Blurred Boundaries: Hacking across the digital and physical divide
Earlier this month, Senior Offensive Security Consultant Topaz was able to enjoy the results of a plan years in the making. That plan was to create Australia’s first lock picking and physical security conference.
Following countless hours developing and coordinating in his spare time, the conference arrived this month in the form of OzLockCon 2017.
The goal for OzLockCon: to provide a forum for hackers and lock pickers to test their skills and push the limits of the latest physical security systems. Critically, Topaz saw this as an opportunity to bring the physical security industry into the 21st century by providing much-needed collaboration between the physical security manufacturers and ‘defenders’ such as locksmiths, and white hat hackers such as Topaz and others.
OzLockCon was groundbreaking in the way it demonstrated just how intertwined our digital and physical security has become. Topaz was able to display how risks in one realm can easily affect the other. A key takeaway for Australian companies is the need to broaden their security testing regime to include physical testing and ‘red teaming’ exercises. Common external Penetration Testing is no longer enough.
The conference illustrated how determined attackers will use physical attacks to bypass external cyber security controls, such as perimeter firewalls and intrusion prevention systems, which are traditionally much stronger. Once physically inside an organisation, attackers could access the soft and chewy internal networks, where security is often far weaker than at the perimeter. If the RFID hacking workshop was anything to go by, companies should be reviewing their building and door access systems immediately. In a matter of seconds, Loop Offensive Security Consultant Gil Azaria was able to clone a commonly used door access swipe card, leveraging techniques adopted during various Physical Security and Red Team engagements.
Unfortunately, these problems also extend into our homes, as the demonstration from Huajiang ‘Kevin2600’ Chen showed just how easy it is for attackers to break into various ‘smart’ locks.
For years in the cyber realm we have seen close collaboration between white hat hackers and industry such as application developers, cyber security vendors and companies offering internet enabled technology. A culture of partnership and disclosure exists, with innovative approaches such as ‘bug bounty’ programs providing rewards to white hat hackers when they disclose vulnerabilities.
The reality is that countless vulnerabilities exist across the physical and digital divide. The issue arises when the ‘bad guys’ discover and exploit these vulnerabilities before a patch or ‘fix’ can be released. The question is whether we want a culture where the ‘good guys’ are encouraged to identify and disclose these so-called ‘0-day’ vulnerabilities in the physical realm just as we do in the digital space.
Given the increasing number of ‘smart’ and ‘connected’ physical security measures in our world today, I would argue that time is now.
Further coverage here: https://www.itnews.com.au/news/why-hackers-learn-to-pick-locks-464049