Hello everyone, my name is Cedric and I'm here again with another story on pentesting and security, straight from the trenches.
Today I'm going to share a story with you about an assignment we did some time ago for a large entertainment company. Our client, like many entertainment companies, produces a lot of intellectual property. So, one of their biggest concerns is that someone might physically break into their premises and steal some of these designs and products. They had already taken some precautions, like installing intrusion detection alarms and access controls on all doors, etc. The access controls they installed even had a dual function and could be used both as an RFID reader and as a fingerprint reader. So, they were already trying their best to secure their on-site intellectual property. And that's also the reason why they hired me and my team: they wanted to check if their investment in security was actually worth its money so far.
We proposed a plan to hack them, in any way our devious minds could possibly think of. Everything was on the table: we could try and hack ourselves in. We could social engineer ourselves in, basically by manipulating people and abusing their trust and confidence. We could do all of that, and we would, eventually. But first, the grand opening of this show would be an attempt to physically break into their premises at night. And yes, that was as much fun as it sounds ;-)
Our approach was basically the same as that of a professional burglar: we'd start with a week of preparation and scoping the place.
So how do you do this? Well, we knew the address of course, so first we checked out the place on Google Maps. And we were pretty lucky: Google had just recently updated their imagery of the area, which meant we had recent maps to work with and the entire thing could be viewed in 3D with a fair amount of detail. That's pretty much as perfect as it comes when you're planning to do a major heist on a place in the physical world out there :-) So, we started with scouting the area from behind our laptops. We saw where all the entrances to the building were. We also saw that on the front side the building just gave access to the street, while on the back side of the premises there was a public park. This looked very promising as a potential entry point, so our next step would be to actually physically go there and scout the area.
So, first we went there during daylight hours and just took a drive around the block using a rental car. We'd look for entrances to the building, cameras guarding these and the general view of the area, basic things… We didn't spot any cameras on the outside of the building. So we figured it would be pretty safe to take a walk and scout the area on foot. There was foot traffic but not too much, so we wouldn't draw any attention by just casually walking around and having a closer look.
The main entrance to the building was in a quiet street which led to a small square where a few kids were playing, and on the other side there was a street with some shops and a few restaurants. The entrance to our client's building had a gate through which we could see a quiet courtyard and the general layout of the building. The first thing that drew our attention was an access control device guarding the entrance; it was a fingerprint reader and it had the brand name Suprema printed on it. Straight across the courtyard we could see the trees of the neighboring park. There was a rooftop terrace on the first floor which gave access to the offices of our client. We also noticed the wall that separated this terrace from the park and it was huge, at least 6 meters.
We couldn't hang around for too long of course so we decided to continue our walk to the second entrance we spotted just around the corner. We could recognise its anonymous door next to a restaurant because it was guarded by the same Suprema fingerprint device. The restaurant how