Simple hack unlocks card-protected doors

At the Defcon security conference in Las Vegas, a hacker and Defcon staffer who goes by the name Zac Franken demonstrated how a small home-made device he calls Gecko can perform a classic man-in-the-middle attack on the type of access card readers used at office doors around the country. Gecko is simply a small, programmable PIC chip with a wire connector on either side. Once it's connected to the wires behind the card reader, it's trivial to use a 'replay' card to get through the door, and you can also disable the system so that nobody else can come in behind you.

What's more, making a Gecko is easy and cheap. Franken says the hardware costs about US$10.

According to Franken, the hack subverts the Wiegand protocol, commonly used for communication between the card reader and the back-end access control system, and doesn't take direct advantage of any problems with any of the hardware involved. When you swipe your card at the office, the reader very likely sends a signal using the Wiegand protocol to the control system, which then opens the doors.

"The problem is, this is what we call a plain-text protocol," Franken says. "There's nothing secure about it."
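To make the "plain-text" point concrete, here is an added example (not code from the article or from Franken's device) of everything a controller can check on a frame, next to a hardened link that can tell a fresh read from a repeated one. It assumes the common 26-bit Wiegand layout, which the article does not specify; `AuthenticatedLink`, the key and the credential values are hypothetical and constructed for illustration.

```python
import hashlib
import hmac

def encode26(facility: int, card: int) -> str:
    """Constructed sample data: the 26-bit frame a reader would emit."""
    data = f"{facility:08b}{card:016b}"
    even = data[:12].count("1") % 2        # leading bit: even parity over first 13 bits
    odd = 1 - data[12:].count("1") % 2     # trailing bit: odd parity over last 13 bits
    return f"{even}{data}{odd}"

def decode26(bits: str):
    """Everything a controller can check: length and two parity bits."""
    if len(bits) != 26 or set(bits) - {"0", "1"}:
        return None
    if bits[:13].count("1") % 2 != 0 or bits[13:].count("1") % 2 != 1:
        return None
    return int(bits[1:9], 2), int(bits[9:25], 2)   # (facility code, card number)

class AuthenticatedLink:
    """Hypothetical hardened link (not Wiegand): per-read counter plus HMAC tag."""
    def __init__(self, key: bytes):
        self.key, self.last_counter = key, -1

    def tag(self, bits: str, counter: int) -> bytes:
        return hmac.new(self.key, f"{counter}:{bits}".encode(), hashlib.sha256).digest()

    def accept(self, bits: str, counter: int, tag: bytes):
        if counter <= self.last_counter:           # stale counter: a repeated message
            return None
        if not hmac.compare_digest(tag, self.tag(bits, counter)):
            return None                            # tag not made with the shared key
        self.last_counter = counter
        return decode26(bits)

def demo():
    frame = encode26(facility=17, card=4242)       # constructed credential
    plain = [decode26(frame), decode26(frame)]     # fresh read, then identical copy
    link = AuthenticatedLink(b"constructed-demo-key")
    t = link.tag(frame, 0)
    hardened = [link.accept(frame, 0, t), link.accept(frame, 0, t)]
    return plain, hardened

if __name__ == "__main__":
    print(demo())
```

The plain frame carries only a static identifier and parity, so both reads decode identically; the hardened link returns the credential once and rejects the repeat.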

For many card readers, getting Gecko in place is just a matter of popping off the reader's cover with a knife or screwdriver and undoing two screws, he says. That provides access to the wires that carry the signal from the reader to the control system.

In a real-world situation you'd quickly cut the wires and insert one cut end into one side of the Gecko, and the other cut end into the Gecko's other side. In Franken's demonstration he used pre-made connectors so he could easily disconnect and reconnect the device. When you put the reader's cover back, the Gecko would be hidden behind it.

The card reader also continues to work fine with the Gecko attached. It passes along the signal from the reader to the control system as it's supposed to. But when someone swipes an authorised card that unlocks the door, Gecko saves that signal.

With that saved unlock signal, the attacker can swipe a 'replay' card that tells Gecko to re-send that saved signal, and the doors unlock. What's more, any saved access logs would only show that the same person who originally swiped the saved signal swiped his card again.

The replay card isn't anything special, and could be any card. It's just one that Gecko knows about beforehand. When it sees that card's code – because the card reader passes it along – Gecko knows to send its saved signal in response.

The device also knows to look out for another card code – again, just a regular card – and in that case, disable the system. Only the recognised replay card can unlock the door. Every other card, authorised or not, will fail.

With nobody else able to use that door, an invader would have plenty of time to steal data or work his mischief. Other, non-Gecko modified doors would continue to work, though. And the attacker can re-enable the system and turn everything back to normal by swiping a third 'enable' card.

Franken says you wouldn't need to add the device right behind the card reader. If you knew where the wires went through a wall panel or anywhere else in the building, you could splice it in there.
