80% of Prox Card Readers are Now Vulnerable

A pair of security researchers introduced BLEKey at the 2015 Black Hat Security Conference.

It’s such a high percentage – 80% – because really, all proximity card readers are made by 1 of 2 companies. Actually, if you use one to get into work, I bet it’s a HID unit.

The BLEKey (Bluetooth low energy key) can be installed in 60 seconds by attaching it to the reader via 3 wires. Then, when paired with a mobile phone, this $10 device can open a proximity card protected door.

1 – Bluetooth

2 – processor

3 – where the 3 wires attach (2 data, 1 power)

4 – battery

Once in place, it can clone cards, remotely open the door, or disable the door entirely for 2 minutes after the attacker is through.

Business Owners:

At the conference, the pair threw 200 BLEKeys into the crowd, and made available both the code, and unit for sale; it’s now out there.

To protect your business, they suggest ensuring tamper detection is turned on, and make sure to monitor the logs for anomalies. Also monitor the camera by the door, to stop an attacker from installing one into your reader.

Pentesters:

Add this to your kit. It could make the physical portion of your pentest smoother, especially since sensitive areas are often protected by prox cards.

Or use it to mess with the company’s logs.

Get the code here – GitHub

Here’s the are the guys behind BLEKey and the best part is… they’re Canadian! They also received the most cheers of all the presentations I attended.

Left is Eric Evenchick, and right is Mark Baseggio.

From Black Hat 2015

Blog tag = Black Hat

 

 

The New Way to Steal a Car

A signal booster is the new shim.

The method exploits keyless entry, a once-luxury feature now found in entry-level cars.

I speak with Ted Harrington, co-founder of Independent Security Evaluators, a company that pioneered car hacking.

Very basically:

The Attack

Amplify the proximity radius, and now the key and car are talking when they shouldn’t be. Thief goes in, off he drives.

The Defence

Keep your key fob in a Faraday Cage (no signals can get in or go out)… do this by wrapping the fob in aluminum foil.

Read it online at Autonet.

Favourite line:

Pretty geeky, and probably beyond the average criminal, right? The trouble is that the online black market is massive and lucrative.

***

Back to ‘Keri on Driving’ – Index

Blog tag = auto security

 

 

Analzying a Vishing Attack

There’s a CRA (Canada Revenue Agency) scam going around right now.  I received a call from “Roger” at the CRA this week, asking me verify my current address.

Let’s analyze at the attack.

The Attack

Flag #1

Roger’s number displayed on my phone – 905-XXX-XXXX. Nope.

The CRA agent’s number will never display, it will come up as “Private” or “Blocked” because imagine? People would lose their minds dialling directly to harass the agent.

Flag #2

Roger lists my last 3 home addresses, my company name, then asks for only one piece of information to verify my identity – my birthday. One piece of publicly available information to verify me?  No way.

From the CRA website, here’s the list of identification questions they’ll use.

Flag #3

Me: this number on my screen, if I call it back it’ll go to you?
Roger: yes, that will go directly to my desk.

Uh-huh. See Flag #1. Plus, if he’s at his desk, why don’t I hear office noises in the background?

Let’s keep talking.

Me: what’s the problem?
Roger: the address we have on file for your company is incorrect, because the mail we sent you was returned. We need to update your address.

Flag #4

Not only do I have my mail forwarded from my old downtown address, but my accountant and I are very on top of things, so there is no chance this is correct.

I tell him to switch it to my home address, which he has already listed, and he rushes off the phone.

I immediately email my accountant, who searches the CRA database and comes back with this confirmation – my correct address is on file.

Flag #5

I call the number back and it goes straight to voicemail.

Not only is it full and cannot accept new messages, but the name on the voicemail is not Roger.

Flag #6

I trace the phone number, and land up at a suburban house just outside of Toronto. Not posting a map of that, bet the poor guy has no idea his number has been hijacked.

Flag #7

Over to Google, and there’s news everywhere, including one from CBC a couple weeks ago warning Ontario residents. Read it here.

The Defence

– stay sharp and calm… the above played out over 60 seconds, as in, quickly. And if the call comes in while you are distracted or busy, that’s how you slip up and they win 

– when in doubt never ever give out personal information, especially your Social Insurance Number (SIN)

– call the CRA directly to confirm the validity. Say something like, “I’m very busy at the moment, but will call you back by end of the day.” That way you’ve initiated contact, and the problem should be listed on your file

– ask lots and lots of questions, they don’t like that

– the scammer will be skilled on the phone, they’ll sound smooth, almost too-smooth

– CRA emails will never contain any links, nor will they contain personal information

– listen to your gut, it’s the best defence in these scenarios

See the CRA website for more details on scams.

As always in suspicious scenarios, be wary of clicking on links in an email, and if you must, expand the URL before clicking.

Test yourself here – Spot the phishing email

Blog tag = phishing

 

 

 

A Quick Way to Defeat a Padlock

The Attack

Forget breaching the lock.

Instead, remove the plate and loop the lock is attached to.

The Defence

Install the plates and loops on the inside of the doors.

Same thinking as to why the hinges on your home’s exterior doors are located inside your house, or should be.

 

 

 

Never Call when This Happens

Kind’ve clever eh: a real-sounding URL, “Support for Apple”, and a toll-free number, how nice for someone else to foot the bill.

The Attack

Pop-up window appears > you call the number > whomever answers is skilled with words > you’re tricked (social engineered) into doing something stupid, like providing a password or downloading a malicious file.

The Defence

Never call. This will never happen.

***

See also: You’ll never win a contest via text