Breaking & Entering with SDR
Physical Access Control Systems or Wiegand Over VHF/UHF
Disclaimer
This information is freely provided and no warranty is provided. While this information is free and available, your actions can have consequences.
Do not break the law. It is illegal to transmit RF on the ranges discussed, without a license.
It is illegal to trespass, or otherwise gain unauthorized entry. Be kind! I am not responsible for your actions.
Basics of SDR
Next Level Mess
Closing Statements
- Key-fob Cloning
- Permanent Open-Lock
- Forced Close-Lock (Jamming)
- "God Codes"
- 0000000000000000 ?
- Application Bugs
Remediation steps:
- New key-fob system?
- Rotating keys
- Awareness!
GNURadio Modulation
Questions?
Tim Shelton - redsand redsand@redsand.net
@redsandbl4ck
Limitations of Writes
- Expectations?
- Security?
- Privacy?
- Vendor suggestion - unique facility code per user.
Initial Assessment
- Vulnerability - Replay Attack!
- Tell me why?
Attack vectors increase with data control
Let's keep hunting!
- 5 messages per second limitation
- Multiple sends needed to verify message received
- 1-2 tries per second.
- Wiegand-33 keyspace: 24 bits
- 16,777,215 unique values
- Never seen a keyfob in the wild < 600k or > ~1.4M
- Facility code is consistent
- 1 code per key-fob button
- card # and facility are different for each button
Add'l reading: gracefulsecurity.com/keyfob-cloning
Problem and Impact
Modulation - Write Control
- Affects remote transmitters allowing physical building access.
- Often doubles as the garage and common-space access control.
- We have:
- facility codes and
- matching card numbers
- We want:
- to test if they work
- enumerate new codes
- Why is this useful?
- Commercial businesses with common space
- Apartment complexes (a lot of them)
- The problem affects both domestic and international sites.
RF Demodulation
Pulse Position Modulation
Courtesy of tutorialspoint.com
Pulse Width (update)
- Monarch - 12.0
- Other values out there but need discovering
- The width value is expected to err lower rather than higher
- The actual pulse width may be wider
Courtesy of tutorialspoint.com
GNURadio Demodulator
- Phase-shift keying (PSK)
- Frequency-shift keying (FSK)
- Amplitude-shift keying (ASK)
- On-off keying (OOK), the most common form of ASK
- Quadrature amplitude modulation (PSK + ASK)
- Continuous phase modulation (CPM)
- and many more...
Wiegand 26, 30, 32, 33, 36, etc.
- Facility Code (1 byte usually 0-255)
- Card Number (24, 32 bits, etc.)
- Reference RFID, et al.
Bitstream: 000100001101111101010000000001011
[33]: Code: 0x21bea00b Facility: 16 CardId: 14635013 (parity success)
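Decoding the captured word above, as an added example (not code from the talk): the bit layout is inferred from the slide's own decode (8-bit facility, 24-bit card number, trailing parity bit), and the parity rule is an assumption, odd parity over the whole word, chosen because it reproduces the slide's "parity success" result. The triage helper and its findings are hypothetical additions for reviewing captured frames.

```python
# Added example: decode a captured Wiegand-33 word (not code from the talk).
# Layout inferred from the slide's decode (facility 16, card 14635013):
#   bits 0-7   facility code (8 bits)
#   bits 8-31  card number   (24 bits)
#   bit  32    parity bit; assumed to be odd parity over the whole 33-bit word,
#              which matches the slide's "parity success" for this frame.

FACILITY_BITS = 8
CARD_BITS = 24
WORD_BITS = FACILITY_BITS + CARD_BITS + 1  # 33


def decode_wiegand33(bits: str) -> dict:
    """Split a 33-character '0'/'1' string into facility, card id and parity status."""
    if len(bits) != WORD_BITS or set(bits) - {"0", "1"}:
        raise ValueError("expected a 33-bit binary string")
    word = int(bits, 2)
    facility = int(bits[:FACILITY_BITS], 2)
    card = int(bits[FACILITY_BITS:FACILITY_BITS + CARD_BITS], 2)
    # Odd parity (assumption): the number of set bits in all 33 bits must be odd.
    parity_ok = bits.count("1") % 2 == 1
    return {"code": word, "facility": facility, "card": card, "parity_ok": parity_ok}


def triage(bits: str) -> list:
    """Hypothetical defender-side check: reasons a captured frame looks suspicious.

    An empty list means nothing was flagged. Parity failures point at a corrupted
    capture or at enumeration traffic; an all-zero word is the '0000...' probe
    the talk lists under "God Codes".
    """
    d = decode_wiegand33(bits)
    findings = []
    if not d["parity_ok"]:
        findings.append("parity failure")
    if d["code"] == 0:
        findings.append("all-zero word")
    return findings


if __name__ == "__main__":
    frame = "000100001101111101010000000001011"  # bitstream from the slide
    d = decode_wiegand33(frame)
    print(f"Code: {d['code']:#010x} Facility: {d['facility']} CardId: {d['card']} "
          f"(parity {'success' if d['parity_ok'] else 'FAIL'})")
    print(triage(frame) or "no findings")
```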
Oh, and also Differential Pulse Position Modulation
Market Impact
DFW: 70% of polled infosec participants who live in an apartment complex are affected by this attack.
Help me measure broader risk and exposure.