Hacking the Wiegand Card Reader

Defcon exhibitor illustrates weaknesses in common access control card reader design


LAS VEGAS--Sections of our airports are being secured by two screws and a plastic cover.

You can press your eyeballs into retina scanners, you can walk up to iris scanners, you can press your hand (or somebody with a meat cleaver can press your hand) into a vein hand scan, or you can just swipe a proximity card across a reader and have it beep and flash green at you to let you in to ... well, to a secure section of an airport, say, or to a bank, or to any number of secure locations that employ biometrics or proximity cards.

Unfortunately, besides a meat cleaver or, in the case of your eyeballs, a soup spoon, these systems are all laughably easy to bypass, thanks to a primitive protocol called Wiegand that just about all ACSes (access control systems) have inherited.

At the Defcon hackers conference here on Aug. 4, Zac Franken laid out on a table the components typical of a physical proximity card system, the essential elements of which, at least when you're talking about the way the ACS decides whether or not to let you in, are the same as a biometrics system. (Franken manages an IT company in London. Like many Defcon presenters, he asked for restricted identification.)

And then Franken proceeded to demonstrate how $10 worth of hardware will enable you to stick a quick connect microprocessor on a spliced wire, and flip the switch on whether the ACS thinks you've got access rights. The quick connect device contains a small, programmable microcontroller called a PIC chip. In a nutshell, pop the plastic cover, pull the wire, snip, snip, snap on your quick connect, seal it up, pass your proximity card, green blink, and--bzzzzt--you're in.

"The problem is, as far as standards go, there are lots of standards for cards talking to the reader, but once it gets to the access system, it's assumed it's secure," he said.

To read about the help state's are requesting to in order to implement Real ID technology, click here.

The classic use case for this is the smoker's corner, Franken said. Install Gecko on an external card reader, located in the smokers' corner, say, where there's a lot of employees coming and going after they get their nicotine fix. Install it, record data from a bunch of cards, come back, read the data out, and program programmable cards. You'll have amassed access rights from a swath of employees and can insert a card at each layer of security as you go through a building.

Franken is now working on Version 2 of his quick connect device, which is called Gecko. Whereas Version 1 requires physical intrusion and access to wiring and only works on one reader at a time, Version 2 is Bluetooth-enabled. The Bluetooth Gecko will allow access via phone. After that comes Version 3, enabled with a small GSM (Global System for Mobile) module, which will potentially allow him to control ACSes from anywhere in the world.

He's also got a "Dump" card in the works. In Version 2, he'll be able to control the LEDs on a reader and force them to feed back all valid user data captured via LED on the front of a reader. It will be a small reader that he will hold to the LED, which communicates via pulse. Swipe the Dump card, and the LED will pulse out all of the valid user data it's collected.

Gecko isn't for sale, thank God. The ubiquity of these card reading systems, enterprises' reliance on them for access to sensitive areas, and their easy hackability are a disturbing combination. Understandably enough, intelligence agents globally are trying to get Franken to cough it up for them, he said.

How did ACSes and proximity/biometrics readers get this lame? By habit; by relying on a protocol that's full of holes and still has been passed down through generations of products.

When Wiegand cards first came into being, they were considered hot stuff. ACS manufacturers "all made sure that their systems could interface with Wiegand-enabled readers," Franken said, and "they still do."

This content continues onto the next page...