80% of Prox Card Readers are Now Vulnerable

A pair of security researchers introduced BLEKey at the 2015 Black Hat Security Conference.

It’s such a high percentage – 80% – because really, all proximity card readers are made by 1 of 2 companies. Actually, if you use one to get into work, I bet it’s a HID unit.

The BLEKey (Bluetooth low energy key) can be installed in 60 seconds by attaching it to the reader via 3 wires. Then, when paired with a mobile phone, this $10 device can open a proximity card protected door.

1 – Bluetooth

2 – processor

3 – where the 3 wires attach (2 data, 1 power)

4 – battery

Once in place, it can clone cards, remotely open the door, or disable the door entirely for 2 minutes after the attacker is through.

Business Owners:

At the conference, the pair threw 200 BLEKeys into the crowd, made the code available, and put the unit up for sale; it’s now out there.

To protect your business, they suggest ensuring tamper detection is turned on and monitoring the logs for anomalies. Also monitor the camera by the door, to stop an attacker from installing one into your reader.
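An added example (not from the original post or from the BLEKey project) of the log monitoring suggested above: it reports tamper alarms, lists cards read at a reader after its tamper alarm fired as possibly captured, and flags a card granted at two doors faster than a person could walk between them. The log layout, the event names, and the 60-second threshold are assumptions, and the sample log is constructed.

```python
from datetime import datetime, timedelta

# Constructed sample log; the "time,door,event,card" layout is an assumption.
SAMPLE_LOG = """\
2015-08-10T08:01:12,lobby,GRANTED,1001
2015-08-10T08:03:40,lab,GRANTED,1002
2015-08-10T12:15:05,lab,TAMPER,-
2015-08-10T12:40:00,lab,GRANTED,1002
2015-08-10T13:05:30,lab,GRANTED,1003
2015-08-10T17:59:50,lobby,GRANTED,1003
2015-08-10T18:00:20,lab,GRANTED,1003
"""

MIN_TRAVEL = timedelta(seconds=60)  # assumed minimum walk time between doors


def parse(log_text):
    """Return (time, door, event, card) tuples in chronological order."""
    rows = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, door, event, card = line.strip().split(",")
        rows.append((datetime.fromisoformat(ts), door, event, card))
    return sorted(rows)


def find_anomalies(log_text):
    """Return (alerts, exposed_cards) for a door-controller log."""
    alerts, exposed = [], set()
    tampered = set()   # doors whose reader has raised a tamper alarm
    last_seen = {}     # card -> (time, door) of its previous grant
    for ts, door, event, card in parse(log_text):
        if event == "TAMPER":
            tampered.add(door)
            alerts.append(f"{ts.isoformat()} tamper alarm at {door}")
        elif event == "GRANTED":
            # Any card read by a tampered reader may have been captured.
            if door in tampered:
                exposed.add(card)
            prev = last_seen.get(card)
            if prev and prev[1] != door and ts - prev[0] < MIN_TRAVEL:
                alerts.append(f"{ts.isoformat()} card {card} at {door} "
                              f"{(ts - prev[0]).seconds}s after {prev[1]}")
            last_seen[card] = (ts, door)
    return alerts, exposed
```

Cards in the exposed set are candidates for reissue once the reader has been inspected.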

Pentesters:

Add this to your kit. It could make the physical portion of your pentest smoother, especially since sensitive areas are often protected by prox cards.

Or use it to mess with the company’s logs.

Get the code here – GitHub

Here are the guys behind BLEKey, and the best part is… they’re Canadian! They also received the most cheers of all the presentations I attended.

Left is Eric Evenchick, and right is Mark Baseggio.

From Black Hat 2015

Ford Finally Fixes its Sync Software

Ford’s SYNC2 infotainment system was a disaster. So when I went to Detroit and tested the SYNC3 prototype, I figured there was only one way for this thing to go.

Gone is Microsoft, and the operating system is now Blackberry’s QNX OS, the user interface is minimal and intuitive, the system is WiFi capable, and Ford is first to bring Over-the-Air (OTA) updates to mass market. Short review: hugely improved, and now quite slick.

Read it online at Autonet.

Favourite line:

SYNC will have WiFi capabilities, allowing the driver to turn their car into a Hotspot (use WPA2 WiFi security – never connect your car to a public network, and remember you’re legally responsible for Hotspot users.)

***

Remember – YOU are legally responsible for those using your Hotspot, here.

More about the trip to Michigan here.

A Test: Use only Voice Recognition to Control a Car

This week I conduct an experiment:

Automakers are touting, “control the car using just Voice Recognition, so it’s hands on always!”

So for 1 week, I try to drive without removing my hands from the steering wheel, ever.

I rely solely on the wheel’s buttons to operate the cabin controls and infotainment system.

(Conclusion: can’t)

Read it online at Autonet.

Favourite line:

Regardless of how you’re operating the infotainment system, your focus and attention are still taken elsewhere. 

Test conducted in a 2015 Chrysler 200.

About pairing my phone to a car for the 1st time – here

***

Paired my Phone to a Car for the First Time

Ever.

Why never

I don’t think Chrysler (or any manufacturer) is going to do anything nefarious with my information, nor will the auto journalists who test this car after me, but…

1 – Your contacts database is one of your most precious files, and ideally, you have a copy on an external drive, that’s been backed up in the last couple weeks (if you say you store all your contacts in Facebook, please leave my blog.) So why be careless about where that file ends up?

2 – I don’t know what information the car copies, then saves, from my phone. Nor do I know that the data is fully deleted when I un-pair the phone. Not-knowing means not-happening.

3 – I’m still undecided if I trust the cloud, and so I don’t use it. And pairing the car means I’ve dipped my toe into the cloud.

4 – pairing usually requires Bluetooth, which I don’t use. I’ve been attacked via Bluetooth before, so I quit using it (that’s why you never see me anymore, in my beloved hands-free headsets)

So why now?

I’m conducting a test for an upcoming ‘Keri on Driving’ column…

The test is: automakers say we’re now able to fully control our car, without removing our hands from the wheel. Okay then, let’s see.

I set up for success and chose Chrysler because their ‘UConnect’ infotainment system is one of the best available.

How I paired it

I did not pair my own phone, not a chance.

Instead, I got a pre-paid SIM card from TELUS (talk & text only, no data), and put it in the Android they gave me. I saved the contacts I chat most with, and fired it up.

What happened

1 – the car has now saved my entire contacts list and my call history
2 – the car can now access my text messages, and can send as me

So to word it dramatically – the car now knows all your friends, whom you speak with most, and can text them. This is why you always delete your phone from a rental car, and don’t name your phone your name.

Because a possible attack: return the rental car > next guy gets in > your phone is your name > look up home address for that name > guy now knows where you are not

That’s pretty high-level, and the guy would have to be quite skilled, but still, why chance it.

Let the test begin

Figured out voice command navigation this afternoon, and how to send texts but only using the screen (think I’m doing something wrong there), audio is easy, and not sure if climate controls are even a possibility…

How nice did this photo turn out

When it launched, I reviewed this car for the paper, click here.

Short review – the 200 went from barely competing, to the one to compete against.

Don’t Name your Phone your Name

At the airport, scanning Bluetooth signals in a passenger waiting area.

The results:

Purple * – See the person’s name clearly displayed? The type of device/computer they’re using?
Green * – And that long number? That’s a MAC address.

MAC address – a unique number assigned to a device’s network hardware, like a digital fingerprint. Every networked device has one. Not related to Apple/Mac computers.

These people are unnecessarily broadcasting a lot of personal information.

If someone shouted, “Hi Rahul!”,

a gentleman within a 30-feet radius would react.

Someone with bad intentions could do a lot with that.

Practice ‘Security through Obscurity’, and name your phone something boring.

The name of my phone is —

And always remember, one of the most dangerous places to go online is using airport WiFi.

Even the best guys in the world don’t.

SOLUTION – tether your laptop to your phone using a USB cable