This section talks about the technologies that are commonly deployed to keep intruders out and details the inherent weaknesses of each. Security measures discussed here include the following:
MECHANISMS OF PHYSICAL SECURITY 37
• guards;
• cameras;
• physical access controls.
Once you reach an understanding of what you are up against, it is much easier to demonstrate how this knowledge can be used in the testing process or to strengthen your own security practices.
Badges
Badges are issued to staff during enrollment or given to visitors when they sign in at reception. The purpose of a badge is to identify (and distinguish between) staff and guests and, in theory, to be able to spot an intruder immediately. They take one of the following forms:
• Simple ID Badges– These badges provide basic ID only. They display a photograph and some employee information such as name, department, and position. These passes contain no electronic components or chips.
• Proximity Tokens– Tokens themselves may be blank (see Figure 3.1), in which case staff will have another form of ID. However, ID badges often contain a proximity token.
Figure 3.1 Proximity token.
38 EXECUTING TESTS
A proximity token is designed to open doors when the pass is held close to the reader. They are passive, that is, they have no power source of their own, and only activate when they are in the proximity of the reader (hence the name). Aside from basic security, these devices have two advantages:
• Different levels of access throughout the building may be granted to different staff simply by changing flags in the central database.
• Staff may be monitored so that it is possible to know where they are and (usually more important) where they have been.
Sometimes such devices are intelligent: they don’t enable the same door to be opened in quick succession, to prevent sharing of tokens, but most of the time this is not the case due to various practical problems in implementation.
• Barcode Badges– This is a very simple extension of an ID pass where a bar code is added for access control (see Figure 3.2). Obviously, these are easy to copy. Sites that use such passes are likely to have readers only at the security border because of the inconvenience of physically swiping the pass through an optical reader. However, sensitive areas within the building are likely to be further protected using proximity-coded doors.
Figure 3.2 Barcode badge.
One advantage of this system is that bar codes are quick and cheap to print, making them an ideal solution when a site has many visitors that need to be issued with some form of access control. You will often find them in shared premises, where a central reception issues a barcode badge to access the lifts and individual receptions issue any further passes necessary.
• Temporary or Visitor Passes– When someone visits a site, they are usually issued with a temporary pass. This can fall into any of the previously discussed categories, although it is usually a simple piece of cardboard with a name, company and ‘V’ or ‘Visitor’ written on it. Some companies keep a stash of proximity cards with a predefined level of access suitable to guests. This is necessary on sites that make strong use of proximity technology as the alternative is to have guests escorted everywhere. Which pass is issued may also depend on the level of trust extended by the host company or the level of security clearance held by the visitor. When examining passes, pay close attention to details such as numbers, letters or colors that might identify the level of access granted to the individual. You may also see markings such as ‘Escort Required’ or ‘Unescorted’.
Bypassing Badge Security
In a site that operates badge control as part of their security policy, all employees, contractors, and visitors are required to openly display their badges at all times. Security policy will also state that anyone not wearing a badge should be challenged. In my long experience performing security consultancy on many different sites, only once have I been challenged for not wearing a badge.
When I’m visiting a client and not performing penetration testing i.e. when I have been issued a badge legitimately, I make a point of wearing it inside my jacket or on my belt where it is only partially visible. Some badges are issued on lanyards to be worn around the neck and no one has ever challenged me for having it the wrong way around (lanyards always seem to cause the badge to face the wrong way) so that the details are not visible. This is curious though useful and there are two reasons why it occurs. Staff will assume that if you’re there then you are supposed to be there. The possibility that you’re an intruder is usually the last thing that will enter their mind. People in general are nonconfrontational by nature: most people will do whatever they can to avoid confrontation. If you present yourself as a legitimate employee with all the necessary peripherals (i.e. a crisp suit and laptop, or workman’s overalls and a hard hat) then the only reason that people will suspect you is if you go out of your way to give them a reason.
People will notice that you’re not wearing a badge far more readily than they will notice it’s not quite the right badge. When forging an ID, if you can produce something that will pass muster then you’re more than halfway there. How many times do you look closely at the badges other people wear? During preliminary research, you should have been able to determine, at least roughly, what the target badges look like and therefore what it is you’re going to need to be able to reproduce.
Fabricating Passes
In general, visitor passes are printed card or paper inserted into a plastic pouch, whereas staff badges are made of plastic and inserted into a hard plastic sheath (see Figures 3.1, 3.2). You can easily obtain appropriate holders for passes online, although generally only in bulk. This leaves you with the decision of which route you will take. Visitor passes are easier to forge but a staff pass provides more freedom and encourages fewer questions. With modern image manipulation software and printers, creating fake ID of any kind is quite straightforward (see Figure 3.3). A laminator is also very useful.
Figure 3.3 An ID card can be created in ID Flow.
It’s a good idea to have a contingency plan in case you are stopped and challenged. Prepare some business cards that match up with your pass and bear the right name, company and logo. The company phone number on your business cards should be a direct line to your social engineer, coordinator, or team leader back at HQ. Most laptop bags have a business card holder on the outside so use it; keeping ‘id’ in plain sight like this reinforces your image of credibility as does the carrying of other items such as a business folder embossed with the company logo. If access control is regulated simply through a barcode mechanism, then by all means try to duplicate the barcode or work out the encoding. Barcode encoding, decoding, and printing software is freely available online. Security can certainly be bypassed in this way. Your preliminary research should provide you with the raw material to work with. Sites that use bar codes have readers only prior to entering the core site. If you can bypass that then any old bar code will do as it will, of course, be just for the look of the thing.
Badges that contain electronic means of access control are the hardest to replicate. Because not all forms of proximity technology are equal, it is possible to duplicate badges but it is often prohibitively expensive. Your preliminary research, if well executed, will provide you with information about which vendors the company has used. This enables you to determine if there are any known weaknesses in the technology. For example, consider the token in Figure 3.4.
Figure 3.4 Covert shot of keyring fob.
A quick Google search on ‘keyring proximity’ returns the page shown in Figure 3.5 from the Siemens website (http://buildingtechnologies.siemens.com/products systems/electronic security/access control file/cards and tags folder/proximity.htm). This page tells you the vendor and which readers work with these tokens. It’s a Siemens SiPass proximity key tag (serial number ABR5100-TG) and it works with several readers in the SiPass range (ACS3110, AR633X-CP, AR618X-RX and AR6473-RX). According to the website, these keyring fobs have all the functionality of SiPass proximity cards. A full product brochure is available at http://www.siemens.cz/siemjetstorage/files/32721 BR$SiPass$Standalone$en.pdf. I suggest you read it.
Figure 3.5 Siemens SiPass website.
The system works like this. Each token has an individual numeric ID, which is stored on the fob (it’s also printed on the exterior of the fob). During enrolment, this number is assigned to an individual and their level of access is keyed in to the computer. Another useful thing to note is that it is alarm capable, which means that when the SiPass system detects a fire alarm, for example, it disables the security system and unlocks the doors. Without going into complex card-cloning techniques, you have two avenues of attack already. The first is a social engineering attack against the card database administrator to add the number of a token you own and the second is much more simple – a fire alarm.
Note that Siemens won’t replace lost tokens. It’s necessary to activate a new number and expire the old one. Having a key fob or proximity card identical to those used on site in your possession (even if they’re not activated) will greatly improve your success with tailgating attacks.
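The enrolment-and-expiry model just described, together with the anti-passback behaviour of an “intelligent” door mentioned earlier and the alarm-driven unlock, as an added illustration that is not from the book or from Siemens; the token IDs, door names, access levels and the 30-second window are constructed assumptions:

```python
from dataclasses import dataclass, field

@dataclass
class AccessController:
    doors: dict                                   # door -> minimum access level
    tokens: dict = field(default_factory=dict)    # token id -> (holder, level)
    expired: set = field(default_factory=set)     # lost fobs: numbers never re-issued
    last_use: dict = field(default_factory=dict)  # (token, door) -> last grant time
    log: list = field(default_factory=list)       # audit trail of every decision
    passback_window: int = 30                     # seconds; assumed "intelligent" door
    alarm: bool = False                           # fire alarm releases every door
    def enrol(self, token_id, holder, level):
        """Assign the fob's numeric ID (stored on it and printed on it) to a person."""
        self.tokens[token_id] = (holder, level)
    def replace_lost(self, old_id, new_id):
        """Vendor does not replace tokens: expire the old number, activate a new one."""
        holder, level = self.tokens[old_id]
        self.expired.add(old_id)
        self.enrol(new_id, holder, level)
    def present(self, token_id, door, t):
        """Decide a swipe at time t; returns (granted, reason) and logs it."""
        if self.alarm:                 # alarm-capable: doors unlock, so record who passed
            reason, granted = "alarm", True
        elif token_id in self.expired or token_id not in self.tokens:
            reason, granted = "unknown", False
        elif self.tokens[token_id][1] < self.doors.get(door, 0):
            reason, granted = "level", False
        elif t - self.last_use.get((token_id, door), -10**9) < self.passback_window:
            reason, granted = "passback", False   # same fob, same door, too soon
        else:
            reason, granted = "ok", True
            self.last_use[(token_id, door)] = t
        self.log.append((t, token_id, door, reason))
        return granted, reason

def demo():
    """Walk through the behaviours with constructed sample token IDs."""
    ac = AccessController(doors={"lobby": 1, "server room": 3})
    ac.enrol(5100, "alice", 3)
    ac.enrol(5101, "bob", 1)
    reasons = [ac.present(5100, "server room", 0)[1],    # ok
               ac.present(5100, "server room", 10)[1],   # passback: shared fob
               ac.present(5101, "server room", 20)[1]]   # level too low
    ac.replace_lost(5101, 5102)
    reasons.append(ac.present(5101, "lobby", 40)[1])     # unknown: old number expired
    ac.alarm = True
    reasons.append(ac.present(5101, "server room", 50)[1])  # alarm: door released anyway
    return reasons
```

The audit log is what lets a site reconstruct where a token has been, and an alarm-time entry is the only trace of who walked through a released door.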
Whichever way you choose to go with fake passes, it is most likely that you will have a badge with no electronic components and thus be unable to open proximity locks. In this case, you must resort to some form of social engineering to get others to open doors for you.
Weaknesses of the MIFARE System
This section discusses one form of electronic access control, called MIFARE Classic (or Standard), made by the Dutch semiconductor company NXP (a spin-off from Philips). The card is used for many things, including site security and prepaid access to transit systems worldwide, including the Oyster card system on the London Underground (LU). It was recently demonstrated to have significant weaknesses allowing attackers to clone cards, increase credit, and bypass security.
MIFARE is essentially a memory-storage device that is very cheap to manufacture (hence its popularity). In 2007, two German security researchers, Henryk Plötz and Karsten Nohl, gave a presentation in Berlin that suggested the technology was extremely insecure based on their own partial reverse engineering. This theory was put into practice in 2008 by a research group based at Radboud University in Nijmegen, the Netherlands. They demonstrated it was possible to clone and manipulate the contents of the card. What was of particular concern was that the encryption used by the cards (dubbed Crypto-1) could be broken in about 12 seconds.
NXP took this research seriously and tried (unsuccessfully) to block its publication. Following the publication of this research, documents were leaked from within LU that showed they had been warned in no uncertain terms that MIFARE Classic was not suitable for adoption for the Oyster project and urged adoption of one of their other technologies, but LU decided to go ahead with it anyway. In security, hubris tends to be punished severely. The equipment to clone MIFARE Classic cards is already starting to circulate on the Internet and within the computer underground.