or phrase to generate a unique key, his answer was "Because no one would remember or know how to find the password"... Grrrrreat!
Secure Option 1 - Network Isolation
Isolating the Card Key system and all the PCs that would access it is an option, but not overly practical for anyone but large organizations with dedicated IT network staff. But here is what to do if this is a viable option for your organization.
Step One - Assess the signature of your Card Key system(s)
Nmap or any other port mapping utility is your friend here. Throw scans at all of your Card Key systems and understand the ports they are using: ports 80, 443, 9999, 10001, etc. These are the ports used by the Windows fat client application to communicate with your Card Key interface. Lantronix systems have an obvious signature once you discover them; record what you have for future reference.
Step Two - Who needs access to add users and from where?
If you have any chance to limit access to the Card Key system over the network, you will need to know which users need access and, specifically, their systems' IP addresses, which will need to be static IPs in order to build ACL rules limiting which systems can even try to gain access to administer the Card Key system. If you can manage to limit whose computer needs to access your Card Key systems, and in what locations, you might have a chance to build some network ACLs that restrict the Card Key system IPs to just the IPs of the workstations with the fat client. This is how you would secure the Card Key systems from a network access control perspective. Though if a malwarian pops one of these approved systems and finds the software... Game over.
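As an added example (not code from the original post), here is a Python script that takes the kind of nmap greppable output Step One produces, picks out hosts showing the adapter signature, and emits the Step Two allow-list rules; the scan output and IP addresses are constructed, and treating ports 9999 and 10001 open together as the signature is an assumption.

```python
import re
from ipaddress import ip_address

# Ports the post says the Windows fat client uses to reach the controller
CONTROLLER_PORTS = {80, 443, 9999, 10001}
# Assumption: both of these open together mark the serial-to-Ethernet adapter
SIGNATURE_PORTS = {9999, 10001}

# Constructed sample of nmap greppable output (nmap -oG), not a real scan
SAMPLE_GNMAP = """\
Host: 10.20.0.15 ()\tPorts: 80/open/tcp//http///, 9999/open/tcp//abyss///, 10001/open/tcp//scp-config///\tIgnored State: closed (997)
Host: 10.20.0.22 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///
Host: 10.20.0.40 ()\tPorts: 9999/open/tcp//abyss///, 10001/open/tcp//scp-config///, 443/open/tcp//https///
"""


def parse_gnmap(text):
    """Return {host: set of open TCP ports} from nmap -oG output."""
    hosts = {}
    for line in text.splitlines():
        m = re.match(r"Host:\s+(\S+).*?Ports:\s+(.*?)(?:\t|$)", line)
        if not m:
            continue
        host, ports_field = m.group(1), m.group(2)
        open_ports = set()
        for entry in ports_field.split(","):
            fields = entry.strip().split("/")  # port/state/proto/owner/service/...
            if len(fields) >= 3 and fields[1] == "open" and fields[2] == "tcp":
                open_ports.add(int(fields[0]))
        hosts[host] = open_ports
    return hosts


def find_controllers(hosts):
    """Hosts whose open ports include the full adapter signature; record these."""
    return sorted(h for h, ports in hosts.items() if SIGNATURE_PORTS <= ports)


def acl_rules(controllers, approved_workstations):
    """iptables-style FORWARD rules: only the approved fat-client workstations
    may reach the controller ports; everything else to the controller is dropped."""
    rules = []
    for ctrl in controllers:
        for ws in approved_workstations:
            ip_address(ws)  # raises on a typo in the static IP list
            for port in sorted(CONTROLLER_PORTS):
                rules.append(f"-A FORWARD -s {ws} -d {ctrl} -p tcp --dport {port} -j ACCEPT")
        rules.append(f"-A FORWARD -d {ctrl} -j DROP")
    return rules


if __name__ == "__main__":
    found = find_controllers(parse_gnmap(SAMPLE_GNMAP))
    print("\n".join(acl_rules(found, ["10.20.1.5"])))
```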
Keep in mind if I can find your Card Key system on your network, it IS game over or more appropriately Doors Open, and all of them, not just one.
Secure Option 2 - Consider a replacement or upgrade
Once we reported the flaw to the vendor we tested, they graciously provided an updated system after they addressed the couple of issues they were able to, but Lantronix did not change a thing. This means the best way to address this vulnerability is to replace all your Card Key systems. I know this is a bad option since roughly 10,000+ Lantronix controllers are shipped each month... Yup.... Major bummer for users of this legacy design.
Secure Option 3 - Isolate the Card Key system to a single PC (my highest recommendation)
Ironically, the reason the Lantronix serial-to-Ethernet daughter board was created was to move away from the limitation of one PC serially connected to the Card Key device, so that any user on the network could manage user access from any location or, worse... over the Internet in the clear. Yup, you heard me: clear-text auth!
This option would still allow you some flexibility in that you could locate the dedicated PC in any server room or closet with your other phone gear and use patch cables to connect directly to the PC via a hub or a crossover cable. Using a second network card you could then connect the PC to the open network. If I were to scan your network for the Lantronix signature, I would not find any, just the Windows PC it was connected to, with no way to know that it had a Card Key system attached. This security option lets you remote into the PC using basic Windows remote utilities (RDP, VNC, or whatever you fancy for remote control) from anywhere on the network and yes, if you use a secure remote control option, even over the Internet.
So there you have it, the basic ways to secure the Card Key systems controlling your door access. Check out what JGor (@Indiecom) has done with some nifty card cloning P0wnage. You might want to understand how that works as well, but it is a different problem: it affects a specific user's card and the access of that card, unlike opening all the doors of a building.