Understanding Access Control Attacks
Discover the weaknesses in access-control systems and find out how to protect yourself
Anatomy of an Access Control System
What is an Access Control System?
Access control systems are essential for managing who can enter specific areas within a facility. They are critical for ensuring security in environments ranging from corporate offices to government installations.
Key Components:
External "Readers"
Read access credentials from key cards or fobs locally and then relay the read information (typically a number) to the controller
Internal "Controllers"
Receive card numbers and ultimately make the yes-or-no decision to trigger the relay, which will unlock the door. These are typically expensive and only support four doors or fewer
Credentials
Items used by individuals to verify their identity: just a simple number on legacy systems and a cryptographic key on modern systems
Cloud Infrastructure
Software and servers that manage access data, policies, and logs. Some even permit remote unlocking and locking
Magnetic Lock (Maglock)
A lock that uses an electromagnet to hold the door "locked." However, if the power goes out, these are programmed to fail-safe, or "unlocked" for the layperson
Electric Strike
A solenoid-powered strike that will "unlock" when power is applied. Unlike the maglock, these are fail-secure when the power is off and do not require exit buttons or motion sensors
Exit Button
Because maglocks will hold the door shut when powered, buttons are required on the interior to let people escape in emergencies
Motion Detector
Similarly, for maglocks that hold the door locked when powered, motion sensors let people exit the building without much hassle
Motion detectors use infrared, microwave, or ultrasonic waves to detect movement and trigger actions like opening doors or sounding alarms. They can be exploited by actions like vaping, which is mitigated by additional verification methods and sensor adjustments
Wiegand Protocol
The most popular communication standard for data transmission between card readers and controllers. It uses pulses to transmit binary data in clear text, so it is unencrypted and therefore vulnerable to man-in-the-middle (MitM) attacks. This can be mitigated by transitioning to secure protocols like OSDP
Open Supervised Device Protocol (OSDP)
The OSDP protocol was meant to enhance security and interoperability in access control systems through bi-directional communication and encryption, allowing secure data exchange and better device monitoring, though it can still be exploited if encryption keys are compromised
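As an added illustration of the Wiegand entry above (not code from Allthenticate), the Python sketch below handles a Wiegand frame from the controller's point of view. The common 26-bit layout, the function names, and the sample facility code and card number are assumptions constructed for the example; it shows that the parity bits catch line noise, while nothing in the frame lets a controller tell a fresh read from the same bits presented again.

```python
# Added example (not vendor code). Assumed layout of the common 26-bit frame:
#   bit 1      even parity over bits 2-13
#   bits 2-9   facility code (8 bits)
#   bits 10-25 card number (16 bits)
#   bit 26     odd parity over bits 14-25

def encode_wiegand26(facility: int, card: int) -> str:
    """Build a constructed sample frame as a string of '0'/'1'."""
    if not (0 <= facility < 2**8 and 0 <= card < 2**16):
        raise ValueError("facility must fit in 8 bits, card in 16 bits")
    data = f"{facility:08b}{card:016b}"
    even = str(data[:12].count("1") % 2)        # first 13 bits end up even
    odd = str((data[12:].count("1") + 1) % 2)   # last 13 bits end up odd
    return even + data + odd

def decode_wiegand26(bits: str) -> dict:
    """Check both parity bits, then extract the fields the controller uses."""
    if len(bits) != 26 or set(bits) - {"0", "1"}:
        raise ValueError("expected exactly 26 bits")
    if bits[:13].count("1") % 2 != 0:
        raise ValueError("even parity check failed")
    if bits[13:].count("1") % 2 != 1:
        raise ValueError("odd parity check failed")
    return {"facility": int(bits[1:9], 2), "card": int(bits[9:25], 2)}

def controller_decision(bits: str, allowed: set) -> bool:
    """Legacy decision: parity is valid and (facility, card) is allowlisted."""
    try:
        cred = decode_wiegand26(bits)
    except ValueError:
        return False
    return (cred["facility"], cred["card"]) in allowed

def flip_bit(bits: str, index: int) -> str:
    """Simulate line noise by inverting one bit."""
    return bits[:index] + ("1" if bits[index] == "0" else "0") + bits[index + 1:]

if __name__ == "__main__":
    allowed = {(42, 12345)}                      # constructed allowlist
    frame = encode_wiegand26(42, 12345)          # constructed sample read
    print(decode_wiegand26(frame))
    print("first read:     ", controller_decision(frame, allowed))
    print("same bits again:", controller_decision(frame, allowed))
    print("noisy frame:    ", controller_decision(flip_bit(frame, 4), allowed))
```

The frame carries no counter, nonce, or message authentication code, so the second presentation is accepted exactly like the first; that gap is what the encrypted, bi-directional OSDP link is meant to close.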
Known Exploits and Vulnerabilities in Access Control Systems
Disclaimer: The information provided in this article is for educational and informational purposes only. Allthenticate is committed to enhancing security awareness and readiness in the cybersecurity community. This content is intended to be used responsibly and ethically by security professionals, researchers, and organizations to improve their defensive capabilities.
Man-in-the-Middle (MitM)
Wires and other connections between the reader and controller are susceptible to physical implants that can intercept and manipulate data, including stealing and replaying employee credentials.
Card Cloning
Cards with no encryption or broken encryption schemes can be trivially cloned by walking near an employee and wirelessly reading their badge.
Physical Bypass
Mechanical means like using smoke to trip the motion sensor, a wire to hit the exit button, or a lockpick can be used to bypass the system entirely. We recommend checking out the courses at Red Team Alliance if you're interested in learning more.
Current Vulnerabilities
Technologies that are known to be broken
CARD TYPE
VULNERABILITY
Tools to Exploit
Weak Encryption
Flipper Zero, Proxmark
Downgrade & Relay Attack
Weak Encryption
Flipper Zero, MFOC, MFUK
Almost All Cards
Relay Attack
Proxmark
WIRE PROTOCOL
VULNERABILITY
Tools to Exploit
Better Technology
TECHNOLOGY
WHY WE LIKE IT
Mifare DESfire EV2 & EV3
Resistant to cloning, tampering, and relay attacks
PIV Credentials
Proper private/public keys; resistant to known attacks
Mobile Credentials
Convenient, secure, can leverage biometrics and PIN on smartphone
Why Allthenticate is Secure by Design
Before writing a line of code, we analyzed and actively exploited all of the aforementioned vulnerabilities and specifically designed our patented architecture to be resistant to all of them.
Our ALL-IN reader/controller is installed on the secure side of the building as a single unit, leaving no reader or wires exposed to a Man-in-the-Middle (MitM) attack.
Your private keys are stored in the Secure Element (SE) on the phone — the same technology in DoD-grade smartcards. Bluetooth connections reduce friction while maintaining best-in-class security. Additionally, TrustZone and biometrics are leveraged to prevent relay attacks, software exploits, physical tampering, and device theft.
We know how hackers think because we are hackers
Find us at the Physical Security Village at DEFCON or HOU.SEC.CON and we'll show you how these attacks work
Want to defend yourself from all of them?
Sign up for Allthenticate
Ready to get Allthenticated?
We are confident that we've built the best authentication solution. We'd love the opportunity to show you why we are so excited.
808 Travis St, Houston TX 77002
(281) 971-0773