DEF CON 29 - Bill Graydon - Defeating Physical Intrusion Detection Alarm Wires

Aug 5, 2021 17:39 · 7777 words · 37 minute read

- Hello, I hope you’re as psyched as I am for me to talk at you for 45 minutes all about wires.

00:06 - The hacker community has picked to bits many other aspects of physical access control, but the communication lines themselves remain largely a black box, and that’s despite them being manifestly exploitable, which we’ll look at today.

00:20 - So I’m sure you’ve seen this particular trope, the laser hallway, where the protagonist does all sorts of incredible gymnastics to get by these lasers without tripping them and get to whatever goal exists.

00:32 - That’s one defeat mechanism, is avoiding the sensors entirely, but if we can access any part of the wire that connects the actual light detector to the upstream controller, we can then walk through all these lasers without a care in the world, knowing that our activity will not be reported on.

00:50 - In a more real life example, you’ll see these all over.

00:53 - And if you haven’t yet, you will now that you know to look for them.

00:57 - Magnetic door contact sensors, they might look like this, or they might be mounted inside the frame, and they will detect when this door gets opened.

01:05 - The hackers among us will likely look at this wire here and say, “There’s gotta be something we can do with that to avoid this device actually reporting when the door gets opened.”

01:16 - And, of course, there is. So this is a talk about sensor communication wires.

01:22 - We’ll give a brief high-level overview of alarm systems and access control first.

01:26 - And then we’ll talk about two ways to defeat those and to defeat end of line resistors, which is the most common defense and anti-tamper mechanism applied.

01:36 - And then we’ll talk about some defenses that work against these attacks.

01:40 - I encourage you to go try it yourself in the Lock Bypass Village.

01:43 - Everything that I’m talking about today and everything that I’m showing is available as hands-on demonstrations for you to go try.

01:51 - So let’s look at a couple of the sensors that are available.

01:54 - There are a lot of magnetic contact-based sensors to detect door and window opening.

02:01 - You might also have an area sensor, such as passive infrared, or one that seismically detects someone walking on the ground, or that uses vibration to detect fence climbing.

02:12 - In this example, we have the floor plan schematics for a number of different ways to protect windows.

02:18 - So there is a contact sensor to detect the window being opened, and two different types of glass break detectors to detect someone breaking the glass through.

02:27 - If the window can be opened or broken, we might wanna have both.

02:31 - Now in days gone by, electronics were expensive and difficult to build, and so we wouldn’t wanna have an input to the controller for each of these individual sensors when they’re all on the same window.

02:43 - The way that was handled was with alarm zones.

02:46 - So a zone is multiple sensors wired together.

02:49 - If any of them get tripped, the alarm gets tripped for that zone.

02:53 - So a normally closed zone will have switches that are normally connected, but they’ll disconnect in the event that the sensor gets tripped.

03:02 - And then they’re wired in series. So either disconnecting creates the alarm, and a normally open zone is wired in parallel.

03:09 - So if either of them connect, then the alarm will go off.

03:13 - Zones are also often applied to rooms, and that’s why they’re called zones.

03:17 - So any sensor in a particular room will trigger a single zone in the controller, and they’ll all be wired together in that way.

03:25 - So we might have all of these sensors for the door being opened into the vestibule being wired into a single zone, or all the various window glass break type detectors on this room being wired into another zone.

03:42 - You can see an example of alarm zones with fire control systems.

03:46 - They are a lot more publicly viewable than security systems.

03:49 - And in the foyer of many large buildings, particularly with western hemisphere fire codes, you can look at what the zones specifically are.

03:58 - So is stairwell number three having a fire alarm in it? Are various other aspects that this system uses to monitor behaving correctly? And are the wires intact? And that is all going to be displayable there.

04:12 - The second aspect where these technologies get used is with access control systems.

04:16 - Alarms that we’ve just talked about so far at least are relatively binary, they’re trying to look for any person entering the perimeter, without discriminating who it might be.

04:26 - Access control systems will make that determination of is it an authorized user, and it should only alarm when it’s not.

04:33 - So the most basic access control system has an authentication device such as a card reader.

04:38 - And it has some means of physically allowing or denying the door to open.

04:44 - We might wanna add a contact sensor to the door.

04:47 - So if the door gets opened, and there was not a card swiped, it can then trigger an alarm and indicate an unauthorized entry.

04:55 - If someone’s leaving, that creates a problem.

04:57 - So we also wanna have what’s called a request to exit sensor, and this particular type uses passive infrared to detect a person on the secure side of the door waiting to leave.

05:09 - If it detects that and the door is subsequently opened, there’s no alarm.

05:15 - We’ll look at some of the technologies available for these different systems.

05:20 - So the authentication can be done with various different technologies of card readers.

05:25 - And there’s lots of great talks so far about how to defeat those, which I won’t go into anymore.

05:32 - It could also involve biometric or a code or even a video doorbell, where a human remotely makes the go or no-go decision of whether this person should be admitted.

05:42 - In terms of allowing the door to open or keeping it locked, we can use magnetic strikes or a magnetic lock that magnetically holds the door shut.

05:52 - We can also use hardware that can be remotely controlled to lock or unlock, turnstile-based systems, or even a vehicle entry door.

06:03 - Detecting that the door is open is usually done with a magnetic switch almost always, like these three here.

06:10 - It might be an optical based switch though, or even a mechanical switch that is pushed in when the door is closed, and some hinges can detect their position as well.

06:19 - And, finally, the request to exit is usually done with passive infrared.

06:23 - It might be a button that you press, or pressing on the egress hardware itself will trigger the request to exit, signaling that there is someone on the far side, and in secure installations, it might be another card reader, so you have to badge in and out.

06:37 - Here’s an example of one of those in the wild.

06:40 - So it’s a passive infrared detector mounted over the door, and we also see an in-frame door contact sensor over here that will pair up with this magnet on the top of the door.

06:51 - And when the door is closed, those are going to be together, and it will detect that the door is closed.

06:58 - There’s a couple other pieces of hardware we can potentially exploit.

07:01 - One is if there’s a key switch that tells the controller when it’s supposed to be building open and closed hours.

07:07 - Another is accessibility buttons, particularly the one on the secure side of the door.

07:11 - If it gets pressed, that will usually also trigger an unlocking sequence and disable the alarm from the door being detected to be open and the fire system.

07:21 - So when a mag lock is installed, if there’s a fire situation, it has to unlock by code.

07:28 - Otherwise people will be stuck inside, because otherwise the security system would be keeping it locked.

07:34 - And so if we trick it into thinking that there’s a fire going on, that will also unlock the door for us.

07:40 - We won’t look at these communication lines to the mag strike and the reader.

07:47 - That’s a bit outside the scope of this talk, but everything else that’s remaining on this screen is a binary communication line.

07:53 - It carries a yes or a no. And we can attack that to disable the alarm and cause the door to open, and another way to defeat these systems.

08:04 - So we can attack the contact sensor itself to make it think the door remains closed when we’ve actually opened it and gone inside.

08:11 - We can attack the request to exit sensor to make it think someone is exiting, and then we can safely enter without triggering an alarm.

08:18 - We can attack the accessibility button to make it unlock, open the door and disable the alarm.

08:24 - We can attack the key switch to make it think the building is open, and the fire alarm, or the communication from the fire alarm to the security controller, to make it think that we’re in a fire alarm situation, and then it will open things up accordingly.

08:39 - So here’s one relatively straightforward example of where those wires can be accessed.

08:44 - So this key switch here, you can see that this can just be unscrewed, but also anywhere up to this conduit will also have access to disable that alarm at the wire.

08:56 - The wires often run in conduits like this. And so we need to find those, and then determine which ones contain the wires we’re interested in.

09:05 - Well, how is that done? Sometimes it’s labeled for us.

09:07 - This one says FA, means fire alarm, so that is generally not one that we’d want to be looking at for this purpose.

09:13 - One that says door contacts is much more interesting.

09:16 - This one also does contain fire alarm wires, but also the door contacts.

09:20 - And this one, security junction box, is also a likely one we’d want to look into.

09:25 - In this case, we can tell contextually, well, this conduit is going to about the right position for a contact sensor to be mounted on the door, but we can tell from this bolt pattern, that likely that’s not what it’s for.

09:39 - It’s likely to a mag lock. And they generally get mounted with this type of bolt pattern.

09:43 - It might also have a contact sensor here as well, and that can be defeated as well, but it’s beyond the scope of this talk.

09:51 - Of course, sometimes it just tells us. “Do not unplug.” Well, the wire’s been cut, I guess that’s technically not unplugging.

09:58 - And sometimes there’s very subtle contextual clues to tell us what general area of the building contains the wires we’re interested in.

10:07 - Sometimes we can find the sensor itself and just follow the conduits back from it to figure out which wires we need to attack.

10:15 - And if we see a card reader or other access control type hardware that does tell us that there will likely be intrusion detection sensors that we need to find and defeat.

10:28 - And then the last thing that sometimes gives us access is when conduits run outside.

10:33 - It’s a very bad idea to run your security wiring outside, but it is seen particularly in historical buildings where there’s not adequate duct space inside.

10:43 - And that’s something where we can open this right up and defeat the security system from the outside.

10:49 - Here’s a particularly egregious example, where we have the contact sensor, and this is actually all mounted on the unsecure side of the door.

10:57 - Definitely something to avoid. If we wanted to apply our attack, it might not make sense to do it right here, because it’s extremely obvious to anyone passing through this area.

11:09 - So how would we find, way back on the line, which one is the right one? If we follow it to a conduit, and that conduit might have a rat’s nest of cables in it, we need to determine which one is correct.

11:21 - Let’s take a look at how to do that. Now, if we have access to the wire at one point, and we want to know where it goes, possibly to place our attack payload at a more desirable location, there is a tool we can use called a toner and probe.

11:34 - So we’ll take our toner and clip it onto the line we want to follow.

11:42 - And it will put a tone down that line, which we can then listen to with our probe device.

11:49 - (probe ringing) And so anywhere down the line, we can then tell that of these two, this is the one connected to what we’re toning and not the other one.

12:02 - So once we’ve found the correct wire to attack and a good place to apply the attack, how do we actually do it? So in the situation of a normally closed sensor, so it’s connected in the normal situation, and it disconnects when there is an alarm condition, in that case, all we need to do is jumper the line, and that will then simulate the switch being connected, and no alarm will be raised.

12:25 - So in this case here, it’s a normally closed system.

12:27 - And we see that there is zero equivalent resistance seen normally.

12:31 - When I open the door, it becomes an open circuit, so it’s disconnected.

12:36 - To defeat that, all we have to do is we’ll cut the line, and that briefly causes an alarm, but we’ll fix that momentarily.

12:45 - And then we’ll strip the outer sheath, and then the inner sheaths.

12:48 - And we just need to jumper from one to the other.

12:52 - And now the controller continues to see an equivalent resistance of zero, and the door can be opened with abandon.

12:59 - Of course, that does trigger the alarm initially.

13:01 - So a better way to do it is to strip just the outer sheath, and then tap into the inner wires, but leaving them intact.

13:10 - And once that’s done, we can now apply a jumper wire between these two taps.

13:15 - And it has the same effect. When we open the door, it continues to see no equivalent resistance and no alarm is triggered.

13:25 - The second case is a normally open switch. So in the normal situation, it is disconnected and the switch will connect when the door gets opened.

13:33 - So to defeat that all we have to do is cut the line, and then it always sees an open circuit.

13:40 - So in this case, when we open the door, it goes from open circuit to a short circuit.

13:45 - If I cut this line, it now always sees an open circuit.

13:55 - The defenses against this. So it’s vulnerable to have just a simple high or low resistance being listened for.

14:04 - Instead we’re going to switch between two different resistance values.

14:09 - So this is what’s called an end of line resistor, and it’s less vulnerable.

14:13 - It listens to see, is it the resistance one for a normal situation or two for an alarm condition.

14:20 - If we detect an open circuit, so a cut line or a short circuit, it will then trigger a different alarm, indicating a tamper situation.

14:27 - And, of course, the best defense would be a well-designed, encrypted digital communication line.

14:35 - Those are much more expensive and have limitations for the maximum wire run.

14:40 - So they’re much less common to see. These end of line resistors though are ubiquitous.

14:46 - So how do we defeat those? Well, before we get into that, we’ll do some very brief review of resistors in general.

14:57 - So it’s only three slides, I promise. The first concept to remember is that resistance measured in ohms is how hard it is to put power through it.

15:08 - And by Ohm’s Law, it is the voltage applied across the resistor, divided by the current that then gets flowing through.

15:17 - The second aspect to keep in mind is two resistors wired in series will have an equivalent resistance that’s the sum of them.

15:25 - And when they’re wired in parallel, it’s going to be this harmonic sum, which makes some sense when you think about it, one over resistance is how easy it is for power to pass through, just like resistance is how hard it is.

15:37 - And in fact, there’s a name for it, conductance.

15:41 - And so with resistors wired in parallel, the conductances add up.

15:46 - That’s sort of a fun graphical computation available to us here.

15:50 - By taking three equal scales at 60-degree angles, we can apply a line from our two resistances.

15:57 - So if R1 and R2 are both 1000 ohms, the equivalent for them in parallel will be 500 here, 800 and 400 will then give us about 267 ohms, equivalent in parallel.

16:12 - So that’s kind of a cool tangent there. Keeping that in mind, we usually don’t have switches that flip between two separate resistors.

16:20 - Instead we have a simple, normally closed or open switch that will engage one resistor, while the other is always connected.

16:29 - So in this case, when the switch gets closed, we now have the equivalent resistance of these two seen in parallel.

16:39 - But I’ll continue to use this style of diagram for clarity in the rest of these demonstrations.

16:45 - The last part that we’ll have to consider is how does the controller measure resistance? So it can put a voltage across the line and measure the current through based on Ohm’s law.

16:55 - What’s more common is to have it put a voltage across the line and have some sort of internal resistance.

17:01 - And then it measures the voltage between that internal resistance and the end of line resistor.

17:07 - This is what’s called a voltage divider. So there there’s gonna be a certain voltage applied by our power source, there’s gonna be a voltage drop across the internal resistor, and a voltage drop across the end of line resistors.

17:19 - The sum of those two resistor voltage drops is going to equal the applied voltage, and how much of a voltage drop applies on each is going to be dependent on the relative resistance values of those two, which we can then measure by this voltage in the middle.

17:35 - So two special cases that are relevant here, when we have an open circuit situation, no current flows, the ammeter will measure zero.

17:44 - And because no current is flowing through this internal resistor, it has no voltage drop across it by Ohm’s law, and therefore the voltage measured is equal to the source voltage.

17:55 - In the case of a short circuit, a lot of current will flow.

17:59 - If there’s no internal resistor, it’s gonna do some damage.

18:02 - And we’re wiring now the top and the bottom of our voltmeter together, and so the voltmeter is going to measure zero volts.

18:10 - For instance, one commonly seen system is Honeywell Design Systems, where there is a 2.8-kiloohm internal resistor and two-kiloohm end of line resistors.

18:22 - When this circuit gets closed or completed, we then have a voltage divider that creates five volts measured by the controller.

18:30 - And when it gets opened, we have the full 12-volt source that is measured by the controller.

18:36 - What do these underlying resistors look like? Well, they are a lot easier to spot with fire systems, where they tend to be in large, well-labeled boxes, such as these supervising the alarm bell, these end of line labeled devices, or this supervising a firefighters’ telephone.

18:53 - This is called line supervision in fire alarm systems.

18:57 - And it’s done because if the line gets accidentally or environmentally damaged, people could die, and they tend to be in large well-labeled boxes, because for fire alarms, it’s important that they be easily accessible and inspectable.

19:10 - With security, the opposite is true. So security end of line resistors tend to be installed directly inside the sensors that they’re supervising.

19:19 - In this case, we have one installed between these two leads here, which ends up being in series with the tamper and the regular infrared detector relays.

19:30 - And that will then detect whether either of those gets tripped.

19:34 - And if they’re both in the normal state, we will see this resistance at the controller.

19:40 - And so we can see that a little bit zoomed in here.

19:45 - So attacking these end of line resistors is a somewhat involved process, because we don’t know from the outset what the end of line resistance value is, what the polarity is, et cetera.

19:56 - So let’s take a look at how that might get accomplished.

20:02 - So first we’ll strip the line, and we’ll tap it into places.

20:07 - And this is going to enable us to measure the voltage on this line.

20:13 - We’ll install a voltmeter, and wire it up.

20:24 - And it now measures five volts across this line.

20:27 - If we were to open the door, we would now see 12 volts across.

20:33 - The second thing we need to measure is the current.

20:35 - Once we have voltage and current, we can divide the two and get the equivalent end of line resistance.

20:41 - And to measure current, it has to pass through our ammeter.

20:46 - So we’ll tap this line in a second place, and install an ammeter here, and then we’ll have the current run into our ammeter, and we’ll have it run through a switch.

21:01 - You’ll see why in just a second. This is so that we’ll be able to engage our attack when we’re ready to do that.

21:08 - And so I’ll run the wire to the switch, and then from the switch to our tap device.

21:17 - And now we’re seeing zero current. This makes sense, because it’s still passing through the line right here.

21:22 - So I’m going to need to cut this line, and then we’ll actually measure the current passing through.

21:27 - And we now see that this is 2.5 milliamps, approximately.

21:34 - So what can we do here? Well, we have the voltage, it’s about five volts, and the current, about 2.5 milliamps.

21:42 - And if we divide those two, we get 2000 ohms or two kiloohms, because this is milliamps.

21:51 - So we’ll now find an appropriate resistor that’s as close to two kiloohms as we can.

21:57 - And the one we have that’s closest is 1.96 kiloohms, which we’ll install right here.

22:04 - And now what we need to do is, on the other side of the switch, when we flip it, we’ll instead route current through this resistor and then over to the negative line.

22:14 - So let’s install that now. So wire the switch to the resistor, and then the resistor to the negative line.

22:27 - And so now when we flip this switch, current is now getting routed through the resistor, so from this positive line, over through the switch, through the resistor, up to the negative line.

22:40 - And so now the controller sees the same equivalent end of line resistance as it saw when the door was in the normal situation.

22:48 - When we opened the door, the controller still sees our attack resistance and no alarm is raised.

22:55 - Of course, if we flip the switch back, and when we open the door now, it’s all systems as normal.

23:05 - So that’s how that attack gets implemented.

23:07 - To make this easier in the physical world, I’ve designed a couple of modifications to be made to a standard multimeter to allow you to clip onto the positive and negative leads of the alarm wire, and then somewhere downstream on the positive leads, so we can cut the line and measure current in between.

23:24 - We can flip a switch to measure the voltage.

23:27 - And we can measure then the resistance value between the green and white switches.

23:32 - And then when that’s all set up and ready to go, we can flip this star switch here, and that will engage the attack and reroute power, so that the black is connected to the yellow, through the resistor, and then green gets connected to red, and back to the controller.

23:48 - The schematic for this looks like this. I won’t go into it in detail, but this should be enough for you to design and build your own.

23:56 - And the wiring is this rat’s nest here, and we can see how it’s wired directly into the measurement ports of the multimeter, so that it can measure our voltage, current and resistance as we perform the attack, so let’s look at what this looks like physically.

24:12 - So I have here a system simulating an alarm system.

24:15 - We have our controller, which measures the current and voltage being provided, the transmission line, and then our door at the end.

24:23 - So here’s our door contact sensor, the end of line resistor.

24:27 - When I open the door, it open-circuits it, so it disconnects.

24:32 - And we then get no current and the full supply voltage of 10 being read at the controller.

24:37 - When the door closes again, we get a one-to-one voltage divider.

24:40 - So the end of line resistor being the same as the internal controller resistance, and we get half or five volts, and 50 milliamps flowing through.

24:49 - Let’s see how we’ll attack this. So this is a standard twisted pair wire.

24:56 - So we’ll open it up and give ourselves some room to work.

25:00 - And then I’m going to use these devices here.

25:03 - They’re made by Scotchlok by 3M. They’re called the Scotchlok Tap devices.

25:09 - And I put one wire into here, and get that fully in past the little plastic clips.

25:20 - I then take the other wire that I want to connect to the line that I’m tapping into, and insert it into the other port of our tap device, insert it all the way.

25:33 - And once I’m satisfied that those are fully in, I’ll clamp it down.

25:46 - So we’ve now tapped into this wire, we’ll do the same on the other side.

26:03 - And clamp it down firmly. And we now have access to the positive and ground lines.

26:16 - We can now use our homemade alarm wire defeat device.

26:24 - And I’m going to clamp one to each of these.

26:38 - And I can measure the voltage across now. So I’ll put it in voltage mode, and then flip this switch to send the red and the black to the leads of our multimeter, and we get about five volts.

26:52 - To measure the current, we need to tap it a second time, so I will on the hot wire.

26:57 - I know that this is the hot wire, because the voltage measured was positive.

27:02 - We’ll take another tap, and we’ll tap it a second time on this line.

27:08 - This will then force all of the current to flow through our multimeter.

27:13 - And we can measure the current when we cut the line in between.

27:22 - So make sure those are firmly on. Then we can clamp this down.

27:33 - And then I’ll take this yellow lead. It’s for measuring current.

27:38 - Make sure it’s good and securely on there. I’ll flip this into current measuring mode, and flip the switch to send the multimeter leads to red and yellow.

27:53 - We get zero, which makes sense. All the current is still flowing through this line.

27:58 - So we now have to cut that line, at which point we’ll be able to measure the current.

28:06 - So we’ve done that. And we now measure 50 milliamps.

28:11 - With those two measurements, we can now calculate what resistance we need to attack this line.

28:16 - In this case, five volts divided by 50 milliamps is 100 ohms.

28:24 - And that’s ohms, because it’s milliamps, so we got our measure in kilovolts and have to convert.

28:31 - So here is a 100 ohm resistor, and I’m going to use this as my attack resistor.

28:38 - I’ll clip it onto our green and white leads.

28:41 - These are our attack leads. Again, making sure that it is fully securely connected, and actually I’ll clip on right at the base, and you’ll see why in a moment.

28:55 - And just to double check, flip it back out of current measuring mode, turn it into resistance mode, and flip this switch to send the green and the white to the leads, and we can measure that this is indeed 100 ohms.

29:13 - With all that done, we’re now ready. When I flip this switch to actuate the attack, it’s going to reroute power.

29:20 - Instead of going from red through to yellow, through the door, back to black, and back to the controller, it’s going to cut the line between red and yellow, and send red to green through the resistor, and white to black, and back to the controller.

29:36 - So I’ll flip that switch now. We’ve now engaged the attack.

29:41 - At this point, the door is no longer connected.

29:45 - All of the power is going through our attack resistor, and I can safely open the door, and the controller is none the wiser.

29:54 - The last thing that we can do is, to make this a permanent setup, we can wire these in directly using these 3M Scotchlok joins.

30:07 - So I will insert. We need to match white to black, insert the wire all the way, insert the wire all the way, as far as it will go.

30:27 - And then I will clamp that down to connect those two.

30:37 - I can now safely remove the white and the black leads, and I’ll do the same to connect red to green.

30:53 - Take another join. Insert that as far as it will go.

31:03 - Whoops, so you’ll notice that the controller just detected a short circuit, and that’s because I accidentally let these two wires touch on the wrong side of the resistor.

31:14 - So that would have been a fail had this been a real life circumvention of an alarm.

31:21 - Make sure those don’t touch again. And then I can safely remove all of the leads.

31:30 - And we’ve now instituted an attack. The ground wire is still connected, but it doesn’t need to be.

31:37 - And just to illustrate the point, I will cut that as well.

31:41 - And so now we’ve successfully measured what the end of line resistance is, and installed a new surrogate resistor that power is flowing through.

31:50 - And now, of course, it’s disconnected. Opening the door does not set off the alarm.

31:58 - So we can see in our schematic what was happening there.

32:00 - When we flipped this switch to measure voltage, it sends the red and the black wire to the leads of our multimeter, and it can then measure the voltage, likewise for the current, with the red and the yellow wire, and for the resistance sending the multimeter ports to green and white, which is what contains our attack resistor.

32:22 - So we can ask ourselves, can we do better than that? There were a number of problems with the resistor-based approach.

32:29 - One is measuring current is incredibly tedious or requires cutting the line.

32:32 - If we can avoid having to cut the line, then we can potentially remove the attack and restore it to its original state, if that’s necessary.

32:40 - And the second bigger problem is that when we flip the switch to engage the attack, two-pole switches, when you flip them, have a brief period of time where neither pole is connected.

32:52 - And at that point, the controller would see an open circuit.

32:56 - It’s very brief, and the vast majority of controllers would not be able to detect that, but some will, and so that’s something that we want to avoid.

33:04 - So what would be ideal is if we can tap each line once, and have something across it that maintains exactly the voltage that we need and just enforces that, and then we don’t need to worry about the current.

33:17 - Well, such a component actually does exist, and it’s called a Zener diode.

33:22 - So diodes, as you know, allow current to flow one way and block at the other.

33:28 - When it blocks the current, it acts as an insulator, and all insulators will break down when exposed to a high enough voltage.

33:36 - Zener diodes are designed to do this at a lower and at a very specific voltage level.

33:42 - So when we reverse bias the Zener diode, i.e., apply a voltage in the reverse direction, so it’s an insulator, above a certain breakdown voltage, it turns into a very good conductor.

33:55 - So what that then lets us do, is when we open the door and it jumps, say, from five to 12 volts, if this is a five-volt breakdown Zener diode, it’s now 12 volts, so it becomes a conductor, and it pulls that voltage down to five, at which point, it becomes an insulator again, and it doesn’t pull it down any further, we get a feedback system where this maintains exactly five volts.

34:18 - Let’s apply this. So we have the same type of system.

34:22 - We can strip the wire. And right now it’s five volts.

34:25 - When we open the door, it open-circuits it, and it’s all the way up at 12 volts.

34:30 - And so we’ll try to find a Zener diode that will adequately maintain that.

34:37 - First we’ll tap each line once. Now, we can see the controller in this game, but in real life, we would just have access to the line.

34:49 - So we’ll have to add a voltmeter, so we can actually tell what is the voltage.

34:54 - And so we’ll wire that into our tap devices and that tells us, indeed, it’s five volts.

35:03 - So we need a Zener diode with a breakdown as close to five volts as possible.

35:08 - Well, 5.1 is pretty close, and that should be within the parameters of what the controller deems acceptable.

35:16 - And we can wire that in as well. I have to wire it somewhat in reverse, because we need this to be in reverse bias, so that’s why it criss-crosses over itself there.

35:28 - But now that we’ve done that, when I open the door, it now only increases up to 5.1 volts, which is the breakdown voltage of our Zener diode.

35:38 - Anything above that, and the diode begins conducting and pulls the voltage back down to 5.1 volts, and that’s well within the acceptable range for our controller, so it does not trigger an alarm.

35:51 - We can make one addition to our multimeter adapter to help ease this process, and that is adding an internal power source.

35:59 - So we can flip a switch that will then apply that across the measuring leads of the multimeter and the green and white component leads, so that we can actually test a Zener diode, and make sure that it pulls down from the supplied voltage to what the Zener should be pulling it down to.

36:18 - Now, let’s take a look at this in real life, applying this Zener diode attack.

36:24 - So let’s see how we’d apply the Zener diode-based approach.

36:28 - We have the exact same set up here, and we’re going to start the exact same way, by tapping each wire, but only once this time.

36:38 - We only need to do two taps. Of course, if the door opens, we get the same behavior, and so we’ll try to avoid that happening this time, so we can perform the defeat without setting off the alarm.

36:55 - So get that wire onto our tap device. Put in the other wire as far as it will go.

37:05 - Then we’re ready to clamp this down. That’s now good and connected.

37:17 - We’ll tap the other wire in much the same way.

37:23 - Make sure that’s fully on. Insert this as far as it will go.

37:32 - Make sure both are in place. We can then clamp this down as well.

37:41 - Of course, we wanna be careful that these two don’t touch.

37:44 - If they do, we will short out the system. The current jumps up, and the voltage jumps down to zero, and the controller will detect that as we’re seeing it does here.

37:53 - So in a real life scenario, we wanna make sure we don’t do that, but now we can measure what the voltage is as measured by the controller.

38:02 - So we’ll take our handy measuring device, clip it on, switch into voltage mode, and flip this switch to send the red and the black to the two ports of the multimeter.

38:19 - And we read five volts. So we need a five volt breakdown Zener diode, which I’ve got right here, and we’ll clip it on to our component leads.

38:44 - And we could perhaps also test that this is actually five volts.

38:48 - So to do that, first, I’ll unclip, we’ll leave it in voltage measuring mode, flip this switch to send these two leads to the ports of the multimeter.

38:59 - We get zero, which makes sense. I’ll flip this last switch to apply an internal 12-volt supply.

39:05 - So we’re reading 12 volts when it’s open circuited.

39:08 - If I connect it through the Zener diode, it then pulls it down to five volts, which is what we want.

39:17 - Turn off that measurement. We’re now ready to apply the attack.

39:24 - And all we need to do is flip the switch to engage the attack.

39:29 - It then turns on that Zener diode. And now if I open the door, it will regulate the voltage accordingly.

39:38 - It isn’t perfect. It’s not a perfect match to five volts, but we see that this would be within the acceptable parameters for the controller here.

39:47 - And, of course, if I flip the switch back to disconnect it, it now operates as normal.

39:54 - I should note that this fancy setup is not actually required.

39:58 - Because we never cut the line, we do not need to switch quickly from connecting the yellow port, which isn’t used, to our attack components.

40:10 - So all I really needed was any old voltmeter that could’ve measured across here.

40:16 - And at that point, I can then connect these up any old way I please.

40:22 - And with those connected, I’m free to open the door as well.

40:28 - And, of course, if they disconnect, it behaves as usual.

40:34 - And so in this case, as well as last, I could take some joins and connect this in to leave it as a permanent fixture, defeating the alarm.

40:45 - After everything we’ve talked about, it may be tempting to say, well, wireless must be more secure, and we should use that instead.

40:51 - Here’s why that’s not the case. This particular example we have here communicates on 433 megahertz.

40:59 - So if we open the door, it will send a signal, (alarm rings) and the alarm is triggered.

41:06 - We can listen to what that signal is with our trusty BaoFeng.

41:09 - So we’ll listen to 433 megahertz. - Four, three, three, zero, zero, zero.

41:18 - - And when we open the door, (device beeping) we hear that signal.

41:22 - Of course, we can use the transmit feature to jam the signal.

41:26 - (security device beeping) And so now we’ve successfully opened the door and the controller has no idea.

41:38 - (security device beeps) (device beeps) Now any frequency it might use, not just 433 megahertz, is jammable, possibly not so easily.

41:49 - Wi-Fi is another point that has a known vulnerability, and that is deauthers.

41:53 - Here’s one that I particularly like made by Maltronics, but any will do.

41:58 - You can open it up and it’ll take advantage of the Wi-Fi protocol to listen for specific devices, and kick them off of the network whenever they join.

42:06 - You can use the hardware MAC address to kick off specifically those devices made by alarm manufacturers.

42:14 - So if using wireless is not a great solution, what can we do to defend against these attacks? So the first thing is, anywhere we run these wires should be in armored conduits, and places where it’s easy to unscrew a junction box and access to the wires underneath should be placed high, or out of reach, or under your camera to deter the ability for an attacker to do that.

42:36 - We might also consider placing tamper switches in those junction boxes, where that is not possible.

42:42 - We obviously want to avoid doing this, having bare wires out right at hand level, easy for anyone to access.

42:50 - We also wanna install all the critical security hardware and the wires for it on the secure side of the door.

42:56 - So we should never have a contact sensor mounted on the unsecure side of the frame, like this, and the wires themselves should be as well.

43:05 - In particular, we wanna give some thought to where the wires get routed throughout the building, with reference to the security levels at different areas in the building.

43:12 - For instance, rooms 103 to 105 are more secure in this case.

43:17 - The wires for them go to this controller in room 103.

43:21 - We would want to run them in the rooms themselves and not in the hallway that has a lower security level.

43:27 - We also wanna give some thought to timing as well as spatial aspects.

43:32 - So if part of the building is open to the public during some hours, but not others, it might be possible for an attacker to modify these systems during open hours, and then come back afterwards.

43:42 - And that’s something that needs to be considered as well.

43:45 - We want to avoid at all costs running security wires outside of the building or outside of all security perimeters.

43:53 - And that’s not just if this is in your threat model.

43:56 - And let’s be honest, for the vast majority of installations, these types of attacks are not in your threat model.

44:01 - But also if the outside of your building is ever exposed to weather.

44:06 - It’s a rare phenomenon, I know, but it can wreak absolute havoc on communications lines when it infiltrates into there.

44:13 - And, of course, the ultimate of defense here is to use a well-designed, encrypted digital line.

44:18 - So that would be one that uses nonces to prevent replay attacks, and has heartbeats to detect denial of service, et cetera.

44:26 - But that’s very expensive and often not justified in terms of that cost.

44:32 - So thank you very much for listening. I hope this has been interesting and a foray into an area of physical security that has not yet been given a huge treatment in this community.

44:41 - I’d like to extend an enormous thank you to Paul, Karen, Jenny, and Bobby for their help preparing this talk, in particular to Paul for his expertise in the telecom industry.

44:51 - I encourage you to go try it yourselves. All of these games that I’ve shown in this talk are available for you to try in the comfort of your own home.

44:59 - Give that a try in the Bypass Village at DEF CON or at bypassvillage.org.

45:03 - And I’d be happy to take any questions, either in person at DEF CON or over email or Twitter.

45:09 - Thank you very much.