Category Archives: Uncategorized

USB Electronic Key Impressioner looks like it is made up…

Posted on by
USB Electronic Key Imressioner could help you be gone in 60 milliseconds

If you’re stealing a car these days, there’s a good chance you’re not bothering to actually pick the locks, but if you are, your job is about to get a little easier. A device called the Electronic Key Impressioner is inserted into a car door and scans the position of the tumblers inside. It feeds information back to a PC over USB which then, when told the car’s model, can provide the necessary information to cut the perfect key on the first attempt. Right now it only works on Fords with simple metal keys (like, say, a 1967 Shelby GT500), but the hope is to expand the device to support other manufacturers and, possibly, electronic keys in the future. It will be available to locksmiths and authorized security professionals in 2010. Sorry, Nick, you’ll have to find another way to get into Eleanor.

via engadget.com

What’s this thing all about? I’m not sure how it could possibly work, or if there is much point to it. The lack of photo suggests it isn’t real.

$75 shipping GPL software… really not in the spirit

Posted on by

I’m doing a bit of research at the moment, and found that the product that I was looking into used GPL licensed software. I found an e-mail address on a page to request a copy of this software, so sent them a mail asking for the CDs to be delivered.

I get a reply an hour later:

Please note that our Network Access Solutions code itself is not open source covered by GPL licenses. Only the embedded LINUX and a few other applications that are also included in our VertX or EDGE products are covered by the GPL License.

If you are interested in becoming an HID Development Partner, we do offer API’s to our code for our non-Solo EDGE and VertX products enabling you to create your own custom Host interface. If this is the case, please contact Brenten Scott at bscott@hidglobal.com. Note that a mutual NDA will be required for these next steps.

However, if you are looking for the GPL LINUX source code used in our VertX and Edge products, then please send an email to gpl@hidglobal.comwith the following information:

Your name
Company Name (if applicable)
Address
Phone Number
FAX number
company web address (if applicable)
email address
part number of desired GPL disk (6080-515 for Vertx/Edge)

We will then enter an order to fulfill your request. We cannot process any orders without all of the above information.

Please note that there is a $75 US shipping and handling charge for distributing free software and you will be contacted by telephone to get your payment preference and details. We accept MasterCard, Visa, or American Express. If you feel comfortable in providing your credit card information in your reply, feel free to do so.

Bah. $75 dollars? For shipping some CDs? Why not make it available for download?

I’m thinking of sending a reply:

Sorry, that’s a ridiculous amount of money for shipping a CD. I’m interested in finding vulnerabilities in your products – I’m sure I can find it for download on the internet anyway.

Make the Pope Pay (or go away entirely)

Posted on by
Petition the PM

Make The Pope Pay

We the undersigned petition the Prime Minister to ask the Catholic Church to pay for the proposed visit of the Pope to the UK and relieve the taxpayer of the estimated £20 million cost. We accept the right of the Pope to visit his followers in Britain, but public money would be better spent on hard-pressed schools, hospitals and social services which are facing cuts.

I don’t mind religious figures visiting the UK – as long as their agenda isn’t to preach their homophobic, xenophobic, anti-abortion and sexist views. Especially when it costs so much money.

I’d rather the campaign was “stop the Pope coming altogether”. But please add your name to the petition.

Cashless vending protocol standards

Posted on by
Page0154

So I looked into the protocols that are used in vending machines a bit more. It turns out that the MDB / ICP (Multi Drop Bus / Internal Communication Protocol) which is a simple serial protocol. This is freely available from the NAMA (National Automatic Merchandising Association) website http://www.vending.org/technology/MDB_Version_4.pdf

I'll draw your attention to the attached page from the earlier version of the protocol. It shows what happens when a vend fails.

VEND REQUEST contains the amount that the item costs, and it is up to the reader to decide if it should allow the vend. If it does, it sends a VEND APPROVED with the amount it had deducted.

The VEND FAILURE doesn't have any information about how much to refund though – it's entirely in the hands of the card reader. This goes against what I thought in the earlier post, and points to there being a problem with the card reader itself. Unfortunately, there isn't much information about the reader – I'm fairly sure it is a rebadged version of an OEM reader but have yet to find it.

Another interesting thing is that the reader doesn't appear to have any connection to a network – any data offloaded needs to come through an infrared data port on the front. This uses the EMA CVS spec http://www.vending-europe.eu/en/standards/eva-cvs.html – which isn't truely free. Let's see if they give me access!

If you outlaw bumpkeys, only the outlaws will have bumpkeys… Ban the Bump Key

Posted on by

The Ban the Bump Key campaign aims to outlaw the sale of specialist locksmith equipment to the general public. Our belief is that tools capable of opening doors to our homes and businesses should only be available to recognised locksmiths and security professionals.

via banthebumpkey.com

For those of you that don’t know, a bump key is a specially cut key, that along with a small hammer and a small amount of skill, can be used to open practically all pin-tumbler locks (that’s Yale locks to most people in the UK) in under 30 seconds.

They’ve gained notoriety over the last 5 years, probably due to how little practice and skill you need to use them successfully. There’s at least 5 online shops in the UK where you can pick up bump key sets for not very much money.

So it’s interesting that some people have set up a campaign to try and ban these keys. There’s a number of problems with banning bump keys:

  • They are just specially cut keys. They really aren’t that difficult to make by hand. 
  • You’d still be able to buy them from non-legal sources. 
  • Nearly everyone in the UK has a lever lock on their front door, which is not susceptible to bumping. Use both locks together.

Image by pt at Flickr, CC license

Advanced foil impressioning to open high security dimple locks « blackbag

Posted on by
via blackbag.nl

An interesting kit that makes foil impressioning of dimple locks a lot easier – the small pin that is inserted along the length of the key to stop the foil being crushed is a great idea.

By the time this hits the UK, it will cost £250 and the elitist lock smith community will have restricted sales down as far as they can.

Cashless vending FAIL – analysis of a RFID payment system

Posted on by

One other purpose of access cards at work is a cashless payment system for the canteen and vending machines. There are clear advantages – cash requires keeping a float for change, cashing up, auditing, storing etc. There’s also less obvious benefits – in most food outlets staff aren’t allowed to handle cash and food, but this is no longer a problem with a cashless payment system where the card holder simply inserts the card in a reader whilst the member of staff operates a clean till.

Historically these systems have been pretty poor from a security standpoint. At school, a smartcard based system was introduced for school dinners and the tuckshop. The value was stored on the card, and it wasn’t long before one of the PS/2 card readers was liberated and drivers found. The card were simple memory cards, and it only took a few snapshots after making purchases to work out where the value was stored and to modify it. If I remember correctly, there wasn’t even a checksum, though the value was slightly obfuscated. The system was either missing backend auditing or no one was checking it.

That was 10 years ago though, and I would have hoped that the systems in use would have come on a long way. Contactless and contact cards with protected memory and microprocessors are now affordable and in common use in access control systems. For these reasons, it’s unlikely that you’ll find a card where you can just modify the stored value without having access to a private key. Several places I have worked at have such systems, though what I am going to describe here is purely theoretical, of course.

The system consists of ATM like machines for adding value the card – only debit/credit cards allowed, card readers in the shops and canteens, and card readers in all the vending machines.

If we assume that only genuine readers can modify the value on the card, then we need to somehow change the behaviour of one of these readers to our advantage. I’d rather not mess with the ATM like machines, and playing with the readers in front of staff also sounds like a bad idea. The vending machines are nice and hidden away though.

Most modern vending machines have a control board that operates the rotating springs, stores the value of items, operates the display and so on. Then there is some kind of payment module, most commonly a coin handler, sometimes a note handler, and sometimes a card reader. The modular design makes sense – it means you can sell your vending machine worldwide without having to worry about making one that deals in Zimbabwean Dollars as well as Kuwaity Dinar.

If we look at a coin handler, the operation is quite simple:

  1. Insert coins
  2. Value of coins is signalled to control board
  3. User inputs selection
  4. If value of item is lower than coins, vend item
  5. If there is a problem, return coins

The coin return mechanism is simple. The coins are stored on a tray after being inserted. It is tipped one way to put the coins into the collection box, and tipped the other way to return them to the user. There’s no option to give change – it’s all or nothing.

This has important implications – there’s little need for any feedback from the coin handler to the control board. The control board says “return coins”, and the coin handler will do so. There’s no half-way house, no change or incremental payback. There is no need for any feedback from the coin handler to the control board.

Some units give change out. Generally this is a discrete coin hopper that can be instructed to give change. If you put in £1 and the product costs 60p, you should get 40p returned in change. If there is no change left in the hopper, you don’t get any change. Interestingly, you’d normally get this 40p as 2 x 20p coins. If there are no 20p coins left, but there are 10p coins, many machines won’t give you 4 x 10p coins instead. Yet if you bought something for 90p, you would still get a 10p coin returned. I suspect, again, that this is because there is no feedback from the coin hoppers to the control board – they are simply instructed to carry out an action.

So what would this mean if the payment module was swapped for a card reader? It turns out to be quite a lot.

The cards in this system are RFID cards, and the readers in the vending machine are manual insertion/removal type. Inserting the card presses a microswitch, enabling the field and reading the data off the card. I’m not sure why the field isn’t always enabled – I presume that they don’t want to have problems with long range cards being read by mistake.

One the balance is read from the card, any item lower than the value can be bought, and that amount is deducted from the card. This sounds very similar to the coin handler really – although in the example above, rather than say “give out 40p change”, the signal would more likely be “keep 60p”. What happens if the communication between the control board uses the same protocol for both payment modules?

Let’s try pulling out the RFID card just as the machine is starting to vend… nope, the machine debits the card before the vend starts, so I’ve still paid for the item.

So next step – let’s trick the reader. I’ll take my RFID card and slip a business card of the same size below it, and insert the two into the reader. The balance is read, at which point I pull out the RFID card, leaving just the business card which is still depressing the switch. I’d assumed that this attack mechanism would have been covered, but the machine vended the item fine, leaving me with the cash. I can only speculate to the cause:

  1. The control board tells the reader to charge the card
  2. The card reader has successfully read the card previously, and the switch hasn’t changed state, so it must be the same valid card.
  3. The card reader fails to update the balance on the card as a result.
  4. There is no feedback between the reader and control board, so the vend continues

This is completely in line with idea that the communication between the control board and payment module is always the same, regardless of the type. It’s treating it like coins, where the coin handler will always successfully perform the action requested. This highlights another difference between the coin handler and card reader. You relinquish control of the cash with the coin handler, but remain in control of the card with the coin handler.

So, I’ve worked out how to get free stuff from the vending machine. There have to be other ways though.

I’m sure everyone has used a vending machine and the item has hung up on the spring, resulting in the money being lost and you having no Mars Bar. Sometimes a shoulder to the machine sorts it out, but often not. These guys have thought of that though. There is a lightly sprung flap which detects the falling item. This is then used to decide if you should be charged or not.

How can this help me get free stuff? I get my money back if the flap isn’t moved by the falling item. So, if I hold the flap where it is, the item will land on it, and I won’t be charged. All vending machines have a tray which stops you putting your arm up into the product space to steal things, so I can’t just hold the flap up with my hand. But it’s easy enough to form a couple of pieces of wire which will hold the flap up with the tray shut.

This works perfectly – the card isn’t charged and we get the product. Brilliant. Yet it’s still just a free Mars Bar. Let’s take this up a notch.

Let’s think about this a bit more. How exactly does this process work? Here’s one idea:

  1. Read balance.
  2. Ask for product.
  3. Start vending product (if product costs less than the balance).
  4. If vend is successful, charge the card for the product.

There’s a problem here though – the card read is manual insertion/removal. If we remove the card between step 3 and 4, then the card never gets charged! I’ve already tried this though, and it doesn’t work – the card is charged before the vend starts.

So, how else could it work?

  1. Read balance
  2. Ask for the product
  3. Charge the card for the product (if product costs less than the balance).
  4. Start vending product
  5. If vend is unsuccessful, credit the card for the product.

This is much more secure. If we assume that most vends are successful and most people leave the card in the machine until the end, nearly everyone ends up happy. Even when there is an unsuccessful vend and the card is removed, the user loses the cash but the vending machine gains it – which sounds like something a profit making company would go for.

So far, we have two working attacks:

  1. Using a business card to trick the card reader into thinking the card is still there.
  2. Holding up the flap so that although the product is vended we don’t get charged.

What happens if we combine the two?

First, the flap is rigged so that the machine won’t register a successful vend. Next, I insert both cards, let the balance be read, and remove the RFID card. I chose the product, which starts to vend. I re-insert the RFID card, just in time for the machine to decide the vend was unsuccessful. The machine then credits my card for the value of the item. I remove the card and release the item.

Now I have the item and I have been refunded the value of the item. This is brilliant. It’s just a bit of a shame that Mars Bars only cost 40p.

It exposes something about the internal mechanism of the card reader, and again makes me think that the communication is exactly the same as with a coin handler. There are two different ways of signalling the changes to the balance.

One is with increment/decrement signals (in line with the coin handler). This is what would happen in the refund situation:

  1. Read balance – £10.20
  2. Deduct 60p (balance should be £9.60)
  3. Increment 60p (balance should be £10.20)

If we skip step 2, the balance will end up at £10.80 instead!

The other is with absolute values:

  1. Read balance – £10.20
  2. Set balance to £9.60
  3. Set balance to £10.20

If we skip step 2 here, we don’t gain anything!

So, there are a number of serious flaws here.

What could they do to prevent this from happening?

  • Use a motorised card reader – this means that I can’t remove the card when I want.
  • Use a read that detects card presence using the RF field rather than a microswitch – this means I couldn’t remove the card.
  • Send a confirmation signal from the card reader to the control board so the vend can be stopped when something is amiss.
  • Change the balance using absolute rather than increment/decrement signals.
  • Use a breakbeam detector rather than the sprung flap to detect the falling item – this would be much harder to trick.

Of course, backend auditing would quickly catch issues like this. But then, would they bother?

Like I say, all purely theoretical, but is it beyond belief?

 

 

 

 

 

Subtle failures in dual purpose ID/access card security

Posted on by

Many of the larger offices, hospitals, universities and schools around London and in other major cities have some form of ID or access control card system. There’s no doubt that these do help improve security. There are however frequently failures either in the designed or realised implementation. I think it is always important to separate the designed implementation from the realised – many systems have been designed to be secure, but factors such as excessive complexity or cost mean that the realised implementation is no longer secure.

Access and ID cards do indeed serve dual purposes:

Identification – this allows someone to verify who you are and to tie you to the card you are carrying.

Access control – the card will either allow or deny you access to the building, based on some form of authorization such as a list of ID cards which are allowed into the building.

By linking you to the card (identification), authenticating the card (which is normally done in the background using some kind of key exchange), and then checking to see if the card is authorized, there is a secure protocol to either allow or deny a person access. I’ve not included “authentication” as one of the purposes as really it is part of both the identification and access control.

A lot of sites don’t use the cards for both purposes however, and this can cause the protocol to break down.

Take a hospital for example, where staff are encouraged to visibly wear ID cards at all times. Many areas of the building will have no enforced access control – the system relies on people being vigilant and questioning anyone with ID. The same system is often used in schools and universities.

There are a number of problems with this system. There is no mechanism to revoke cards short of physical removing them from the holder. It’s also normally trivial to make a visually identical card that will pass all but the closest inspection. The fundamental flaw is that there is no access control in place.

Other sites use the system purely as access control. The card is used as an electronic key. The problem here is that they have some the disadvantages of a key – you have no way of checking that the person using the card is authorized. You can merely check that the card is authorized.

Of course, the most secure option is to use the card for both identification and access control. In fact, it could be perfect, but frequently the implementations have major shortcomings.

One of the big problems is that the two tasks of identification and access control are very different to one another. Humans are excellent at checking to see if a face matches a photo, but are terrible at checking lists of authorized names.

Machines can often be tricked when trying to match a face to a photo, but they excel at checking lists of names.

So often a hybrid solution is used – the human performs the identification and the machine peforms the access control. Sounds ideal, doesn’t it? The common implementation is to have a guard at each door checking the photographs before the holders walk up to electronic access control barriers.

The person checking the face matches the photo doesn’t just have to perform identification – they also need to check that the card is authentic. Authenticating a plastic card takes a lot longer than identifying the person, and frequently this step is skipped, or at best is purely visual. Anyway, why bother – the access control authenticates the card later…

So say I steal someone’s card, stick my photo onto the front, and walk in. The guard identifies me and authenticates the card visually. The barrier then authenticates the card electronically, and authorizes me. I’m in the building when I shouldn’t be.

How do we solve this? If we think about it, putting the photo on the card is a bit of a silly idea. Why not hold it centrally on a database, and allow the guard to both electronically authenticate and visually identify the person at the same time? The reason they don’t do this is because it would massively slow down entry to the building.

There are other issues. We can break the identification step by simply holding the ID card upside down. Humans are awful at matching upside down photos to faces, so this simple trick will often allow you to walk right past guards. You are relying on having a card with someone of the same sex and hair colour, and the guards being relatively polite. This does frequently work.

Commonly the card will give the users other powers as well, and it is possible to exploit these. I have a card for a building that I visit relatively infrequently, and I find that I need to get my card re-enabled each time I visit. I think it expires after a month of not being used.

I entered the building wanting to sign a guest in. I passed the guards, who identified me and let me past. I then went to the reception desk, and asked if I could sign in a guest. They looked at my card, decided it was authentic, but performed no authorization. They issued my guest a pass, and we walked over to the barriers. My guest was allowed through, but I wasn’t – as I expected, my card had expired. The reception desk doesn’t even ask for another form of ID from the guest – they are purely relying on my authorization, which they have implied from my authentic card.

Another interesting situation came up over Christmas. I had to visit a building but didn’t have my card with me. I went to the security desk, knowing that the response would be to call my manager and ask if I could be issued with a day pass. I also knew that on that day, no one would be there to answer the call.

The guard dialled the extension, and I heard it ring a number of times. My mobile started ringing, and I answered it, only to find I was speaking to the guard. What had happened here?

Our phones ring as a group so that if one person is busy, another can answer it. I knew I would be out of the office a lot, so I had set up call forwarding to my mobile. It seems that the entire group of phones was forwarded to my mobile, allowing my manager’s extension to be redirect to me.

The guard had no indication on his phone that the call had been forwarded. It would be possible for a malicious insider to engineer such a situation, allowing an accomplice to enter the building. Luckily, when issuing the day pass, security are presented with both your photo and access rights, foiling this attack. I still think it is worthy of though in other attacks though.

 

DVLA log book theft – massive failure of security

Posted on by

Tonight, Donal MacIntyre programme is going to run an interesting report investigating the effects of the theft of hundreds of thousands of vehicle log books (V5C documents) from the DVLA several years ago.

So what is a V5C? It’s a document that contains the details of the car and it’s owner. There are a few important pieces of information on it:

  • The registration mark (number plate)
  • The engine number 
  • The vehicle identification number (VIN)
  • The current registered owner’s name and address

So, in theory, when the car is manufactured, the registration, engine number and VIN should all match up. It’s possible to change both the plates and the engine, but when this is done you need to notify the DVLA and get a new V5C. Each change of ownership should also be notified, and hence a full provenance for the vehicle is built up.

Second-hand buyers have always been told to check the V5C document. Cautious buyers will also carry out a HPI Check or similar:

Shona Topping from St Albans was a cautious used-car buyer who had always driven company vehicles

When she spotted a Mercedes she liked in a magazine, she asked for its registration details so she could run a vehicle data check on its history.

“I took a mechanic along to have a look at the vehicle, carried out the check and obviously, being nervous, I had to do everything possible,” she said.

“It tells you on all the advertising that they check various databases, checking with the police on the computers.”

But because Shona’s car had been cloned, she was actually running data checks on a completely different, legitimate car.

That meant the result came back clean.

from bbc.co.uk/news.

So why are the checks passing cloned cars with invalid V5C documents?

There’s a number of security failures here, and I’m quite surprised that none of the articles seem to address these.

  • How did several hundred thousand of these documents get stolen? Even at the low estimates of 120,000, that equates to 50 boxes of A4 paper. That takes a large van, time, and people.
  • Why is there no decent revocation mechanism? If my credit card is stolen, it takes minutes for the bank to stop it working. It’s harder with pieces of paper, but what’s key here is that the piece of paper is simply a representation of a database record, which leads on to…
  • Why is it so hard for car buyers to verify the V5C? There seem to be a few mechanisms available to do this:
    • 1. Calling the DVLA. By all accounts, this will result in a long wait, and it seems like an expensive (in terms of running a call centre) way to look up a simple database record.
    • 2. Performing a HPI check. This costs the buyer money, which quite a lot of people won’t want to spend.

Why can I not simply go to a website, type in the 4 pieces of information, and get an instant answer on this? 

  • Also, why make the document so easy to forge? It’s both easy to forge one from the ground up, and print details onto a genuine but stolen V5C. Why have they not done anything to prevent this?

I particularly like the way that this press release from the DVLA pins the blame on the motorists, not the people who designed an insecure system and took inadequate action when it did go wrong:

More than half of motorists (53%) cannot tell a genuine vehicle registration certificate (V5C) from a fake.