We Don't Need No Stinkin' Badges: Hacking Electronic Door Access Controllers

Presented at DEF CON 18 (2010), July 31, 2010, 2 p.m. (50 minutes)

In the security world, attacker physical access often means game over - so what happens if you can't trust your building's electronic door system? This presentation and paper explore attack surfaces and exploitation vectors in a major vendor of electronic door access controllers (EDAC). The main focus is on time-constrained rapid analysis and bug-hunting methodologies, while covering research techniques that assist in locating and targeting EDAC systems. In addition, a review of practical countermeasures and potential research activities in the EDAC space are covered. Attendees can expect an eye-opening experience regarding insecurities of critical systems controlling physical access to hospitals, schools, fire stations, businesses and other facilities.

Presenters:

• Shawn Merdinger - Security Researcher
  Shawn Merdinger is an independent security researcher based in the USA. In former corporate lives he worked with Cisco Systems' STAT (Security Technologies Assessment Team) and TippingPoint. His current security interests include VoIP, medical devices and embedded systems. Merdinger is a technical editor for Cisco Press and Pearson Publishing and has presented at security conferences such as ShmooCon, Hack-in-the-Box, OíReilly, CSI, NoConName, IT Underground, CONfidence and SecurityOpus.

Links:

• https://defcon.org/html/defcon-18/dc-18-speakers.html#Merdinger
• https://infocon.org/cons/DEF CON/DEF CON 18/DEF CON 18 video and slides/DEF CON 18 - Shawn Merdinger - We Dont Need No Stinkin Badges - Video and Slides.mp4 (Video and Slides)
• https://www.youtube.com/watch?v=ubAv8gfsRBM

Similar Presentations:

• DEF CON 17 (2009) / Invisible Access: Electronic Access Control, Audit Trails and "High Security"
• THOTCON 0x9 (2018) / Inside The Wire: Network Attacks Against Physical Access Controls