Hack Chat Transcript, Part 2

A event log for Physical Security Hack Chat

Deviant Ollam will let himself in

Dan Maloney 06/03/2020 at 20:04

Deviant Ollam12:26 PM

when i say "any one" i mean any super clear one

anfractuosity12:27 PM
silly question, do you ever use a stethoscope ?

Deviant Ollam12:27 PM
@anfractuosity something similar! i use an audio pickup amp at times

anfractuosity12:27 PM
ooh, cool i wasn't sure if they were really used

anfractuosity12:28 PM
i saw some safe locks which claim to be resistant against x-ray which sounds interesting i thought

Deviant Ollam12:28 PM
think of it as a stethoscope but it mag-mounts to the safe door. and it's not like a little cup on the end... it has a metal probe that hears vibrations within the safe. (and you're mostly hearing contact points where the nose interacts with the drive cam, as opposed to hearing the "wheels" as it were)

oz12:28 PM
I'd buy safe cracking 101 if I could. I have a couple of tell coin safes I'd like to open and put to use.

anfractuosity12:29 PM
neat @Deviant Ollam :)

Douglas Henke12:29 PM
Do you have any tools that caused a "where has this been all my life?" moment? (For me, the recent answers are Knipex cutters and step drills.)

Deviant Ollam12:29 PM
@anfractuosity Grade 1R safes, yes. "resistant to Radiographic attack" ... often Delrin plastic wheels. they have other vulnerabilities

Tametomo12:29 PM
Safe against x-rays could just mean they're lead lined.

Deviant Ollam12:29 PM
@Douglas Henke the A-1 pak-a-punch and the new Lishi 2-in-1 decoder picks

anfractuosity12:29 PM
@Deviant Ollam heh neat, could you expand on other vulnerabilities, if you can

Deviant Ollam12:29 PM
@Tametomo shielding became a ladders-and-walls game during the cold war. new materials, like polymer wheels, were the solution

Deviant Ollam12:30 PM
@anfractuosity you can melt the wheels... enough heat or even acid injected in the right spot, and the wheels just fall apart, lol

anfractuosity12:30 PM
haha wow

anfractuosity12:30 PM
that's very cool

oz12:31 PM
Aren't most modern containers electronic locks?

thomas.august12:31 PM
@Deviant Ollam Can you point me to any case studies or news articles where poor physical security practices have directly led to thefts or data breaches? I know it's implied, but sometimes it's good to have independent sources to show that not focusing on this stuff has real consequences.

Eric12:31 PM
Get the safe too hot and the fusible link goes and triggers relockers and no one is opening that safe!

thomas.august12:32 PM
Management folks are not always the most tech savvy

Deviant Ollam12:32 PM
@oz i would say that most modern "building security solutions" are moving to electronic. and electronic locks are making in-roads even in residential spaces, yes. but mechanical locks will still be with us for quite a while

Deviant Ollam12:32 PM
@thomas.august most stories like that are ones that entail stolen laptops or other endpoints

Eric12:32 PM
To anyone who thinks they might try drilling a quality safe, watch out for tempered glass between the door and the lock. Break it and relockers trigger.

Deviant Ollam12:33 PM
@Eric yes, it's a delicate balance, that kind of attack

Tametomo12:33 PM
The security industry isn't often what outsiders think it is. You have to deal with risk bars, which are just a way of saying "will the solution cost more than the potential problem"? So depending who does the calculations, something can either be critical to fix, or something just worth ignoring.

pop1312:33 PM
Do you think that electronic systems have a higher barrier to entry for the common criminal?

Here's a question: do electronic safes have built-in back doors, like service technician codes so they can get in no matter what the owner does?

oz12:34 PM
@Deviant Ollam I was thinking of modern classified document storage containers. I thought that mechanical locks could not meet the requirements.

Eric12:34 PM
Really really really old safes had explosives loaded in them. Watch out.

Deviant Ollam12:34 PM
here's another interesting kind of auto lock with a specialized entry pick tool...

Deviant Ollam12:34 PM
@oz this is correct as of FF-L-2740

Nicolas Tremblay12:35 PM

Tametomo12:35 PM
I get clients all the time trying to come up with the dumbest ways to explain away why they can safely ignore something, or try to fault the method in which the vulnerability was found. Until a company gets seriously bitten, security is something often seen as something which can be argued away.

Nicolas Tremblay12:35 PM
Any experience with those?

Deviant Ollam12:35 PM
@oz all modern containers for C, S, or TS materials must support "true" million combinations and auditing capability so for those reasons alone, effectively electro-mechanical locks are the only ones allowed on GSA containers now, etc

Deviant Ollam12:36 PM
@Nicolas Tremblay that looks like a kind of clone of the Mul-T-Lock MT5

Scott H12:36 PM
Dev - when we get back to in-person CONs, what are you most interested to talk about?

Deviant Ollam12:36 PM
(but a cheaper clone... without the interactive element on the key tip)

Eric12:36 PM
I'd say the electronic physical locking systems can be more secure when installed properly. But all too often, it's low bidders and low skill hacking the thing into a working state. Not bothering to connect tamper switches to 24hr alarm zones, drilling incorrectly, skipping 'unneeded' connections.

Nicolas Tremblay12:36 PM
Chinese Euro-lock

oz12:37 PM
I wonder how much those requirements contribute to real security. It's finite, but I wonder what the real contribution is vs how much is "fighting the last war"

Deviant Ollam12:38 PM
@Scott H that's a good question, hah. i am not sure right now. we've had some good RFID content for a while that we'll release eventually

Scott H12:39 PM
RFID as in hacking entry locks? Or ???

Tametomo12:39 PM
@eric Yeah, things are often about trying to save a few dollars here or there. Tends to take a major security event and a culture change to get a company to care about actual security. Until then, it's basically about trying to justify doing nothing or as little as possible.

Deviant Ollam12:39 PM
Cooper (From Dangerous Things), Max (from TOOOL), and I have an implantable RFID talk

Deviant Ollam12:39 PM
but my team is also doing things in the entry space a great deal, too

Tametomo12:40 PM
Always more fun to deal with clients who understand the value of the service being provided, rather than seeing it as a necessary regulation hurdle that needs to be muffled as much as possible.

tonkas64 joined the room.12:40 PM

tonkas6412:41 PM
@Deviant Ollam is there a good guide to getting started with RFID?

Deviant Ollam12:41 PM
@Tametomo most definitely

Deviant Ollam12:42 PM
@tonkas64 i'd sound self-serving if i said "Red Team Alliance has a terrific 2-day Access Control training" =)

tonkas6412:42 PM
@Deviant Ollam ;-) do you run them in the UK?

pop1312:42 PM
Is it just me, but I find HF RFID very confusing

pop1312:43 PM
There is NFC, mifare, the stuff credit cards use

Deviant Ollam12:43 PM
i have a venn diagram or two that can help...

oz12:43 PM
@Tametomo Always better to deal with a truly informed client regardless of the topic. I consult for a living, and I'll pick a skilled client over a clueless one (even a benign clueless one) any day

pop1312:43 PM

Deviant Ollam12:44 PM

Deviant Ollam12:44 PM
from my slides

Deviant Ollam12:46 PM
it's helpful to first recognize that "RFID" is, broadly, in three groups: Low Frequency, High Frequency, and Ultra High Frequency. (the latter is basically never used for access control, etc, so we'll leave that aside... that's a tech used in things like tracking tags... think warehouse inventory, luggage, etc)

Deviant Ollam12:46 PM

Nicolas Tremblay12:46 PM
Wow, didn't know the freq. were all over. I really need to start working with RFID

Tametomo12:46 PM
@oz Yup, but you don't always get to choose the whole chain. Sometimes the client you're working with is subcontracting with someone else, who is the one being the pill. Always can tell the client that they suck, but sometimes they're large companies themselves, so... yeah.

Deviant Ollam12:46 PM
among Low Frequency and High Frequency tags, there are a wide array of different credential technologies (and protocols, effectively)

pop1312:46 PM
Cool, did you do a talk about just RFID hacking? Would love to watch it

Deviant Ollam12:46 PM
you may recognize some of those names in the second slide with two circles

tonkas6412:47 PM
@Deviant Ollam nice they help a lot, there's just so much to find out

Tametomo12:47 PM
Like I said, it usually takes getting hit seriously and a culture change to really get that attitude cemented.

Deviant Ollam12:47 PM
but i can simplify this a lot for you folk who are looking to acquire tools or RFID tags for hacking...

Tametomo12:47 PM
And then sometimes it's even more complicated than that too. Might just be specific divisions that suck.

Tametomo12:48 PM
Especially for global companies.

Deviant Ollam12:48 PM

Deviant Ollam12:48 PM
boom... simplified

Deviant Ollam12:49 PM
on the Low Freq side, the Atmel T5577 chip can emulate almost all existing, common-use credential types

Deviant Ollam12:49 PM
on the high frequency side, while there are many technologies, there are at least some real standards bodies overseeing them

pop1312:50 PM
Was there any research into using phones with NFC as a proxmark for HF tags?

Scott H12:51 PM
So the black hats are using these too - are there common types of targets, or is it more of a, "we want to break into abc company for xyz reason" ?

thomc12:51 PM
What would you recommend for a HF implantable chip? I've been looking at the Dangerous Things xNT. Ideally I'd like something that would be programmable or upgradable, if they exist.

oz12:51 PM
@pop13 proxmark?

Deviant Ollam12:52 PM
@thomc the xNT is great, but have you seen the NExT ? (it's the xNT and the low freq xEM in the same package)

pop1312:52 PM
@oz

Deviant Ollam12:52 PM
@pop13 say again? phones with NFC as proxmark?

thomc12:52 PM
@Deviant Ollam Oh I haven't seen that, that sounds fantastic. Many thanks

Deviant Ollam12:53 PM
@thomc you bet!

0xOverflow12:53 PM
Thanks for taking the time to be here and answer all of our questions @Deviant Ollam !! I love your work! ... One question for you: I know alarm systems are nearly impossible to bypass (perhaps considered holy grails?), unless mitm before trigger goes to central ... anyways, have you ever encountered one on an engagement?

pop1312:53 PM
Yeah, was there any research into emulating tags and cloning tags discreetly?

Deviant Ollam12:54 PM
@0xOverflow imma leave this here... =)

Tametomo12:54 PM
@0xOverflow Might depend on what type of alarm it is.

anfractuosity12:54 PM
Would you be able to point me in the right direction for the term to search for, for probing vibrations from a safe lock, my googling is failing me. And also are there 'cheap' group 1 safe locks i could search for on fleabay?

Deviant Ollam12:55 PM
@anfractuosity when you say "probing" the vibrations... what do you mean, specifically? learning how to feel the contact points?

anfractuosity12:55 PM
to listen acoustically i mean sorry

Deviant Ollam12:55 PM
search eBay for a LaGard 3330 or an S&G 6700 series. then you may need a mount, etc.

anfractuosity12:55 PM

On a related note, do alarm systems come with a back-door code that service techs or law enforcement can use for bypassing? Same question applies to electronic combo locks like the ones on some safes. Talking consumer-grade stuff here.

Deviant Ollam12:56 PM
ah... so most safe lock cases are Zamak, not ferrous. I wound up epoxying some small metal plate to some in order to test out the ear amp device i have

Deviant Ollam12:56 PM
@Dan Maloney 4140 is a popular installer code, often left enabled

Tametomo12:56 PM
@Dan Maloney There might be a default manufacturer code that the company never bothered to change on installation.

Tametomo12:57 PM
What @Deviant Ollam said.

Deviant Ollam12:57 PM
also, on many access control gates, 911 or 911# is sometimes in the system for emergency access

Eric12:58 PM
Most alarm panels will not accept the dealer/installer code while armed.

morgan12:58 PM
heh, classic 'get into the gated community party' trick

Which is why I installed my own ;-) Just wondering if there are any undocumented surprises that got slipped in there

anfractuosity12:58 PM
sorry, i'm a bit confused you mean, you attach a metal plate, and use a microphone + amp? What's the metal for?

Eric12:59 PM
Speaking of default codes. Many safes use 50-25-50 before installation... Also common but less so, 25-50-25 and I've seen 25-50-75 in one case

Deviant Ollam12:59 PM
@Eric this is correct... but we've used it when in a building during the daytime to add a new user =)