Hacking the physical world.
In this episode, we talk about physical pen-testing with Deviant Ollam, author of the book, “Practical Lock Picking: A Physical Penetration Tester's Training Guide.”
Ben Halpern is co-founder and webmaster of DEV/Forem.
Julianna Tetreault is a published writer turned software engineer with an insatiable desire to learn. On any given day, you can find her putting her full-stack Ruby and Rails skills to work (if she's not traveling!) or head-down in a book.
While paying the bills as a physical penetration specialist with The CORE Group and the Director of Education for Red Team Alliance, Deviant Ollam is also a member of the Board of Directors of the US division of TOOOL, The Open Organisation Of Lockpickers. His books Practical Lock Picking and Keys to the Kingdom are among Syngress Publishing's best-selling pen testing titles. In addition to being a lockpicker, Deviant is also a SAVTA certified safe technician and GSA certified safe and vault inspector. At multiple annual security conferences Deviant started Lockpick Village workshop areas, and he has conducted physical security training sessions for Black Hat, the SANS Institute, DeepSec, ToorCon, HackCon, ShakaCon, HackInTheBox, ekoparty, AusCERT, GovCERT, CONFidence, the FBI, the NSA, DARPA, the National Defense University, the United States Naval Academy at Annapolis, and the United States Military Academy at West Point. In his limited spare time, Deviant enjoys loud moments with lead acceleration and quiet times with podcasts. He arrives at airports too early and shows up at parties too late, but will promptly appear right on time for tacos or whiskey.
[00:00:00] DO: You can use a can of compressed air to unlock from the outside loads of secure buildings.
[00:00:18] BH: Welcome to DevDiscuss, the show where we cover the burning topics that impact all of our lives as developers. I’m Ben Halpern, a co-founder of Forem.
[00:00:27] JT: And Julianna Tetreault, Software Engineer at Forem. And today, we’re talking about physical pen testing with Deviant Ollam, Author of the Book Practical Lock Picking: A Physical Penetration Tester's Training Guide. Thank you so much for being here.
[00:00:40] DO: Thanks for having me. It’s always a unique time when you’re discussing things with people whose lives involve more ones and zeroes and less doors and keys. I mean, all of our lives involve doors and keys. I guess that’s why some of this material translates well.
[00:00:54] JT: Yeah. So could you talk about the process for how you might do a physical pen testing job and how real covert entry works?
[00:01:04] DO: Sure. Every job is different, of course, and every client is unique and every target site has its own little quirks and vulnerabilities or robustness. But at its core, like any other kind of hacking, you’re essentially stressing a system and trying to make it behave in ways that the original planners and the regular users do not expect. And much of this starts off with simple reconnaissance. If we have a target facility that we’ve been tasked with trying to gain entry or trying to extract information, we don’t want to immediately walk right up to the front door and try it. Although you’ll be surprised at how often that lets you in. But reconnaissance involving, well, what do they do most of the time? What are their comings and goings like? What is the activity like at this facility? What do the people look like? If you’re going to do something unauthorized, it’s best if you don’t stick out like a sore thumb. So we’ll get cover stories and outfits. It’s amazing how often you can go to thrift stores in town of a certain facility and you say, “All right, well, if we’re going to go break into ConAgra and try to mess with food supply chains, go to your local Goodwill or Salvation Army.” “Oh my gosh, there’s a million outfits from former employees of ConAgra. Let me just build myself a jacket, a shirt, a cap.” All right, there we go. ConAgra is not a client of ours, although we have worked definitely in the agribusiness before. So yes, doing some recon, building cover stories. Now that recon can be optically on-site. You’re looking and you’re putting long distance lenses from across the street, in your cars. Or maybe you’re doing a lot of digital reconnaissance. Maybe you’re doing open source intelligence gathering, scrubbing through social media, looking to see, “Well, where are these employees from? Do they tend to always work out of this one office? Or do they have a lot of rotating staff?” Maybe you say, “Oh, look at this. 
People keep coming from the San Francisco office for this big meeting in New York and they seem to do that quarterly. Well, maybe I’ll pretend I’m from the West Coast office, if I’m coming.” So you start getting these little crumbs and if you know how to put them together, you can get a really good idea for what’s going on inside of the building, even if you can’t see in the windows. And I think a lot of software people can understand that when they’re just using input forms on a system, they say, “Okay, I’m pretty sure I bet I know how they’re parsing this data based on the way the form is loading or not loading.” “Oh, okay, look at this. I can see the page has this layout. I’m betting they might’ve hired this shop who uses certain templates all the time for their front end.” Even if you can’t see behind the scenes, if you can’t look under the hood, you’ve got a pretty good idea if you’re a veteran of the industry. So that’s our first step is basic reconnaissance to build a picture of the target. And then we start doing some light probing, something that’s not hopefully going to get us immediately caught or raise an alarm, but maybe I’m going to put on an outfit that makes me look like I’m from Comcast and I’m doing a little bit of site survey. I’m not entering your building. No, no, no. I’m just walking around the building, looking for junction boxes if anyone walks up to me, but no one’s going to walk up to me. You see the Comcast person or you see the person from Verizon outside, but what I’m actually doing is getting close to the doors, looking behind some hedges and saying, “Oh, okay. So they’ve got this style of hinge. Oh, I can see exactly what. Oh, they got Von Duprin exit devices on all these stairwells. Okay. So I can see through the glass in this vestibule. All right. I can see which request to exit sensors they have.” So little light touch things like that. 
Maybe someone comes through a door and I might walk through into a vestibule and pretend I’m just kind of looking at a couple of ceiling tiles. And then as I walk back out the door, because I’m not staying on site, I’ll just kick the rug, the rug by the door. So it gets caught in the doorframe and the door doesn’t quite shut behind me. And then I’ll go back to my car across the street, look, and I’ll see, “All right, does it take a minute, five minutes? Is there an alarm?” That’s a door that’s propped open. And by walking through the door, I noticed that there was a position switch, a door contact sensor. So somewhere the access control system probably knows that door is open. What’s their response like? A lot of people testing software applications for security vulnerabilities, they don’t immediately try to drop a huge, dangerous SQL injection. They just maybe put way too many characters in an input form and they say, “Is it going to barf? Is it going to yell? Is it going to accept this? What’s going to happen?” Let’s just see how small, weird things make it behave unpredictably. And that will start informing you of what your next steps will be. If the guards show up right away at those doors, I say, “All right, well, we’re not going to be propping doors open. We’re going to have to take those sensors out of the equation if we’re going to attack that door in the middle of the night.” Or if a form literally allows you to put any random junk characters in it with no validation, you’re like, “Oh, all right, that’s going to be helpful if I start crafting some interesting payloads in here.” And then ultimately, then you just got to go for it. Right? You take all of your experience. You take the information you’ve gathered from that specific target and you say, “All right, there’s a pretty good chance that X, Y, or Z are going to work.” And we work in teams, of course, so you don’t put all your eggs in one basket. 
One person tries the perhaps most likely success avenue, but if they get roasted, you say, “All right, well, they’re off the board for a minute. I’m going to try this other avenue on building C and I’ve got someone else standing by on building B.” Before you know it, you’re getting messages in your group signal thread. “Oh my God! I can’t believe I’m totally inside the vestibule area!” “Oh my gosh! I can’t believe I’m inside the executive suites now!” And it’s always a debate whether you push hard immediately and just finish right away. Or, “All right, no, no, no, that’s a good win. Now get out clean. Come all the way back. Go back across the street. Write that finding down. All right, let’s try again now.” Ultimately, you want to deliver value. What we do, and this applies of course to any software bug bounty people, is we’re not there to make ourselves feel cool. We do it ultimately to add value to the client. You’re trying to do things in a way that makes it possible for other people to learn from it. And a lot of times that involves nuance, that involves professionalism and involves emotional work, how you deliver those findings, how you’re packaging up your report can do as much good or ill for the client as the findings themselves. Because if people aren’t listening at the end of the day to what you discovered, does it even make any difference?
[00:07:32] BH: You mentioned your group chat on Signal. I imagine everyone in this space is pretty security conscientious from all angles, cybersecurity and otherwise. But that one comment kind of made me curious, like Signal is kind of a newish thing and encrypted chat if anybody’s not familiar with it. But before Signal existed, you probably communicated in other ways. Curious just kind of going back in time, what were some of the most important baseline check-the-box items for communicating securely as you’ve been in this field?
[00:08:10] DO: So I’ve been on Signal back when it was split into two apps. So it was RedPhone and TextSecure. I mean, full disclosure, I’ve known Moxie and his team for a very long time, but I recall there was an app called Wickr that I believe still exists. I don’t know anyone who uses it anymore. I remember there was a tool called TigerText. I hope I’m not making that up in my imagination. I swear this thing used to exist. But before that, it was the early days where we really were all just sort of battling to make our instances of PGP work correctly with our email, which, I mean, I think I still have a PGP key to my email signature, but I can’t recall the last time anyone’s sent me a PGP message by email. So interoperability, and adoption, boy, that has been quite the battle over the years. I can remember people were giving presentations at developer conferences and hacker conferences with titles like, “Why Johnny Can’t Encrypt.” And I really think Signal is kind of an amazing exemplar of how making things turn key, making encryption and secure channels of communication not a fuss to use. We won’t use really tired and ageist and gendered statements about grandmothers and blah, blah, blah. I hate examples that are worded that way, but really getting your whole family and all of your colleagues to use an encrypted messaging solution. We are living in the heyday of that. This is like doing laundry compared to how you did it pre-industrial revolution. It’s night and day. And the idea that nowadays even mainstream products that everyone is using. Facebook Messenger, Instagram is of course in the news these days, which is Meta or Facebook products, and trust them with a grain of salt. But Instagram is talking about how they’re enabling encrypted communications for people in certain areas of strife nowadays, in Russia, in Ukraine, to which security experts are all applauding and saying, “Okay, now how about the rest of us now do it everywhere? Why not that? 
Why not make it like Signal on Instagram?” So yeah, I like this idea. I don’t know how political anyone in your audience is with their awareness of many bills and laws that have been attempted to undermine encryption, the horrendous EARN IT Act, which the few tech-savvy congressmen and senators like let’s say Ron Wyden have been speaking out against, thankfully, but a lot of folks in Congress who do not understand the need for security and the need for encryption are often trying to undermine it while we’re all out here trying to do our best to get everyone to use it. So it’s quite the tug of war. It has been for a while.
[00:10:49] BH: Can you tell us about your background, how you got here?
[00:10:52] DO: Well, the sort of tongue in cheek one-liner when people say, “Man, your job is pretty amazing. How do I do what you do?” My answer is sort of, “Well, some of the right friends, some of the wrong friends when growing up and you’ll wind up like me.” But as facetious as that sounds, it is kind of true. Many people who work in technology will have origin stories that involve a perhaps healthy disrespect for rules and boundaries, we might say. You never want to be such an antisocial or outcast person that you wind up in trouble and can’t make something of yourself. But if you’re pushing right at the edges of what’s expected of you or what’s expected of a certain system or technology, I think that’s a very healthy inquisitiveness and we should be encouraging that, not discouraging that. When people just get in a little bit of trouble at school, maybe instead of disciplining them, you give them a free rein, you give them a place to say, “All right, well, take that idea and run with it.” And that’s what I did. I did a lot of exploring places where I shouldn’t be when I was younger. If you want to go all the way down to teenage years, I mean, it’s getting into some nature preserve or getting into some watershed and you’re just sort of exploring around the forest with your bike parked behind the 711 and you and your friends are looking on property that might’ve been private land, might’ve been public land, county land. No one’s really sure, but it was your little stream and your little creek. And then as you get older into high school and you get into college, you’re trying to get into a building that might be closed off. Not because you want to steal anything. You’re just like, “Why does no one go in that building? What’s inside there? Oh, old desks! Fascinating!” Or you get older than that and you’re staying at a hotel and you say, “Well, I mean, is it illegal to get on the roof? The door’s right there. It doesn’t have a sign on it. 
Oh, all right.” Well, there’s nothing that fascinating about a hotel roof, but everyone in the hacker community is always proud of when they got on the roof at a conference, that kind of mindset. “Hey, can I get here? Can I make this thing do something it wasn’t supposed to?” That’s the way I’ve always thought of systems around me and that’s what I try to encourage in others.
[00:12:58] JT: That just really resonates with me.
[00:13:01] BH: Yeah, me too. I don’t want to incriminate myself with any stories or anything, but I feel like been there, done that in some of that stuff.
[00:13:08] JT: What exactly resonated with you about physical pen testing? Was it just the ability to break into things and kind of do things that you weren’t supposed to and bend the rules? Or was there something more there?
[00:13:21] BH: Well, I think it’s twofold. I think that being able to break the rules and not get in trouble is absolutely a thrill. It's, I would say, equivalent to mountain climbing if you’re on a very strong belay rig for anybody out there. I mean, this is your harnesses and your roping and everything. So you can make that adventurous leap. You can try to try for this very hard handhold. You can guest on your way over this cliff face and you can do it with boldness because you know you’re not going to die. If you slip, fall, you’ll go down a few feet and get snagged by your rope, and then all right, try again. And being emboldened usually is a recipe for success. You can climb higher, find new heights. Well, there’s that part of it. There is, “Oh my gosh, I can do all these things that you’re not supposed to do, and I’ll never get in trouble. Ha-Ha-Ha! Confetti, isn’t my job amazing?” But that’s really just kind of a thrill and an ego stroke. That’s a reason to maybe get into the field. You say, “All right, I can do this. Isn’t it as neat?” But to stay in the field to really experience ongoing reward is to see how your work benefits others. And as far as physical penetration goes and physical security evaluation and education, I like how massively outsized the return on investment is when people are improving. And by that, I mean, and this might resonate well with the people listening here and those of you who are talking to me. If something is a flaw in a software system, it can often be deep in the architecture and a client who already paid perhaps tens of thousands of dollars, maybe hundreds of thousands of dollars for an expensive software product or custom installation or web application, for them to find out, “Oh, by the way, there’s this big flaw and you’re going to want to fix that.” Everyone goes, “Oh!” With their budget, they say, “Oh my gosh, we paid all this money already. How much is it going to cost to fix? We’re never going to be able to do this. 
Ah!” Well, if I come along and I say, “Oh, so you spend all this money on your access control system. Yeah. Yeah. Okay. So there’s this really bad flaw. Let me demonstrate that to you. Now hold onto your seats. You might be looking at a hundred dollars to fix the way that door is hung.” It’s much more achievable and much more easily implemented the types of solutions to problems I find. I like that I’m finding problems in the world that are easily correctable most of the time. And if people’s faces really light up when they say, “Oh my gosh, it had me really scared there for a minute, but are you telling me I can just buy this simple part and we can just replace these hinges and all of a sudden we’re protected against that thing?” I’ll go, “Hell yeah!” That’s simple as that, which is mechanisms.
[00:16:19] BH: Can you contextualize some of this stuff in the world of cybersecurity? So what do you feel is sort of by the inherent crossovers or why this could be interesting for developers from a mental process and modeling perspective?
[00:16:33] DO: Sure. I think the answer is twofold there. At the end of the day, all digital security is reliant on physical security. If an assailant or an unauthorized party can get hands-on access to your devices, your network hardware, your servers, virtually no software solution is designed to be robust in the face of that attack. You can have the most patched modern let’s say network switches and routers in your network stack. But if I can physically touch the routers and I get to the rack, I can drop to single user mode and just throw a console cable into something. Likewise, thinking about how security flaws can be emerging and can be exploited, physical security is a very good allegory and a teaching tool for people who live exclusively in the digital space, showing people how architecture thoughts and design decisions at the very beginnings of a project can have long ramifications down the road. I think it’s very healthy for engineers, even those who are exclusively ones and zeroes space, to see how their early thoughts and if you don’t bake security in from the beginning, it’s very hard to add it later.
[00:17:46] BH: Can you speak to any sort of like named methodologies that stand out? Give me some jargon and speak to that.
[00:17:55] DO: I mean, I do a lot of government consulting and I’m a government safe technician as well. There are two interesting terms and I’d be very curious if there are any parallels to this in the software and applications. If I tell people, “Well, I do covert entry work.” I say, “Okay. I mean, they can kind of get a picture in their head of what that means.” But one of the first things we teach because we train others to do this as well. I mean, that’s part of my job. There’s a lot of teaching and training. We talk about the difference between covert and surreptitious. And you might say, “Well, all right. I mean, that just sounds like a synonym that an author uses in a thriller novel to sound more techno literate. Is that a Tom Clancy word or something?” Well, no. Covert entry and surreptitious entry are actually quite distinct. Let’s take a step back and just talk about overt entry. If I take an ax and I literally chop a door open, The Shining “Here’s Johnny” style, right? Well, any one of you with no special training or skill can come along after the fact and look and go, “Well, that’s not right. Something’s happened here.” That’s overt entry. It leaves very clear and obvious signs, often is destructive. Anybody will notice that it happened, even if they weren’t particularly looking for evidence of entry, like, “Wow, what the heck happened?” Covert entry might be something like lock picking or using a slipping tool to attack a door latch. Now that’s not to say there isn’t evidence. There is evidence that I’m leaving tool marks inside the lock or inside the door mechanism. The thing about covert entry is that the evidence of the intrusion is not immediately obvious unless you have special training and unless you are actively looking for that evidence. So a passer-by on the street maybe wouldn’t notice that the door had been subject to lock picking, but a forensic locksmith could. They could testify in court. Oh yeah. 
These marks inside of this lock, these are not from a key. These are tool marks. Where it gets really interesting as far as government intelligence community work is surreptitious entry. That is when an intrusion leaves no discernible definitive evidence at all. And even if someone has training and is specifically tasked with looking for evidence of wrongdoing, they will not find conclusive evidence at all. An example here might be let’s say deciphering the master key of a master key system, which is again, something that I have presented about it at some hacker cons before. If I decipher the top master key and can extract its bitting, there’s a number of ways to do this. There’s a lot of fascinating attacks against master key systems. And then what am I going to do with that information? I’m going to make my own copy of the master key. And I can walk around the building, accessing things as I please. Well, we talked about forensic locksmithing, right? A locksmith, if the government says, “Has a spy been in this security closet?” Well, they might take the lock apart and look for tool marks, but what are they going to see? “Well, I can testify that a key has been inserted into this lock.” Well, that’s not conclusive at all. And the idea of being able to ask yourself, “All right, what type of client are we being hired by? What type of target are we attacking? Can we leave any evidence at all? Or will that completely burn the mission?” Some of us on our team do far more government work than others. And the value that they are providing is not, “Could I get in and out?” The value they’re providing is, “Can I get in and get out completely unnoticed?” I'm quoting my friend Drew on that one. But yeah, I don’t know if in the software world, if you think of logging and auditing functions, and if the system is designed very robustly, it should catch evidence of an authorized access. 
But the real scary attacks, the ones that keep people up at night are potentially the ones that don’t leave a discernible verifiable audit trail.
[00:22:09] BH: Yeah. I mean, I think depending on your discipline, there’s probably a few things in software that sort of speak to that. I think generally a lot of dialogue around observability in general and observability doesn’t always mean prevention, but it means just like one way or another like stuff going on is observable and like anything that’s out of the ordinary is automatically elevated. So working backwards from that, having an understanding of what you can do without being observable as an attacker I think is probably the closest parallel that comes to mind for me.
[00:22:46] JT: So in a talk that you gave a few years back, you mentioned that there’s this misconception almost that lock picking is a physical pen tester’s go-to tactic, but that’s not actually the case. So that being said, can we talk about some of the major tactics for physical pen testing?
[00:23:06] DO: The bulk of what my team and I do when we’re not strictly bluffing our way in with a pretext, right? The old joke, if you have two people and they’re in matching polos and they have the same logo and the same color on their hat, I mean, those people must be doing something. Look, they’re clearly walking with purpose. If we’re not just social engineering our way in a building, no, we’re not grabbing the lock picks as the first choice, the first go-to tool. Most of the time, our go-to tactics would be classified as bypassing. And when you say, “What is bypassing?” Well, think about when you come home to your house or apartment, if there’s a deadbolt on the door and you stick a key in, and many people have this concept, they understand that locks have little pins in them and tiny springs. The pins move when the key gets inserted and you turn the key and it unlocks. Well, it’s not those itty-bitty pins and the tiny springs. They’re not holding the door shut. Those are part of the authentication mechanism that interacts with your key, but the door is effectively being held shut by a bolt or a latch or maybe an electromagnet in the case of some commercial properties. Well, why would I reach into a super teeny-tiny hole like a key way and try to use very fine motor control and slowly and deliberately manipulate itty-bitty pins and springs? Why would I do that if there’s a much larger hole, known as the doorjamb? And if I’m interacting with much larger mechanical elements, like the mechanical latch or catch, if I can just pop and spring that open and the door instantly opens for me, that’s a far faster and easier to execute attack. If you’re nervous or if you’re under time pressure, your fine motor control might go out the window. But using a blade of metal literally just shoved into the doorframe and all of a sudden it springs open. I’m not talking about a pry bar. I’m not talking about damaging the door. 
There are plenty of perfectly good-looking hung and installed doors, but if a few metal parts aren’t lined up exactly right, well, I can come up with literally the cover of what you were thinking of like Office Space, the movie, I can come up with a TPS report. Like a heavy plastic cover of a printed document, jam it in the doorframe and all of a sudden, there you go, that executive office just popped right open and I can walk in. The idea that egress of a building is under code, under ADA code and NFPA fire code, we have to effect egress very easily in an event of emergency. Well, that means the interior handles on doors tend to be very easy to activate. For the audience, when’s the last time you’ve seen a knob, a round knob in a commercial space? Well, you don’t see that in new installations. It’s much more compliant with code to have a lever style handle or a push bar style egress device. Because in the event of emergency, you don’t need to use grip function. You don’t need to even be able to see very clearly. Maybe it’s dark. The power went out. Maybe there’s smoke, heaven forbid. Well, those very easily activated door handle devices, if I can reach under the door with a long rod, this is an actual tool. It’s just a long rod with a string. I can deliver a string or a hook to the inside of the door and all of a sudden yank, pop, boom, the door pops open. Why? Well, because all of our commercial doors these days need to be activated by very simple movement on the inside and very little pressure. Five pounds of pressure is all it takes to activate a panic egress device as it is known. We only think of someone activating that device if they’re already inside the building, but my team and I have tools to activate those devices when we’re standing outside.
[00:26:58] BH: Any other tools that exist that our audience might be curious about?
[00:27:04] DO: Sure. The audience might if they want to point their internet tube at some interesting images, they could search for what’s known as a J Tool or a thumb-turn flipper. So if you look up, these tools are often popular with first responders, fire crews show up at a building. And this is a big thing we talk about today is how we train a lot of first responders who have to show up on what might be considered non-priority calls or if they respond to an electronic alert, but there’s no secondary indicators. There’s no smoke or flame. They’re looking at each other, “Do we break the door down? Do we not?” There are times when I have literally trained and gotten amazing emails and messages from EMTs and paramedics. They say, “Well, we were on the phone with someone who reported shortness of breath or dizziness, but when we got there, they wouldn’t answer the door, but we’re not really certain if we were authorized to break in or would you have to wait for the police. But if you use latch slipping tools or if you use a J Tool, you’re essentially reaching through the doorframe and flipping a thumb turn from the inside and opening the door.” Using these techniques, firefighters and other paramedics love this because they can get in without any damage and oftentimes find people in need of help. Or if it’s a false alarm, they can clear the false alarm and the door is not destroyed. So yeah, J Tools are pretty neat. The classic one that really blows minds though is just go down to your local office supply store and get cans of air. Those air duster cans that usually have difluoroethane in them these days, some little propellant that boils off to make gaseous compression, because those cans don’t have just compressed air. Those of you who have ever had a little compressed air tank to fill up a sports ball or a tire on a bike, you know that compressed and a can that size would run out instantly. These cans have small propellant that is in liquid form. 
And inside of the can, as the pressure drops when you spray air out of it to clean your keyboard or what have you, well, the propellant will boil off and create a pocket of more gas, which is why if you use this product the can gets cold. That’s literally the propellant boiling off and turning into a gas. Well, if you flip that can upside down and maybe some of you who have air duster in your office have done this to freak out a coworker or if your cat’s climbing on something they shouldn’t be, give that blast of cold air because you’re spewing this difluoroethane out of the little straw. Well, that makes a giant cold cloud in front of you. If I slip that straw through a door jamb and the interior of a target that I’m trying to access has motion sensors, many times these motion sensors control the door locks. Well, if I walk up to a door, I blow a can of cold air through the door, the motion sensor on the inside says, “Hey, look at that! I see motion. Well, I know what that means. That means a human being is clearly approaching me as a door and wants to egress. I should unlock the door now,” says the door controller. You can use a can of compressed air to unlock from the outside loads of secure buildings. And you have the benefit of the door controller and the access control system thinking to itself, “Well, yes, my door just opened, but it was preceded by emotion event on the inside. No cause for alarm here. I will not register or log that as an alert of any kind.” That’s a normal egress event. So yeah, we can defeat alarm systems in the process just with a $6 can of spray duster from Staples.
[00:30:40] JT: I actually wanted to bring this up. So there are a couple of videos where you describe using gas stuff to bypass Honeywell sensors or those request-to-exit sensors and also vapes and also cold air from drinks. That being said, can you talk about the creative process for coming up with new ways to break the security things?
[00:31:00] DO: So most ideas aren’t fabricated just out of whole cloth. We all bring a certain skill set and lived experience to anything we approach. If I was in the kitchen and someone said, “Hey, can you roast?” Let’s think of a really obscure bird, right? “Can you roast an ostrich for dinner?” Well, I’ve never eaten a roast ostrich. I’ve had an ostrich burger. It’s not bad. But I’ve never cooked an ostrich, but I can say to myself, “Well, I know how ovens work and I know how you roast other birds. I imagined that if I compensated for this or I adapted my techniques for that, I could probably roast an ostrich.” Well, if a software developer is tasked with say, “Okay, we need a product that will control,” you name it, not banking transactions, right? But let’s say some other kinds of financial transactions. Maybe I don’t want to get into the cryptocurrency space because, Lord, there are some “out there” ideas, right? But before any of these banking solutions that use new fake money have ever existed, people say, “Well, I know how banking works and you have this system and there’s probably some middleware and messaging in this format. I could probably build you something that does what you want based on what I already know.” Whenever we approach a new lock or a new security product, it’s not like someone brought that to the market having never worked in the industry. They probably are an established company with established engineers and someone said, “Hey, we need to design a new bank vault that operates in, I don’t know, under the sea,” because we have the City of Atlantis. They probably said, “Well, we know how bank vaults work and we usually put the bolts this way and the gears this way and we usually have a lock that does this. Well, we have to compensate for deep pressure, and there’s the corrosion of salt water, but I guess we could.” So you say to yourself, “Well, I’m betting the engineers and the designers did it this way. 
And then if they tried to do these one or two things new and differently, maybe I’ll just make my attack slightly new and adapt it to this new different thing. Here, hand me that piece of rod. And here, can you give me that Dremel?” So much of our life involves Dremel, the tool that I liked, and I used to work in a machine shop and the Dremel was always referred to as the tool you use when somebody used a different tool wrong. The Dremel you bring in and fix things. Well, that’s a lot of what we do is sort of, “This is wrong. It’s not working the way I want it to. But if I kind of bend it and I kind of tweak it, oh, yeah, look, okay, it’s still just at the end of the day a spring or a hook or a bolt. I can attack that.” So we all have experience that is valuable. And even if you think that your work is mundane or you’ve just been asked to do the same thing over and over for years, that knowledge of how we’ve always done it this way, you build on that when you encounter something new and you say, “Well, how is this different than how I’ve always seen it? It’s 90% the same. Oh, they just did this. Okay, well maybe I’ll just do that.”
[00:34:21] BH: Julianna, do you want to speak as a software developer who I know is into this stuff? From your perspective, what do you think is the most fascinating about some of this stuff?
[00:34:33] JT: So I think, first and foremost, what got me interested in this was just sheer curiosity. But I think what keeps me interested is that there are just so many ways to get around things if you’re creative enough and willing enough to test those things that nobody’s ever done before. And kind of like Deviant had touched upon at the beginning of the podcast was that a lot of it comes from the feeling that you get after you’re able to accomplish something that maybe you’re not supposed to be doing. I kind of like living on the edge a little bit. I feel that way in software too. Right? And so I think that feeling coupled with just the creativity around it is something that keeps me really interested ultimately and got me into this in the first place to test the limits. Maybe I shouldn’t say that with my boss on the podcast, but I do.
[00:35:33] DO: No, right on. That’s the healthiest attitude anyone should be able to have all the time. And bosses should always make room for the people on their teams to test the limits.
[00:35:42] BH: I certainly hope that our limits are robust enough to withstand testing. And if not, that’s the whole point. Literally, we should be testing these limits. One of the more interesting buildings I’ve ever seen from a curiosity perspective, one time I visited a Google building in the Bay Area and every single door in the building required a key card. It was all like logged. I just sort of found that fascinating. I asked questions about that as I was walking around with the people I was hanging out with and they said like a software company logs all of this information and takes a very software first approach to their defense to some of this stuff. All that is to say I’m curious what some of them are interesting technical/physical solutions or stories going on out there where organizations are becoming more educated and creative about their defense systems. And what does that bring out of you?
[00:36:48] DO: Oh, gosh. Yeah. So electronic Physical Access Control Systems or PACS, P-A-C-S, as they’re called in the industry, this is when you see your classic RFID or some friend of mine, she calls them booby cards. Right? We have the contactless cards, right? Badges. These have been around for ages. We’re all familiar with using contactless touch credentials. You’d think that the industry is, I mean, these have been since the ’80s and ’90s, and now throughout all these last couple of decades, they must’ve evolved. Clearly, the readers look more interesting and some of them have keypads on them now. How has that tech evolved? Well, the thing is all access control systems of that nature, the credential what’s called the credential payload, that’s the actual user authentication data inside of your card. It’s kind of like a relay race where there’s the credential talks to the reader and then the reader talks down a wire through the wall to the door controller. And then sometimes even the door controller talks to a software server with the actual access control users and hours of day rules. Each step in that chain has its own series of vulnerabilities and each step in that chain has had its own evolution or lack thereof of innovation over these past many, many years. So we might think, “Well, the cards that you’re holding in your hand, there are all these new names. First, there was HID prox and then there was Indala and then there’s MIFARE and now there’s iCLASS and Seos. Some of you listening may be looking at your work badge and you’re seeing, “Oh, my card says Seos right in the back of it.” I mean, these are flagship modern for DESFire, it’s a big one in Europe, from NXP. Yes, the credentials have gotten newer and newer, but the actual language they speak, especially when that payload, that user information is not going from credential to reader. 
But when it’s going from reader down the wires to the door controller panel, that’s really old protocols and old language to this day. The way I would describe it as like this. Let’s say you walk up to the front of a building, human to human interaction. There’s a guard at the front door. There’s a boss deep inside the building. You walk up to the guard and you say, “Hello, I’m Julianna.” And the guard says, “Okay, hello, Julianna.” They pick up the phone and they say, “Ring, ring, ring. Hello, boss. Yeah, I got Julianna here.” And the boss, she looks in her database. She goes, “Oh yeah, Julianna works here. Okay. Yeah, let her in.” And the guard lets you in. And then if I walk up and I say, “Hey, I’m Dev.” And then they say, “Okay. Hi boss. Yeah, we got someone here named Dev. Okay. Nope. Nobody in the database named Dev. All right. Sorry, I can’t let you in.” Well, all the guard is doing is just passing a name, right? A very clear plain name. And you might think, “Well, geez, anyone could just kind of sit by the door. I could listen. And if I walk up and I say, ‘Hey, guard, yeah. I’m Julianna,’ well, then I would get let in.” Well, that’s the old sort of crackable cloneable credentials. We’ve talked about card cloning for years and how certain RFID credentials are vulnerable. What people don’t think about is they might have a very modern building where if you walk up to the guard, first, you have to give them a secret handshake and then you have to say a code word. The code word of the week is Green Mountain. And the guard says, “Okay, well, Herbal Flowers.” And after this back and forth then, and only then you can say, “Now that we know each other, I’m Julianna.” So you’ve had this very careful exchange and the boss lady on the inside, “Oh, Julianna’s here. Okay. Let her in.” Well, if that guard is trained to only interact with people who know the code words, that’s great. That’s a little more secure. 
But if I can walk up and that guard is like, “Hey, Purple Mountains,” I say, “I don’t know about your Purple Mountains, I’m Julianna.” And if the guard has been there a long time, if they’ve worked in this industry, I’ll say, “Oh, a legacy credential.” Well, at least I’m sure glad I know how to process those legacy credentials. “Hey, Julianna’s here.” That’s called a technology downgrade attack. If you have a building that has upgraded all of their credentials, but the backend system still supports really legacy-type RFID credentials, I can literally just package up my identity, not using this special code word encrypted format, I can just write it literally to an old as dirt 1980s credential, present it to a reader on the door and the system will say, “Hey, well, let’s go with geek humor. It’s an older code, sir, but it checks out.” I’m not a big Star Wars person, but that’s literally what happens and we will do this. So these companies that spend oodles of dollars upgrading their access control system and their integrator sells them the latest and greatest whiz-bang, whamodyne badges, you have to remember to turn off legacy credentials in the system. And if you don’t, it’s a huge gaping security hole that we exploit all the time.
[00:42:09] BH: Are these legacy credentials accidentally maintained or purposefully maintained because they’re legacy and they want to keep supporting them?
DO: This is a product of what’s usually known as a system migration. Many times an integrator will say, “Hey, you’re using these really outdated legacy credentials. They’re really weak. There’s this clown on the internet named Deviant. He’ll show you all these ways to attack them. It’s no bueno. We’re going to sell you these brand-new super secure credentials and we’re going to upgrade you.” And the customer says, “That sounds neat. How much do the credentials cost?” And the integrator says, “Well, your old credentials were a buck. These new cards, they’re $5 per card.” And the customer is like… and the integrator says, “Well, we have to upgrade your readers as well.” And the readers are also going to cost a couple hundred dollars per reader. And the customer’s like, “Oh boy!” But the integrator says, “Well, no, no, no, no, no, you don’t have to do it all at once. What we’ll do is we’ll put you on a migration pathway and we’ll just change your door readers on the most secure areas first and we’ll have your most important employees get the new credentials. But don’t worry. The old credentials will still be. We’ll slowly start cycling out your employees. If you have employees who are on the road all the time, they work remote, we’ll wait until they come into the office. And that’s when you give them new badges over the next few quarters. And once you’ve done all of that, after the last credentials rolled out, then we’ll turn off legacy credentials.” And it’s that last step that people forget because the idea of a migration pathway, so you don’t have to spend all your money at once, that’s a benefit to the customer. But it’s only a benefit if you finally get across the finish line and you eventually turn off the legacy credentials, which a lot of customers just never seem to do.
[00:43:58] JT: All right. So final question for you. To our audience listening, what would be your biggest piece of advice for future physical pen testers you’ve inspired?
[00:44:09] DO: Don’t dismiss the fact that the old attacks and vulnerabilities are going to keep working, but always be thinking of how to deliver new value and new information to the customer because clients have been told time and time again, they say, “Yeah, I know, I know our credentials are old. We’ve already heard that. We’re trying to fix it.” You always mention it. You always say, “Your door locks are vulnerable to that super old exploit.” And they say, “Oh, God, I know, I know. I know.” But be sure you’re providing them actionable value. It’s not about making you look cool and feel all big and bad, like, “Oh, I trumped all over your systems.” And the customer would say, “Yeah, I mean, well, we knew about some of these. We’ve been trying to fix those. We don’t have the budget. Give me something actionable. How can I actually feel better about myself and what can I do about these problems?” That’s really at the end of the day, not just physical pen testers, but anyone who provides bad news to anybody. It should be paired with, “Now here’s what you can do about it.” If you’re not delivering that along with your bad news, you’re just stroking your own ego and you’re not helping other people out.
[00:45:18] JT: Thank you, Deviant, for joining us today.
[00:45:20] DO: This was great. Thank you.
[00:45:30] BH: This show is produced and mixed by Levi Sharpe. Editorial oversight by Jess Lee, Peter Frank, and Saron Yitbarek. Our theme song is by Slow Biz. If you have any questions or comments, email [email protected] and make sure to join us for our DevDiscuss Twitter chats every Tuesday at 9:00 PM US Eastern Time. Or if you want to start your own discussion, write a post on DEV using the #discuss. Please rate and subscribe to this show on Apple Podcasts.