The PACS-man Comes For Us All: We May Be Vaccinated, but Physical Access Control Still Sucks

Presented at DEF CON 29 (2021), Aug. 8, 2021, 11 a.m. (45 minutes)

It's 2021. You're still here! You're vaccinated! You should be happy and carefree! And yet…the PACS-man still haunts us all. Why should this be? Don't we have newer, better tech with more bits of encryption and fewer wires? Haven't the professional sentinels we've entrusted with our physical security software-defined ALL THE THINGS and made them better? Nay, these are but fruits of the poisonous physical security tree! Come, fellow hackers and weary travelers, visit with the ghosts of access control and learn of the lies they've laid before us! Come see how false guardians have used BLE slight-of-hand to increase complexity and cost while reducing security and ask that they be paid a tithing for the privilege! Witness young software-defined gladiators do battle in an arena they did not prepare for and falter! Behold as our friendly ghosts of access control forge never-before seen tools to help slay false security prophets!

Presenters:

• Anze Jensterle
  Anze Jensterle is a Computer Science student by day, professional door opener by night that comes from Slovenia (not Slovakia). Having been involved with InfoSec since he was 17, when he made his first bug bounty, he has continuously been developing his skills in different areas including Web, RFID and Embedded System Security. @applejacksec
• Eric Betts
  Eric Betts is an exuberant, passionate, pragmatic software engineer. He is an avid open-source contributor. He likes to buy all the latest gadgets, and then take them apart. His claim to fame is making $10k from Snapchat (without taking his clothes off) for an RCE bug bounty. He responds to "Bettse" both online and in-person. @aguynamedbettse
• Nick Draffen
  Nick Draffen sometimes gives off a mad scientist vibe, an engineer who dives deep into technology, namely in the area where the physical and digital world meet. By day a security engineer/architect working to secure lab instruments and everything around them, and by night building/breaking things in his lab. @tcprst
• Babak Javadi - Co-Founder, Red Team Alliance
  Babak Javadi is the Founder of The CORE Group and Co-Founder of the Red Team Alliance. In 2006 he co-founded of The Open Organisation of Lockpickers, serving as Director for 13 years. As a professional red teamer with over a decade of field experience, Babak's expertise includes disciplines from high-security mechanical cylinders to alarms and physical access controls. @babakjavadi

Links:

• https://defcon.org/html/defcon-29/dc-29-speakers.html#javadi
• https://infocon.org/cons/DEF CON/DEF CON 29/DEF CON 29 video and slides/DEF CON 29 - Babak Javadi, Nick Draffen, Eric Bettse, Anze Jensterle - The PACS-man Comes For Us All.mp4
• https://infocon.org/cons/DEF CON/DEF CON 29/DEF CON 29 video and slides/DEF CON 29 - Javadi, Draffen, Betts, Jensterle - The PACS Man Comes for Us All - Live.mp4
• https://infocon.org/cons/DEF CON/DEF CON 29/DEF CON 29 presentations/Babak Javadi Nick Draffen Eric Bettse Anze Jensterle - The PACS-man Comes For Us All.pdf (slides)
• https://infocon.org/cons/DEF CON/DEF CON 29/DEF CON 29 video and slides/DEF CON 29 - Babak Javadi, Nick Draffen, Eric Bettse, Anze Jensterle - The PACS-man Comes For Us All.srt (subtitles)
• https://www.youtube.com/watch?v=NARJrwX_KFY

Similar Presentations:

• Kawaiicon (2019) / Physical Access Control on Sesame Street
• THOTCON 0x9 (2018) / Inside The Wire: Network Attacks Against Physical Access Controls
• AppSec USA 2015 / Security as Code: A New Frontier