Hacking the Wiegand Card Reader

LAS VEGAS--Sections of our airports are being secured by two screws and a plastic cover.

You can press your eyeballs into retina scanners, you can walk up to iris scanners, you can press your hand (or somebody with a meat cleaver can press your hand) into a vein hand scan, or you can just swipe a proximity card across a reader and have it beep and flash green at you to let you in to ... well, to a secure section of an airport, say, or to a bank, or to any number of secure locations that employ biometrics or proximity cards.

Unfortunately, besides a meat cleaver or, in the case of your eyeballs, a soup spoon, these systems are all laughably easy to bypass, thanks to a primitive protocol called Wiegand that just about all ACSes (access control systems) have inherited.

At the Defcon hackers conference here on Aug. 4, Zac Franken laid out on a table the components typical of a physical proximity card system, the essential elements of which, at least when you're talking about the way the ACS decides whether or not to let you in, are the same as a biometrics system. (Franken manages an IT company in London. Like many Defcon presenters, he asked for restricted identification.)

And then Franken proceeded to demonstrate how $10 worth of hardware will enable you to stick a quick connect microprocessor on a spliced wire, and flip the switch on whether the ACS thinks you've got access rights. The quick connect device contains a small, programmable microcontroller called a PIC chip. In a nutshell, pop the plastic cover, pull the wire, snip, snip, snap on your quick connect, seal it up, pass your proximity card, green blink, and--bzzzzt--you're in.

"The problem is, as far as standards go, there are lots of standards for cards talking to the reader, but once it gets to the access system, it's assumed it's secure," he said.

To read about the help state's are requesting to in order to implement Real ID technology, click here.

The classic use case for this is the smoker's corner, Franken said. Install Gecko on an external card reader, located in the smokers' corner, say, where there's a lot of employees coming and going after they get their nicotine fix. Install it, record data from a bunch of cards, come back, read the data out, and program programmable cards. You'll have amassed access rights from a swath of employees and can insert a card at each layer of security as you go through a building.

Franken is now working on Version 2 of his quick connect device, which is called Gecko. Whereas Version 1 requires physical intrusion and access to wiring and only works on one reader at a time, Version 2 is Bluetooth-enabled. The Bluetooth Gecko will allow access via phone. After that comes Version 3, enabled with a small GSM (Global System for Mobile) module, which will potentially allow him to control ACSes from anywhere in the world.

He's also got a "Dump" card in the works. In Version 2, he'll be able to control the LEDs on a reader and force them to feed back all valid user data captured via LED on the front of a reader. It will be a small reader that he will hold to the LED, which communicates via pulse. Swipe the Dump card, and the LED will pulse out all of the valid user data it's collected.

Gecko isn't for sale, thank God. The ubiquity of these card reading systems, enterprises' reliance on them for access to sensitive areas, and their easy hackability are a disturbing combination. Understandably enough, intelligence agents globally are trying to get Franken to cough it up for them, he said.

How did ACSes and proximity/biometrics readers get this lame? By habit; by relying on a protocol that's full of holes and still has been passed down through generations of products.

When Wiegand cards first came into being, they were considered hot stuff. ACS manufacturers "all made sure that their systems could interface with Wiegand-enabled readers," Franken said, and "they still do."

The Wiegand effect is a Wikipedia kind of thing: Here's the entry for Wiegand effect. In a Wiegand card, as Franken described it, special alloy wire is processed in such a way as to create two distinct magnetic regions in the same piece of wire when it is passed over a magnetic field. Wire is embedded in the card in a distinct order to create an individual code, and each Wiegand pulse is translated to a digital 0 or 1 depending on wire location.

Referring to an array of biometric and proximity card systems he demonstrated during his talk, Franken said that "Every reader we saw today, from the super secure biometric retina scanner to as 'crappy as it sounds' concealed barcode, uses the Wiegand electrical and data protocols to communicate to the access control system."

The problem with Wiegand is that the protocol a) is plain text. That means there's no authentication occurring between reader and ACS; b) is easily intercepted; c) is easily replayed and easy prey for man-in-the-middle attacks; d) includes outputs from biometric readers (meaning an attacker can steal whatever sensitive user data is stored on a card) and e) includes output even from strong crypto contactless smart card readers.

At this point, Wiegand is a standard. If you have a swipe reader, a card reader or some type of biometric device like a fingerprint scanner, you hook it to an ACS using the Wiegand protocol.

So, whose to blame, and how can this be fixed? Franken asked people taking photos of his setup (see ours in the accompanying slideshow) to refrain from identifying the reader manufacturer. Don't blame the reader manufacturer, he said--it's the protocol that's outdated.

But blaming ACS manufacturers is another thing. "All access control manufacturers implement the protocol," he said. "It's no secret it's not secured here. It's one of these things, these guys sell you secure systems, and if they take a long, hard look at themselves ..."

The first solution is tamper-proof readers, which would help "a lot," Franken said. But they're not particularly sophisticated things, he said, and if you know where they are, you can defeat them. They're easy to surpass if you know what you're looking for, Franken said. But still, they're better than nothing.

Having lots of cameras trained on access points is also better than nothing, but how long do enterprises keep all that video, and who looks at it? Besides, take a look at office buildings. Check the back alleys. You'll find there are many doors that lack cameras, Franken said.

The proper solution for the problem is for a proximity card to do a cryptographic handshake with the reader, he said.

And the proper thing for physical security technology customers to do: If you're buying any type of biometric or proximity card reader system in order to limit access to parts of your organization, grill the vendor on Wiegand. Ignore what they say about proprietary protocols in the cards--what you want to know about is the protocol linking the reader to the access control system. Tell them you know about Wiegand, and ask them what, if any, cryptographic resolution is happening between reader and ACS.

They've gotten away with implementing a Swiss cheese protocol up to now. We've got to make them stop before somebody gets hurt.

eWEEK Senior Security Editor Lisa Vaas has written about technology since 1997.


Loading