CVE-2017-16241: AMAG Edge Network Door Controllers

At HushCon Seattle 2017, I had the opportunity to publicly disclose CVE-2017-16241, a vulnerability in AMAG’s Edge Network (EN) series of door controllers. Exploitation of this vulnerability gives an attacker the ability to remotely unlock doors and implant access card values into the door controller’s internal database, effectively creating a physical access backdoor. Vulnerable devices include: AMAG’s EN-1DBC, EN-1DBC+, and EN-2DBC. All current firmware versions (as of 12/10/2017) are vulnerable out of the box. Other AMAG devices may also be vulnerable but were not tested.

For some background: A door controller acts as the middle man between a Physical Access Control Software (PACS) server and an authentication mechanism (usually an RFID reader). The door controller is connected directly to the RFID reader and other associated door hardware (locking mechanism, alarms, push-to-exit, REX, etc) and is, in most modern cases, connected to the PACS server via the local IP network. In the past, door controllers were usually daisy-chained with one directly connected to PACS.

In normal operation, a new employee’s credentials are added into the PACS, then specific access is granted to those credentials (i.e., you can go to the accounting area, but not the datacenter). The PACS then sends a message to all door controllers to which the new credential has access. The door controller stores that information locally.

Once the employee presents their credentials to the RFID reader (or other auth mechanism), the reader blindly passes that information to the door controller. The door controller checks its local database and makes the go/no-go decision itself, without asking the PACS (usually; other non-default options exist). Based on the door controller’s decision, it will tell the reader to change its LED color, and either trigger the locking mechanism to unlock, or keep it locked.

In the case of CVE-2017-16241, the vulnerable devices do not enforce authentication for some command messages received via TCP port 3001, which should normally only be accepted from the PACS. Authentication exists and appears to be enforced for some commands, but not for others. This lack of authentication means that an attacker can send command messages from an unauthenticated system with network connectivity to the door controller and the controller will execute the commands. Unauthenticated commands include:

  • Unlock / Lock (Ud/Ld)
  • Version Query (Vf)
  • Card Add / Delete (Ca/Cd)
  • Reader Enable / Disable (Re/Rd)

Other commands may also be vulnerable but were not tested.

Additionally, these messages are encoded but not encrypted and are static across all EN Series controllers with no per-device change in messaging. Therefore, all that is required for an attacker to craft an exploit is MitM access to one EN series controller and PACS pair. By viewing a packet capture of their interactions, the specific command messages can be rebuilt and sent to other EN controllers regardless of their associated PACS.

In my case, I purchased an EN-1DBC and the demo version of AMAG’s Symmetry Security Management Software (SMS), both on eBay. I was able to get everything set up and capture events from adding a card, sending the direct unlock command, and more. I recreated the command messages in Python and tested them in the field during a red team engagement for a client. That exploit code (and code for other physical access control stuff) is available at https://github.com/lixmk/Concierge.

Currently, no patch is available for CVE-2017-16241 and no timeline for a patch is known. That said, there are some non-default options that can be enabled that should protect against this attack. I say “should” because this is based on claims from the vendor and I have no ability to test or confirm. The biggest option is to enable encryption between the door controller and physical access control software (PACS). Additionally, according to the vendor, the latest version of their PACS has the ability to compare access card counts on the door controllers and alarm if the count is higher or lower than expected.
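Two things a defender can do with the facts above, written up here as an added example (this is not code from the advisory, from AMAG, or from the Concierge repository): watch for anything other than the PACS server talking to a controller’s TCP/3001 command port, and compare the card count each controller reports against what the PACS thinks it pushed, which is the same idea as the vendor’s count-comparison feature but implemented independently. The flow-log format, the IP addresses, and the card counts are all constructed for the demo; only the port number and the “PACS is the only legitimate sender” rule come from the post.

```python
"""Detection helpers for AMAG EN-series door controllers (added example).

Assumptions, not from the advisory: the constructed flow-log format below,
the IP addresses, and the way card counts are collected. What the advisory
gives us: command traffic arrives on TCP/3001 and should only come from the
PACS server, and a card count that drifts from what the PACS expects means
cards were implanted or deleted behind the PACS's back.
"""
import re
from collections import namedtuple

CONTROLLER_PORT = 3001  # command channel named in CVE-2017-16241

# Constructed sample of firewall/flow log lines (not real captures).
# 10.0.5.20 is the PACS, 10.0.9.x are controllers, 10.0.77.41 is a rogue host.
SAMPLE_FLOWS = """\
2017-12-10T09:00:01Z src=10.0.5.20 dst=10.0.9.15 dport=3001 proto=tcp
2017-12-10T09:00:04Z src=10.0.5.20 dst=10.0.9.16 dport=3001 proto=tcp
2017-12-10T09:02:17Z src=10.0.77.41 dst=10.0.9.15 dport=3001 proto=tcp
2017-12-10T09:02:18Z src=10.0.77.41 dst=10.0.9.15 dport=80 proto=tcp
2017-12-10T09:05:00Z src=10.0.5.20 dst=10.0.9.15 dport=3001 proto=tcp
"""

FLOW_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)

Flow = namedtuple("Flow", "ts src dst dport proto")


def parse_flows(text):
    """Parse constructed flow lines; malformed lines are skipped."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if m:
            flows.append(Flow(m["ts"], m["src"], m["dst"], int(m["dport"]), m["proto"]))
    return flows


def unexpected_command_sources(flows, controllers, pacs_servers):
    """Return flows that reach a controller's command port from a host that
    is not a PACS server. Because the commands need no authentication, any
    such connection should be handled as an attempted unlock or card add."""
    return [
        f for f in flows
        if f.dst in controllers and f.dport == CONTROLLER_PORT
        and f.src not in pacs_servers
    ]


def card_count_drift(expected, observed):
    """Compare the card count the PACS believes it pushed to each controller
    with the count read back from that controller. Returns {controller: delta}
    for every controller where the numbers disagree in either direction;
    a positive delta means extra (possibly implanted) cards."""
    return {
        ctl: observed[ctl] - expected[ctl]
        for ctl in expected
        if ctl in observed and observed[ctl] != expected[ctl]
    }


if __name__ == "__main__":
    controllers = {"10.0.9.15", "10.0.9.16"}
    pacs = {"10.0.5.20"}
    for f in unexpected_command_sources(parse_flows(SAMPLE_FLOWS), controllers, pacs):
        print(f"ALERT {f.ts}: {f.src} -> {f.dst}:{f.dport} is not the PACS")
    # Constructed counts: the PACS pushed 120 cards to .15 but it now holds 121.
    for ctl, delta in card_count_drift({"10.0.9.15": 120, "10.0.9.16": 45},
                                       {"10.0.9.15": 121, "10.0.9.16": 45}).items():
        print(f"ALERT {ctl}: card count off by {delta:+d}")
```

Run against real flow exports, the two alert conditions are independent: the port-3001 check needs the attacker to come in over the network, while the count check still fires if an unlock-and-implant happened via a path the flow logs missed.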

Badge Hackers Kit

As a fledgling hardware hacker, one of my favorite things about conferences is hacking on electronic badges. I’m not much of a CTF player and rarely do I care about the flags intentionally placed in a badge. I am, however, interested in the hardware itself and attempting to find unintentional methods of accessing firmware or making potential modifications.

For the last two years or so, I’ve been packing up random tools from my bench and tossing them in my luggage. I got tired of sorting through all my tools before leaving and upon my return home, so I decided to build out a small dedicated travel kit for badge hacking. Probably important to note that I usually check my luggage. If you don’t check, you might want to put a bit more thought into what TSA would allow. I think the only tool over the size limit is the soldering iron, which might be fine with the tip removed, but don’t take my word for it.

I decided to share my loadout to help those who may be new to hardware or interested in building something similar. Also, since I’m still relatively new to it, I’d love any feedback from others. I’ve built out two BOMs: one contains the items I consider “must haves” and the second contains the optional items that most likely won’t be required but can be pretty nice.

Check out the BOM here: https://docs.google.com/spreadsheets/d/13yUsgbyqdR-uTF4VaN706SWAdZshy3CyjNz7YjBWk0U/

If you’re looking for a little more reading, continue on for my justification on some items and some additional things that I include in my personal kit that aren’t priced out in the BOMs.

Hardware Modification:

Travel Soldering Iron:
Hakko FX-901 Soldering Iron or Sainsmart Pro32.

Access to a soldering iron may be the most important thing for diving into the hardware of an electronic badge. Many cons have a hardware hacking village, but irons are usually in high demand. Currently my travel kit uses the Hakko FX-901 which is battery powered (using rechargeable AA’s). Being battery powered is nice because you don’t need to find an outlet if you’re hacking about con. The down-side to this iron is its weight. It takes 4 AA’s, causing the iron to be not only heavy but unbalanced.

I was introduced to the Sainsmart Pro32 (AKA TS100) just last weekend and it’s currently on its way to me. The Pro32 is powered using a 12-24V power supply, has adjustable temperature, and is just about as small and light as you could possibly make a soldering iron. While more expensive, it has more features than the FX-901. I haven’t personally tested this iron yet, but the largest draw-back appears to be the need for an outlet. I expect this will become my iron moving forward, and will update after some testing. The Sainsmart will be listed in the BOM, subject to change after testing. If you go with the FX-901, be sure to add batteries and a charger.

4″ x 6″ PCB:
This might seem like a weird item to add, but it serves its purpose. I have 2 of these in my kit to serve as heat-resistant surfaces to do my soldering or removal on. They also serve as a spot to set the soldering iron down while you’re working without needing to shut it off.

Compressed Sponges:
Also might seem odd, but I like working with a clean soldering iron. These compressed sponges are very compressed but expand to 3/8″ when wet. The 12 pack measures roughly 1/2″ while compressed, meaning you’ll have more than enough sponge to keep your iron clean for a while.

Chipquik SMD removal kit:
This is something I’d definitely consider an optional kit component, but at its price I had to include it in mine. Chip removal can be very beneficial in PCB reversing or investigating the chip itself (dumping contents or programming). Chipquik’s SMD removal kit’s specially designed alloy lowers the melting temperature of the solder already on the board, making removal significantly easier.

56 piece driver set:
Another completely optional item. It’s fairly unlikely that you’ll run into an electronic badge that you’ll need a screwdriver set to hack. That said, you might find yourself hacking something other than a badge. I put one of these in my kit because I’ll often end up picking up some random IoT product or electronic kids toy just to hack on with friends while at con.

Small Adjustable Power Supply:
This is optional. You will almost never require it for badge hacking, but if you want your kit to work with other targets, then this becomes a lot more beneficial to have.

Various breakouts, headers, wires, and grabbers:
I carry a pretty diverse list of header pins with different pitches and layouts. Various different types of jumpers (m-m, m-f, f-f, etc), and a bunch of different sized wire grabbers. I could list each individual item out, but honestly, I’m too lazy to look up the links. The BOM will only contain basic jumper wires which should serve the majority of needs. Check out adafruit for various breakout boards. I’ve found they come in pretty handy, and not always for what you expect.

Additional tools:

  • 20-30 awg wire stripper
  • Small pliers
  • Wire snips
  • Solder sucker
  • Solder wick
  • Solder
  • Flux pen
  • Electrical tape

Signals and Firmware:

Buspirate and FT232H:
The buspirate and FT232H are both multi-purpose tools that can speak multiple different protocols. Each has its advantages and disadvantages over the other. Being that both are fairly inexpensive (for hardware tools), I decided to include both in this kit.

Logic Analyzer:
There are tons of options available for logic analyzers. You can roll your own using an Arduino or RPi, or you can buy something. In my kit, I’m using a Saleae Logic 8 primarily because I already had a spare one. Saleae recently discontinued the 4 channel, and increased their prices, but ~50% discounts are available for non-commercial use with little more than an email.

Multimeter:
If you search amazon for “pocket multimeter” you’ll get a ton of results. I picked up the Victor VC921 because it was cheap and available for prime shipping (at the time). For badge hacking, you don’t really need something super special. Primarily you’re just checking basic voltages, continuity, and resistance. Anything with decent reviews should be fine.

JTAGulator:
The JTAGulator is an optional tool as you can usually manually trace out pins to identify JTAG and you can easily use a logic analyzer to identify active UART pins. That said, the JTAGulator makes this process much easier, especially if the badge designer left lots of headers accessible. Also, it’s quite sexy with its hot pink solder mask and large metal-inspired logo.

Various USB cables:
Between all the different tools listed above and many badges now having some USB interfacing, you gotta have cables.

Wiegotcha – RFID Thief

Update: Wiegotcha will also work on the newer HID R90 SE, but in order to silence the speaker, you’ll need to dremel it from the sealed plastic inner casing.

As with most things I do, this is a work in progress. If you notice any bugs, run into any problems, or have any questions at all, ping me on twitter: @lixmk. Or you can submit an issue or a pull request on github, apparently that’s what they are there for: https://github.com/lixmk/Wiegotcha.

Wiegotcha is a long range RFID reader inspired by the Tastic RFID Thief originally released by Fran Brown and Bishop Fox. Wiegotcha is designed to be a simple and reliable method of discreetly capturing RFID credentials from unsuspecting targets. Before I go any further, there are a lot of people who unknowingly helped out on this project. Check the README.md on github for a full list.

Wiegotcha improves upon the Tastic RFID Thief in a few key areas:

  • Includes a wireless AP with a simple auto-refreshing web page to display captured credentials. No more need to open the reader and remove the sd card.
  • Uses a hardware clock for accurate timestamps. Useful for identifying when (and with a little note taking, where) credentials were captured.
  • Reduces or potentially eliminates (depending on choice of Level Shifter) the need to solder components.
  • Utilizes an external rechargeable battery. No more carrying a 30 pack of AA batteries or opening the reader to replace them.

Source is available at: https://github.com/lixmk/Wiegotcha

Working w/ Wiegotcha:

I won’t tell you how to steal badges, that part you can figure out yourself. But there are a few things to know about how Wiegotcha works. When powered on, Wiegotcha takes a couple minutes to completely boot and fire up its access point. Once that’s complete, you’re good to go.

Once connected to the AP, just browse to http://192.168.150.1 to get a (mostly) live view of badges as they arrive. The site refreshes every 5 seconds.

All captured badges are stored in /var/www/html/data.csv, which is parsed by the web site. At each boot, the previous data.csv is backed up with a timestamp to /var/www/html/backup/<TIMESTAMP>.data.csv. Directory indexing is enabled for easy browsing of backed-up badges (http://192.168.150.1/backup/).

If you are using a new hardware clock, or need to replace it, give the RPi an ethernet connection and run /root/Wiegotcha/fixclock.sh.

If you install manually, you’ll have the ability to change passwords for each of the users and the option to enable SSH for the root user (SSH is enabled for the pi user by default). If you used the downloadable image, SSH is enabled for root by default. CHANGE THE DEFAULT PASSWORDS. To change the passphrase for the wireless AP, just modify /etc/hostapd/hostapd.conf.

Defaults are as follows (Seriously though, change the defaults):

Default Passwords (Image only):
root:Wiegotcha
pi:Wiegotcha

IP Addressing:
eth0 = DHCP
wlan0 = 192.168.150.1

Access Point:
ESSID: Wiegotcha
Passphrase: Wiegotcha

I probably forgot some stuff. If you notice any problems or have any questions, reach out on twitter @lixmk.

Hardware Installation:

Installation is extremely straightforward. The tl;dr of which is: power the pi, hook up the GPIOs and RFID reader (with a level shifter as a middleman, since Wiegand output is 5V and RPi GPIOs are 3.3V), plug in the battery.

In this build example, I’m using an HID MaxiProx 5375 (125kHz), but you can follow the same steps for an HID R90 (13.56MHz iClass) or Indala ASR-620. Start with a small bit of prep work. If your level shifter did not come pre-populated you can either solder pins to the through holes or solder the jumper wires directly. Soldering the jumper wires will make things a bit more sturdy, but it’s not necessary. If you choose to solder the wires, skip down a bit to check the wiring diagram.

Take the Y-cable from the battery and cut one of the tails off. Strip the outer wrapping to expose the red and black wires. Then strip roughly 1/8″ to 1/4″ off both of the internal wires. Give each one of them a twist to tighten up the copper. If you have a soldering iron handy, you can get a bit of solder on the twisted copper to keep it from fraying.

String the newly created power cable, and a short USB micro cable, through the conveniently located hole in the back of the reader (micro side in). Connect the two power cable leads:

  • Battery Ground (Black) to Reader TB1-3
  • Battery 12v (Red) to Reader TB1-1

Next, wire up the GPIO’s, level shifter, and reader. Refer to the mastery of MS Paint that is the following diagram:

(Good huh?)

Now wire the rest of the bits. Set the RPi with GPIO pins on the right and the level shifter’s low volt (LV) side facing left.

  1. Hardware RTC on pins 1,3,5,7,9 (First 5 pins on the left side)
  2. RPi pin 4 to Level Shifter HV in
  3. RPi pin 6 to Level Shifter LV gnd
  4. RPi pin 11 to Level Shifter LV 1
  5. RPi pin 12 to Level Shifter LV 4
  6. RPi pin 17 to Level Shifter LV in
  7. Reader TB2-1 to Level Shifter HV 1
  8. Reader TB2-2 to Level Shifter HV 4
  9. Reader TB1-2 to Level Shifter HV gnd

Next, you need to address the Reader’s speaker. Obviously, a loud beep every time you read a badge isn’t very stealthy. To address this, you can do one of three things.

**UPDATE**: I completed testing on replacing the speaker with a small haptic motor and it worked perfectly.

  1. You can desolder (or snip) the speaker to completely disable all audio output (including power-up auto-tune tones).
  2. You can adjust the dip switches on the top of the reader PCB to disable card read tones. If you choose this option, push switch 4 of SW1 (right most set of switches) to the off position as pictured below:

  3. You can replace the speaker with a small haptic motor, causing a cell-phone like vibrate feeling and sound every time a badge is read. Desolder (preferred) or snip off the speaker and solder on the motor. No in-line resistance is required. Red wire to + and blue wire to -. If you choose this option, leave SW1 switch 4 in the default “on” position.

Last step: since we’re using a 12v power supply to the reader, we need to move the P2 jumper. By default, the jumper is installed over pins 2 and 3. Move this jumper to pins 1 and 2. Like below:

Hardware installation is complete. I suggest getting some stick-on velcro to hold the RPi in place, and running the group of wires through the small slit towards the top of the reader. Also, some duct-tape helps hold wires in place. Your final product should look something like this:

Software Installation:

  1. Download the RPi image: https://drive.google.com/file/d/0B1KiYGoUoNwGem8tZlRxeEVwRHM/ *Updated 5-22-17*
  2. Check md5 sum of .gz: 7f8b0507e0b58cbc301b39550c59e33d
  3. gunzip and check .img md5 sum: b68d21f1c0e6b200985a29869491fbf0
  4. Push image to SD card (8GB or larger) (just like any other RPi image)
  5. Install the SD card in the RPi.
  6. Boot the RPi.
  7. If this is a fresh install with a brand new hardware clock, plug the RPi into a wired ethernet connection and execute the fixclock.sh script: /root/Wiegotcha/fixclock.sh
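Steps 2 and 3 are the part of this procedure worth automating: you are about to boot a root-enabled image pulled from a file-sharing link, so both digests should be checked before anything touches the SD card. The script below is an added example, not part of the Wiegotcha project; it hashes the .gz as downloaded and then streams the decompressed .img through MD5 without extracting it to disk, so a multi-GB image never has to fit in memory. The two expected digests are the ones published in the list above; the tiny stand-in .gz the demo builds (decompressed contents “abc”) is constructed and is not the real image.

```python
"""Verify the Wiegotcha image download before writing it to an SD card.

Added example, not part of the Wiegotcha project. It mirrors steps 2 and 3
of the software installation: hash the .gz exactly as downloaded, then hash
the decompressed .img without extracting it. The expected digests below are
the ones published in the post; the demo file is constructed.
"""
import gzip
import hashlib
import os
import tempfile

# Digests published in the post for the 5-22-17 image.
EXPECTED_GZ_MD5 = "7f8b0507e0b58cbc301b39550c59e33d"
EXPECTED_IMG_MD5 = "b68d21f1c0e6b200985a29869491fbf0"

CHUNK = 1024 * 1024  # hash a megabyte at a time; images are multi-GB


def _digest(fh):
    """MD5 of everything readable from an open binary handle, streamed."""
    h = hashlib.md5()
    for chunk in iter(lambda: fh.read(CHUNK), b""):
        h.update(chunk)
    return h.hexdigest()


def md5_of_file(path):
    """MD5 of the file exactly as downloaded (the .gz)."""
    with open(path, "rb") as fh:
        return _digest(fh)


def md5_of_gunzipped(path):
    """MD5 of the decompressed contents, streamed, without writing the .img."""
    with gzip.open(path, "rb") as fh:
        return _digest(fh)


def verify_image(gz_path, expected_gz=EXPECTED_GZ_MD5, expected_img=EXPECTED_IMG_MD5):
    """Return (ok, report). Both digests must match: the .gz check catches a
    corrupt or swapped download, the .img check catches a tampered image that
    was simply recompressed."""
    got_gz = md5_of_file(gz_path)
    got_img = md5_of_gunzipped(gz_path)
    report = {"gz": (got_gz, expected_gz.lower()), "img": (got_img, expected_img.lower())}
    ok = all(got == want for got, want in report.values())
    return ok, report


def demo_gz_path():
    """Construct a tiny stand-in .gz whose decompressed content is b'abc'
    (MD5 900150983cd24fb0d6963f7d28e17f72). Not the real image."""
    fd, path = tempfile.mkstemp(suffix=".img.gz")
    os.close(fd)
    with gzip.open(path, "wb") as fh:
        fh.write(b"abc")
    return path


def demo_results():
    """Exercise the checks on the constructed file: its .img digest, the
    verdict against the published digests (must fail, it is the wrong file),
    and the verdict against its own digests (must pass)."""
    path = demo_gz_path()
    img = md5_of_gunzipped(path)
    against_published, _ = verify_image(path)
    against_own, _ = verify_image(path, md5_of_file(path), img)
    os.remove(path)
    return img, against_published, against_own


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else demo_gz_path()
    ok, report = verify_image(path)
    for name, (got, want) in report.items():
        print(f"{name}: {got} {'==' if got == want else '!='} {want}")
    print("OK to flash" if ok else "DO NOT FLASH")
```

Usage is `python verify_image.py wiegotcha.img.gz`; only flash on “OK to flash”. MD5 is what the post publishes, so that is what gets checked here, but note it only guards against accidental corruption or a careless swap, not a deliberate collision; a SHA-256 published alongside the image would be the stronger check if the project adds one.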

For installation from source, see the github README.md: https://github.com/lixmk/Wiegotcha/blob/master/README.md

Bill of Material (BOM):