Sunday, March 13, 2011
(W) My security research discovers major provider of card key systems can be exploited
At my Saturday morning presentation at #BSidesAustin I disclosed that a major provider of Card Key systems can be exploited knowing little more than the systems IP address and possibly guessing a few other settings.
In the course of finding the vulnerability and doing additional research we decided to see if the vulnerability could be exploited using a script... One thing led to another and my friend and fellow security researcher Ian Robertson successfully exploited the same Card Key system using a Java based application he created for an Android based phone dubbed 'Caribou'.
Caribou is a 'proof-of-concept' and is not available to the public. You can view the video here:
Video on card Key exploit
Caribou is an Android-based application written by security researcher Ian Robertson as a proof-of-concept demonstration of the incredibly poor security controls in use on widely popular cardkey door control systems.
By providing Caribou only with the IP address of the target cardkey device, a single-button "Unlock" will access the cardkey system, unlock all available doors in sequence, allow 30 seconds for entry, and then re-lock all those same doors. Caribou has the capability of performing a brute-force of any customized security PIN used with the system.
You can read More on Ian's website:
Cyber Security Guy website
If you have a cardkey access system, or any other security system which is accessible on the Internet, check out the important tips on the 'Safeguarding your Homeowners Association and Common Areas' on Ian's website.
Both security researchers are actively engaged with US-CERT and the manufacturers in order to improve the security of the products and provide better documentation and instructions to system installers.