Tweet
Badge of Shame: Breaking into Secure Facilities with OSDP
Dan "AltF4" Petro, Senior Security Engineer, Bishop Fox ,He/Him
David Vargas, Senior Security Consultant, Bishop Fox, He/Him
| Demo, Tool, Exploit | 45
Breaking into secure facilities used to be possible by inserting a listening device (such as an ESPKey) behind an RFID card reader and sniffing the unencrypted Wiegand badge numbers over the wire as they go to the backend controller. The physical security industry has taken notice and there's a new sheriff in town: The encrypted protocol OSDP which is starting to be rolled into production. Surely encryption will solve our problems and prevent MitM attacks right? ... right?
In this presentation, we'll demonstrate over a dozen vulnerabilities, concerning problems, and general "WTF"s in the OSDP protocol that let it be subverted, coerced, and totally bypassed. This ranges from deeply in-the-weeds clever cryptographic attacks, to boneheaded mistakes that undermine the whole thing. We will also demonstrate a practical pentesting tool that can be inserted behind an RFID badge reader to exploit these vulnerabilities.
Get your orange vest and carry a ladder, because we're going onsite!
Dan "AltF4" Petro is a Senior Security Engineer at Bishop Fox. Dan is widely known for the tools he creates: Eyeballer (a convolutional neural network pentest tool), the Rickmote Controller (a Chromecast-hacking device), Untwister (pseudorandom number generator cracker), and SmashBot (a merciless Smash Bros noob-pwning machine).
David "Shad0" Vargas is a senior red teamer at Bishop Fox. He enjoyes breaking into secure facilities by exploiting physical, social and network security controls. In a past life, David designed a power system for a cube satellite to be launched into space.
REFERENCES:
ESPKey
https://github.com/octosavvi/ESPKey
OSDP v2.2 Spec
https://www.securityindustry.org/202...osdp-standard/
https://libosdp.gotomain.io/protocol/introduction.html
RS485
https://en.wikipedia.org/wiki/RS-485