Author Archives: Felix

The security behind: fire detection and response systems

Today, we’re diving into the world of fire detection and response systems – you know, those lifesavers that keep us safe from blazing blunders. Picture this: fire systems have evolved from ancient manual bells to modern marvels that can trigger everything from smoke blankets to door locks. It’s like watching fire safety go from the Stone Age to the Space Age!

Now, let’s talk about BACnet, the rockstar protocol of building automation. Imagine it as the brain behind your fire system’s brawn. BACnet, short for Building Automation and Control Networks, isn’t just about fire alarms; it’s like the maestro orchestrating a symphony of tasks, from recalling lifts to closing shop shutters. It’s like having a super-smart assistant that knows how to handle emergencies and daily routines. However, like any superhero, even BACnet has its kryptonite: cybersecurity vulnerabilities.

So, why should we care about the cybersecurity of a BACnet fire system? Well, imagine if a mischievous hacker could trigger false alarms or manipulate fire-related actions. That’s right, they could potentially make doors unlock when they shouldn’t or create chaos while everyone else is evacuating. It’s like a high-stakes game of digital chess, where the attacker could try to exploit weak points and outsmart the system.

Let’s get into the nitty-gritty: classic BACnet/IP has a chink in its armor. It is sent in the clear, with no encryption and no message authentication, so anyone who can see the traffic can read it and anyone who can reach a device can send it commands. Imagine this scenario: a crafty attacker captures the message that activates a fire zone, replays it later byte for byte, and the system believes a fire has erupted. Sneaky, right? Plus, because BACnet runs over Ethernet and IP, it is tempting to put it on the same network as your general IT infrastructure. But hold up, that’s a risky recipe! An attacker who has infiltrated your IT network then has a direct line to your fire alarms. Not a good situation, my friends.
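To make the replay concrete, here is an added example, written for this post and not code from the podcast or from any BACnet vendor. It encodes a BACnet/IP WriteProperty request the way a panel might set a zone’s present-value, decodes it again, and runs a short capture through a detector that can only say “I have seen exactly these bytes before”. The device addresses, the “fire zone 12” Binary Value object and the three-frame capture are constructed assumptions.

```python
"""Decode a captured BACnet/IP WriteProperty and flag a byte-for-byte replay.

Added example for this post, not code from the podcast or any BACnet vendor.
The frame layout follows ASHRAE 135 (BVLC + NPDU + APDU); the device
addresses, the "fire zone 12" Binary Value object and the capture itself are
constructed assumptions.
"""
import hashlib
import struct
from dataclasses import dataclass

BVLC_TYPE = 0x81                # BACnet/IP
BVLC_ORIGINAL_UNICAST = 0x0A    # Original-Unicast-NPDU
SERVICE_WRITE_PROPERTY = 0x0F   # confirmed service choice 15
OBJ_BINARY_VALUE = 5
PROP_PRESENT_VALUE = 85


@dataclass(frozen=True)
class WriteProperty:
    invoke_id: int
    obj_type: int
    instance: int
    prop_id: int
    value: int


def build_write_property(invoke_id, obj_type, instance, prop_id, value):
    """Encode a Confirmed-REQ WriteProperty that sets an enumerated value.

    Nothing here is secret or unforgeable: no key, no MAC, no timestamp.
    """
    apdu = bytes([0x00, 0x05, invoke_id, SERVICE_WRITE_PROPERTY])    # PDU type 0, max APDU 1476
    apdu += b"\x0c" + struct.pack(">I", (obj_type << 22) | instance)  # ctx tag 0: object id
    apdu += bytes([0x19, prop_id])                                    # ctx tag 1: property id
    apdu += bytes([0x3e, 0x91, value, 0x3f])                          # ctx tag 3: enumerated value
    npdu = b"\x01\x04"                                                # version 1, expecting reply
    body = npdu + apdu
    return bytes([BVLC_TYPE, BVLC_ORIGINAL_UNICAST]) + struct.pack(">H", 4 + len(body)) + body


def parse_write_property(pkt):
    """Parse the frame shape produced above; raise ValueError on anything else."""
    if pkt[:2] != bytes([BVLC_TYPE, BVLC_ORIGINAL_UNICAST]):
        raise ValueError("not an Original-Unicast-NPDU BVLC frame")
    if struct.unpack(">H", pkt[2:4])[0] != len(pkt):
        raise ValueError("BVLC length mismatch")
    if pkt[4] != 0x01:
        raise ValueError("unsupported NPDU version")
    if pkt[5] & 0x28:    # DNET/SNET present: routed frame, not handled here
        raise ValueError("routed NPDU not handled in this example")
    apdu = pkt[6:]
    if len(apdu) < 15 or apdu[0] >> 4 != 0 or apdu[3] != SERVICE_WRITE_PROPERTY:
        raise ValueError("not a confirmed WriteProperty request")
    if apdu[4] != 0x0C or apdu[9] != 0x19:
        raise ValueError("unexpected tagging")
    oid = struct.unpack(">I", apdu[5:9])[0]
    if apdu[11:13] != b"\x3e\x91" or apdu[14] != 0x3F:
        raise ValueError("expected a single enumerated value")
    return WriteProperty(apdu[2], oid >> 22, oid & 0x3FFFFF, apdu[10], apdu[13])


class ReplayDetector:
    """Report a WriteProperty whose exact bytes were already seen recently.

    Classic BACnet/IP gives a monitor nothing better to go on: the request
    carries no nonce or signature, so a replay is indistinguishable from the
    original except by "these bytes already went past".  A timed-out client
    retry reuses the same invoke ID and looks identical, so treat a hit as an
    alert to correlate, not as proof of attack.
    """

    def __init__(self, window_seconds=300):
        self.window = window_seconds
        self.first_seen = {}   # sha256(frame) -> (first sender, first timestamp)

    def observe(self, src_ip, ts, pkt):
        req = parse_write_property(pkt)
        digest = hashlib.sha256(pkt).hexdigest()
        first = self.first_seen.get(digest)
        if first is not None and ts - first[1] <= self.window:
            return "REPLAY", req, first[0]   # verdict, request, original sender
        self.first_seen[digest] = (src_ip, ts)
        return "OK", req, src_ip


def demo():
    """Run the detector over a constructed three-frame capture."""
    zone_active = build_write_property(0x2A, OBJ_BINARY_VALUE, 12, PROP_PRESENT_VALUE, 1)
    zone_clear = build_write_property(0x2B, OBJ_BINARY_VALUE, 12, PROP_PRESENT_VALUE, 0)
    capture = [
        ("10.0.0.5", 0.0, zone_active),     # fire panel activates zone 12
        ("10.0.0.77", 120.0, zone_active),  # same bytes again from another host
        ("10.0.0.5", 125.0, zone_clear),    # panel clears the zone, new invoke ID
    ]
    det = ReplayDetector()
    return [(src, det.observe(src, ts, pkt)[0]) for src, ts, pkt in capture]


if __name__ == "__main__":
    for src, verdict in demo():
        print(src, verdict)
```

Run it as a script and the second frame, the one from 10.0.0.77, is reported as a replay. The caveat in the class docstring is the real lesson: a client retry after a timeout reuses the invoke ID and is byte-identical too, which is exactly why the fix has to be cryptographic rather than heuristic.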

However, there’s a glimmer of hope: BACnet Secure Connect (BACnet/SC). Think of it as the superhero’s upgraded suit, now with encryption and authentication! BACnet/SC carries messages over TLS-protected WebSocket connections, and every device presents its own certificate, so a replayed or forged frame from a random host on the LAN no longer gets through. But remember, the devil’s in the details: the protection is only as good as the certificate management behind it. Issuing a certificate to every device, rotating it before it expires, revoking it when a device is decommissioned or compromised, and making sure devices actually verify what they are shown, that is the real work. It’s like making sure your superhero gear is top-notch and ready to save the day.

The security behind: lifts and elevators

In this podcast episode, Felix takes us on a fascinating journey into the world of “connected lifts,” also known as elevators. These lifts have been intertwined with technology for longer than we might think. With the emergence of telephones, lifts started gaining the ability to call for help when stuck, evolving into a system where they can report maintenance issues and usage data over the internet.

The episode explores the tech components found in modern lifts, such as call buttons, door sensors, and APIs. Beyond convenience, these advancements improve maintenance efficiency and security. Cameras and AI are now used to identify parts needing repair, making the maintenance process more streamlined.

Security also takes centre stage, with discussions about using swipe cards and smartphone apps for lift access. However, the potential risks associated with these innovations are debated, questioning whether the convenience is worth the expanded attack surface. A noteworthy highlight is the introduction of automatic software updates for lifts, reflecting a forward-thinking approach to elevator technology. This feature not only enhances performance but also contributes to market innovation.

Safety remains a top priority, and the podcast provides insights into the mechanisms that ensure secure lift operation. Controllers monitor lift speed, brakes, and shock absorbers, all of which play a crucial role in passenger safety.

We delve into the vulnerabilities that could be exploited in connected lift systems. The episode highlights how attackers, if on the same network, could potentially manipulate these systems to misdirect lifts, causing them to stop on unintended floors, exit through the wrong doors, or even simulate emergency stops. While attacking such systems requires some expertise and knowledge, the simplicity of the Modbus protocol works in the attacker’s favour: it has no authentication, so any host that can reach the controller can issue the same read and write commands the legitimate master does, which could make lifts an attractive target for experienced attackers looking to disrupt operations.
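Here is what “same network, no authentication” looks like on the wire, as an added example that is not from the podcast or from any lift vendor. It builds and parses Modbus/TCP requests and applies the kind of allowlist a firewall or Modbus-aware IDS would enforce in front of a controller that cannot check who is talking to it. The host addresses, the “target floor” holding register and the “emergency stop” coil are constructed assumptions.

```python
"""Decode Modbus/TCP requests to a lift controller and apply a source policy.

Added example for this post, not code from the podcast or any lift vendor.
The MBAP/PDU layout is standard Modbus/TCP; the host addresses, the
"target floor" register and the "emergency stop" coil are constructed
assumptions for the sake of the walk-through.
"""
import struct
from dataclasses import dataclass

READ_FUNCTIONS = {0x01, 0x02, 0x03, 0x04}    # coils, discrete inputs, holding/input registers
WRITE_FUNCTIONS = {0x05, 0x06, 0x0F, 0x10}   # single coil/register, multiple coils/registers


@dataclass(frozen=True)
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function: int
    address: int
    value: int   # register/coil count for reads, value for single writes


def build_request(transaction_id, unit_id, function, address, value):
    """Encode a request whose PDU is function + address + one 16-bit field.

    The MBAP length field counts the unit id plus the PDU.  There is no
    credential anywhere in the frame: reaching TCP/502 is the only "auth".
    """
    pdu = struct.pack(">BHH", function, address, value)
    return struct.pack(">HHHB", transaction_id, 0, 1 + len(pdu), unit_id) + pdu


def parse_request(frame):
    """Parse the 12-byte request shape produced by build_request."""
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol id must be 0 for Modbus")
    if length != len(frame) - 6:
        raise ValueError("MBAP length does not match frame")
    if len(frame) != 12:
        raise ValueError("only the 5-byte PDU shape is handled in this example")
    function, address, value = struct.unpack(">BHH", frame[7:12])
    return ModbusRequest(tid, unit, function, address, value)


class LiftModbusPolicy:
    """Network-side allowlist for a lift controller that cannot authenticate.

    The controller executes any well-formed write, so the policy has to live
    where the traffic can be seen (a firewall, an IDS, a Modbus proxy).
    """

    def __init__(self, master_ip, monitor_ips, protected_addresses):
        self.master_ip = master_ip              # the only host allowed to write
        self.monitor_ips = set(monitor_ips)     # read-only hosts (monitoring, BMS)
        self.protected = set(protected_addresses)

    def check(self, src_ip, frame):
        req = parse_request(frame)
        if req.function in WRITE_FUNCTIONS:
            if src_ip != self.master_ip:
                return "ALERT write-from-unauthorised-host"
            if req.address in self.protected:
                return "AUDIT write-to-protected-address"
            return "ALLOW"
        if req.function in READ_FUNCTIONS:
            if src_ip == self.master_ip or src_ip in self.monitor_ips:
                return "ALLOW"
            return "ALERT read-from-unknown-host"
        return "ALERT unexpected-function-code"


def demo():
    """Run a constructed capture through the policy and return the verdicts."""
    policy = LiftModbusPolicy("10.10.1.2", ["10.10.1.9"], protected_addresses={3})
    capture = [
        ("10.10.1.2", build_request(1, 1, 0x06, 40, 7)),        # controller sets target floor 7
        ("10.10.1.9", build_request(2, 1, 0x03, 40, 2)),        # monitoring host reads 2 registers
        ("10.20.5.31", build_request(3, 1, 0x05, 3, 0xFF00)),   # office PC: emergency-stop coil ON
        ("10.20.5.31", build_request(4, 1, 0x03, 0, 10)),       # office PC: recon read
        ("10.10.1.2", build_request(5, 1, 0x05, 3, 0x0000)),    # controller resets the coil
    ]
    return [policy.check(src, frame) for src, frame in capture]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The point of the example is that the office PC’s Write Single Coil is a perfectly valid Modbus frame; the controller itself has no way to refuse it, so the refusal has to come from the network around it.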

Moreover, the episode discusses the changing landscape of lift security, noting that while traditional network segregation has been a protective measure, the rise of hyper-connected lifts connected to the cloud and smartphones introduces a myriad of new attack vectors. The integration of various technologies, such as Bluetooth connections and building management systems, significantly broadens the potential attack surface. This shift prompts a call for more robust security practices beyond mere network segregation, urging the industry to adopt comprehensive security measures, intrusion detection systems, and robust monitoring to safeguard against potential cyber threats.

The security behind: RFID door locks

In this episode of the “You Gotta Hack That” podcast, Felix delves into the security of RFID door locks, a subset of the digital door locks found across the Internet of Things (IoT) landscape. He clarifies that digital door locks come in many varieties, such as PIN-based, Bluetooth-enabled, app-controlled, Wi-Fi-connected, and NFC-enabled locks; the discussion centres on RFID (Radio-Frequency Identification) door locks, which come in high frequency (3-30 MHz, with 13.56 MHz the usual band for access cards) and low frequency (30-300 kHz, typically 125 kHz) variants. While high-frequency RFID is more common, low-frequency tags can be advantageous under certain conditions, like underwater settings. A notable manufacturer in this field is HID, whose iClass product series is prominent.

The security of these locks is shaped by resource constraints: an RFID card has a tiny fraction of the computing power of the lock it talks to. Felix explains that the cards contain just an antenna coil and simple electronics, powered by the reader’s field, with no battery or other components. He distinguishes between attacks on cards and attacks on locks and explores potential attack goals, such as denial of access, ransomware, tracking people, and data manipulation.

Focusing on the technicalities of RFID door locks, Felix covers the MIFARE Classic card, detailing its storage capacities, and the later generations of the MIFARE family (EV1, EV2, EV3). He discusses how these cards present their data to locks for verification and access control, either with the lock deciding on its own or by communicating with a centralised management server. Felix addresses what attacking these locks means in practice, from gaining access by cloning a card to exploiting flaws in the protocol. He highlights historical attacks against MIFARE Classic, like offline brute forcing of its 48-bit keys, weaknesses in the card’s random number generator, and leakage through the encrypted parity bits.
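As an added example (not from the podcast, and not NXP’s code), here is a small audit of a MIFARE Classic 1K dump of the kind a key-recovery tool produces. It checks the manufacturer block’s UID checksum, looks for the widely published default keys in each sector trailer, verifies that the access bits’ inverted copies agree, and flags sectors whose configuration lets anyone holding Key A read Key B. The dump, its UID and the “site” keys are constructed for illustration.

```python
"""Audit a MIFARE Classic 1K dump for weak or inconsistent sector trailers.

Added example for this post, not code from the podcast or from NXP.  The
sector/block layout and the access-bit encoding are the documented MIFARE
Classic 1K structure; the dump built in build_sample_dump(), its UID and
the "site" keys are constructed for illustration.
"""
SECTORS = 16
BLOCKS_PER_SECTOR = 4
BLOCK_SIZE = 16

# Widely published factory / transport keys; a site still using one is wide open.
DEFAULT_KEYS = {
    bytes.fromhex("FFFFFFFFFFFF"),
    bytes.fromhex("A0A1A2A3A4A5"),
    bytes.fromhex("D3F7D3F7D3F7"),
    bytes.fromhex("000000000000"),
}

# Trailer access conditions (C1, C2, C3 for block 3) under which Key B is
# readable by a holder of Key A, so Key B adds no protection.
KEY_B_READABLE = {(0, 0, 0), (0, 1, 0), (0, 0, 1)}


def block(dump, sector, index):
    off = (sector * BLOCKS_PER_SECTOR + index) * BLOCK_SIZE
    return dump[off:off + BLOCK_SIZE]


def decode_access_bits(trailer):
    """Return [(C1, C2, C3)] for blocks 0..3 of the sector, or None if the
    inverted copies stored in bytes 6..8 disagree with the plain ones."""
    b6, b7, b8 = trailer[6], trailer[7], trailer[8]
    c1, c2, c3 = b7 >> 4, b8 & 0x0F, b8 >> 4
    inv_c1, inv_c2, inv_c3 = b6 & 0x0F, b6 >> 4, b7 & 0x0F
    if (c1 ^ inv_c1, c2 ^ inv_c2, c3 ^ inv_c3) != (0x0F, 0x0F, 0x0F):
        return None
    return [((c1 >> i) & 1, (c2 >> i) & 1, (c3 >> i) & 1) for i in range(4)]


def audit(dump):
    """Return {'uid': [...], 0: [...], ..., 15: [...]} of finding codes."""
    findings = {}
    b0 = block(dump, 0, 0)
    uid, bcc = b0[:4], b0[4]                       # manufacturer block: UID then BCC
    findings["uid"] = [] if bcc == (uid[0] ^ uid[1] ^ uid[2] ^ uid[3]) else ["bcc-mismatch"]
    for s in range(SECTORS):
        trailer = block(dump, s, 3)
        key_a, key_b = trailer[:6], trailer[10:16]
        found = []
        if key_a in DEFAULT_KEYS:
            found.append("default-key-a")
        if key_b in DEFAULT_KEYS:
            found.append("default-key-b")
        acl = decode_access_bits(trailer)
        if acl is None:
            found.append("access-bits-inconsistent")
        elif acl[3] in KEY_B_READABLE:
            found.append("key-b-readable-with-key-a")
        findings[s] = found
    return findings


def build_sample_dump():
    """Constructed 1K dump: transport configuration everywhere except two sectors."""
    dump = bytearray(SECTORS * BLOCKS_PER_SECTOR * BLOCK_SIZE)
    uid = bytes.fromhex("DEADBEEF")                                  # made-up UID
    bcc = uid[0] ^ uid[1] ^ uid[2] ^ uid[3]
    dump[0:16] = uid + bytes([bcc, 0x08, 0x04, 0x00]) + bytes(8)     # BCC, SAK, ATQA, filler
    default = bytes.fromhex("FFFFFFFFFFFF")
    for s in range(SECTORS):
        off = (s * BLOCKS_PER_SECTOR + 3) * BLOCK_SIZE
        dump[off:off + 16] = default + bytes.fromhex("FF078069") + default   # FF 07 80 = transport
    # Sector 1: site keys, access 78 77 88 (data writable with B only; Key B never readable)
    off = (1 * BLOCKS_PER_SECTOR + 3) * BLOCK_SIZE
    dump[off:off + 16] = (bytes.fromhex("112233445566") + bytes.fromhex("78778869")
                          + bytes.fromhex("AABBCCDDEEFF"))
    # Sector 2: one flipped bit in byte 8, so the inverted copies no longer match
    dump[(2 * BLOCKS_PER_SECTOR + 3) * BLOCK_SIZE + 8] = 0x81
    return bytes(dump)


if __name__ == "__main__":
    for sector, found in audit(build_sample_dump()).items():
        if found:
            print(sector, ", ".join(found))
```

Two things worth noticing when you run it: the transport configuration (FF 07 80) that cards ship with makes Key B readable to anyone who knows Key A, so a deployment that changed only Key B has changed nothing; and a trailer whose inverted access bits disagree is either corrupted or deliberately tampered with, and on a real card a write of such a trailer bricks the sector.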

Felix also delves into potential lock-facing attacks, discussing scenarios like overloading RF antennas, corrupting firmware, and exploiting software vulnerabilities. He highlights the 2017 ransomware incident involving a hotel’s electronic key cards, clarifying that while it affected key creation, it didn’t trap people inside rooms. The podcast concludes with the benefits of central key management, which allows keys to be turned off remotely and shifts risk away from the physical token, something particularly applicable to items like cars.