1. InfoconDB
  2. DEF CON
  3. DEF CON 31 (2023)
  4. Badge of Shame: Breaking into Secure Facilities with OSDP

Badge of Shame: Breaking into Secure Facilities with OSDP

Presented at DEF CON 31 (2023), Aug. 12, 2023, 9:30 a.m. (45 minutes)

Breaking into secure facilities used to be possible by inserting a listening device (such as an ESPKey) behind an RFID card reader and sniffing the unencrypted Wiegand badge numbers over the wire as they go to the backend controller. The physical security industry has taken notice and there's a new sheriff in town: The encrypted protocol OSDP which is starting to be rolled into production. Surely encryption will solve our problems and prevent MitM attacks right? ... right? In this presentation, we'll demonstrate over a dozen vulnerabilities, concerning problems, and general "WTF"s in the OSDP protocol that let it be subverted, coerced, and totally bypassed. This ranges from deeply in-the-weeds clever cryptographic attacks, to boneheaded mistakes that undermine the whole thing. We will also demonstrate a practical pentesting tool that can be inserted behind an RFID badge reader to exploit these vulnerabilities. Get your orange vest and carry a ladder, because we're going onsite! REFERENCES: * ESPKey https://github.com/octosavvi/ESPKey * OSDP v2.2 Spec https://www.securityindustry.org/2020/12/15/security-industry-association-releases-version-2-2-of-sia-osdp-standard/ https://libosdp.gotomain.io/protocol/introduction.html * RS485 https://en.wikipedia.org/wiki/RS-485

Presenters:

  • David Vargas - Senior Security Consultant at Bishop Fox
    David "Shad0" Vargas is a senior red teamer at Bishop Fox. He enjoyes breaking into secure facilities by exploiting physical, social and network security controls. In a past life, David designed a power system for a cube satellite to be launched into space.
  • Dan Petro / AltF4 - Senior Security Engineer at Bishop Fox   as Dan "AltF4" Petro
    Dan "AltF4" Petro is a Senior Security Engineer at Bishop Fox. Dan is widely known for the tools he creates: Eyeballer (a convolutional neural network pentest tool), the Rickmote Controller (a Chromecast-hacking device), Untwister (pseudorandom number generator cracker), and SmashBot (a merciless Smash Bros noob-pwning machine).

Links:

Similar Presentations: