All Your Door Belong To Me – Attacking Physical Access Systems


Over the years RFID card cloning attacks have risen steadily in Red Team activity. While card cloning can be effective, entry isn’t always gained with this method alone. As Red Team members, we often focus too much on the card and not enough on the technology that supports it. Why settle for access to one door when you can have access to them all?

Physical Access Systems (PACS) have several components working together to ensure that doors and turnstiles lock and unlock when required. Many of these components require network access in order to function properly. Once installed and operational, these components are often forgotten by the physical security and IT departments. As many of these components are non-Windows machines that do produce findings during a vulnerability scan, the security department often overlooks them as well. This common situation leaves the PACS components exposed and mostly unmonitored, creating an ideal environment for an attacker.

This talk will move beyond the card and explore all of the PACS components. After an overview of the components and architecture, we’ll discuss their unique attack surfaces, and how to locate them. Finally, we’ll put all of the attacks together to achieve complete takeover.

Location: Lavender I & II Date: October 15, 2015 Time: 2:00 pm - 3:00 pm Valerie Thomas