Abusing the Internet of Things

cards, yet there are no restrictions on which particular track an entity can use. The Onity door lock happens to use track 3, which contains the following sequence of data:

16-bit ident value
An identity value to keep track of the door the key is assigned to and which copy the card is. In the case of a master card created for hotel personnel, a value representing the identity of the hotel employee is stored instead of the door identifier. When a guest checks into the hotel, the first key created for a particular door will have the copy identifier set to 0, while subsequent copies will add 1 to this number for identification purposes.

8-bit flags byte
Used to set miscellaneous values in one byte for various other options.

16-bit expiration date
Set upon guest check-in to indicate the length of time the card will be valid.

24-bit unknown field
Set to all 0s.

24-bit keycode value
This value is programmed into individual locks. When this is done, the lock is also configured to have a look-ahead value. For example, if a lock was programmed with a keycode value of 100 and a look-ahead value of 50, it would accept integers between 100 and 150 as valid keycode values. Every time a valid card is inserted, the lock resets its keycode value to the value of the card. In this way, the lock increments its keycode value to make sure older cards are invalidated. Note that specific keycode values representing master keys are also stored in the locks. The hotel may decide to segment areas with different master keycodes so that only certain locks in the hotel can be opened with any given master keycard.

The values are encrypted using the sitecode value, which is a unique 32-bit value randomly assigned by Onity to identify the hotel property. If this value is compromised, it can be abused to generate arbitrary magnetic cards to unlock doors and also to program the locks themselves (as discussed in following sections).

The actual encryption algorithm that uses the sitecode value is documented in Appendix B of Cody Brocious's whitepaper.

In addition to typical key cards described here, the system also includes programming and spare cards. When a programming card is swiped through a lock followed by a spare card, the spare card becomes the guest card for the lock. These cards are used when the encoding machine (used to program the guest cards) isn't working. Programming cards are also encrypted using the sitecode value, while the spare cards are not encrypted. When spare cards are created in a batch (to be used with programming cards), each subsequent card has an incremental ident value.


CHAPTER 2: ELECTRONIC LOCK PICKING—ABUSING DOOR LOCKS TO COMPROMISE PHYSICAL SECURITY