At the Defcon security conference in Las Vegas a hacker and Defcon staffer who goes by the name Zac Franken demonstratede how a small home-made device he calls Gecko can perform a classic man-in-the-middle attack on the type of access card readers used at office doors around the country. Gecko is simply a small, programmable PIC chip with a wire connector on either side. Once it's connected to the wires behind the card reader, it's not only trivial to use a 'Replay' card to get through the door. You can also disable the system so that nobody else can come in behind you.
What's more, making a Gecko is easy and cheap. Franken says the hardware costs about US$10.
According to Franken, the hack subverts the Wiegand protocol, commonly used for communication between the card reader and the back-end access control system, and doesn't take direct advantage of any problems with any of the hardware involved. When you swipe your card at the office, the reader very likely sends a signal using the Wiegand protocol to the control system, when then opens the doors.
"The problem is, this is what we call a plain-text protocol," Franken says. "There's nothing secure about it."
For many card readers, getting Gecko in place is just a matter of popping off the reader's cover with a knife or screwdriver and undoing two screws, he says. That provides access to the wires that carry the signal from the reader to the control system.
In a real-world situation you'd quickly cut the wires and insert one cut end into one side of the Gecko, and the other cut end into the Gecko's other side. In Franken's demonstration he used pre-made connectors so he could easily disconnect and reconnect the device. When you put the reader's cover back, the Gecko would be hidden behind it.
The card reader also continues to work fine with the Gecko attached. It passes along the signal from the reader to the control system as it's supposed to. But when someone swipes an authorised card that unlocks the door, Gecko saves that signal.
With that saved unlock signal, the attacker can swipe a 'replay' card that tells Gecko to re-send that saved signal, and the doors unlock. What's more, any saved access logs would only show that the same person who originally swiped the saved signal swiped his card again.
The replay card isn't anything special, and could be any card. It's just one that Gecko knows about beforehand. When it sees that card's code – because the card reader passes it along – Gecko knows to send its saved signal in response.
The device also knows to look out for another card code – again, just a regular card – and in that case, disable the system. Only the recognised replay card can unlock the door. Every other card, authorised or not, will fail.
With nobody else able to use that door, an invader would have plenty of time to steal data or work his mischief. Other, non-Gecko modified doors would continue to work, though. And the attacker can re-enable the system and turn everything back to normal by swiping a third 'enable' card.
Franken says you wouldn't need to add the device right behind the card reader. If you knew where the wires went through a wall panel or anywhere else in the building, you could splice it in there.