This week, we continue our series on: The 3 Functions of Rack Security Compliance. As a quick reminder, these 3 functions are the following:
- Physical Network Security
- Operational Security
This week we focus on the second function of data center security compliance, Physical Network Security. In most data centers, physical network security consists of 3 layers:
- Perimeter access security
- Rack physical access security
It's important to understand that most physical access control systems use a standard protocol between their components, so that readers and controllers from different vendors can talk to each other. Just as SNMP is the most common protocol for network management traffic, Wiegand is the most common interface between a card or fob reader and the door (or rack) controller. Since few people outside the physical security trade have heard of it, the first question is: what is the Wiegand protocol? The answer is that the name covers a family of related specifications under one heading. It includes the wiring and signalling between the reader and the controller (two data lines, DATA0 and DATA1, with each bit of the card number sent as a short pulse on one line or the other) as well as the data format of what the reader sends (for example the common 26-bit format: an 8-bit facility code and a 16-bit card number bracketed by two parity bits), which in turn fixes what is stored on the card or fob and in the controller's database. We are focusing on the communication aspect of the system, because that is where much of the vulnerability lies: the reader sends the card number down the wire in the clear, with no authentication and nothing but the parity bits to check it.
Much of what I am sharing today comes from several well documented research projects that target Wiegand-based access systems. Brad Antoniewicz of the Open Security Research group at Foundstone (part of Intel Security) has done excellent research in this area. His blog post about Wiegand vulnerabilities is linked here, and the presentation he gave on the subject is posted online here. Brad shows in both that it is easy to mount a man-in-the-middle attack on a card access system, because the attack can be set up in a short time with limited tools and resources. Just as unencrypted SNMP traffic can be intercepted and altered by a man-in-the-middle (MitM) on the network, a card access system can be attacked by a physical MitM spliced into the reader wiring to gain entry to data centers and data racks.
With a simple Arduino board and some careful logic, Antoniewicz shows that you can gain access to a Wiegand-based card access system once you can reach the reader wiring. The signalling is trivial to reproduce, and something as simple as a battery-powered Arduino wired to the DATA0 and DATA1 lines can record every card presented to the reader and later replay one of them to open the rack. It turns out that, while some parts of a card access system do offer encryption (the management server usually offers HTTPS for remote administration, and newer card technologies encrypt the exchange between the card and the reader), the wiring from the reader to the controller is almost always open to intercept: whatever the card technology, the reader decodes the credential and sends the resulting number down the Wiegand lines in the clear. This allows you to read, inject and ultimately hijack the reader's output to gain full access to that facility or rack.
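To make the wire-level picture concrete, here is an added example in C, written for this article and not taken from the original post or from Antoniewicz's Arduino work. It encodes and decodes the common 26-bit Wiegand format described above, models the pulse stream that a reader (or a replay device spliced into the wiring) puts on the DATA0/DATA1 lines, and shows a passive tap recovering both a legitimate read and a replayed copy that the controller cannot tell apart. The 2 ms bit period, the 20 ms frame gap and the sample facility code and card number are assumed values, not figures from the page.

```c
/* Added example, not code from the original post: the common 26-bit Wiegand
 * format and the pulse stream on the DATA0/DATA1 lines. Bit period, frame gap
 * and the sample facility code / card number are assumed values. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_BITS      64
#define FRAME_GAP_US  20000u  /* silence longer than this separates frames (assumed) */
#define BIT_PERIOD_US 2000u   /* pulse-to-pulse spacing of the replay (assumed) */
typedef struct { uint8_t bits[MAX_BITS]; int nbits; } wiegand_frame_t;
typedef struct { uint8_t facility; uint16_t card; } wiegand26_card_t;
typedef struct { uint32_t t_us; uint8_t line; } pulse_t; /* line: 0 = DATA0, 1 = DATA1 */

static int parity_of(const uint8_t *bits, int n) {
    int p = 0;
    for (int i = 0; i < n; i++) p ^= bits[i] & 1;
    return p;
}

/* Frame layout: [even parity][8-bit facility][16-bit card][odd parity]. */
void wiegand26_encode(wiegand26_card_t c, wiegand_frame_t *f) {
    memset(f, 0, sizeof *f);
    f->nbits = 26;
    for (int i = 0; i < 8; i++)  f->bits[1 + i] = (c.facility >> (7 - i)) & 1;
    for (int i = 0; i < 16; i++) f->bits[9 + i] = (c.card >> (15 - i)) & 1;
    f->bits[0]  = (uint8_t)parity_of(&f->bits[1], 12);        /* bits 0..12: even parity */
    f->bits[25] = (uint8_t)(parity_of(&f->bits[13], 12) ^ 1); /* bits 13..25: odd parity */
}

/* Parity is the only integrity check the format has; there is no authentication. */
bool wiegand26_decode(const wiegand_frame_t *f, wiegand26_card_t *out) {
    if (f->nbits != 26) return false;
    if (parity_of(&f->bits[0], 13) != 0) return false;
    if (parity_of(&f->bits[13], 13) != 1) return false;
    uint8_t fac = 0; uint16_t card = 0;
    for (int i = 0; i < 8; i++)  fac  = (uint8_t)((fac << 1) | f->bits[1 + i]);
    for (int i = 0; i < 16; i++) card = (uint16_t)((card << 1) | f->bits[9 + i]);
    out->facility = fac; out->card = card;
    return true;
}

/* What a reader or an Arduino replay emits: one pulse per bit, on DATA0 for
 * a 0 and on DATA1 for a 1, BIT_PERIOD_US apart. */
int wiegand_frame_to_pulses(const wiegand_frame_t *f, uint32_t t0_us, pulse_t *out) {
    for (int i = 0; i < f->nbits; i++) {
        out[i].t_us = t0_us + (uint32_t)i * BIT_PERIOD_US;
        out[i].line = f->bits[i];
    }
    return f->nbits;
}

/* What a passive tap on the two wires sees: pulses, split into frames wherever
 * the line is idle for longer than FRAME_GAP_US. Returns the frame count. */
int wiegand_capture(const pulse_t *p, int n, wiegand_frame_t *frames, int max_frames) {
    int nf = 0;
    for (int i = 0; i < n; i++) {
        if (i == 0 || p[i].t_us - p[i - 1].t_us > FRAME_GAP_US) {
            if (nf == max_frames) break;
            memset(&frames[nf++], 0, sizeof frames[0]);
        }
        wiegand_frame_t *f = &frames[nf - 1];
        if (f->nbits < MAX_BITS) f->bits[f->nbits++] = p[i].line;
    }
    return nf;
}

/* A legitimate read, then the same credential replayed half a second later by a
 * device on the wire. Both decode identically. Returns the number of good decodes. */
int demo_tap_and_replay(void) {
    const wiegand26_card_t card = {123, 45678};  /* constructed sample credential */
    wiegand_frame_t tx, rx[4];
    pulse_t wire[64];
    wiegand26_encode(card, &tx);
    int n = wiegand_frame_to_pulses(&tx, 0, wire);
    n += wiegand_frame_to_pulses(&tx, 500000u, wire + n);
    int nf = wiegand_capture(wire, n, rx, 4), ok = 0;
    for (int i = 0; i < nf; i++) {
        wiegand26_card_t got;
        if (wiegand26_decode(&rx[i], &got) && got.facility == 123 && got.card == 45678) ok++;
    }
    return ok;
}

/* One flipped bit breaks parity; that is all the format itself can detect. Returns 1 if rejected. */
int demo_corrupt_frame_rejected(void) {
    wiegand_frame_t f;
    wiegand26_card_t in = {123, 45678}, out;
    wiegand26_encode(in, &f);
    f.bits[10] ^= 1;
    return wiegand26_decode(&f, &out) ? 0 : 1;
}

int main(void) {
    printf("frames recovered from tap and decoded: %d\n", demo_tap_and_replay());
    printf("corrupted frame rejected: %d\n", demo_corrupt_frame_rejected());
    return 0;
}
```

Compile with any C99 compiler and run it. The point of `demo_tap_and_replay` is that nothing in the recovered frames distinguishes the reader's pulses from the replay device's; `demo_corrupt_frame_rejected` shows that parity is the only integrity check in the format, which is why a device that supervises the reader link has to judge timing and frame shape rather than trust the bits themselves.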
For those of you who really want a deep dive on access card reader hacking, including cloning the RFID signal from the access card itself, here is a truly detailed report from Bishop Fox. The presentation was very well received at the DEF CON hacker conference in the summer of 2015, and it is considered a definitive catalogue of the easiest ways to attack access security cards. Everyone who runs a card access system should familiarize themselves with this report.
So what is the bottom line here? Access cards, and the systems behind them, are easily hacked. The reader-to-controller communications on a Wiegand-based card access system are NOT supervised, authenticated or encrypted; the card number passes in the clear from point to point, and nothing on the wire tells the controller whether the pulses came from the reader or from a device spliced in behind it. Supervised and encrypted reader links do exist (OSDP with Secure Channel, for example), but the installed base is overwhelmingly plain Wiegand. Similarly, a proximity card transmits its ID to any reader field that energizes it, so anyone with a portable reader can harvest that ID, write it to a blank card or replay it electronically, and otherwise hack the access system. Anyone who can get at the wire or the wireless signal from a card can get at whatever that card system is supposed to be protecting.
Fortunately, there is an answer to this huge security hole. Our RackGuardian has a plug-in product known as the EnviroScout, which inspects and supervises ALL communications from the Wiegand-based reader to the controller. If this device sees any sign of tampering, the RackGuardian immediately sends a message to our server and on to our iOS app, within 2 seconds of detection. The combination of instant notification to your mobile device and our on-board analytics that catch any sign of tampering gives you the security you need in your data center.
As a reader of this blog, you know that security compliance is serious business and that it's getting more pervasive all the time. The published research above shows that conventional Wiegand-based card access systems fail a simple third-party security test. Please consider discussing your physical security needs with one of our experts and lock down your data center and data racks today.
Until next time,