80% of Prox Card Readers are Now Vulnerable

A pair of security researchers introduced BLEKey at the 2015 Black Hat Security Conference.

It’s such a high percentage – 80% – because really, all proximity card readers are made by 1 of 2 companies. Actually, if you use one to get into work, I bet it’s a HID unit.

The BLEKey (Bluetooth low energy key) can be installed in 60 seconds by attaching it to the reader via 3 wires. Then, when paired with a mobile phone, this $10 device can open a proximity card protected door.

1 – Bluetooth

2 – processor

3 – where the 3 wires attach (2 data, 1 power)

4 – battery

Once in place, it can clone cards, remotely open the door, or disable the door entirely for 2 minutes after the attacker is through.

Business Owners:

At the conference, the pair threw 200 BLEKeys into the crowd, and made available both the code, and unit for sale; it’s now out there.

To protect your business, they suggest ensuring tamper detection is turned on and monitoring the logs for anomalies. Also monitor the camera by the door, to stop an attacker from installing one into your reader.
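To make "monitor the logs for anomalies" concrete, here is an added example (my own, not code from the post or from the BLEKey project) that scans badge-reader logs for the three things an install like this leaves behind: a tamper event, a reader that drops offline for about two minutes, and a badge accepted shortly after a tamper event on the same reader. The log format, field names, sample lines and thresholds are all assumptions I constructed for the example; a real access-control system exports its own format, so adapt `parse_line()` to it.

```python
"""Added example: scan badge-reader logs for the anomalies the post says to watch for.

Assumed (constructed) log format: ISO-8601 timestamp followed by key=value fields.
Real access-control systems export their own formats; adapt parse_line() accordingly.
"""
from datetime import datetime, timedelta

# Constructed sample log: a tamper event, the reader dropping offline for over
# two minutes, and a badge accepted a few minutes after the tamper event.
SAMPLE_LOG = """\
2015-08-10T08:59:10 reader=lobby-1 event=access_granted badge=4471
2015-08-10T09:00:02 reader=lobby-1 event=tamper
2015-08-10T09:00:05 reader=lobby-1 event=offline
2015-08-10T09:02:20 reader=lobby-1 event=online
2015-08-10T09:03:00 reader=lobby-1 event=access_granted badge=4471
2015-08-10T09:03:30 reader=server-room event=access_granted badge=4471
2015-08-10T09:10:00 reader=lobby-1 event=offline
2015-08-10T09:10:20 reader=lobby-1 event=online
"""


def parse_line(line):
    """Turn one 'timestamp k=v k=v' line into a dict; 'ts' becomes a datetime."""
    ts, *fields = line.split()
    record = {"ts": datetime.fromisoformat(ts)}
    for field in fields:
        key, _, value = field.partition("=")
        record[key] = value
    return record


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def find_anomalies(records,
                   offline_threshold=timedelta(seconds=90),
                   post_tamper_window=timedelta(minutes=10)):
    """Return alert dicts for three patterns worth a human look:
    - a tamper event (reader housing opened or wiring disturbed),
    - a reader offline longer than offline_threshold (the post describes the
      door being disabled for about two minutes),
    - a badge accepted at a reader shortly after a tamper event on that reader.
    Both thresholds are assumptions; tune them to the building's own baseline."""
    alerts = []
    offline_since = {}   # reader -> time it went offline
    last_tamper = {}     # reader -> time of the most recent tamper event
    for rec in sorted(records, key=lambda r: r["ts"]):
        reader, event, ts = rec["reader"], rec["event"], rec["ts"]
        if event == "tamper":
            last_tamper[reader] = ts
            alerts.append({"ts": ts, "reader": reader, "kind": "tamper"})
        elif event == "offline":
            offline_since[reader] = ts
        elif event == "online":
            start = offline_since.pop(reader, None)
            if start is not None and ts - start >= offline_threshold:
                alerts.append({"ts": ts, "reader": reader, "kind": "prolonged_offline",
                               "seconds": int((ts - start).total_seconds())})
        elif event == "access_granted":
            tamper_ts = last_tamper.get(reader)
            if tamper_ts is not None and ts - tamper_ts <= post_tamper_window:
                alerts.append({"ts": ts, "reader": reader, "kind": "access_after_tamper",
                               "badge": rec.get("badge")})
    return alerts


def main():
    for alert in find_anomalies(parse_log(SAMPLE_LOG)):
        print(alert)


if __name__ == "__main__":
    main()
```

Run against the constructed sample it raises three alerts: the tamper event itself, the 135-second outage that follows it, and the badge accepted three minutes later on the same reader. The second, 20-second outage at 09:10 is below the threshold and stays quiet, which is the point of setting the threshold from your own readers' normal behaviour rather than flagging every blip.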

Pentesters:

Add this to your kit. It could make the physical portion of your pentest smoother, especially since sensitive areas are often protected by prox cards.

Or use it to mess with the company’s logs.

Get the code here – GitHub

Here are the guys behind BLEKey, and the best part is… they’re Canadian! They also received the most cheers of all the presentations I attended.

Left is Eric Evenchick, and right is Mark Baseggio.

From Black Hat 2015

Blog tag = Black Hat


My 1st Public Speaking Engagement

Last night I spoke at a TASK meeting (Toronto Area Security Klatch – Canada’s longest-running get-together of Information Security professionals.)

It was their annual Black Hat / DEF CON review session.

I covered the Jeep hacking talk, but tailored my presentation to illuminate areas of the auto industry that need security help – because if you want to be employed forever, go into the auto security industry.

There were about 170 people, I had 14 slides and spoke for 8 minutes.

(don’t know why the picture quality is crap, on my 3-week-old iPhone?)

A friend filmed it, but no no that’s not going online… watched the footage, sorry TASK for all the ummmms!

It started like that even, “Hi I’m Keri, ummm.” Literally cringed while typing that. I’m more eloquent and better paced than that, nor so verbose; that was 4 minutes too long. I was SO nervous.

But first one done! I enjoyed it. Think I could get good at this.

Go too.

TASK.to

Meets the last Wednesday of every month, 6:00 pm to 9:00 pm

Metro Hall, Rotunda (On main floor, just past the elevators)
55 John Street, Toronto
SE corner of King St. & John St.


Update your Android Phone NOW

There is a massive Android bug called Stagefright.

It’s being called the biggest Android flaw ever; it affected about 950 million devices.

It even has its own logo.

Hundreds of millions of phones are affected.

Above is a list of vulnerable devices.

That’s Adrian Ludwig, lead engineer for Android security at Google, speaking about Stagefright at Black Hat 2015.

The bug was discovered by Joshua Drake from the Zimperium security firm. He tells FORBES magazine,

“All devices should be assumed to be vulnerable. Only Android phones below version 2.2 are not affected.”

The Attack

Uses MMS (texting). It installs with no user interaction required, which is the scary part.

An MMS message is sent > it contains a media file > that the phone opens automatically > which releases and installs the bug > MMS is deleted > no trace of attack

Watch the attack.

What can Stagefright do?

Turn on both the camera and microphone, and secretly record video and listen to conversations.

A level deeper, and it can view photos; read the device’s email, Facebook and WhatsApp messages; access contacts and data; or use the mobile as a jumping-off point into the victim’s cloud applications.

The Defence

Google shut down some functions; that’s why the messenger app stopped auto-loading and thumbnails reverted to static-only. Nexus devices are being updated automatically over the air.

What you can do:

1 – update your phone

2 – disable “auto-fetching in MMS” to stop the media from auto-downloading. How to here.

3 – never open a photo, video or click a link, from someone you don’t know

4 – download Zimperium’s Stagefright Detector App for Android Devices 

Further reading – Zimperium’s blog post

From Black Hat 2015

Blog tag = Black Hat


Car Hacking Looks like This

Screenshots from the Black Hat presentation about the first remote hack of a passenger vehicle – a 2015 Jeep Cherokee (more here.)

It was these guys – Charlie Miller and Chris Valasek.

2 Biggest Takeaways for the Average Driver

1 – the attack they released no longer works

As of the publishing of this post, the attack stopped working because Sprint closed the port they were using to enter the car (nice, Sprint.)

If you own a Chrysler and were part of the 1.4 million recall, breathe a bit easier.

2 – update your car

This Jeep thing is a wakeup call: if your automaker issues an update, make it a priority. The industry is still in its infancy, so the update will probably be inconvenient (“pick up a USB from the dealership”). DO IT.

Be mindful about how you connect your car to the internet (please never pair your car to public WiFi.)

From Black Hat 2015.


Vegas Decompression Complete

Above is Saturday night.

Below is Sunday night.

(didn’t achieve top score, he just let me put my name, kept tanking the putting)

What an over-stimulating environment, Vegas.

Don’t like the city, and coming up on 20 visits ugh; the blog tag is annoyingly large – Vegas (25).

It’s the extreme excess, and how people’s level of entitlement to it all severely increases… gross. 

But Black Hat ahhhh. Guys I learned so much.

Upcoming Security Posts

– car hacking stuff obvs
– defeating 80% of all proximity-keyed doors
– the “Avoid being Social Engineered” Series with Social-Engineer, Inc
– update your Android phone NOW (really, don’t wait for the post – Google “libstagefright” and install ASAP)

Next Car Reviews

– 2015 Jaguar XJ & XJL
– 2015 Subaru Crosstrek
– 2015 Ford Focus ST

Plus the post: My Vegas Photos will Bore You

Three weeks left of summer, book stuff this week because we’ll blink and it’ll be September. Here’s to a strong start to your week!

xo Keri