At the RSA show it is not uncommon to bump into a hacker. But when four or five of them are huddled together, you know something really cool or really scary has their attention. In this case it was a little invention by IOActive. The Seattle company is well known for the superstar lineup on its advisory board and management team. This is one of the few firms officially invited to test the Microsoft Vista operating system code before release.
The fellow grabbing the attention was a colorful geek with an HID reader and card. He was showing off his small gizmo that could copy and clone an HID card in 20 seconds. Seriously, if he gets his hands on your HID access card for 20 seconds, you can be sure he'll be able to get through the door posing as you.
The same guys were talking animatedly about how to crack this physical access control system and that surveillance DVR.
Stay tuned for more reports from the RSA security show in San Francisco this week.
He would not be the first person to develop a tool to clone a prox technology access card. It has been known for a while that certain students from a certain distinguished institute of higher education have done the same without the need to have possession of the card.
Good security designers take into consideration that reliance on one feature or aspect of security is like putting all your eggs in one basket. If the portal security is important enough, there can be multi-factor identity verification concepts in play where the card is not the only item needed to gain access.
Good security programs presume that this can and does happen.
Posted by: LaurisF | February 07, 2007 at 01:24 PM
That's not the point, Lauris. The point is that if the hacker community "discovers" physical security systems, they will not stop at simple RFID cards. They'll hit controllers, alarm panels, cameras, management software, etc.
Posted by: Steve Hunt | February 11, 2007 at 12:50 PM
Steve, again, they have already accomplished hitting these on at least one system. Once security systems left the relative "security" of closed networks, it has been a fast-paced race to build protection against the hackers that live in the public networks. Today's security will not prevent tomorrow's attack scenario. We can only protect against what we know.
Posted by: LaurisF | February 15, 2007 at 09:03 AM
LaurisF says: "Today's security will not prevent tomorrow's attack scenario. We can only protect against what we know."
There is some (or a lot) of truth to this statement. Yes, there is no such thing as absolute security; however, I do believe that if systems are implemented from the startup with security in mind they will be able to protect against many of tomorrow's threats.
I'm talking here about basic principles like "default deny", defense in depth, least privilege, zoning, etc.
I think LaurisF means "Security Technologies" when he says "Today's security".
Then there is always the issue that security technologies themselves can introduce risks, like AV software with bad signatures that delete legitimate files, security products with buffer overflow vulnerabilities, etc.
To put it more optimistically, today's security principles can prevent many of tomorrow's attack scenarios.
Posted by: OsamaS | February 25, 2007 at 07:35 PM
Lauris, I'm more inclined to what Osama says. You sound like you are throwing in the towel. (I'm sure you aren't, but you sound that way.) Like you assume the bad guys will stay one step ahead, so what can we do? Osama, on the other hand, says let's use the best principles of preparation, detection, response and remediation to battle the unknown. Bring it on, bad guys! Right?
Posted by: Steve Hunt | February 26, 2007 at 07:22 AM