Researchers have discovered a suite of vulnerabilities that largely break a next-generation protocol that was designed to prevent the hacking of access control systems used at secure facilities on US military bases and buildings belonging to federal, state, and local governments and private organizations.
The next-generation mechanism, known as Secure Channel, was added about 10 years ago to an open standard known as OSDP, short for the Open Supervised Device Protocol. Like an earlier protocol, known as Wiegand, OSDP provides a framework for connecting card readers, fingerprint scanners, and other types of peripheral devices to control panels that check the collected credentials against a database of valid personnel. When credentials match, the control panel sends a message that opens a door, gate, or other entry system.
Broken before getting out the gate
OSDP came about in the aftermath of an attack demonstrated in 2008 at the Black Hat security conference. In a talk there, researcher Zac Franken demonstrated a device dubbed Gecko, which was no bigger than a US quarter. When surreptitiously inserted by a would-be intruder into the wiring behind a peripheral device, Gecko performed an adversary-in-the-middle attack that monitors all communications sent to and from the control panel.
Because Wiegand sent all data in plaintext, Gecko would record the credentials sent from the reader to the control panel. An attacker could then use them to create a spoof card that an intruder could present at the security checkpoint and gain entry. More recently, researchers devised the ESPKey, a $79 device that weaponizes Franken’s attack and can be used by both security professionals and threat actors.
The industry response was to introduce something called Secure Channel and add it to OSDP, a pre-existing alternative to Wiegand that had yet to be widely adopted. Secure Channel allowed OSDP-based communications between peripheral devices and control panels to be encrypted with 128-bit AES, a tried and tested algorithm that is virtually impossible to break when used correctly.
Research being presented on Wednesday at the Black Hat Security Conference in Las Vegas shows that OSDP Secure Channel does little to rectify the failures of Wiegand. The talk, titled “Badge of Shame: Breaking into Secure Facilities with OSDP,” is the first technical analysis of the open standard. It presents five exploitable vulnerabilities and a host of other weaknesses that strongly call into question the security of OSDP. While all but four of the vulnerabilities can be effectively eliminated, mitigations require configuration settings that aren’t described in the official OSDP specification (available here for $200) and differ depending on the manufacturer of each device.
The takeaway: OSDP is effectively broken even before it has gained anything near widespread adoption.
“The attacks here sort of put us back into parity with basically being unencrypted,” Dan Petro and David Vargas, the two researchers who performed the research and will speak at Black Hat, said in an interview. The attacks are “giving us as attackers and as red teamers back the capability that we lost.”
OSDP works over RS-485, a serial communication protocol designed to provide relatively high bandwidth (up to 10 megabits per second), the ability to span reasonably long distances (up to 4,000 feet), tolerance for lots of radio frequency noise, and capacity for 32 devices on a single line. Use of RS-485 causes peripherals to connect in daisy-chain fashion to a single input port on the control panel. This design, known as multi-drop, means that messages sent to or from one reader run through a single line and are seen by all other readers on the same network bus. This design is sometimes known as a broadcasting network.