Information security is not complete without securing physical access to information resources. Physical break-ins into locations that contain information system components have historically been viewed as traditional property crimes where trespass, theft, and vandalism were the motives. Physical security includes more than stopping human intruders and these controls are more than ever reliant on computing devices and connect to information systems. This posting is to bring attention that protecting the asset is more than logical but a defense-in-depth strategy to minimize the impact of a threat by protecting the physical controls.
On April 4, 2016, it was reported that there was a devastating vulnerability in doors at airports and hospitals through hacking or jamming methods from remote computers over the Internet. The vulnerabilities affect HID's flagship VertX and Edge controllers. The attack only requires a command injection to send a few UDP packets to vulnerable LED blinking lights service. This attack does not require any authentication. The command injection vulnerability exists in this function due to a lack of any sanitization on the user-supplied input that is fed to the system. Instead of a number of times to blink the LED, a Linux command wrapped in backticks, like `id` will get executed by the Linux shell on the device. Furthermore, the discovery service runs as root, so every command sent will be run as root, thus giving the attacker complete control over the device (Pauli, 2016).
In a separate article, hackers demonstrated how to gain access to offices through clone access cards from components purchasing from Amazon and eBay worth $700. The test was conducted on a power company. The researcher pretended to visit the company by posing as a student who requested a tour. The researcher was carrying a laptop which was capable of intercepting unencrypted communication (RFID badge reader) between an employee access card and the access control systems used to open/close doors. The attacker then can write the data captured on a fake employee badge (Paganini, 2016).
For more information on RFID hacking tools with videos then go to
http://www.bishopfox.com/resources/tools/rfid-hacking/attack-tools/ and http://hackaday.com/2013/11/03/rfid-reader-snoops-cards-from-3-feet-away/.
References:
Pauli, D. (2016, April 4). 'Devastating' bug pops secure doors at airports, hospitals. Retrieved May 21, 2016, from http://www.theregister.co.uk/2016/04/04/devastating_bug_pops_secure_doors_at_airports_hospitals/?utm_medium=email
Paganini, P. (2016). Hackers can break into a facility by spending $700 on Amazon or eBay. Retrieved May 21, 2016, from http://securityaffairs.co/wordpress/47125/hacking/rfid-access-card-hack.html?utm_medium=email
No comments:
Post a Comment