Diagnose This Gate Access Install, Unsecure Cabling?

Brian Rhodes
Apr 30, 2018
IPVMU Certified

How would you handle this?

You are looking at the unsecured side of the gate that protects the area behind it.  Notice the flex-tite conduit installed on this unsecured side of the fence.

Is this the best approach?

In my opinion, the device cabling should be installed inside the fence in rigid pipe to inhibit tampering vulnerability of just cutting or yanking it away from the reader/intercom.

But then again, putting conduit inside the fence puts it inline with gate travel, making routine maintenance hard, and potentially even making UL325 Compliance (Safety Offsets/Travel Limits of Commercial Gates) impossible.

How would you install this?

Undisclosed Integrator #1
Apr 30, 2018

Not sure why one would mount that stuff on the fence, but if you must, then one could mount it on the lid of an enclosure, which would eliminate the flex-tite; you can wire all that stuff from the back.

Normally we would ditch conduit to a pedestal and run the cables inside of the pedestal to the intercom and reader.

Undisclosed Integrator #2
Apr 30, 2018

Gates such as this are hard to come up with a totally secure and 'proper' install.  I can admit, I have done something similar in the past, and sometimes it's the best you can do.

The largest red flag I see here, is a concern the A8004 shown is using the relay output to open the gate.  If so, this is a large security risk.

The readers, and the POE, although not ideal, are not in a way of causing a risk, but an inconvenience when some person of ill will comes along to attempt entry, and only does damage to prevent authorized entry (damage to reader or wiring preventing authorized access).

Undisclosed #3
Apr 30, 2018

What is it protecting? Is this system there to provide some degree of actual security, or is it more to just keep random passers-by out?

Without knowing what is being protected/what is at risk, it is hard to say to what degree this job should change. I agree that the install is lacking, but hard to say if money should be spent on trenching, pedestals, etc.

Shannon Davis
Apr 30, 2018
IPVMU Certified

At least it is in some type of conduit!!

Bryan Buenaventura
May 01, 2018
www.dynamic-certified.org

Conduit trenched subterrain leading to a gooseneck pedestal mounted on the unsecured side. Mount both access devices on the pedestal face with tamper-proof screws and equip with tamper alarm switches. All wires would be inaccessible, it'd be very hard to breach, and would look best.

Michael Silva
May 01, 2018
Silva Consultants

Don't forget the security vulnerability created by the fire department key switch. I have an article on this topic on my web site: Security Vulnerabilities Created by Exterior Key Switches.

Bryan Buenaventura
May 02, 2018
www.dynamic-certified.org

Excellent write-up of this security vulnerability Michael!

In addition, our researchers have also found that if proximity access cards are left inside those fire Knox Boxes, the data in those access cards can be extracted at distance using a long range skimmer, such as the (Bishop Fox) Tastic ID Thief.

We put this to the test back in 2016. What we discovered is that true 'Knox Box factory-made' steel keyboxes were so thick that they provided ample protection from long range radio-frequency extraction. They behaved similarly to a Faraday cage. RFID was not able to get in or out.

But in other instances, (like whenever aluminum fire key boxes were used), we were in fact successful at long range data extraction. We then took that data and wrote them onto rewriteable cards. These pre-configured cards intended for firemen & first responders usually had MASTER ACCESS!

Brian Rhodes
May 02, 2018
IPVMU Certified

Oh man, that is so sneaky, terrible, and avoidable.  Very interesting.

Here's a picture of the Bishop Fox-style cloner.  Notice it uses a long range (i.e., high power) reader.

It fits in a bag and is battery-powerable.  And it apparently has enough power to punch through aluminum key boxes!

Bryan Buenaventura
May 02, 2018
www.dynamic-certified.org

Frankly, we were very disappointed that supposed "white hat" ethical hackers took the time to really break down the procedure in recreating their Tastic ID Thief. It was the equivalent to the ingredients + the recipe!

Like, WHY???

We made 2 versions of it: We have one briefcase with the Maxiprox (for skimming 125 kHz LF cards), and a second version with an iClass R90 (for skimming 13.56 MHz HF cards).

They both work!

Brian Rhodes
May 02, 2018
IPVMU Certified

Was it iClass SEOS you cloned?

Bryan Buenaventura
May 02, 2018
www.dynamic-certified.org

Nope, SEOS held strong then and still does now. It's the card technology we recommend.

HOWEVER, the groups that I follow on 2 different code repository sites are seemingly working 24/7 at cracking the rest of the HF technologies, especially SEOS. (HF iClass and Mifare have already been cracked).

SEOS and possibly DESFire may be the last of the secured, uncloneable cards.

Brian Rhodes
May 02, 2018
IPVMU Certified

> Nope, SEOS held strong then and still does now.

Thanks.  Full disclosure: I'm a little sad you weren't announcing you broke it here!  :)

Edit: Our post on 'secure' formats here: Vulnerability Directory For Access Control Cards

Bryan Buenaventura
May 02, 2018
www.dynamic-certified.org

Our research has only gotten better since... but it's not a comfortable place to be as a security professional. Pretty dark, trying to follow in the steps of crooks & cyber-criminals. All of whom are probably 1,000X smarter than us. (To reiterate: Bishop Fox are Ethical Hackers!)

Am thankful in a way that we aren't in InfoSec, with new threats breaking every few hours. Still, it would be nice to have more physical security professionals that could be more committed to responding to threats to our industry more appropriately.

I do wish that we had discovered IPVM sooner! We've learned so much on this forum. I only hope to be able to contribute to try and give back (to whatever we are capable of), to try and balance what we absorb from your important medium.

#StrengthInNumbers

Undisclosed End User #4
May 04, 2018

Assuming that they are not using the relay out from the intercom, other than looks, what's really the problem from a security aspect? If someone ripped away the conduit and got to the network cable or Wiegand cable, what could they really do with it?

Bryan Buenaventura
May 04, 2018
www.dynamic-certified.org

See: BLEKey

Josh Penn
May 05, 2018
Automated Controls

It should be put in a keypad pedestal 6' away and conduit run as low on the fence as possible. There should be no device that can open the gate within 6' of the gate itself, which is part of UL325 compliance (very hard to do sometimes when it's just an open lot).
