Server and Telecom Rack Physical Security Compliance

This week, we continue our series on: The 3 Functions of Rack Security Compliance. As a quick reminder, these 3 functions are the following:

  1. Cybersecurity
  2. Physical Network Security
  3. Operational Security

This week, we focus on the second function of data center security compliance, namely Physical Network Security. Physical Network Security systems in most data centers consist of 3 layers:

  1. Perimeter access security
  2. Rack physical access security

It's important to understand that most physical access security systems use standard protocols to make communication easy. Just as SNMP is the most common protocol for network management communications, the Wiegand protocol is the most common protocol for security management communications. Since few have heard of Wiegand, the first question is: what is the Wiegand protocol? It is actually a group of standards under one collective heading. It includes a method of communication between the card or fob reader and the controller unit, as well as methods for storing data on both the card or fob and the controller. We are focusing on the communication aspect of the system, as that is where much of the vulnerability lies.

Much of what I am sharing today comes from several well-documented research projects that target Wiegand-based access systems. Brad Antoniewicz from the Open Security Research group at Foundstone Security, a part of Intel Security, has done excellent research in this area. You may want to read his blog post about Wiegand vulnerabilities here, and you may see an excellent presentation that he gave that is posted online here. Brad shows in his blog and his presentation that it is easy to establish a man-in-the-middle attack on a card access system, because the process is very easy to execute in a small time frame and with limited tools and resources. Just as SNMP is vulnerable to virtual man-in-the-middle (MitM) attacks on network systems, so too card access systems can be attacked by a physical MitM to gain entry to data centers and data racks.

With a simple Arduino board and some good logic, Antoniewicz shows us that you can easily gain access to any Wiegand-based card access system. The protocol is trivial to duplicate, and something as simple as a battery-powered Arduino can be used to hijack a card access system and gain entrance into a data rack and its valuable data. It turns out that, while some parts of card access systems do offer some level of encryption (for example, the server usually offers HTTPS for remote management security), the serial communications from the card reader to the card controller are almost always open to interception. This allows an attacker to read, communicate with and ultimately hijack the card reader to gain full access to that facility or rack.

For those of you who really want to take a deep dive on the subject of access card reader hacking, including hacking the actual RFID signal from the access card, here is a truly detailed report from Bishop Fox Security. This presentation was very well received at the DEF CON hacker convention in the summer of 2015, and it is considered the definitive published work on the easiest means of hacking access security cards. Everyone who uses a security access card system should familiarize themselves with this report.

So what is the bottom line here? It is that access cards are easily hacked. The serial communications on a card access system are NOT supervised or encrypted but are allowed to pass freely in open protocol format from point to point. Similarly, the RFID signal on an access card floats freely, and anyone can grab that signal and use it to create a duplicate card or otherwise hack an access system. Anyone who can gain access to the wired or wireless data from a card can gain access to whatever that card system is supposed to be protecting.

Fortunately, there is an answer to this huge security hole. Our RackGuardian has a plug-in product known as the EnviroScout which can inspect and supervise ALL communications from the Wiegand-based reader to the controller. If this device sees any signs of tampering, the RackGuardian will immediately send a message to our server and then to our iOS device within 2 seconds of detection. The combination of instant notification to your mobile device, coupled with our on-board analytics to catch any signs of tampering, gives you the security that you need in your data center.
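To make the reader-to-controller traffic discussed above concrete, here is an added example (not code from this post, nor from the RackGuardian or EnviroScout products) of what supervising a Wiegand line amounts to: decoding frames and flagging the two things a monitor can see without any encryption to help it, namely malformed frames and read rates no human badge-holder produces. It assumes the common 26-bit Wiegand layout, which the post does not name, and the burst thresholds and the sample trace are constructed for the example.

```python
from collections import deque

def encode_w26(facility: int, card: int) -> str:
    """Build a 26-bit Wiegand frame: even parity + 8-bit facility + 16-bit card + odd parity.
    The 26-bit layout is an assumption for this example; the post does not name a bit length."""
    body = f"{facility & 0xFF:08b}{card & 0xFFFF:016b}"
    even = sum(map(int, body[:12])) % 2          # even parity over the first 12 data bits
    odd = 1 - sum(map(int, body[12:])) % 2       # odd parity over the last 12 data bits
    return f"{even}{body}{odd}"

def parse_w26(bits: str):
    """Return (facility, card) for a well-formed frame; raise ValueError on length or parity errors."""
    if len(bits) != 26 or set(bits) - {"0", "1"}:
        raise ValueError(f"unexpected frame length/content ({len(bits)} bits)")
    b = [int(c) for c in bits]
    if sum(b[1:13]) % 2 != b[0]:
        raise ValueError("leading even-parity mismatch")
    if sum(b[13:25]) % 2 == b[25]:               # odd parity: ones incl. parity bit must be odd
        raise ValueError("trailing odd-parity mismatch")
    return int(bits[1:9], 2), int(bits[9:25], 2)

class WiegandMonitor:
    """Supervises the reader->controller line: reports malformed frames and bursts of reads.
    max_frames/window_s are constructed defaults, not values from any product."""
    def __init__(self, max_frames: int = 3, window_s: float = 10.0):
        self.max_frames, self.window_s, self.recent = max_frames, window_s, deque()

    def observe(self, ts: float, bits: str) -> list:
        alerts = []
        try:
            parse_w26(bits)
        except ValueError as err:
            alerts.append(f"malformed frame at t={ts}: {err}")
        self.recent.append(ts)
        while ts - self.recent[0] > self.window_s:  # drop reads outside the sliding window
            self.recent.popleft()
        if len(self.recent) > self.max_frames:
            alerts.append(f"{len(self.recent)} reads in {self.window_s}s: possible injected traffic")
        return alerts

def run_sample() -> list:
    """Constructed line trace: one normal badge read, one corrupted frame, then a rapid burst."""
    good = encode_w26(123, 45678)
    flipped = good[:5] + ("1" if good[5] == "0" else "0") + good[6:]  # one data bit corrupted
    trace = [(0.0, good), (30.0, flipped)] + [(60.0 + i, good) for i in range(4)]
    mon, findings = WiegandMonitor(), []
    for ts, frame in trace:
        findings.extend(mon.observe(ts, frame))
    return findings
```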

As a reader of this blog, you know that security compliance is serious business and it's getting more pervasive all the time. We have shown through peer-reviewed research that existing card access systems fail to pass a simple third-party security test. Please consider discussing your physical security needs with one of our experts and lock down your data center and data racks today.

Until next time,

Be Well!

Cyber Risks of Power Reboot Devices

Welcome back! This week, we look at a very serious problem with server and telecom racks: Cyber Risks of Power Reboot Devices. To begin with, having the ability to reboot a server or telecom unit remotely is an extremely handy thing, and it can save an enormous amount of time and effort. The problem is that all too many of these devices have little if any protection against a cyber criminal using the device against you.

Let's look a little more closely at the various devices that can be used to remotely power cycle an electrical outlet. Here are the common types of units used for that purpose, in order of market penetration:

  • Intelligent Rack PDUs
  • Rack-mounted and small UPS units
  • Remote reboot devices

Rack PDUs are Vulnerable

Intelligent Rack PDUs are in high demand and use in server and telecom racks, and for good reason. Most of them can measure power usage, provide reboot capabilities and allow you to better manage your rack systems. The problem is that Rack PDUs rely on SNMP as their primary form of communication. SNMP was a great protocol in its day, but the most recent version, v3, is now 15 years old! That brings me to a simple question: Would you trust a 15 year old piece of software or "secure protocol" to manage your critical systems? I think the answer is: NO.

SNMP Communications are Vulnerable

To make the point clearly, there was an excellent study done by a group at Georgia Tech University on the security of SNMPv3 specifically for the units listed above: PDUs, UPSs and Reboot Devices. The study is available here and proves beyond any doubt that rack servers and telecom units connected to these systems are highly vulnerable. Please note that the research report also shows that Distributed Denial of Service (DDoS) attacks can be launched by using these SNMP devices. SNMP devices are increasingly being used in DDoS attacks because of their prevalence and their ability to be used in an amplification scheme, as the SANS Institute points out.

It's clear from these reports that using any version of SNMP natively presents a risk to the systems being powered by these PDUs and UPSs. In fact, it's clear that power systems managed over open SNMP ports are not in compliance with Sarbanes-Oxley, HIPAA, Gramm-Leach-Bliley and other data standards.
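The two SNMP exposures named above, an SNMP port reachable from outside the management network and a rack device answering small requests with large replies (the amplification pattern), both show up in ordinary flow records. The following is an added example, not code from this post or from any product it mentions, that scans constructed flow records for a rack PDU and reports both conditions; the addresses, the management subnet and the amplification threshold are all assumptions made up for the example.

```python
import ipaddress
from collections import defaultdict

MGMT_NET = ipaddress.ip_network("10.10.5.0/24")  # constructed: only the NMS subnet should poll rack gear
SNMP_PORT = 161

# Constructed flow records (src, dst, sport, dport, bytes); all addresses are made up.
FLOWS = [
    ("10.10.5.20", "10.10.9.7", 51000, 161, 90),     # NMS on the management subnet polls the rack PDU
    ("10.10.9.7", "10.10.5.20", 161, 51000, 140),    # ordinary-sized reply
    ("203.0.113.9", "10.10.9.7", 42000, 161, 70),    # outside host reaches the PDU's SNMP port: exposed
    ("10.10.9.7", "203.0.113.9", 161, 42000, 120),
] + [("198.51.100.44", "10.10.9.7", 40000, 161, 60)] * 3 \
  + [("10.10.9.7", "198.51.100.44", 161, 40000, 1450)] * 3  # tiny requests, large replies: reflector pattern

def analyze_snmp_flows(flows, mgmt_net=MGMT_NET, amp_threshold=5.0):
    """Return which outside peers can reach a device's SNMP port ("exposed") and which of
    them receive amplified traffic ("amplification": response bytes / request bytes)."""
    req = defaultdict(int)   # (peer, device) -> bytes of SNMP requests sent to the device
    resp = defaultdict(int)  # (peer, device) -> bytes of SNMP responses sent back to the peer
    for src, dst, sport, dport, nbytes in flows:
        if dport == SNMP_PORT:
            req[(src, dst)] += nbytes
        elif sport == SNMP_PORT:
            resp[(dst, src)] += nbytes
    exposed, amplification = set(), {}
    for (peer, device), rbytes in req.items():
        outside = ipaddress.ip_address(peer) not in mgmt_net
        if outside:
            exposed.add((peer, device))
        ratio = resp.get((peer, device), 0) / rbytes
        if outside and ratio >= amp_threshold:       # the device is acting as a reflector for this peer
            amplification[(peer, device)] = round(ratio, 1)
    return {"exposed": exposed, "amplification": amplification}
```

A device that shows up under "amplification" is both a compliance finding and an indicator that it is already being abused against a third party, so it belongs ahead of the merely "exposed" ones in the remediation queue.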

Remote Reboot Devices are Extremely Vulnerable

While PDUs and UPSs that use SNMP are clearly vulnerable, there is actually one last item that we need to examine: Remote Reboot Devices. We have examined several popular brands of Remote Power Reboot Devices, and most of them allow control via simple HTTP access. Please remember that HTTP has NO ENCRYPTION, and all your logins and passwords are passed over your network in clear text. Now for the kicker: because the purpose of these devices is REMOTE rebooting, you primarily use them from outside your facility.

If you log in via HTTP to a reboot box over the Internet (the most common use of a reboot box), you are passing your login and password as PLAIN TEXT for anyone in the world to see.

I would encourage every reader of this blog to think about these facts and about how secure your facility needs to be. If you are covered under any data security standard, you must place a protective system between your rack PDU, UPS or Reboot device and your network. Even if you are not under a security standard, if you use a Remote Reboot Device you are putting your server's life and data into the hands of anyone who wants to take the effort to sniff your traffic.

RackGuardian was built from the ground up to protect your rack assets from cyber or physical hackers. At the same time, its patented remote control features provide a FULLY ENCRYPTED reboot authorization process with 2-Factor Authentication. Please give us a call to confidentially discuss your rack security needs. We are here to help you meet your compliance standards while continuing to give you the remote management capabilities that you need.

Until Next Time,

Be Well!